Millenium RAT Rewritten in C++ Infects 62,000+ Devices Globally

A sophisticated remote access trojan (RAT) known as Millenium RAT has been rapidly proliferating, compromising over 62,000 devices across more than 160 countries. Notably, more than 39,000 of these infections occurred in the first quarter of 2026 alone, indicating a significant escalation in its deployment.

Initially identified in November 2023 as version 2.4, Millenium RAT has undergone substantial evolution. The latest iteration, version 4, has been completely rewritten from .NET to native C++, eliminating the need for .NET dependencies on target systems and enhancing its stealth capabilities. This rewrite also complicates detection efforts by security software.

The malware is distributed as Malware-as-a-Service (MaaS) by a developer known as “shinyenigma,” who promotes it on underground forums and platforms like GitHub. The service is offered at $50 for the first month, with subsequent renewals at $10, or a lifetime access option for $90. This pricing model makes it accessible to a wide range of threat actors, contributing to its widespread adoption.

Millenium RAT’s functionality is extensive. It can steal browser credentials and cookies, capture screenshots and webcam images, record audio, log keystrokes, and extract session data from applications like Telegram and Discord. Additionally, it has the capability to encrypt files on the victim’s system. Communication with the operators is conducted through the Telegram Bot API, allowing command-and-control traffic to blend seamlessly with regular web activity, thereby avoiding the need for a dedicated server.

Upon execution, the RAT loads an encrypted configuration file containing critical information such as the Telegram bot token, chat ID, persistence settings, and keylogger options. This data is Base64-encoded and protected with a custom XOR algorithm, with additional random data included to alter the file hash and evade signature-based detection methods.

Persistence is achieved by copying the payload into the %APPDATA% directory and adding a registry autorun entry. The malware also attempts privilege escalation by prompting the user with a standard Windows User Account Control (UAC) dialog, relying on the user to grant elevated permissions. Notably, Millenium RAT does not exploit zero-day vulnerabilities; instead, it leverages standard Windows API calls, making its success heavily dependent on social engineering tactics.
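The persistence pattern described above (a payload copied under %APPDATA% and launched from a registry autorun entry) is something a responder can hunt for directly. The following is an added example, not code from the article or from the malware; it runs a simple check over a constructed sample of Run-key values, and the value names and paths in it are made up for illustration.

```python
# Added example (not from the article): flag registry autorun entries whose
# launched binary lives under %APPDATA%. The input below is a constructed
# sample; on a live host the same mapping would be read from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the winreg module.
import ntpath
import re

# Constructed sample of Run-key values: value name -> stored command line.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "Updater": r'"C:\Users\alice\AppData\Roaming\svchost.exe"',
    "Helper": r"C:\Users\alice\AppData\Roaming\Helper\helper.exe --silent",
    "Sync": r"%APPDATA%\sync.exe",
}

def expand_windows_env(cmd, env):
    """Expand %VAR% references using the supplied environment mapping."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), cmd)

def executable_path(cmd):
    """Return the binary a Run-key command line launches (first token,
    honouring a leading double-quoted path)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(" ", 1)[0]

def _norm(path):
    # ntpath works on any OS: lower-cases and normalises separators.
    return ntpath.normcase(ntpath.normpath(path))

def flag_appdata_autoruns(run_values, appdata):
    """Return the names of entries whose executable sits under appdata."""
    root = _norm(appdata).rstrip("\\") + "\\"
    env = {"APPDATA": appdata}
    flagged = []
    for name, cmd in run_values.items():
        exe = _norm(executable_path(expand_windows_env(cmd, env)))
        if exe.startswith(root):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    hits = flag_appdata_autoruns(SAMPLE_RUN_VALUES, r"C:\Users\alice\AppData\Roaming")
    for name in hits:
        print(f"suspicious autorun under %APPDATA%: {name} -> {SAMPLE_RUN_VALUES[name]}")
```

Legitimate software does sometimes run from %APPDATA%, so a hit is a triage lead to pair with the file's signature and hash rather than a verdict on its own.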

The operators behind Millenium RAT, identified as the Y2K Operators, employ diverse social engineering strategies to distribute the malware. They utilize trojanized tools and lures designed to appeal to a broad spectrum of targets, from individual users to aspiring cybercriminals. This approach has resulted in a rapid increase in infections, particularly in early 2026, suggesting an active and expanding operation.

The global reach and rapid proliferation of Millenium RAT underscore the evolving landscape of cyber threats. The shift to a C++ codebase and the use of Telegram for command-and-control highlight the adaptability of modern malware. Organizations and individuals must remain vigilant, employing robust security measures and user education to mitigate the risks posed by such sophisticated threats.