Millenium: A RAT Rewritten, a Threat Multiplied

    Date: 07/07/2026

    Severity: High

    Summary

    Millenium RAT v4 is a C++-based Remote Access Trojan (RAT) offered as a Malware-as-a-Service (MaaS) by the developer ShinyEnigma and actively deployed by the Y2K Operators threat cluster. The malware uses the Telegram Bot API for command-and-control, eliminating the need for dedicated C2 servers, and enables credential theft, keylogging, screenshot and audio capture, arbitrary code execution, and system compromise. Researchers identified over 62,000 infected endpoints across more than 160 countries, with infections accelerating sharply in Q1 2026, highlighting the malware's rapidly expanding global impact. 

    Indicators of Compromise (IOC) List

    Domains/URLs

    http://158.94.208.168/files/8514679081/DRTjyu7.exe

    https://www.thesnapchatmodapk.com/update1.exe

    https://modedapk.net/update1.exe

    https://75877.mcdir.me/files/doc1.exe

    http://kuttabilla.top/mr.exe

    http://62.60.226.97:5553/voshod.exe

    http://130.12.180.43/files/7924412375/upOSLDn.exe

    https://blackhatusa.com/setup.exe

    https://blackhatusa.com/clip.exe

    http://blackhatusa.com/mr.exe

    https://blackhatusa.com/update.exe

    Hash

    1d699a46339626db299548e32ed3a77eec267840c3de39b49caf38b88aeb150d

    2267d05dbd5e30c6dfcdde25731280dd755e689faa684bd21cfbef5281fd3e86

    12b41c07299d2535f7cdc194d97496acd944a9eb5d94b8d24b19291ed9d0830c

    1d52ded1f3838a1eee849ae20b2fee6c84b183cc98abe7244365b9f34b925eea

    4e035575be8fe350a9e36cf29dbbc8826af2f772672bd08c9e489a243cb90e31

    1c01ab1b59245f24ebdc5d9c414fcf4e2ce31f71f181522efc5a3d27476c8e21

    e4496565d9fd2f9425c10a98d3a8632c12af5fe4259484cb202d7f65532b7df2

    ad0f892b7b99b68491ade4949ef6b575e64d9df5f84a53019b5c1e4eeb4c46a9

    ad74f502cc37e815482df49f118b2f678daf1a3f522daf07a2abeb32c2ed3831

    2d8e5a2763f9a899fda44390d5b8495836c11fb266a61868d52d1f397c5243ee

    cc47209d2e4d5a9b2b1d71622b0ad7f73e9c4aa56edd9aaf1e29265650c30f16

    85816d89dac648645a9026973772815e956c267232b3d2577a06a43418f19ed3

    92710bdb44279dbe8ccff34ba698d1558fa6d271c99ed4960ccbfb6d518d9418

    a8acc24bb3e6a1a3b66a31ceaefda07d4a0e17415468683458b499f2ba240450

    d55ce447e249ef9045750865fa196c8ca8434c8c484f861b7bdecbceeab7c16e

    a97f15d7bfad02a600eba426c3ef72be34e944a7c8364a975c53866735f7aa4e

    fc41c336b79cbc6559a17d716b84101dbef1adc5357b643a75111af442719611

    5a23ca644cb1f310be1abd5f6c6a3b3e15681ced99b0947a7f3465a79aae5089

    3e17ce0b30b9fd6863b341ae58ee118dc13f2ee7f1c92ac4b81c04d54480d0e0

    7d8b6a64f7b65b281e7b5568929c6f96c62bbae9628162aabe7d8140a86d3de8

    307964ed02f34bff4e40c5402cc936be07fd9957ef400596a4b3e2cd98c50ec1

    8bef879c6920cdce7c01b8dbb7da24dca23b8822a7aa00dfc72cb32f55879a24

    19e0070e5009bd5b376b9be997361d0773dcb004200ee8fafe6c14b96cbd93e4

    88f9e169a85dcf6a1c03bf3ca1b1a262ed32baeca46cb87f0324adfdc098d4a2

