
New Python RAT Targets Gamers via Minecraft

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

A new multi-function Python RAT has been discovered targeting gamers through Minecraft. The malware, posing as a legitimate Minecraft client called 'Nursultan Client', uses the Telegram Bot API for command and control. Its capabilities include screenshot capture, webcam access, Discord token theft and opening URLs on the victim machine. It attempts to persist on Windows systems, but its persistence code contains implementation flaws. It specifically targets Discord authentication tokens and performs system reconnaissance. The use of Telegram for C2 and the focus on gamers suggest a Malware-as-a-Service model, with the author likely selling customized versions to other threat actors.

OPENCTI LABELS :

rat,telegram,python,gaming,discord,minecraft,surveillance,token theft,nursultan client


AI COMMENTARY :

1. In recent weeks security researchers have uncovered a new Python-based remote access trojan that specifically targets the gaming community by masquerading as a legitimate Minecraft client known as the Nursultan Client. This multi-function RAT leverages the popularity of Minecraft to lure unsuspecting users into installing what appears to be a harmless gaming client. Once in place, the malware turns the victim's system into a surveillance platform designed to harvest sensitive data and grant remote access to threat actors.

2. The initial infection vector relies on social engineering within gaming circles. Attackers distribute the Nursultan Client through unofficial Minecraft forums and file-sharing repositories. Gamers seeking new features or better performance are tricked into downloading a binary presented as the client. That binary bundles a Python runtime together with the malicious scripts. Upon execution, the malware tries to establish persistence on Windows machines by creating startup entries, but these routines contain implementation flaws, which researchers have flagged as a weakness defenders can exploit when remediating an infection.

3. For command and control the RAT uses the Telegram Bot API, so operators issue instructions to infected hosts as ordinary Telegram messages and receive output the same way. All of this travels over HTTPS to Telegram's public API endpoint (api.telegram.org), so it blends in with legitimate Telegram use and leaves defenders no attacker-owned server to block. The same channel carries automatic status reports from infected hosts. One consequence of this design works in the defender's favour: the bot token, which is the only credential needed to read and send on that channel, has to be embedded in the implant and can be recovered from a sample.
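The following is an added example for analysts, not code from the report or from the malware. It shows what the Telegram Bot API channel looks like from the defender's side: the bot token is recovered from a strings dump of a sample with a regex (the strings dump, the token and the getUpdates reply below are all constructed), the endpoint URL is rebuilt from it, and a getUpdates response is parsed into the (chat_id, text) pairs a Telegram-based RAT dispatches on.

```python
import json
import re
from typing import List, Tuple

# Added example for analysts, not code from the report or from the malware.
# Every Bot API call is an HTTPS request of the form
#   https://api.telegram.org/bot<TOKEN>/<method>
# so the bot token must ship inside the client. The strings dump below is a
# constructed stand-in for `strings` output over an unpacked sample.

TELEGRAM_API = "https://api.telegram.org"
# Bot tokens are "<numeric bot id>:<35-char secret>"; the lookarounds stop the
# match from splitting a longer digit run or running into a following URL path.
BOT_TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")

SAMPLE_STRINGS = """\
PyInstaller
sendMessage
https://api.telegram.org/bot1234567890:AAFakeTokenForIllustration000000000/getUpdates
chat_id
"""


def extract_bot_tokens(blob: str) -> List[str]:
    """Return unique bot tokens found in a strings dump, in order of appearance."""
    found: List[str] = []
    for match in BOT_TOKEN_RE.finditer(blob):
        if match.group(1) not in found:
            found.append(match.group(1))
    return found


def api_url(token: str, method: str) -> str:
    """Build the endpoint the implant (or an analyst holding the token) would call."""
    return f"{TELEGRAM_API}/bot{token}/{method}"


def parse_commands(updates_json: str) -> List[Tuple[int, str]]:
    """Turn a getUpdates response into (chat_id, text) pairs; text messages
    from the operator's chat are what a Telegram-based RAT dispatches on."""
    data = json.loads(updates_json)
    if not data.get("ok"):
        return []
    commands: List[Tuple[int, str]] = []
    for update in data.get("result", []):
        message = update.get("message") or {}
        text = message.get("text")
        chat_id = (message.get("chat") or {}).get("id")
        if text and chat_id is not None:
            commands.append((chat_id, text))
    return commands


# Constructed getUpdates reply in the documented Bot API shape.
SAMPLE_UPDATES = json.dumps({
    "ok": True,
    "result": [
        {"update_id": 1, "message": {"message_id": 10, "chat": {"id": 987654321}, "text": "/screenshot"}},
        {"update_id": 2, "message": {"message_id": 11, "chat": {"id": 987654321}, "text": "/open https://example.com"}},
    ],
})

if __name__ == "__main__":
    for token in extract_bot_tokens(SAMPLE_STRINGS):
        print("bot token:", token)
        print("poll URL :", api_url(token, "getUpdates"))
    for chat_id, text in parse_commands(SAMPLE_UPDATES):
        print(f"chat {chat_id} -> {text}")
```

With a recovered token, getMe identifies the bot and getUpdates shows the operator's chat_id. Keep in mind that getUpdates consumes the queue the operator reads from, so querying a live bot is an operational decision that can tip the operator off, not a passive lookup.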

4. Once active the malware offers a suite of capabilities that underscore its focus on gaming and communications platforms. It can capture screenshots of gameplay sessions or desktop activity and capture webcam images to spy on victims. The RAT specifically hunts for Discord authentication tokens stored locally by the Discord desktop client and exfiltrates them, giving attackers direct access to gamers' communication channels and servers without needing the password. Additional functionality lets the operator open arbitrary URLs on the victim machine, which can be used for further payload delivery or phishing campaigns.
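To make the token-theft step concrete, here is an added example (not code from the report or from the malware) of the scrape a Discord token stealer performs: token-shaped strings are pulled out of raw Local Storage bytes, and the first segment of a classic token is base64-decoded to attribute it to a user ID. The LevelDB fragment, the tokens and the user ID are constructed, and the regexes are the commonly used approximations of the token formats rather than anything Discord documents.

```python
import base64
import re
from typing import List, Optional

# Added example, not code from the report or from the malware. The Discord
# desktop client keeps its session token in Chromium Local Storage (LevelDB
# files under %APPDATA%\discord\Local Storage\leveldb on Windows); stealers
# read those .ldb/.log files and grep for token-shaped strings.
# Assumed regexes: classic tokens are three base64url segments, MFA tokens
# are "mfa." followed by 84 characters. These approximate, not define, the format.
CLASSIC_TOKEN_RE = re.compile(r"[\w-]{23,28}\.[\w-]{6,7}\.[\w-]{25,110}")
MFA_TOKEN_RE = re.compile(r"mfa\.[\w-]{84}")

# Constructed stand-in for a LevelDB fragment. The classic token's first
# segment is base64 of the (made-up) user ID 123456789012345678.
SAMPLE_LEVELDB = (
    b"\x00\x01_https://discord.com\x00\x01token\x01"
    + b'"MTIzNDU2Nzg5MDEyMzQ1Njc4.Ab1234.abcdefghijklmnopqrstuvwxyz0"'
    + b"\x00\x00padding\x00"
    + b'"mfa.' + b"Z" * 84 + b'"'
    + b"\x00"
)


def find_discord_tokens(data: bytes) -> List[str]:
    """Return unique token-shaped strings from raw Local Storage bytes."""
    text = data.decode("latin-1")   # 1:1 byte-to-char, so ASCII tokens survive intact
    tokens: List[str] = []
    for regex in (MFA_TOKEN_RE, CLASSIC_TOKEN_RE):
        for match in regex.findall(text):
            if match not in tokens:
                tokens.append(match)
    return tokens


def token_user_id(token: str) -> Optional[str]:
    """Classic tokens start with base64url(user id); decode it to attribute the token.
    Returns None for MFA tokens or anything that does not decode to digits."""
    first = token.split(".", 1)[0]
    padded = first + "=" * (-len(first) % 4)
    try:
        decoded = base64.urlsafe_b64decode(padded).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isdigit() else None


if __name__ == "__main__":
    for tok in find_discord_tokens(SAMPLE_LEVELDB):
        print(tok[:12] + "...", "user id:", token_user_id(tok))
```

Two practical notes: a stolen token is a complete session credential, so the remediation is to change the account password (which invalidates existing sessions) rather than just to remove the malware; and newer Discord desktop builds store the token encrypted under a DPAPI-protected key, so a plain regex over LevelDB does not recover it there and stealers have to go through that decryption step as well.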

5. Although the RAT attempts to maintain persistence through registry Run keys and scheduled tasks, its implementation contains logic errors that sometimes prevent the malware from restarting after a system reboot. These flaws are both a weakness for the attackers and an opportunity for incident responders to disrupt the threat. The combination of off-the-shelf Python tooling, Telegram-based C2 and a narrow focus on gamers suggests a Malware-as-a-Service model, with the original author likely customizing variants for sale or lease to other threat actors interested in surveillance, token theft or distributed campaigns against gamers.

6. Defenders can mitigate this threat by educating gaming communities about the dangers of downloading unofficial clients, implementing application allowlisting for known Minecraft launchers, and monitoring network traffic for connections to api.telegram.org from hosts that have no reason to run Telegram bots (blocking the endpoint outright is an option where such bots are not used). Regular scans for Python interpreters in nonstandard locations (for example under AppData or Temp, where a bundled runtime would be dropped) and inspection of registry Run entries and scheduled tasks can surface persistence attempts. By combining user awareness with technical controls, organizations and individual gamers alike can reduce the risk posed by this emerging RAT threat.
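As an added example (not code from the report), the two technical checks above written so the decision logic can be run offline: a Run-key review that flags autoruns launching a Python interpreter or starting from a user-writable path, and a proxy-log filter for Bot API traffic to api.telegram.org. The registry reader is real but only runs on Windows; the Run entries, the tab-separated proxy log format and every log line below are constructed.

```python
import platform
import re
from typing import Dict, List, Tuple

# Added example, not from the report. Two defender checks with testable logic:
#   1. flag_run_entries(): Run-key autoruns that launch a Python interpreter
#      or come from a user-writable directory (where a bundled runtime sits);
#   2. flag_proxy_lines(): proxy log lines showing Bot API traffic to
#      api.telegram.org, especially from a scripted user agent.
# The proxy log format and all sample data here are constructed.

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
PYTHON_EXE_RE = re.compile(r"\b(python|pythonw)(\d+(\.\d+)?)?\.exe\b", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
SCRIPTED_UA_RE = re.compile(r"python-requests|python-urllib|aiohttp|curl|wget", re.IGNORECASE)
BOT_PATH_RE = re.compile(r"^/bot(\d+):")


def read_run_entries() -> Dict[str, str]:
    """Read HKCU and HKLM Run values on Windows; elsewhere return {} so the
    flagging logic can still be exercised with constructed input."""
    if platform.system() != "Windows":
        return {}
    import winreg  # Windows-only module, imported lazily on purpose
    entries: Dict[str, str] = {}
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:      # no more values under this key
                        break
                    entries[f"{hive_name}\\{name}"] = str(value)
                    index += 1
        except OSError:                  # key missing or access denied
            continue
    return entries


def flag_run_entries(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (entry name, reason) for autoruns that deserve a closer look."""
    flagged: List[Tuple[str, str]] = []
    for name, command in entries.items():
        if PYTHON_EXE_RE.search(command):
            flagged.append((name, "launches a Python interpreter"))
        elif USER_WRITABLE_RE.search(command):
            flagged.append((name, "runs from a user-writable path"))
    return flagged


def flag_proxy_lines(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, bot id or '', reason) for Bot API traffic.
    Constructed line format, tab-separated:
    timestamp, client ip, method, host, path, user agent."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 6:
            continue
        _, client_ip, _, host, path, user_agent = fields
        if host.lower() != "api.telegram.org":
            continue
        reasons = []
        bot = BOT_PATH_RE.match(path)
        if bot:
            reasons.append("Bot API call")
        if SCRIPTED_UA_RE.search(user_agent):
            reasons.append("scripted user agent")
        if reasons:
            hits.append((client_ip, bot.group(1) if bot else "", "; ".join(reasons)))
    return hits


SAMPLE_RUN_ENTRIES = {
    "HKCU\\OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
    "HKCU\\MinecraftClient": r"C:\Users\gamer\AppData\Roaming\Client\pythonw.exe C:\Users\gamer\AppData\Roaming\Client\main.py",
    "HKCU\\Updater": r"C:\Users\gamer\AppData\Local\Temp\upd.exe",
}

SAMPLE_PROXY_LOG = [
    "2024-05-01T10:00:01Z\t10.0.0.5\tPOST\tapi.telegram.org\t/bot1234567890:AAFake/getUpdates\tpython-requests/2.31.0",
    "2024-05-01T10:00:02Z\t10.0.0.7\tGET\tweb.telegram.org\t/\tMozilla/5.0 (Windows NT 10.0) Chrome/124.0",
    "2024-05-01T10:00:03Z\t10.0.0.9\tPOST\tapi.telegram.org\t/bot987654321:AAOther/sendPhoto\tcurl/8.4.0",
]

if __name__ == "__main__":
    live = read_run_entries() or SAMPLE_RUN_ENTRIES
    for name, reason in flag_run_entries(live):
        print("RUN  ", name, "->", reason)
    for ip, bot_id, reason in flag_proxy_lines(SAMPLE_PROXY_LOG):
        print("PROXY", ip, "bot", bot_id or "?", "->", reason)
```

Without TLS inspection a proxy only sees the SNI/host, so the path and user-agent conditions never fire; in that case alert on any workstation reaching api.telegram.org and correlate on the host with Sysmon Event ID 3 (network connection) where the image is a Python interpreter under a user profile.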

