
STX RAT: New Remote Access Trojan Strikes Finance Sector With Advanced Stealth


In late February 2026, a previously undocumented remote access trojan—dubbed STX RAT—was uncovered during an attempted attack on a financial services firm. This sophisticated malware, identified by eSentire’s Threat Response Unit, employs advanced stealth tactics and encrypted communications to evade detection and steal sensitive data. Its emergence signals a growing threat to the finance sector, where attackers are increasingly leveraging complex delivery chains and in-memory execution.

How STX RAT Delivers Its Payload

The STX RAT delivery chain is notably intricate, relying on multi-stage scripts to gain initial access. Attackers use opportunistic methods, such as browser-downloaded scripts and trojanized installers, to infiltrate systems. In one observed case, a VBScript file launched a JScript component, which then retrieved a compressed archive containing the main payload and a PowerShell loader.

This approach avoids traditional file-based detection by executing payloads directly in memory. The malware uses XXTEA encryption and Zlib compression across its multi-stage unpacking, which makes analysis more difficult for security tools. It also uses reflective loading via PowerShell, and it maintains persistence through registry-based autorun entries and COM hijacking.

Advanced Stealth and Evasion Tactics

A defining feature of STX RAT is its encrypted communication protocol, which secures data exchanges between infected systems and attacker infrastructure. Encrypting the command-and-control channel complicates traffic interception and analysis. Moreover, the malware delays its credential-stealing functions until it receives explicit commands from its command server, reducing detectable behavior during automated analysis.

Defensive evasion is extensive. The trojan scans for virtual environments, terminates execution if analysis is suspected, and obscures internal strings using layered encryption. These advanced stealth tactics make it challenging for standard endpoint protections to detect the threat in real time.

Broad Surveillance and Control Capabilities

Once active, STX RAT enables attackers to remotely control infected machines through a hidden virtual desktop, allowing actions without user awareness. Its capabilities extend to harvesting sensitive information from browsers, FTP clients, and cryptocurrency wallets. The malware can also execute additional payloads, create network tunnels, and simulate user input.

The command structure supports a wide range of post-exploitation actions, from credential extraction to full system interaction. eSentire noted that its design suggests ongoing development, with some features not yet fully operational. This indicates the threat may evolve further, targeting additional sectors.

Protecting Against STX RAT and Similar Threats

To defend against STX RAT and similar remote access trojans, organizations must strengthen endpoint protections and limit exposure to script-based attacks. Building on this, eSentire urges firms to implement robust email filtering, restrict PowerShell execution, and monitor for unusual network traffic. Endpoint security best practices can help mitigate these risks.
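The script-host chain described under delivery (a VBScript launching JScript, which then hands off to a PowerShell loader) is one pattern the monitoring recommended here can look for in process-creation telemetry. The following is an added example, not code from the article or from eSentire; the Sysmon-style field names (pid, ppid, image, cmdline) and the sample events are constructed assumptions.

```python
import re

# Script hosts and script extensions that appear in the described delivery chain
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)
# PowerShell switches typical of hidden, encoded or profile-less loaders
PS_SUSPICIOUS = re.compile(
    r"-(enc|encodedcommand|e|nop|noprofile|noni|noninteractive)\b"
    r"|-w(indowstyle)?\s+hidden", re.IGNORECASE)

def image_name(path):
    """Lower-cased basename of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect_script_chain(events):
    """One alert per suspicious PowerShell launch whose ancestry contains a
    script host (wscript/cscript) running a script file; chain is root-first."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if image_name(e["image"]) not in {"powershell.exe", "pwsh.exe"}:
            continue
        if not PS_SUSPICIOUS.search(e["cmdline"]):
            continue
        hops, parent = [], by_pid.get(e["ppid"])
        for _ in range(8):  # bounded walk up the process tree
            if parent is None:
                break
            m = SCRIPT_EXT.search(parent["cmdline"])
            if image_name(parent["image"]) in SCRIPT_HOSTS and m:
                hops.append(f"{image_name(parent['image'])} ({m.group(0).lower()})")
            parent = by_pid.get(parent["ppid"])
        if hops:  # plain admin PowerShell with no script-host ancestry is skipped
            alerts.append({"pid": e["pid"], "chain": hops[::-1] + [image_name(e["image"])]})
    return alerts

# Constructed Sysmon-style process-creation records (not real telemetry)
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\invoice.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //E:jscript "C:\Users\u\AppData\Local\Temp\stage.js"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEAQQA="},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -File C:\scripts\backup.ps1"},  # benign admin use
]
```

Running `detect_script_chain(SAMPLE_EVENTS)` reports only the PowerShell launched beneath the VBScript-then-JScript chain; the administrator's profile-less PowerShell under cmd.exe is not flagged.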

Furthermore, regular security awareness training is critical. Employees should be cautious of suspicious downloads and links, as initial access often relies on social engineering. Cyber threat intelligence tips can provide additional guidance on staying ahead of emerging malware.

As the finance sector remains a prime target, proactive defense measures are essential. Ransomware prevention strategies also apply to trojans like STX RAT, emphasizing the need for layered security.