    5562246e38f8935ba8b07350e6aaa44bc22abf37b77f49836fde5999f4b61cf1

    de3842bbb6626912d5b9b01fb775e1843004edb5855d4e627fd74b88bc7fe33b

    ccca11a6d5835999c40a0a5264084b3740633600c157754fad2ef59559e31736

    8f8a71352d2f18162f2f74090dc6f0cae6b37029e3244e6522825ade75163055

    57edeb575862ce8d3bff2eb4d32d9e3fa1ffb7cb8f818e2e7fc6d25a506faea6

    2d5615acd1b0666995fd124fb72f2713c6609b5368350340288b52fecbdd016d

    848036661c71b80ee41566918faa5eae3bf4f03ae807bb4af42cb483b6c141e2

    aa2ccd18a7a09f66ca5c1bbd927f7fe411bd3874df77b0eaf40738dab7566606

    a4b34b94a905fe330b0a3e4502aa45356e383a8f45ff1d008b785ea0ec14acaf

    a911fe0259772906447d7e80a902ea954f3530edd9ea7d0427b6380707a8e681

    7a370a9262d37de6a24706f92ff0cdded7202281a6ff3bf313721756226ebff9

    66bf111030a2e22db575c0b7b7b677208745eef8b44265bb4259f41f126f1bf8

    512adab2c69feaf026adfb12cbd7d2eb4fee746120491e44f476eebddcbb19f2

    8419b1f0acca46d45f4c54c315c8cc4784946e07d547fe55187b928fa6c6b8f5

    4991873515d6dea70d7769cf67ccd8ea69184e5e454a6e6d1e093b6a3c48eb47

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "https://www.thesnapchatmodapk.com/update1.exe" or url like "https://www.thesnapchatmodapk.com/update1.exe" or siteurl like "https://www.thesnapchatmodapk.com/update1.exe" or domainname like "http://62.60.226.97:5553/voshod.exe" or url like "http://62.60.226.97:5553/voshod.exe" or siteurl like "http://62.60.226.97:5553/voshod.exe" or domainname like "https://75877.mcdir.me/files/doc1.exe" or url like "https://75877.mcdir.me/files/doc1.exe" or siteurl like "https://75877.mcdir.me/files/doc1.exe" or domainname like "http://blackhatusa.com/mr.exe" or url like "http://blackhatusa.com/mr.exe" or siteurl like "http://blackhatusa.com/mr.exe" or domainname like "http://kuttabilla.top/mr.exe" or url like "http://kuttabilla.top/mr.exe" or siteurl like "http://kuttabilla.top/mr.exe" or domainname like "https://blackhatusa.com/clip.exe" or url like "https://blackhatusa.com/clip.exe" or siteurl like "https://blackhatusa.com/clip.exe" or domainname like "http://158.94.208.168/files/8514679081/DRTjyu7.exe" or url like "http://158.94.208.168/files/8514679081/DRTjyu7.exe" or siteurl like "http://158.94.208.168/files/8514679081/DRTjyu7.exe" or domainname like "https://modedapk.net/update1.exe" or url like "https://modedapk.net/update1.exe" or siteurl like "https://modedapk.net/update1.exe" or domainname like "https://blackhatusa.com/update.exe" or url like "https://blackhatusa.com/update.exe" or siteurl like "https://blackhatusa.com/update.exe" or domainname like "https://blackhatusa.com/setup.exe" or url like "https://blackhatusa.com/setup.exe" or siteurl like "https://blackhatusa.com/setup.exe" or domainname like "http://130.12.180.43/files/7924412375/upOSLDn.exe" or url like "http://130.12.180.43/files/7924412375/upOSLDn.exe" or siteurl like "http://130.12.180.43/files/7924412375/upOSLDn.exe"

