C++ Rewrite Fuels Global Surge in Millenium RAT Infections

The latest version of this malware is harder to detect and spreads through disguised files and a Telegram-based command-and-control infrastructure.

CSBadmin

Technical Overhaul and C2 via Telegram

A remote access trojan known as Millenium RAT has undergone a major transformation: version 4 is now written entirely in native C++. Dropping the earlier dependency on the .NET framework makes the malware harder to detect and lets it run on Windows hosts that have no .NET runtime installed, widening the pool of targets. The malware communicates with its operators exclusively through the Telegram Bot API, so its command-and-control traffic is ordinary HTTPS to api.telegram.org that blends into legitimate web activity, and the operators need no dedicated server of their own.
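The Telegram Bot API leaves one reliable artifact: every call goes to a URL of the form `https://api.telegram.org/bot<bot_id>:<secret>/<method>`, and a RAT has to call `getUpdates` to poll for commands and `sendMessage`/`sendDocument`/`sendPhoto` to push results back. Below is an added detection example (not code from the report or the malware) that scans network events carrying a process path and URL, such as a TLS-inspecting proxy or EDR export, and flags Bot API use from any process whose bot is not on a known-good list. The log format, host names, process paths, bot IDs and token strings are all constructed for illustration.

```python
"""Flag Telegram Bot API use from endpoint processes in proxy/EDR network logs.

Added example; the log format, host names, process paths and bot tokens are
constructed for illustration and are not indicators from the Millenium RAT report.
"""
import hashlib
import ntpath
import re

# Bot API calls look like https://api.telegram.org/bot<bot_id>:<secret>/<method>.
# Real tokens are "<numeric id>:<35-char secret>"; the secret is matched loosely here.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})"
    r"/(?P<method>[A-Za-z]+)"
)

# Assumed (constructed) event format: key=value pairs, one event per line.
EVENT_RE = re.compile(r"host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+url=(?P<url>\S+)")

# The Bot API methods a RAT needs: poll for operator commands, push loot back.
C2_METHODS = {
    "getUpdates": "command polling",
    "sendMessage": "beacon/exfil",
    "sendDocument": "file exfil",
    "sendPhoto": "screenshot exfil",
}


def fingerprint(secret: str) -> str:
    """Short hash so analysts can correlate events without storing the live token."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def scan(lines, known_bot_ids=frozenset()):
    """Return one alert per Bot API call made by a process whose bot is not allow-listed."""
    alerts = []
    for line in lines:
        ev = EVENT_RE.search(line)
        if not ev:
            continue  # not a network event in the expected format
        m = BOT_API_RE.search(ev["url"])
        if not m or m["bot_id"] in known_bot_ids:
            continue  # not a Bot API call, or a bot the organisation actually operates
        alerts.append({
            "host": ev["host"],
            "proc": ntpath.basename(ev["proc"]),
            "bot_id": m["bot_id"],
            "token_fp": fingerprint(m["secret"]),
            "method": m["method"],
            "purpose": C2_METHODS.get(m["method"], "other"),
        })
    return alerts


# Constructed sample events: two RAT-style calls from odd processes sharing one bot,
# one browser session to the Telegram web client (no Bot API path), and one call
# from an in-house automation bot that is allow-listed.
SAMPLE_LOG = [
    r"2026-03-02T10:14:03Z host=WS-0417 proc=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"url=https://api.telegram.org/bot123456789:AAHexampleexampleexampleexampleexam/getUpdates?offset=12",
    r"2026-03-02T10:14:09Z host=WS-0417 proc=C:\Users\alice\AppData\Local\Temp\cc_gen.exe "
    r"url=https://api.telegram.org/bot123456789:AAHexampleexampleexampleexampleexam/sendDocument",
    r"2026-03-02T10:15:00Z host=WS-0221 proc=C:\Program Files\Mozilla Firefox\firefox.exe "
    r"url=https://web.telegram.org/k/",
    r"2026-03-02T10:15:30Z host=SRV-MON01 proc=C:\Python312\python.exe "
    r"url=https://api.telegram.org/bot987654321:AAHexampleexampleexampleexampleexam/sendMessage",
]
KNOWN_BOT_IDS = frozenset({"987654321"})  # bots the organisation runs itself (constructed)

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, KNOWN_BOT_IDS):
        print(alert)
```

The URL path is only visible where TLS is terminated or where the sensor sits inside the process (a TLS-inspecting proxy, or EDR network telemetry). Plain DNS or NetFlow shows nothing more than `api.telegram.org`, which is why the allow-list is keyed on bot ID rather than on destination: on a workstation fleet, any process other than sanctioned automation talking to the Bot API is worth a ticket, and the bot ID plus token fingerprint lets you tie infections on different hosts to the same operator.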

Once executed, Millenium RAT loads an encrypted configuration that holds the Telegram bot token, the chat ID, and settings for persistence and keylogging. The configuration is Base64 encoded and protected with a custom XOR scheme, and random data is added at build time so that every sample carries a different file hash; this defeats hash-based signatures even though the code itself is unchanged. The trojan can steal browser credentials and cookies, capture screenshots and webcam images, record audio, log keystrokes, pull Telegram and Discord session data, and encrypt victim files.
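A Base64 plus XOR configuration with a random trailer is cheap to build and, for an analyst, cheap to undo: the bot token and chat ID are the whole point of the config, so recovering them gives you the operator's C2 handle. The added example below is not the malware's own format or code; it assumes a simple layout (JSON, XOR with a repeating key, random bytes appended, then Base64), an 8-byte key, and a known leading field name, and shows the known-plaintext recovery an analyst would try first: XOR the ciphertext against the plaintext you expect at the start, take one period of the result as the key, and accept the key length that yields valid JSON. The report only says the real scheme is a "custom XOR algorithm", so the layout, field names and key here are assumptions.

```python
"""Decode a Base64 + repeating-key XOR config blob that carries a random trailer.

Added example. The layout (JSON -> XOR -> random trailer -> Base64), the key and
the field names are assumptions for illustration; the report does not document
Millenium RAT's actual scheme beyond "Base64 plus a custom XOR with random data".
"""
import base64
import json
import secrets


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_config(cfg: dict, key: bytes, pad_len: int = 16) -> str:
    """Builder side: XOR the JSON config, append random bytes so every build hashes
    differently, then Base64 the result. The random trailer changes the file hash,
    not the key or the plaintext, which is exactly why the decoder below still works."""
    plain = json.dumps(cfg, separators=(",", ":")).encode()
    return base64.b64encode(xor_bytes(plain, key) + secrets.token_bytes(pad_len)).decode()


def recover_key(blob: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext is the key stream, and one
    period of the stream is the key. Needs known_prefix to be at least key_len long."""
    return bytes(blob[i] ^ known_prefix[i] for i in range(key_len))


def decode_config(b64: str, known_prefix: bytes = b'{"bot_token":"', max_key_len: int = 32):
    """Analyst side: try key lengths from 1 up to the known prefix length and return
    (config, key) for the first length whose decryption parses as a JSON object.
    json.JSONDecoder.raw_decode stops at the end of the first object, so the random
    trailer (which decrypts to garbage) is simply ignored."""
    blob = base64.b64decode(b64)
    decoder = json.JSONDecoder()
    for key_len in range(1, min(max_key_len, len(known_prefix)) + 1):
        key = recover_key(blob, known_prefix, key_len)
        plain = xor_bytes(blob, key)
        try:
            cfg, _end = decoder.raw_decode(plain.decode("latin-1"))
        except json.JSONDecodeError:
            continue  # wrong key length: bytes past the recovered prefix are garbage
        if isinstance(cfg, dict):
            return cfg, key
    raise ValueError("no key length produced a JSON object; prefix or layout assumption is wrong")


# Constructed sample (assumed key and field names; the token is a dummy string).
SAMPLE_KEY = bytes.fromhex("5a13a7219c440e77")
SAMPLE_CFG = {
    "bot_token": "123456789:AAHexampleexampleexampleexampleexam",
    "chat_id": "-100200300",
    "persist": True,
    "keylog": True,
}

if __name__ == "__main__":
    blob = build_config(SAMPLE_CFG, SAMPLE_KEY)
    cfg, key = decode_config(blob)
    print("recovered key:", key.hex())
    print("bot token:", cfg["bot_token"], "chat id:", cfg["chat_id"])
```

Two caveats follow from how the recovery works. The key can only be recovered up to the length of plaintext you know, so a guessed prefix shorter than the key leaves the rest of the key unknown and the decode fails rather than silently returning junk. And because the random trailer does not touch the key or the encrypted fields, hash-based signatures are the only thing it defeats; a detection that keys on the config structure, the bot token format, or the observed Bot API traffic is unaffected by it.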

Scope of Infection and Delivery Methods

More than 62,000 devices have been compromised across over 160 countries, with over 39,000 infections occurring in the first quarter of 2026 alone. Analysts at Group-IB attribute the active exploitation to a cluster they call the Y2K Operators. The malware is sold as malware-as-a-service for $50 for the first month, $10 for renewals, or $90 for lifetime access.

The Y2K Operators rely entirely on social engineering to distribute the trojan. Files are disguised as credit card generators, crypto balance checkers, hacking toolkits, cracked software, and gaming utilities. In one notable tactic, the operators take known RATs and exploit builders, silently embed a backdoor, and redistribute the tampered files: a would-be attacker downloads what appears to be a working tool and gets infected instead. In another campaign, victims received a Windows shortcut file disguised as a PDF that silently launched PowerShell to fetch a decoy document alongside the RAT payload, opening the document in the foreground as cover while the payload ran in the background.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.
