Listen to this Post

Introduction:
A new breed of Remote Access Trojan (RAT) has emerged, combining military-grade encryption with hidden remote desktop capabilities to operate with unprecedented stealth. First observed in late February 2026 targeting a financial-services organization, STX RAT (named for its consistent use of the STX magic byte \x02) represents a significant evolution in malware sophistication, featuring a multi-stage unpacking chain, X25519 ECDH key exchange, ChaCha20-Poly1305 encrypted C2 traffic, and a fully functional HVNC module that gives attackers silent, interactive control over compromised machines.
Learning Objectives:
- Analyze STX RAT’s multi-stage infection chain and in-memory execution techniques.
- Understand the cryptographic C2 protocol, including key exchange, authentication, and session encryption.
- Implement detection and mitigation strategies, including YARA rules, network monitoring, and endpoint hardening.
You Should Know:
- Multi‑Stage Infection Chain: From VBScript to Full Compromise
STX RAT typically arrives via a browser‑downloaded VBScript or a trojanized FileZilla installer. The initial VBScript concatenates JScript contents, writes them to disk, and executes them via `WScript` with elevated privileges. The JScript then downloads a TAR archive containing two files: `1.bin` (the STX RAT payload) and `2.txt` (a PowerShell loader). The PowerShell script reverses and Base64‑decodes 1.bin, allocates RWX memory using VirtualAlloc, copies the payload into the buffer, and transfers execution via Marshal.GetDelegateForFunctionPointer.
Step‑by‑step guide to analysing the loader:
- Extract the PowerShell loader from memory after the JScript runs.
- Identify the Base64‑encoded payload: look for a long string that is reversed and decoded.
- Use the following Python snippet to emulate the decoding:
import base64 encoded_payload = "..." reversed_str = encoded_payload[::-1] raw_bytes = base64.b64decode(reversed_str)
- Dump the raw payload to disk for static analysis.
- Monitor for `WScript.exe` executions from temporary folders using Sysmon event ID 1.
-
Cryptographic C2 Communication: Breaking Down the Secure Protocol
STX RAT protects all C2 traffic with a well‑designed cryptographic scheme:
– Key exchange: X25519 ECDH derives a per‑session shared secret.
– Server authentication: Ed25519 validates the C2’s X25519 public key using an embedded public key (4DwvIfxy4thDpGXKYjew8MTI1jYwFEIs2oHuW35BtVM=).
– Encryption: ChaCha20‑Poly1305 provides confidentiality and integrity.
– Framing: Length‑prefixed TCP messages with format [nonce(12) || ciphertext || tag(16)].
Step‑by‑step guide to decrypting captured STX RAT traffic:
- Hook `CryptGenRandom` in the malware process to dump the victim’s ephemeral X25519 private key (32 bytes).
- Use the following Python snippet to derive the shared secret and decrypt messages:
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes from cryptography.hazmat.primitives.kdf.hkdf import HKDF from cryptography.hazmat.primitives import hashes</li> </ol> victim_priv = X25519PrivateKey.from_private_bytes(victim_private_bytes) c2_pub = X25519PublicKey.from_public_bytes(c2_public_bytes) shared_secret = victim_priv.exchange(c2_pub) hkdf = HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=None) chacha_key = hkdf.derive(shared_secret) cipher = Cipher(algorithms.ChaCha20(chacha_key, nonce), mode=None) decryptor = cipher.decryptor() plaintext = decryptor.update(ciphertext) + decryptor.finalize()
3. Verify the Poly1305 tag if present; the absence of a tag often indicates a C2 command.
- Stealth and Evasion: Anti‑VM, Anti‑Analysis, and AMSI Ghosting
STX RAT employs multiple evasion techniques:
- Anti‑VM: Scans for VirtualBox, VMware, and QEMU artifacts (files, registry keys, services). If detected, it performs a “jitter exit” – sleeps with a random delay and terminates.
- Process name check: Ensures it runs under `powershell.exe` or
msbuild.exe, otherwise exits. - PEB BeingDebugged flag: Checks for debugger presence.
- AMSI Ghosting: Patches `rpcrt4!NdrClientCall3` to disable the RPC layer that AMSI depends on.
- String obfuscation: Uses rolling XOR (starting keys like
0x39) and AES‑128‑CTR encrypted strings decrypted on demand.
Step‑by‑step guide to bypassing anti‑analysis:
- Patch the `BeingDebugged` flag in the PEB:
(BYTE)((BYTE)NtCurrentTeb()->ProcessEnvironmentBlock + 2) = 0. - Hook `GetModuleFileNameW` to return a process name containing “powershell”.
- Use the eSentire IDA Python script to automatically decrypt rolling‑XOR and AES strings (available at the GitHub repo listed in the blog).
