Credential and cryptocurrency theft, live surveillance, ransomware - an attacker's Swiss Army knife

A new remote access trojan (RAT) being sold on cybercrime networks enables double extortion attacks on Windows machines by bundling ransomware and data theft, along with credential and cryptocurrency stealers, live surveillance, and a whole host of other illicit capabilities, all controllable from a centralized dashboard.

BlackFog researchers first spotted the malware, called Steaelite and touted as "fully undetectable" and the "best Windows RAT," in November 2025. It works across Windows 10 and 11, with an Android module reportedly in development.

Steaelite's operator interface runs entirely in the browser, and the RAT starts stealing victims' data even before the criminals open the dashboard. 

"When a new victim connects, Steaelite automatically harvests browser-stored passwords, session cookies, and application tokens before the operator issues any commands," according to the AI-based security shop. "Data theft begins at the moment of connection."

The dashboard includes a primary toolbar plus two additional sections, with ...