Gbhackers
Millenium RAT 4.* Enhances Stealth with Base64 and XOR Encryption
Millenium RAT version 4.* has evolved from .NET to native C++, utilizing a Telegram-based command-and-control model that eliminates the need for dedicated server infrastructure. The malware embeds its configuration in an RCDATA resource, obfuscating it with Base64 and a custom XOR layer, making detection difficult. Group-IB's analysis indicates that the RAT can perform various malicious activities, including keylogging, screenshot capture, and data exfiltration, all while using standard Windows API calls. The reliance on Telegram allows for blending malicious traffic with legitimate API calls, complicating network detection efforts. The malware is distributed by a group known as the Y2K Operators, with the developer marketed as ShinyEnigma. The rapid adoption of this RAT is evidenced by telemetry showing over 62,289 infected systems. This evolution poses significant challenges for cybersecurity defenses.
Key Points:
• Millenium RAT 4.* uses Base64 and XOR for configuration obfuscation.
• The malware operates via Telegram, complicating detection efforts.
• Over 62,289 systems are reported to be infected by this RAT.
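To show how an analyst can unwrap a Base64-plus-XOR resource like the one described above, here is an added example (not code from the article or from Group-IB): it models the two layers on a constructed config blob and recovers the XOR key by known-plaintext search. The layer order (XOR first, then Base64), the key, and the presence of a crib such as "api.telegram.org" in the config are all assumptions; the real sample's key and layout are not given in the article.

```python
import base64
import string
from itertools import cycle
from typing import Optional

# Constructed sample only: invented config text and key. The article names the
# layers (Base64 plus a custom XOR) but not the key, the layer order or the
# config layout, so all three are assumptions here.
SAMPLE_CONFIG = b'{"bot":"<PLACEHOLDER_TOKEN>","chat":"<PLACEHOLDER_ID>","api":"api.telegram.org"}'
SAMPLE_KEY = b"\x5a\x17\x3c\xc1"
PRINTABLE = set(string.printable.encode())


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def obfuscate(config: bytes, key: bytes) -> bytes:
    """XOR first, then Base64: the order assumed for the constructed sample."""
    return base64.b64encode(xor(config, key))


def recover_key(blob: bytes, crib: bytes, max_len: int = 16) -> Optional[bytes]:
    """Known-plaintext key recovery: slide `crib` (a string the config must
    contain) over the XORed bytes, derive the key stream at that offset, and
    accept the shortest period that decodes the whole blob to printable text."""
    for off in range(len(blob) - len(crib) + 1):
        stream = xor(blob[off:off + len(crib)], crib)  # key bytes at positions off..
        for klen in range(1, min(max_len, len(stream)) + 1):
            # Re-align the stream so key[0] corresponds to blob[0].
            key = bytes(stream[(j - off) % klen] for j in range(klen))
            plain = xor(blob, key)
            if crib in plain and set(plain) <= PRINTABLE:
                return key
    return None


def extract_config(resource: bytes, crib: bytes) -> Optional[bytes]:
    """Decode an RCDATA-style blob: strip Base64, then recover and apply the XOR key."""
    try:
        raw = base64.b64decode(resource, validate=True)
    except ValueError:  # binascii.Error is a ValueError: not Base64 at all
        return None
    key = recover_key(raw, crib)
    return xor(raw, key) if key else None


if __name__ == "__main__":
    blob = obfuscate(SAMPLE_CONFIG, SAMPLE_KEY)
    print(extract_config(blob, b"api.telegram.org"))
```

On a real resource the crib would be whatever string the analyst expects in the config (a Telegram API host is a reasonable first guess given the C2 model); if the layers are applied in the opposite order, Base64 must be stripped after the XOR instead.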