Fake Xeno and Roblox gaming tools are spreading a Windows RAT (remote access trojan) using PowerShell and LOLBins, Microsoft Threat Intelligence warns.



Cybersecurity researchers at Microsoft Threat Intelligence have found that attackers are circulating fake gaming tools that install a remote access trojan (RAT) when users run the files. The campaign relies on trojanized executables distributed through browsers and chat platforms, convincing victims to download software such as Xeno.exe or RobloxPlayerBeta.exe, which appear legitimate at first glance.

According to the researchers, the initial file acts as a downloader that prepares the system for the next stage of the attack. It installs a portable Java runtime and launches a malicious Java archive named jd-gui.jar (a name borrowed from the legitimate JD-GUI Java decompiler), which continues the infection process.

Instead of dropping obvious malware components, the attackers lean on built-in Windows tools. The downloader runs its commands through PowerShell and abuses signed system binaries such as cmstp.exe, the Connection Manager Profile Installer, which can be made to execute commands referenced from an INF file it is handed.

These trusted executables, often referred to as living-off-the-land binaries (LOLBins), let attackers carry out malicious actions with software already present on Windows, so the activity blends in with normal system behaviour and slips past controls that only look for unknown or unsigned executables ...
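The chain described above (game-tool downloader spawns PowerShell, PowerShell unpacks a portable Java runtime that runs a JAR, Java or PowerShell then launches cmstp.exe) leaves a recognisable parent/child trail in process-creation telemetry. The following is an added hunting example, not code from Microsoft, hackread.com or the campaign; it assumes Sysmon Event ID 1 style fields (Image, ParentImage, CommandLine), the sample events are constructed, and the rule names and user-writable path list are assumptions to tune for your environment.

```python
"""Triage Sysmon-style process-creation events for the LOLBin chain described in
the article.  Example code added here; all sample events are constructed."""
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Interpreters that should essentially never be the parent of cmstp.exe on a workstation.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "java.exe", "javaw.exe"}
JAVA_HOSTS = {"java.exe", "javaw.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Path fragments marking locations a standard user can write to (assumption; extend as needed).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# JAR name reported in the campaign. Weak indicator: trivially renamed by the attacker.
KNOWN_JAR = "jd-gui.jar"


@dataclass
class ProcEvent:
    image: str          # full path of the new process (Sysmon: Image)
    parent_image: str   # full path of the parent process (Sysmon: ParentImage)
    command_line: str   # Sysmon: CommandLine


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def triage(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event trips (empty list means nothing noteworthy)."""
    hits: List[str] = []
    img, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line.lower()

    # Stage 3: cmstp.exe driven by a script host, or fed an INF that lives in a user-writable path.
    if img == "cmstp.exe":
        if parent in SCRIPT_HOSTS:
            hits.append("cmstp_from_script_host")
        if ".inf" in cmd and in_user_writable(cmd):
            hits.append("cmstp_inf_user_writable")

    # Stage 2: a Java runtime that is not installed system-wide launching a JAR.
    if img in JAVA_HOSTS and in_user_writable(ev.image) and "-jar" in cmd:
        hits.append("portable_java_runs_jar")
        if KNOWN_JAR in cmd:
            hits.append("known_jar_name")

    # Stage 1: PowerShell spawned by an executable running from a user-writable path
    # (lower confidence on its own; some updaters do this, so treat it as a triage signal).
    if img in POWERSHELL and in_user_writable(ev.parent_image) and parent not in SCRIPT_HOSTS:
        hits.append("powershell_from_user_writable_parent")

    return hits


def hunt(events: List[ProcEvent]) -> List[Tuple[str, List[str]]]:
    """Return (process name, tripped rules) for every event that tripped at least one rule."""
    flagged = []
    for ev in events:
        hits = triage(ev)
        if hits:
            flagged.append((basename(ev.image), hits))
    return flagged


# Constructed sample telemetry: three events mimicking the reported chain, two benign baselines.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\Downloads\Xeno.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden -Command <constructed>"),
    ProcEvent(r"C:\Users\alice\AppData\Local\jre\bin\javaw.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"javaw.exe -jar C:\Users\alice\AppData\Local\jd-gui.jar"),
    ProcEvent(r"C:\Windows\System32\cmstp.exe",
              r"C:\Users\alice\AppData\Local\jre\bin\javaw.exe",
              r"cmstp.exe /ni /s C:\Users\alice\AppData\Local\Temp\profile.inf"),
    # Benign: the real Roblox client started from Explorer (its installer does live under AppData).
    ProcEvent(r"C:\Users\alice\AppData\Local\Roblox\Versions\version-x\RobloxPlayerBeta.exe",
              r"C:\Windows\explorer.exe",
              "RobloxPlayerBeta.exe"),
    # Benign: an admin installing a VPN connection profile from Program Files.
    ProcEvent(r"C:\Windows\System32\cmstp.exe",
              r"C:\Windows\explorer.exe",
              r'cmstp.exe "C:\Program Files\Contoso VPN\corp.inf"'),
]

if __name__ == "__main__":
    for name, rules in hunt(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(rules)}")
```

The rules key on parent/child relationships and on where binaries and INF files live rather than on the downloader's file name, because the lure name (Xeno.exe, RobloxPlayerBeta.exe) and the JAR name are the cheapest things for the attacker to change; the `known_jar_name` rule is included only to show how a campaign-specific indicator layers on top of the behavioural ones.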


Copyright of this story solely belongs to hackread.com, where the full text is available.