    Detection Query 2 :

    sha256hash IN ("2d8e5a2763f9a899fda44390d5b8495836c11fb266a61868d52d1f397c5243ee","4991873515d6dea70d7769cf67ccd8ea69184e5e454a6e6d1e093b6a3c48eb47","a8acc24bb3e6a1a3b66a31ceaefda07d4a0e17415468683458b499f2ba240450","88f9e169a85dcf6a1c03bf3ca1b1a262ed32baeca46cb87f0324adfdc098d4a2","a97f15d7bfad02a600eba426c3ef72be34e944a7c8364a975c53866735f7aa4e","3e17ce0b30b9fd6863b341ae58ee118dc13f2ee7f1c92ac4b81c04d54480d0e0","512adab2c69feaf026adfb12cbd7d2eb4fee746120491e44f476eebddcbb19f2","66bf111030a2e22db575c0b7b7b677208745eef8b44265bb4259f41f126f1bf8","8bef879c6920cdce7c01b8dbb7da24dca23b8822a7aa00dfc72cb32f55879a24","1d52ded1f3838a1eee849ae20b2fee6c84b183cc98abe7244365b9f34b925eea","cc47209d2e4d5a9b2b1d71622b0ad7f73e9c4aa56edd9aaf1e29265650c30f16","d55ce447e249ef9045750865fa196c8ca8434c8c484f861b7bdecbceeab7c16e","307964ed02f34bff4e40c5402cc936be07fd9957ef400596a4b3e2cd98c50ec1","8419b1f0acca46d45f4c54c315c8cc4784946e07d547fe55187b928fa6c6b8f5","8f8a71352d2f18162f2f74090dc6f0cae6b37029e3244e6522825ade75163055","92710bdb44279dbe8ccff34ba698d1558fa6d271c99ed4960ccbfb6d518d9418","fc41c336b79cbc6559a17d716b84101dbef1adc5357b643a75111af442719611","57edeb575862ce8d3bff2eb4d32d9e3fa1ffb7cb8f818e2e7fc6d25a506faea6","e4496565d9fd2f9425c10a98d3a8632c12af5fe4259484cb202d7f65532b7df2","7d8b6a64f7b65b281e7b5568929c6f96c62bbae9628162aabe7d8140a86d3de8","ad74f502cc37e815482df49f118b2f678daf1a3f522daf07a2abeb32c2ed3831","5562246e38f8935ba8b07350e6aaa44bc22abf37b77f49836fde5999f4b61cf1","a911fe0259772906447d7e80a902ea954f3530edd9ea7d0427b6380707a8e681","85816d89dac648645a9026973772815e956c267232b3d2577a06a43418f19ed3","2267d05dbd5e30c6dfcdde25731280dd755e689faa684bd21cfbef5281fd3e86","de3842bbb6626912d5b9b01fb775e1843004edb5855d4e627fd74b88bc7fe33b","aa2ccd18a7a09f66ca5c1bbd927f7fe411bd3874df77b0eaf40738dab7566606","ccca11a6d5835999c40a0a5264084b3740633600c157754fad2ef59559e31736","ad0f892b7b99b68491ade4949ef6b575e64d9df5f84a53019b5c1e4eeb4c46a9","5a23ca644cb1f310be1abd5f6c6a3b3e15681ced99b0947a7f3465a79aae5089","4e035575be8fe350a9e36cf29dbbc8826af2f772672bd08c9e489a243cb90e31","7a370a9262d37de6a24706f92ff0cdded7202281a6ff3bf313721756226ebff9","a4b34b94a905fe330b0a3e4502aa45356e383a8f45ff1d008b785ea0ec14acaf","12b41c07299d2535f7cdc194d97496acd944a9eb5d94b8d24b19291ed9d0830c","1d699a46339626db299548e32ed3a77eec267840c3de39b49caf38b88aeb150d","1c01ab1b59245f24ebdc5d9c414fcf4e2ce31f71f181522efc5a3d27476c8e21","19e0070e5009bd5b376b9be997361d0773dcb004200ee8fafe6c14b96cbd93e4","848036661c71b80ee41566918faa5eae3bf4f03ae807bb4af42cb483b6c141e2","2d5615acd1b0666995fd124fb72f2713c6609b5368350340288b52fecbdd016d")

    Reference:    

    https://www.group-ib.com/blog/millenium-rat-maas/#introduction              


    Tags

    MalwareRATMaaSTelegramCredential HarvestingKeylogger

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags