New malware called STX RAT was discovered as the first RAT to be able to use invisibility techniques and perform a variety of operations. This was first seen in February 2026 when it attacked a Financial Institution. STX was also noted for its ability to evade detection and provide access controls for both information stealing and backdoor use.
The RAT's name is derived from the consistent use of the Start of Text (STX) magic byte that is added to each command-and-control (C2) communication—it is a valuable tracking mechanism for researchers studying the RAT.
What Is STX RAT?
The STX RAT is a backdoor program developed for the .NET framework that has long-term access to a computer for the purposes of stealing data. The STX RAT offers both hidden remote desktop control and credential theft functionality, appealing to ransomware affiliates needing reliable access to deploy their ransomware or reliable access after deploying ransomware.
Key technical highlights include:
1. A multi-step process used to extract files from an encrypted archive using XXTEA encryption and Zlib compression
2. Running an executable file from memory only with either PowerShell or reflective loader methods to avoid detection through traditional database scans, which means no evidence of the execution can be found in the operating system's file system.
3. Detecting whether or not the victim system is a virtual machine (sandbox) and delaying the execution of certain functions controlled by the Command & Control server (C2). The execution of specific functions will occur only upon direction by the Command & Control server (C2).
4. HVNC (hidden virtual network computing) provides complete control of a victim’s computer through the use of a completely hidden terminal.
Core Capabilities
1. Hidden Remote Access (HVNC) - HVNC's main advantage is offering a hidden desktop through which commands can be executed without the legitimate user knowing (i.e. Useful for doing hands-on keyboard on Ransomware attacks).
2. Infostealer Functionality - This component will only activate after receiving a specific command from the Command & Control server (i.e. the "getcreds" command), thereby limiting the amount of observable [to the sandboxed environment or when the Command & Control] evidence that there is a cyber-attack in progress.
The targets for the Infostealer component are as follows:
a) Browser Credentials and Cookies (e.g., Chromium, Firefox, SeaMonkey)
b) Windows Vault and Credential Manager Data
c) FTP Client Credentials (e.g., FileZilla, WinSCP)
d) Cryptocurrency Wallets (e.g., Litecoin-Qt, Electrum)
3. Persistence Mechanisms - Registry-based autorun entries and COM object hijacking will ensure the malware remains present and retains its functionality after rebooting.
4. Additional features of the Infostealer include:
a) Network Tunnelling
b) File Execution and System Manipulation
c) User Input Simulation (mouse/keyboard control through the hidden desktop).Delivery and Initial Access
Delivery and Initial Access
STX RAT is typically delivered through opportunistic methods:
1. Trojanized installers of legitimate software (e.g., fake FileZilla or CPUID HWMonitor downloads)
2. Malware that can be downloaded from sites that have been compromised or that have been set up for use as fake sites in order to distribute malicious VBScript (now known as Jscript) file(s).
3. Scripts that will escalate their permission levels and load the payload into memory will be multi-staged scripts.
And for this supply-chain like form of delivery, it is obvious that it is effective against users that have confidence in common tools.
Why Ransomware Affiliates Like STX RAT
Ransomware affiliates and ransomware groups need to have access to corporate networks prior to them getting encrypted, so they will have stable and less detectable access to them.
Here are some features of STX RAT that provides affiliates with stable and less detectable access:
1. Low Detection Rates Because of In-Memory Execution and Delayed Activation of the Stealer
2. Hydraulic VPN ‘HVNC’ Provides Quieter Interaction and Ideal for Movement Laterally and Reconnaissance as Well As Control
3. Created with .NET, Affords Ease (And Speed) to Adapt to and to Integrate into Other Tools Commonly Used in Ransomware Operations
4. Gated Capabilities to Decrease Early Detection Risk In Initial Access Stage
Its emergence fits the broader 2026 trend of more modular, evasive tools being shared or sold in underground markets for use by ransomware-as-a-service (RaaS) affiliates.
Risks and Impact
The STX RAT creates high-risk scenarios that cause significant harm to many financial and other data-driven industries. When an organization has its systems targeted by the STX RAT, the following results are possible:
1. Theft of customer credentials for future attacks
2. Complete remote control of compromised devices
3. Data removal from compromised systems before ransomware is installed
4. Longer periods of time that a target is "living" on-the-net and will require significant time to resolve all incidents.
For small to medium-size businesses and start-ups, this risk is less direct, but can present a high-level threat through the potential for third-party supply chain issues or the downloading of trojanized tools by employees.
Practical Defense Tips
1. Do not download files from the Internet other than from sources you trust or official sources.
2. Configure Microsoft Windows by default to open .vbs and .js files with benign applications like Notepad instead of running these automated files when opened.
3. Use heuristics-based endpoint detection by monitoring for in-memory execution, abnormal use of PowerShell commands, and hidden desktop session activity.
4. Implement application control by limiting access to unauthorized .NET executables where applicable.
5. Monitor for HVNC indicators: Look for unusual desktop session activity or hidden processes.
6. Regularly patch systems and employ the principle of least privilege: Minimize the attack surface for initial access.
7. Instruct employees not to run any unknown installers (even though you may personally be familiar with the installer).
The most effective way to protect your organization from the constantly increasing number of cyber threats like the STX RAT Virus is to utilize a combination of multiple layers of technical controls and user education.
Key Takeaways
1. On February 26th 2026, the STX RAT virus was discovered by researchers as one of the most sophisticated RAT viruses created on the .Net coding platform that possesses advanced stealth features and a Hidden Virtual Network Connection (HVNC) capability.
2. The STX RAT has both remote access capability and a gated info stealing capability, allowing affiliate members of ransomware groups to continue to maintain an extremely low level of persistence and profile.
3. The STX RAT often comes from a legitimate application that has been trojanized after being legitimately updated.
4. The STX RAT virus has several mechanisms for avoiding detection, including keeping its code in memory only, encryption, delaying execution of parts of its code, etc.
5. Companies should make proactive attempts to block untrusted downloads, as well as to monitor for advanced remote access activities that may indicate an infected user.
With the evolution of ransomware operations becoming more sophisticated in 2026, RATs like STX RAT places a greater emphasis on the need for proactive, behaviorally based defenses rather than traditional signature based defenses.