
A major evolution of the Millenium remote access trojan (RAT) has infected more than 62,000 Windows devices across over 160 countries while continuing to use Telegram bots for command-and-control.
Group-IB examined Millenium RAT version 4.*, which it says represents a significant architectural shift from previous .NET-based releases. The researchers attribute active malware campaigns to a threat cluster they track as Y2K Operators and identify the malware's developer as “ShinyEnigma.”
According to Group-IB, it identified 62,289 infected endpoints, with 39,730 infections occurring during the first quarter of 2026 alone, indicating a sharp increase in activity.

The malware is marketed as a malware-as-a-service (MaaS) offering. ShinyEnigma advertises Millenium RAT through underground forums, a dedicated website, and developer platforms including GitHub, GitLab, and Gitea, although several repositories have since been removed.
The service is priced at $50 for the first month, $10 for each additional month, or a $90 lifetime license, making the malware accessible to a wide range of threat actors.

Unlike earlier versions, Millenium RAT 4 is written in native C++, eliminating its dependency on the .NET framework. The malware also continues to use the Telegram Bot API for command-and-control communications, allowing operators to avoid maintaining dedicated C2 servers.
Once installed, the RAT can steal browser data, collect system information, log keystrokes, capture screenshots and microphone audio, access Telegram and Discord data, download and execute additional payloads, and run arbitrary Windows or PowerShell commands. It establishes persistence by copying itself into %APPDATA% and creating an autorun registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
Despite its extensive capabilities, Group-IB notes that Millenium RAT does not rely on sophisticated exploits. Instead, it uses standard Windows API functions, including displaying legitimate User Account Control (UAC) prompts when attempting to obtain elevated privileges.
Researchers observed the malware being distributed through a wide range of social engineering lures, including cracked software, cryptocurrency utilities, hacking toolkits, OSINT tools, exploit builders, and Roblox-related cheats. In some campaigns, the operators even trojanized malware builders and offensive security tools, infecting cybercriminals attempting to download them.

One campaign analyzed by Group-IB used PDF-themed lures in which a malicious Windows shortcut launched PowerShell to download both a decoy PDF and the Millenium RAT payload. The legitimate document opened normally while the malware executed silently in the background before deleting the downloader script.
To blend into infected systems, payloads commonly adopted filenames associated with Windows components or security software, including svchost.exe, MsEdgeUpdate.exe, Microsoft Antivirus.exe, and setup.exe.
Group-IB recommends avoiding executables from untrusted sources, applying security updates promptly, enabling multi-factor authentication, and treating unexpected UAC prompts requesting administrator privileges with suspicion. Users should also monitor for unusual autorun registry entries and system-named processes executing from user-writable directories.
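As an added example, not code from the Group-IB report, the following PowerShell audit turns the last recommendation into a check: it reads the per-user Run key named above, resolves each entry's executable, and flags entries that run from a user-writable location or reuse one of the decoy filenames the report observed. The list of decoy names and the choice of user-writable roots are assumptions drawn from the article; legitimate per-user installers (browsers, chat clients) also autorun from %LOCALAPPDATA%, so a single flag is a lead, not a verdict.

```powershell
# Added example: audit HKCU Run entries for the persistence pattern described above.
# Reads only the current user's hive, so no elevation is needed.
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# User-writable roots (assumption: where a RAT can drop itself without admin rights).
$UserWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

# Filenames the report saw Millenium RAT payloads use as camouflage.
$DecoyNames = @('svchost.exe', 'msedgeupdate.exe', 'microsoft antivirus.exe', 'setup.exe')

function Get-RunEntryExecutable {
    param([string]$CommandLine)
    # A Run value may be quoted and carry arguments; extract just the program path.
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { $cmd = $cmd.Substring(1, $end - 1) }
    } else {
        $cmd = ($cmd -split '\s+')[0]
    }
    return [Environment]::ExpandEnvironmentVariables($cmd)
}

function Find-SuspiciousRunEntries {
    $meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $meta) { continue }          # skip provider metadata, keep real values
        $exe   = Get-RunEntryExecutable ([string]$p.Value)
        $exeL  = $exe.ToLowerInvariant()
        $name  = [IO.Path]::GetFileName($exeL)
        $flags = @()
        foreach ($root in $UserWritableRoots) {
            if ($exeL.StartsWith($root)) { $flags += 'runs from user-writable directory'; break }
        }
        if ($DecoyNames -contains $name) { $flags += "system-like filename '$name'" }
        if ($flags.Count -gt 0) {
            [PSCustomObject]@{
                ValueName = $p.Name
                Target    = $exe
                Severity  = if ($flags.Count -ge 2) { 'High' } else { 'Review' }
                Flags     = ($flags -join '; ')
            }
        }
    }
}

Find-SuspiciousRunEntries | Format-Table -AutoSize
```

An entry that hits both checks (for example a Run value pointing at svchost.exe under %APPDATA%) matches the persistence and naming behaviour described in the report and is worth pulling the file for analysis.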