TRENDING TOPICS DEC 04, 2025

K.G.B RAT Emerges on Dark Web with Stealth, Automation, and Built-In Evasion Tools

A new remote access Trojan bundle called K.G.B RAT is being advertised on an underground cybercrime forum, where the seller claims it offers complete stealth, integrated evasion tools, and turnkey features for compromising Windows systems. The package includes a crypter (a tool that obfuscates or encrypts a payload so that antivirus engines cannot match its code on disk or in memory) that is updated regularly to change the payload’s appearance, which undermines detection that relies on static signatures or memory scans. The seller also promotes a builder that emits multiple payload formats, broadening delivery options across email attachments, removable media, and compromised sites.

One of the most concerning additions is HVNC (hidden VNC), which creates a second, invisible desktop session so that the attacker can interact with the victim’s system out of view of the logged-in user, enabling account takeover, financial fraud, or internal network reconnaissance. Persistence capabilities, including User Account Control (UAC) bypasses and defeats for other security features, further indicate that the RAT is intended for long-term operations rather than short-lived compromises.

Criminal advertisements routinely exaggerate, and claims of antivirus evasion and a “permanent” bypass of Windows Defender follow a predictable marketing pattern. Even so, the emphasis on automated obfuscation, payload builders, and trusted-looking remote access channels mirrors the broader shift toward commoditized, “as-a-service” malware kits that lower the barrier to entry for inexperienced operators, and integrated crypters and hidden remote sessions genuinely complicate signature-based detection. Security teams should place more weight on behavioral monitoring: alerts on unusual desktop creation (HVNC depends on an additional desktop on the interactive window station, so a desktop name other than the standard Default and Winlogon desktops is worth investigating), GUI activity that occurs while the user is idle or the console is locked, and suspicious scripting behavior. Endpoint controls, network segmentation, and enforced multi-factor authentication remain essential for limiting the scope of any intrusion. Organizations should also pay close attention to intelligence indicators referencing embedded crypters, HVNC activity, or rapid-update RAT toolkits, as these often signal emerging campaigns. This information is provided purely for awareness to help defenders recognize and block evolving dark web threats, and any handling or analysis of malicious tools must be restricted to trained professionals in controlled research environments.

Sryxen Stealer Pushes Browser-Focused Theft and Heavy Anti-Analysis Tactics

A new Windows information stealer, Sryxen, is gaining attention for its focus on browser data and for an unusually defensive design aimed at slowing down analysts. Sold as a malware-as-a-service offering, it collects browser credentials, cookies, Discord tokens, VPN details, social media accounts, and crypto assets, then sends everything to its operators through Telegram. It runs in the context of the victim’s logged-in user so that the Windows Data Protection API (DPAPI), which transparently decrypts data for the same user who protected it, hands over stored secrets without resistance.

Its standout feature is its method for bypassing Chrome’s App-Bound Encryption (ABE), which ties cookie decryption to Chrome itself rather than to the user’s DPAPI key and was meant to block the traditional copy-the-database-and-decrypt approach to cookie theft. Instead of recovering the key, Sryxen launches Chrome headless and asks the browser to decrypt its own cookies over the DevTools protocol, receiving clean plaintext without ever touching the key. For everything else it applies the established password-decryption chains for Chromium, Firefox, and Discord data, using each browser’s master key and profile directories to recover stored secrets. Once running, it sweeps every supported browser, pulling passwords, history, bookmarks, and any relevant tokens it can identify.

Behind the scenes, Sryxen works hard to frustrate defenders. Its primary theft function remains encrypted while idle and is decrypted in memory by a vectored exception handler when execution reaches intentionally invalid instructions; after running, it re-encrypts itself, leaving analysts almost nothing to view during static inspection or in a memory dump taken at the wrong moment. Multiple anti-debug checks add more friction, although the implementation is imperfect and a determined analyst can still extract the logic with careful single-stepping. Its anti-virtualization checks are minimal, which leaves room for sandbox analysis.

After gathering data, Sryxen stages everything in a hidden directory under %TEMP%, compresses it with PowerShell, uploads the archive directly to a Telegram bot (the Bot API is served from api.telegram.org), and exits. It avoids persistence, which reduces long-term visibility, but its reliance on headless Chrome, DevTools flags, PowerShell archiving, and direct outbound traffic to Telegram creates several opportunities for monitoring. For enterprise defenders, Sryxen highlights how rapidly Windows stealers are adapting to browser hardening and reinforces the value of behavioral detection focused on suspicious browser launches and automated exfiltration patterns.
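The headless-Chrome launch, the PowerShell archiving and the Telegram upload described above each leave a process or network artifact, and it is the combination that distinguishes the stealer from a developer running browser automation. The script below is an added example written for this page; it is not Sryxen’s code and not a vendor detection rule. It correlates constructed, Sysmon-like process-creation and network-connection records (not real telemetry) per user inside a time window; the allowlisted process names, the five-minute window and the two-stage threshold are assumptions to tune for your own estate.

```python
"""Behavioural correlation for the Sryxen-style theft chain described above.

Added example: not Sryxen's code and not a vendor rule. The records below are
constructed, Sysmon-like events (Event ID 1 = process creation, Event ID 3 =
network connection), not real telemetry. Process allowlists, the time window
and the two-stage threshold are assumptions to tune for your estate.
"""
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
TELEGRAM_CLIENTS = {"telegram.exe"}   # assumption: processes allowed to talk to the Bot API
WINDOW = timedelta(minutes=5)

# Constructed sample telemetry: one Sryxen-like chain under alice's session and
# one benign headless-Chrome run (browser automation driven by node.exe) for bob.
EVENTS = [
    {"id": 1, "ts": "2025-12-04T10:00:03", "user": "CORP\\alice",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe",
     "cmdline": "chrome.exe --headless --remote-debugging-port=9222 "
                '--user-data-dir="C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data"'},
    {"id": 1, "ts": "2025-12-04T10:00:20", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "Compress-Archive '
                '-Path $env:TEMP\\.cache\\* -DestinationPath $env:TEMP\\out.zip"'},
    {"id": 3, "ts": "2025-12-04T10:00:25", "user": "CORP\\alice",
     "image": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"id": 1, "ts": "2025-12-04T11:30:00", "user": "CORP\\bob",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Program Files\nodejs\node.exe",
     "cmdline": "chrome.exe --headless --remote-debugging-pipe"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_headless_devtools_chrome(ev):
    """Chrome started headless with a DevTools endpoint exposed.

    This is the launch pattern an ABE bypass needs: the browser does the
    decryption and a DevTools client reads the plaintext. Chrome's own child
    processes inherit switches, so a chrome.exe parent is ignored.
    """
    if ev["id"] != 1 or _basename(ev["image"]) != "chrome.exe":
        return False
    if _basename(ev["parent"]) == "chrome.exe":
        return False
    cmd = ev["cmdline"].lower()
    return "--headless" in cmd and ("--remote-debugging-port" in cmd
                                    or "--remote-debugging-pipe" in cmd)


def is_powershell_temp_archive(ev):
    """PowerShell compressing a staging directory under %TEMP%."""
    if ev["id"] != 1 or _basename(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return False
    cmd = ev["cmdline"].lower()
    return "compress-archive" in cmd and ("$env:temp" in cmd or "\\temp\\" in cmd)


def is_telegram_bot_egress(ev):
    """Connection to the Telegram Bot API from something that is neither a browser nor a chat client."""
    if ev["id"] != 3 or ev.get("dest_host", "").lower() != "api.telegram.org":
        return False
    return _basename(ev["image"]) not in BROWSERS | TELEGRAM_CLIENTS


STAGES = {
    "headless_devtools_chrome": is_headless_devtools_chrome,
    "powershell_temp_archive": is_powershell_temp_archive,
    "telegram_bot_egress": is_telegram_bot_egress,
}


def correlate(events, window=WINDOW, min_stages=2):
    """Alert per user when at least `min_stages` distinct stages fire within `window`.

    A single stage on its own (a developer's headless Chrome, an admin zipping
    a folder) is noise; the chain is what characterises the stealer.
    """
    hits = {}
    for ev in events:
        for name, match in STAGES.items():
            if match(ev):
                hits.setdefault(ev["user"], []).append((datetime.fromisoformat(ev["ts"]), name))
    alerts = []
    for user, seq in hits.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            stages = {name for t, name in seq[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts.append({"user": user, "first_seen": t0.isoformat(), "stages": sorted(stages)})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Run against the constructed events, only alice’s session produces an alert (all three stages within 22 seconds); bob’s lone headless Chrome is recorded as a stage hit but never reaches the threshold. Because Sryxen does not persist, the window matters more than it would for a RAT: the whole chain runs and exits in seconds, so correlate on short windows and keep the raw stage hits for hunting rather than discarding them.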

Velociraptor Abuse Becomes a Go-To Move for Modern Ransomware Operations

Recent investigations by Huntress have revealed an apparent rise in attackers misusing Velociraptor, a trusted open-source DFIR agent, to maintain covert access and move laterally within enterprise networks. Huntress documented several incidents from September through November in which threat actors first exploited major vulnerabilities, then quickly installed Velociraptor to operate with SYSTEM-level authority. Two of the incidents stemmed from the ToolShell vulnerability chain affecting on-premises SharePoint, where attackers bypassed authentication and executed commands through a modified web shell. Another case involved WSUS being abused to push malicious MSI packages, showing how core administrative services become high-impact entry points when left unpatched. Across all cases, Velociraptor ran as a persistent Windows service and blended in with normal administrative traffic, allowing malicious activity to masquerade as routine system management. These overlapping tactics highlight a growing trend: financially motivated groups are gravitating toward legitimate security tools to avoid standing out during investigations.

Once installed, attackers configured Velociraptor to reach Cloudflare-hosted C2 endpoints, often reusing the same Cloudflare Tunnel domains across unrelated incidents. The activity matched infrastructure previously tied to Storm-2603, a cluster known for exploiting ToolShell since mid-year. Operators used Velociraptor’s built-in capabilities to run PowerShell commands, map out high-value accounts, and retrieve additional tooling. They frequently paired it with Visual Studio Code’s remote tunneling feature, creating a secondary C2 channel carried by a signed Microsoft binary over Microsoft-operated tunnel infrastructure, which is far harder to flag on reputation alone. Despite the sophistication, analysts also observed clear slip-ups, including failed attempts to start services that did not exist and repeated errors when creating user accounts. These mistakes contrast with the otherwise coordinated reuse of infrastructure across Cloudflare tunnels and MSI distribution sites, suggesting either shared tooling or loosely aligned operators working from the same playbook.
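What turns a legitimate Velociraptor service into a C2 implant is its client configuration: the Client.server_urls list tells the agent which frontend to enroll with, and in the incidents above that pointed at attacker-run Cloudflare tunnels. The script below is an added example for this page; it is not Huntress’s tooling and not part of Velociraptor. It pulls server_urls out of a client config without needing a YAML library and flags any frontend that is not one you operate, any host under Cloudflare’s quick-tunnel domain (.trycloudflare.com), and any plaintext transport. The two configs are constructed samples and the allowed-host set is an assumption; substitute your own frontends.

```python
"""Audit a Velociraptor client config for attacker-controlled frontends.

Added example, not Huntress's tooling and not part of Velociraptor. It reads the
client's Client.server_urls list (the field Velociraptor uses for its frontend
URLs) and compares each host with the servers you actually operate. The two
configs below are constructed samples; the allowed host set is an assumption.
"""
from urllib.parse import urlparse

ALLOWED_HOSTS = {"velociraptor.corp.example"}   # assumption: your own frontends
TUNNEL_SUFFIXES = (".trycloudflare.com",)        # Cloudflare quick-tunnel domain; extend from intel

# Constructed: what a legitimately deployed client.config.yaml looks like.
LEGIT_CONFIG = """\
version:
  name: velociraptor
Client:
  server_urls:
  - https://velociraptor.corp.example:8000/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    MIIBconstructedplaceholder
    -----END CERTIFICATE-----
  nonce: cKr0ZtL6
"""

# Constructed: a config of the kind an attacker would drop, pointing at a
# Cloudflare quick tunnel plus a fallback over plain HTTP to a bare IP.
ROGUE_CONFIG = """\
version:
  name: velociraptor
Client:
  server_urls:
  - https://mint-rapid-tiles-cave.trycloudflare.com/
  - http://203.0.113.10:8000/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    MIIBconstructedplaceholder
    -----END CERTIFICATE-----
  nonce: 7pQ2xZ1m
"""


def extract_server_urls(config_text):
    """Return Client.server_urls from a Velociraptor client config.

    Deliberately dependency-free: it walks the two-space block style that
    Velociraptor writes (block list or inline [a, b] list). Hand-edited
    configs in other layouts should go through a real YAML parser instead.
    """
    urls, in_client, in_urls = [], False, False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if len(line) - len(line.lstrip()) == 0:       # top-level key
            in_client, in_urls = line.startswith("Client:"), False
            continue
        if not in_client:
            continue
        stripped = line.strip()
        if stripped.startswith("server_urls:"):
            rest = stripped[len("server_urls:"):].strip()
            if rest.startswith("["):                  # inline flow list
                urls += [u.strip().strip("\"'") for u in rest.strip("[]").split(",") if u.strip()]
                in_urls = False
            else:
                in_urls = True
            continue
        if in_urls:
            if stripped.startswith("- "):
                urls.append(stripped[2:].strip().strip("\"'"))
            else:
                in_urls = False                       # list ended, another Client key began
    return urls


def audit(config_text, allowed_hosts):
    """Return (finding, url) pairs; an empty list means every frontend is one you own."""
    findings = []
    urls = extract_server_urls(config_text)
    if not urls:
        findings.append(("no_server_urls", None))
    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host.endswith(TUNNEL_SUFFIXES):
            findings.append(("tunnel_domain", url))
        elif host not in allowed_hosts:
            findings.append(("unexpected_server", url))
        if parsed.scheme != "https":
            findings.append(("plaintext_transport", url))
    return findings


if __name__ == "__main__":
    for label, cfg in (("legit", LEGIT_CONFIG), ("rogue", ROGUE_CONFIG)):
        print(label, audit(cfg, ALLOWED_HOSTS))
```

Feed it the config file sitting next to the service binary (by default the installer places it under C:\Program Files\Velociraptor\, an assumption to confirm against your deployment). Two caveats: Velociraptor can embed the configuration into the executable (velociraptor config repack), so the absence of a config file is not the absence of an agent, and a service whose ImagePath points at a Velociraptor binary outside your managed install path deserves a hash comparison against the official release. An attacker who names the service something innocuous still has to point it at a frontend, which is what this check catches.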

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.