Microsoft Defender Exposes Trojanized Gaming Tools Delivering RATs and Data Theft


Microsoft Threat Intelligence uncovered a campaign distributing trojanized gaming utilities like Xeno.exe and RobloxPlayerBeta.exe. These files deploy Remote Access Trojans that grant attackers full control over infected Windows machines. The malware spreads through browsers and chat platforms targeting gamers who trust familiar file names.

Once executed, the downloader stages a portable Java runtime and runs the malicious JAR file jd-gui.jar. Attackers gain persistent access through scheduled tasks and startup scripts. The RAT connects to the C2 server 79.110.49[.]15 for remote command execution and data exfiltration. Victims silently lose credentials, files, and control of the system.

Gaming communities face high risk. Casual users run executables from chats without suspicion. Attackers exploit this trust for maximum reach. Microsoft Defender exclusions embedded in the malware bypass local protection.

Attack Chain Breakdown

The infection follows a multi-stage process designed for stealth.

Stage 1: Initial Download

  • Xeno.exe or RobloxPlayerBeta.exe dropped via browser/chat
  • Portable Java runtime deployed automatically
  • No pre-installed Java required

Stage 2: Execution and Persistence

  • PowerShell + cmstp.exe (LOLBin) for stealth execution
  • Scheduled task and world.vbs startup script created
  • Downloader self-deletes after payload deployment

Stage 3: C2 Communication

  • RAT phones home to 79.110.49[.]15
  • Full remote control established
  • Data exfiltration begins

Key Malware Components

File/component, SHA-256 hash, and purpose:

  • decompiler.exe: 48cd5d1ef968bf024fc6a1a119083893b4191565dba59592c541eb77358a8cbb (initial downloader)
  • jd-gui.jar: a33a96cbd92eef15116c0c1dcaa8feb6eee28a818046ac9576054183e920eeb5 (Java payload/RAT loader)
  • worldview.db-wal: 4442ba4c60a6fc24a2b2dfd041a86f601e03b38deab0300a6116fea68042003f (RAT persistence data)
  • world.vbs: 65f003998af7dd8103607c8e18ef418b131ba7d9962bd580759d90f4ac51da36 (startup persistence script)

C2 Infrastructure:

  • IP: 79.110.49[.]15
  • Domain/Port: powercat[.]dog:443

Evasion Techniques

Attackers blend with legitimate activity:

  • Uses cmstp.exe (legitimate Windows binary)
  • Portable Java avoids installation detection
  • Defender exclusion rules embedded
  • Self-deleting downloader removes traces
  • Familiar gaming utility names

Enterprise Risk

Work-from-home policies amplify damage. Personal gaming PCs access corporate VPNs. Stolen credentials enable lateral movement. Gaming during work hours increases exposure.

Immediate Response Steps

Steps security teams can take to contain the threat:

  • Block 79.110.49[.]15 and powercat[.]dog
  • Hunt for listed SHA-256 hashes across endpoints
  • Delete suspicious scheduled tasks and world.vbs
  • Reset credentials on affected systems
  • Remove Defender exclusions for malware components
  • Isolate and wipe compromised endpoints
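A single-host triage script for the hunting steps above, added here as an example and not taken from Microsoft's report or this article. It assumes an elevated PowerShell session and a placeholder set of folders ($SearchRoots) to hash; the indicators themselves are the ones listed on this page.

```powershell
# Added triage example, not code from Microsoft or the article. Checks one Windows
# endpoint for the indicators above. Run in an elevated PowerShell session.
# $SearchRoots is an assumed set of folders to hash; adjust to your environment.

# SHA-256 values copied from the article (Get-FileHash returns uppercase hex)
$KnownHashes = @{
    '48CD5D1EF968BF024FC6A1A119083893B4191565DBA59592C541EB77358A8CBB' = 'decompiler.exe (initial downloader)'
    'A33A96CBD92EEF15116C0C1DCAA8FEB6EEE28A818046AC9576054183E920EEB5' = 'jd-gui.jar (RAT loader)'
    '4442BA4C60A6FC24A2B2DFD041A86F601E03B38DEAB0300A6116FEA68042003F' = 'worldview.db-wal (persistence data)'
    '65F003998AF7DD8103607C8E18EF418B131BA7D9962BD580759D90F4AC51DA36' = 'world.vbs (startup script)'
}
$C2Ip = '79.110.49.15'
$SearchRoots = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:APPDATA", "$env:LOCALAPPDATA") |
    Where-Object { $_ -and (Test-Path $_) }
$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Detail) { $Findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail }) }

# 1. Hash every file under the search roots and compare against the known list
Get-ChildItem -Path $SearchRoots -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -lt 200MB } |
    ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -and $KnownHashes.ContainsKey($h)) { Add-Finding 'FileHash' "$($_.FullName) = $($KnownHashes[$h])" }
    }

# 2. Scheduled tasks whose action runs world.vbs, cmstp.exe, or a .jar file
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'world\.vbs|cmstp\.exe|\.jar\b') { Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName): $cmd" }
    }
}

# 3. world.vbs dropped in a Startup folder (current user or all users)
$StartupDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
Get-ChildItem -Path $StartupDirs -Filter 'world.vbs' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'StartupScript' $_.FullName }

# 4. Defender exclusions: the malware adds its own, so any entry you did not create needs explaining
$mp = Get-MpPreference
foreach ($ex in @($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension)) {
    if ($ex) { Add-Finding 'DefenderExclusion' $ex }
}

# 5. Live TCP connection to the C2 address
Get-NetTCPConnection -RemoteAddress $C2Ip -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'C2Connection' "PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort)" }
if ($Findings.Count -eq 0) { 'No indicators from the article found on this host.' } else { $Findings | Format-Table -AutoSize }
```

A hit in any category is a reason to isolate the host and reset its credentials, per the list above; an empty result only covers the folders you chose to hash.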

User Protection

How gamers can stay safe:

  • Download utilities only from official sites
  • Scan executables before running
  • Enable real-time antivirus protection
  • Avoid chat-shared gaming files
  • Block PowerShell from untrusted sources

FAQ

What gaming files carry the RAT?

Xeno.exe and RobloxPlayerBeta.exe.

How does malware persist across reboots?

Scheduled task + world.vbs startup script.

What data do attackers steal?

Credentials, files, full remote system control.

Which C2 server does the RAT connect to?

79.110.49[.]15 and powercat[.]dog:443.

Does it need Java pre-installed?

No. It deploys a portable Java runtime automatically.
