Advanced Threat: All-in-One RAT Combines Credential Theft, Ransomware, DDoS, and More
Steaelite: A Remote Access Trojan with Multiple Malicious Capabilities
A recently discovered remote access trojan (RAT) has been found to combine multiple malicious capabilities into a single, web-based control panel. Dubbed Steaelite, this malware-as-a-service (MaaS) offering has been advertised on cybercrime forums since November 2025 and targets Windows 10 and 11 systems.
Capabilities and Features
Upon infection, Steaelite immediately begins exfiltrating stored passwords and cookies from browsers, with notifications sent to the attacker via a Discord bot integration. The RAT’s control panel provides various modules for managing victim systems and conducting post-exploitation activities.
- Remote code execution (RCE) module for deploying commands with a single click and receiving output in the browser.
- File manager module for unrestricted access to browse and manipulate files on the compromised system.
- Developer tools section with modules such as a keylogger, User Account Control (UAC) bypass tool, and a crypto clipper for replacing copied cryptocurrency wallets with the attacker’s own.
- Client-to-victim chat module for social engineering tactics.
Advanced Tools and Features
The RAT also includes an advanced tools section, which features a module for deploying ransomware, enabling attackers to conduct double extortion attacks. Other advanced tools include:
- Hidden Remote Desktop Protocol (RDP) module.
- Windows Defender management modules.
- Module for installing additional payloads.
- Process management, clipboard management, password recovery, and VB.NET compilation modules.
Furthermore, Steaelite’s control panel includes a module for launching distributed denial-of-service (DDoS) attacks. A pop-up advertisement for an upcoming Android ransomware tool appears upon logging in to the dashboard, indicating the MaaS’ continued development and addition of new features.
The researchers warn that tools like Steaelite make it easier for attackers to conduct double extortion attacks without the need to coordinate between initial access brokers, affiliate-based ransomware gangs, and separate payloads for access, exfiltration, and encryption.
The blurring of lines between data theft and ransomware at the tooling level poses a significant threat to organizations. As researchers note, stopping ransomware at the point of encryption may be too late if the data has already been exfiltrated through the same tool’s exfiltration modules.
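The point above argues for detecting the exfiltration stage rather than waiting for encryption indicators. The following is an added illustration, not code from the article, the researchers, or any product: a small correlation detector that runs over constructed endpoint telemetry and flags a non-browser process that reads a browser credential store and then, within a short window, opens a connection to Discord's infrastructure (the notification channel the article describes). The log format, field names, hostnames, process image names and paths are all assumptions made up for this example; the time window and the list of credential-store file names are illustrative tuning values, not indicators published anywhere.

```python
"""Correlate browser credential-store reads with Discord traffic.

Added example: not from the original article or the researchers.
All telemetry below is constructed; the pipe-separated format
"timestamp|host|pid|image|event|detail" is an assumption.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry (hostnames, pids, images and paths are invented).
SAMPLE_LOGS = """\
2025-12-01T09:00:01|ws-17|4120|svc_helper.exe|file_read|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2025-12-01T09:00:02|ws-17|4120|svc_helper.exe|file_read|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies
2025-12-01T09:00:04|ws-17|4120|svc_helper.exe|net_connect|discord.com:443
2025-12-01T09:05:00|ws-17|2200|chrome.exe|file_read|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2025-12-01T09:05:01|ws-17|2200|chrome.exe|net_connect|discord.com:443
2025-12-01T09:10:00|ws-22|3001|svc_helper.exe|file_read|C:\\Users\\bob\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abc.default\\logins.json
2025-12-01T10:30:00|ws-22|3001|svc_helper.exe|net_connect|discord.com:443
"""

# Illustrative tuning values (assumptions, adjust to your environment).
CREDENTIAL_STORE_MARKERS = ("login data", "cookies", "logins.json", "key4.db")
DISCORD_HOSTS = ("discord.com", "discordapp.com")
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse the constructed pipe-separated telemetry into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, pid, image, event, detail = line.split("|", 5)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "pid": int(pid),
            "image": image.lower(),
            "event": event,
            "detail": detail,
        })
    return events


def is_credential_store(path):
    """True if the path looks like a browser password or cookie database."""
    lowered = path.lower()
    return any(marker in lowered for marker in CREDENTIAL_STORE_MARKERS)


def is_discord_endpoint(dest):
    """True if 'host:port' points at discord.com/discordapp.com or a subdomain."""
    host = dest.rsplit(":", 1)[0].lower()
    return host in DISCORD_HOSTS or host.endswith(tuple("." + h for h in DISCORD_HOSTS))


def detect_exfil_precursors(events, window=WINDOW):
    """Return one alert per (host, pid) that reads a credential store and then
    connects to Discord within `window`. Browser processes are excluded because
    they legitimately read their own stores and may browse to Discord."""
    last_read = {}  # (host, pid) -> (timestamp, path) of the latest store read
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["image"] in BROWSER_IMAGES:
            continue
        key = (ev["host"], ev["pid"])
        if ev["event"] == "file_read" and is_credential_store(ev["detail"]):
            last_read[key] = (ev["ts"], ev["detail"])
        elif ev["event"] == "net_connect" and is_discord_endpoint(ev["detail"]):
            if key not in last_read:
                continue
            read_ts, path = last_read[key]
            gap = ev["ts"] - read_ts
            if timedelta(0) <= gap <= window:
                alerts.append({
                    "host": ev["host"],
                    "pid": ev["pid"],
                    "image": ev["image"],
                    "store": path,
                    "dest": ev["detail"],
                    "seconds_between": int(gap.total_seconds()),
                })
                del last_read[key]  # one alert per sequence, not per connection
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil_precursors(parse_log(SAMPLE_LOGS)):
        print(f"ALERT {alert['host']} pid={alert['pid']} {alert['image']} "
              f"read {alert['store']} then reached {alert['dest']} "
              f"after {alert['seconds_between']}s")
```

On the constructed sample this raises exactly one alert, for the non-browser process on ws-17: the chrome.exe sequence is suppressed as expected browser behaviour, and the ws-22 process is not flagged because its Discord connection comes 80 minutes after the credential read, outside the window. Real deployments would feed this from EDR or Sysmon-style file and network events and would also tune the window and image allow-list, but the shape is the point: the alert fires at the credential-theft stage, before any ransomware module has a chance to run.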
