VYPR Research · Published Jun 29, 2026 · 1 source

Millenium RAT Rewritten in C++ Infects Over 62,000 Devices Globally

The Millenium RAT, now rewritten in C++ and sold as Malware-as-a-Service by the Y2K Operators, has compromised more than 62,000 devices worldwide, stealing credentials and encrypting files.

A sophisticated remote access trojan (RAT) known as Millenium RAT has seen a dramatic surge in infections, compromising over 62,000 devices across more than 160 countries. The malware, initially observed in late 2023, has undergone a significant transformation, with its latest version, v4, completely rebuilt in native C++ from its previous .NET foundation. This rewrite enhances its stealth capabilities by removing .NET dependencies and making it harder for security solutions to detect.

Analysts at Group-IB have attributed the ongoing exploitation campaign to a threat actor cluster they've dubbed the 'Y2K Operators.' The malware's developer, operating under the alias 'shinyenigma,' actively promotes and sells Millenium RAT as a Malware-as-a-Service (MaaS) on underground forums and even public platforms like GitHub. Pricing is notably low, starting at $50 for the first month, with renewals at $10 or a lifetime access fee of $90, making it accessible to a wide range of aspiring cybercriminals.

The operational scope of Millenium RAT is extensive, with victims ranging from ordinary individual users to would-be attackers who downloaded the tool for their own malicious use. The Y2K Operators employ broad social engineering tactics to distribute the RAT, casting a wide net to maximize infections. The significant increase in compromised devices, with over 39,000 infections reported in the first quarter of 2026 alone, indicates an active scaling of operations and a growing threat.

Once executed on a victim's machine, Millenium RAT establishes persistence by copying itself to the %APPDATA% directory and creating a registry autorun entry. It communicates with its operators via the Telegram Bot API, disguising command-and-control (C2) traffic as legitimate messaging activity and eliminating the need for a dedicated C2 server. Configuration data, including the Telegram token, chat ID, and operational settings, is embedded within the malware, protected by Base64 encoding and a custom XOR algorithm, further evading signature-based detection.
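The two host-level behaviours described above, an autorun entry that launches a copy of the binary from %APPDATA% and command-and-control traffic to the Telegram Bot API, are both observable from ordinary endpoint telemetry. The following Python hunting helper is an added example, not code from the report or from Group-IB: it checks a Run-key snapshot for commands that launch from user-writable directories, and checks network log lines for connections to api.telegram.org from processes outside a small allowlist. The registry entries, log lines, process names and the allowlist are constructed assumptions for the example.

```python
"""Hunting helpers for two behaviours attributed to Millenium RAT:
an autorun entry pointing into %APPDATA% and C2 traffic to the Telegram Bot API.
Added example; all sample records below are constructed, not real telemetry."""
import re
from dataclasses import dataclass

TELEGRAM_API_HOST = "api.telegram.org"

# Processes a defender might reasonably expect to reach the Telegram API
# (assumption for this example; tune to the environment).
EXPECTED_TELEGRAM_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# User-writable locations that should not host autorun targets.
USER_WRITABLE = re.compile(
    r"(%APPDATA%|%LOCALAPPDATA%|%TEMP%|\\AppData\\(Roaming|Local)\\|\\Temp\\)",
    re.IGNORECASE,
)

# Constructed network log format: "<ts> host=<h> pid=<n> image=<exe> dest=<host>:<port>"
NETLOG = re.compile(r"image=(?P<image>\S+)\s+dest=(?P<host>[^:\s]+)(?::(?P<port>\d+))?")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def check_autorun(entries: dict[str, str]) -> list[Finding]:
    """Flag Run-key values whose command line launches from a user-writable path."""
    findings = []
    for name, command in entries.items():
        if USER_WRITABLE.search(command):
            findings.append(Finding("autorun_user_writable_path", f"{name}: {command}"))
    return findings


def check_network(lines: list[str]) -> list[Finding]:
    """Flag Telegram Bot API connections from processes not on the allowlist."""
    findings = []
    for line in lines:
        m = NETLOG.search(line)
        if not m:
            continue  # not a connection record; skip
        if (m["host"].lower() == TELEGRAM_API_HOST
                and m["image"].lower() not in EXPECTED_TELEGRAM_CLIENTS):
            findings.append(Finding("telegram_bot_api_from_unexpected_process", line.strip()))
    return findings


# Constructed Run-key snapshot: one benign Windows entry, one suspicious entry.
SAMPLE_RUN_KEY = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "WindowsUpdateHelper": r'"C:\Users\alice\AppData\Roaming\WindowsUpdateHelper.exe"',
}

# Constructed network log: a browser reaching Telegram (expected), and an
# unknown process reaching the Bot API (suspicious).
SAMPLE_NET_LOG = [
    "2026-06-29T10:12:03Z host=WS01 pid=1204 image=chrome.exe dest=api.telegram.org:443",
    "2026-06-29T10:12:41Z host=WS01 pid=4120 image=WindowsUpdateHelper.exe dest=api.telegram.org:443",
    "2026-06-29T10:13:02Z host=WS01 pid=4120 image=WindowsUpdateHelper.exe dest=update.microsoft.com:443",
]


def hunt(run_key=SAMPLE_RUN_KEY, net_log=SAMPLE_NET_LOG) -> list[Finding]:
    """Run both checks and return the combined findings."""
    return check_autorun(run_key) + check_network(net_log)


if __name__ == "__main__":
    for finding in hunt():
        print(f"[{finding.rule}] {finding.detail}")
```

In a real deployment the Run-key snapshot would come from HKCU and HKLM `...\CurrentVersion\Run` and the network records from proxy, DNS or EDR logs; correlating the two (the same image name appearing in both findings) is what turns two weak signals into a strong one.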

The RAT's capabilities are comprehensive, designed to provide attackers with extensive control over compromised systems. It can steal sensitive information such as browser credentials and cookies, capture screenshots and webcam feeds, record audio, log keystrokes, and exfiltrate session data from popular messaging applications like Telegram and Discord. Additionally, it possesses file-encrypting capabilities, suggesting a potential for ransomware operations.

The Y2K Operators rely heavily on social engineering to deliver the malware. They disguise malicious files as legitimate tools such as credit card generators, crypto balance checkers, hacking utilities, cracked software, and gaming applications. Filenames are crafted to entice immediate execution. In a particularly deceptive tactic, they embed backdoors into existing RATs and exploit builders, then redistribute these tampered files, tricking users into downloading and running malware disguised as useful tools.

To mitigate the risks associated with Millenium RAT, users are advised to exercise extreme caution with unsolicited prompts, especially User Account Control (UAC) requests. Avoiding the execution of files from untrusted sources, using non-administrator accounts for daily tasks, maintaining up-to-date system patches, and enabling multi-factor authentication are crucial steps. The malware's reliance on user trust and standard Windows API calls, rather than zero-day exploits, underscores the importance of user vigilance in preventing infections.

With its low cost, broad capabilities, and continuous development, Millenium RAT poses a persistent and growing threat. The shift to C++ and the use of Telegram for C2 communication demonstrate an adaptive approach by the Y2K Operators to evade detection and maintain operational effectiveness. The widespread global reach and the active scaling of its distribution highlight the urgent need for increased awareness and robust security practices.

Synthesized by Vypr AI