Malware News STX RAT: A new RAT in 2026 with Infostealer Capabilities

Khushal

In late February 2026, eSentire's Threat Response Unit (TRU) observed an attempted delivery of a previously undocumented malware family within a customer environment in the Finance industry. TRU is tracking this threat as STX RAT, named for its consistent use of the Start of Text (STX) magic byte "\x02" prefixed to C2 messages.

Interesting find.

If eSentire’s write-up is accurate, this looks like a newly documented RAT with information-stealing capability rather than just a basic remote access implant.

What stands out from the description
  • It was reportedly observed in a real customer environment, which suggests this was not just a lab-only sample.
  • The malware is being tracked as “STX RAT” because of the 0x02 STX byte prefixed to C2 traffic.
  • A RAT with infostealer functions usually means the risk is broader than remote control alone, potentially including credential theft, system profiling, and data collection.

Why caution is important here

Because this appears to be an early public report, it is better not to overstate how widespread it is, who is behind it, or how sophisticated it is unless more independent reporting appears.

At this stage, the safest position is:

  • Treat it as a credible newly reported threat family
  • Avoid assuming full attribution or campaign scale
  • Wait for additional technical analysis, detections, and vendor confirmations

Practical takeaway

For defenders, the useful next steps are the usual ones for a newly documented RAT:

  • Review the vendor’s IOCs and detection guidance if they published them
  • Check EDR/AV telemetry for unusual outbound C2 patterns
  • Hunt for persistence, credential access activity, and suspicious child processes
  • Submit related samples or indicators to VirusTotal and compare with community detections
  • Watch for YARA/Sigma coverage from other researchers

If anyone wants to rely on this report operationally, I would strongly suggest validating against the original technical indicators from eSentire and then waiting for corroboration from other security vendors before drawing broader conclusions.
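One way to turn the single concrete detail in the report (the STX byte consistently prefixed to C2 messages) into a telemetry hunt. This is an added example, not code from the post or from eSentire; it assumes outbound messages have been exported as (host, destination, direction, payload) records, and all sample records and payload contents are constructed.

```python
"""Hunt for conversations where nearly every outbound message starts with STX (0x02).

A single 0x02 byte is weak evidence on its own, because legitimate protocols emit it
too. The report describes *consistent* use across C2 traffic, so the heuristic below
flags a host/destination pair only when several messages all share the prefix.
"""
from collections import defaultdict

STX = b"\x02"

# Constructed sample telemetry: (source host, destination, direction, raw payload).
# Message bodies are placeholders; the report does not document the C2 format beyond
# the leading STX byte.
SAMPLE_RECORDS = [
    ("ws-01", "203.0.113.10:443", "out", b"\x02ping"),
    ("ws-01", "203.0.113.10:443", "out", b"\x02hostinfo"),
    ("ws-01", "203.0.113.10:443", "out", b"\x02ack"),
    ("ws-02", "198.51.100.5:80", "out", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("ws-02", "198.51.100.5:80", "out", b"\x02"),          # lone STX, e.g. legacy-protocol noise
    ("ws-03", "192.0.2.7:8443", "out", b"\x16\x03\x01\x00\xa5"),  # TLS record header, not STX
    ("ws-03", "192.0.2.7:8443", "in", b"\x02reply"),       # inbound, ignored by the hunt
]


def stx_prefixed(payload: bytes) -> bool:
    """True when the message begins with the STX magic byte."""
    return payload.startswith(STX)


def hunt_stx_c2(records, min_messages: int = 3, min_ratio: float = 0.9):
    """Return {(host, dst): stx_message_count} for outbound conversations that have
    at least `min_messages` messages and where at least `min_ratio` of them start
    with STX. Thresholds are tunable assumptions, not values from the report."""
    totals = defaultdict(int)
    hits = defaultdict(int)
    for host, dst, direction, payload in records:
        if direction != "out":
            continue
        key = (host, dst)
        totals[key] += 1
        if stx_prefixed(payload):
            hits[key] += 1
    return {
        key: hits[key]
        for key in totals
        if totals[key] >= min_messages and hits[key] / totals[key] >= min_ratio
    }


if __name__ == "__main__":
    for (host, dst), count in hunt_stx_c2(SAMPLE_RECORDS).items():
        print(f"{host} -> {dst}: {count} STX-prefixed outbound messages")
```

Treat a hit as a lead for the triage steps listed above (persistence, credential access, child processes), not as a confirmed STX RAT infection.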
