STX RAT: New Remote Access Trojan Targets Finance Sector with Advanced Evasion
A previously undocumented remote access trojan named STX RAT has been discovered targeting the financial services sector, employing multi-stage scripts, XXTEA encryption, and in-memory execution to evade detection.

A previously undocumented remote access trojan (RAT) named STX RAT has been identified following an attempted deployment in a financial services environment in late February 2026. The malware, tracked by eSentire's Threat Response Unit, uses a distinctive communication marker tied to its command-and-control (C2) traffic and demonstrates a high level of technical sophistication.
STX RAT is delivered through multi-stage scripts that escalate privileges and execute payloads directly in memory, avoiding traditional file-based detection. In one observed case, a VBScript file generated and launched a JScript component, which then retrieved a compressed archive containing the main payload and a PowerShell loader. The malware uses XXTEA encryption and Zlib compression for multi-stage unpacking, and employs reflective loading techniques to run entirely in memory.
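As an added illustration (not code from eSentire's report) of how a defender can surface the script-host chain described above, the following walks a set of constructed process-creation events and flags any powershell.exe whose parent chain runs back through Windows Script Host. It assumes the VBScript and JScript stages execute under wscript.exe or cscript.exe; the sample events and paths are made up for the example and are not indicators from the report.

```python
import ntpath

# Assumption: VBScript/JScript stages run under these Windows Script Host binaries.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TARGET = "powershell.exe"

# Constructed, simplified process-creation events (Sysmon-like fields).
# Nothing here is an indicator taken from the STX RAT report.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe"},   # VBScript stage
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe"},   # JScript stage
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # benign, user-launched
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # one-hop chain
]

def _basename(image: str) -> str:
    # ntpath handles backslash paths regardless of the analyst's host OS.
    return ntpath.basename(image).lower()

def ancestry(by_pid: dict, pid: int) -> list:
    """Walk parent links upward; return image basenames from the process to the root."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)               # guard against pid reuse creating a cycle
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain

def find_script_chains(events: list) -> list:
    """Flag powershell.exe processes whose direct ancestors are script hosts.

    Two or more consecutive script-host hops match the VBScript -> JScript ->
    PowerShell pattern and are rated high; a single hop is rated medium.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["image"]) != TARGET:
            continue
        chain = ancestry(by_pid, e["pid"])
        hops = 0
        for name in chain[1:]:      # count script hosts immediately above powershell
            if name not in SCRIPT_HOSTS:
                break
            hops += 1
        if hops:
            hits.append({"pid": e["pid"], "script_host_hops": hops,
                         "severity": "high" if hops >= 2 else "medium",
                         "chain": list(reversed(chain))})
    return hits

if __name__ == "__main__":
    for hit in find_script_chains(SAMPLE_EVENTS):
        print(hit["severity"], hit["pid"], " -> ".join(hit["chain"]))
```

On real telemetry the same walk applies to Sysmon Event ID 1 or EDR process-start records; the chain length, not any single process name, is what separates the staged loader from an administrator opening PowerShell.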
Once active, STX RAT enables attackers to remotely control infected machines through a hidden virtual desktop, allowing actions to be carried out without the user's awareness. Its capabilities extend to harvesting sensitive information from browsers, FTP clients, and cryptocurrency wallets. The malware can also execute additional payloads, create network tunnels, and simulate user input.
Defensive evasion is extensive. STX RAT scans for virtual environments and terminates execution if analysis is suspected. It obscures internal strings using layered encryption techniques and delays its credential-stealing functions until it receives explicit instructions from its command server, reducing detectable behavior during automated analysis.
The malware's C2 communication uses encrypted protocols, making interception and analysis more difficult. eSentire noted that its design suggests ongoing development, with some features not yet fully operational. The researchers isolated the affected system to contain the threat and are continuing to monitor related activity.
Organizations in the financial sector are urged to strengthen endpoint protections and limit exposure to script-based attacks commonly used in initial compromise. The discovery of STX RAT highlights the persistent threat of sophisticated remote access trojans targeting high-value sectors.