- Example YARA rule to detect the XOR‑decryption loop:
rule STX_RAT_XOR_LOOP { strings: $xor_loop = { 8A 04 0A 32 01 88 04 0A 40 3B C2 7C F? } condition: $xor_loop } -
HVNC and Stealthy Remote Access: How Attackers Hide in Plain Sight
The most dangerous feature of STX RAT is its Hidden Virtual Network Computing (HVNC) module. Upon receiving a `start_hvnc` command, the malware creates a completely separate desktop session running in the background. Attackers can inject keystrokes (
key_press), simulate mouse movements (mouse_input), scroll applications (mouse_wheel), and paste content (paste) using the Windows `SendInput` API – all while the victim continues working normally on their visible desktop.Step‑by‑step guide to detecting HVNC activity:
- Monitor for calls to `CreateDesktop` and `SwitchDesktop` APIs via API hooking or ETW.
- Look for anomalous `SendInput` sequences targeting non‑foreground windows.
- Use the following PowerShell snippet to enumerate all desktops and their windows:
Add-Type @" using System; using System.Runtime.InteropServices; public class Desktop { [DllImport("user32.dll")] public static extern IntPtr OpenDesktop(string lpszDesktop, uint dwFlags, bool fInherit, uint dwDesiredAccess); } "@ - Investigate any desktop named other than “Default” or “Winlogon”.
5. Data Exfiltration and Credential Theft
STX RAT’s infostealer module is gated by C2 interaction – it only activates after receiving a `get_creds` command. The malware targets:
– Browsers: Firefox, Chrome, Edge, Brave, Vivaldi (cookies and passwords).
– FTP clients: FileZilla, WinSCP, Cyberduck (via enumeration of `%APPDATA%` and registry keys).
– Crypto wallets: Litecoin‑Qt, Zcash, Electrum, Bitcoin‑Qt, bytecoin.
– Windows Vault: UsesVaultEnumerateVaults,VaultOpenVault, and `VaultGetItem` APIs.
– Screenshot: Captures the victim’s desktop via `BitBlt` before transmitting stolen data.Step‑by‑step guide to extracting stolen credentials from memory:
- Dump the process memory of `powershell.exe` or `msbuild.exe` after the malware runs.
- Search for SQLite database headers (
53514C69746520666F726D6174) to locate browser credential files. - Use the following Python script to decrypt Chrome’s AES‑256‑GCM encrypted passwords (requires DPAPI):
import win32crypt with open("Login Data", "rb") as f: data = f.read() decrypted = win32crypt.CryptUnprotectData(data) - Monitor for `BitBlt` calls with a source DC that does not belong to the foreground window – a strong indicator of screenshot capture.
6. Persistence Mechanisms: Multiple Ways to Survive Reboots
STX RAT establishes persistence through several techniques:
- HKCU Run: Launches `autorun.ps1` which decrypts the payload from
%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.2.db. - MSBuild project file: Executes a C project that decrypts and injects the payload.
- COM object hijacking: Sets a scriptlet as the default handler for a COM CLSID, causing automatic execution.
Step‑by‑step guide to removing STX RAT persistence:
- Run `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and look for entries pointing to `autorun.ps1` or `MSBuild.exe` with a `.proj` file.
- Search for any `.sct` files in `%TEMP%` or `%APPDATA%` that contain JScript.
- Use Autoruns from Sysinternals to inspect COM hijacking entries under
HKCU\Software\Classes\CLSID.
4. Remove the following registry keys if present:
HKCU\Software\Classes\TypeLib{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\2\1.1\0\win647. Defensive Measures and Mitigation Strategies
Based on eSentire’s Threat Response Unit recommendations, implement the following controls:
- Redirect suspicious file extensions via GPO to `notepad.exe` for
.js,.jse,.vbs,.vbe,.wsf,.hta,.wsh. - Disable `wscript.exe` using AppLocker or WDAC for both 32‑bit and 64‑bit versions.
- Block known C2 infrastructure: IP `95.216.51.236` and any associated Tor onion addresses.
- Deploy YARA rules from eSentire’s GitHub repository to detect both packed and unpacked payloads.
- Enable PowerShell logging (ScriptBlock Logging, Module Logging, and Transcription) to capture in‑memory execution.
- Use an EDR solution that monitors for `VirtualAlloc` + `WriteProcessMemory` + `CreateRemoteThread` sequences.
What Undercode Say:
- STX RAT is not a script‑kiddie tool: Its use of X25519, Ed25519, ChaCha20‑Poly1305, and a custom length‑prefixed protocol indicates a highly skilled developer with deep knowledge of cryptography and Windows internals. This is a professional‑grade RAT designed for persistent, stealthy operations.
- HVNC changes the game: By enabling silent interactive control, STX RAT allows attackers to bypass multi‑factor authentication on internal platforms, stage lateral movement, and exfiltrate data without any visible signs on the victim’s screen. Traditional endpoint visibility is blind to this activity.
Prediction:
STX RAT will likely be adopted by multiple cybercriminal groups and possibly state‑sponsored actors within the next six months. Its modular architecture and robust encryption will inspire copycats and variations. Defenders must shift from signature‑based detection to behavioural analytics that identify anomalous API call patterns, hidden desktop creation, and memory‑only execution. Organisations that fail to disable legacy script hosts (VBScript, JScript) and implement application whitelisting will remain vulnerable to this and similar threats.
▶️ Related Video (72% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Jamie Williams – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeTesting & Stay Tuned:


