Microsoft and BlackFog: Double whammy: Steaelite RAT bundles data theft, ransomware

New "Steaelite" RAT Emerges as a Potent Threat for Double Extortion Attacks

In November 2025, cybersecurity researchers at BlackFog uncovered Steaelite, a sophisticated remote access trojan (RAT) being sold on cybercrime forums. Marketed as "fully undetectable" and the "best Windows RAT," the malware targets Windows 10 and 11 systems, with an Android module reportedly in development.

Steaelite operates via a browser-based dashboard and automates data theft the moment a victim connects, before an attacker has interacted with the system at all. It harvests browser-stored passwords, session cookies, and application tokens immediately upon infection. The tool’s interface includes three main sections:

  • Primary Toolbar: Enables remote code execution, file management, live surveillance (webcam/microphone access), process manipulation, clipboard monitoring, password recovery, and DDoS attacks, among other functions.
  • Advanced Tools: Provides ransomware deployment, hidden RDP access, Windows Defender disabling, and persistence mechanisms.
  • Developer Tools: Adds keylogging, client-to-victim chat, USB spreading, cryptocurrency wallet hijacking (via clipboard manipulation), and tools to remove competing malware.

A standout feature is its clipper module, which silently replaces cryptocurrency wallet addresses in the clipboard with attacker-controlled ones, enabling theft without the victim’s knowledge. The malware also streamlines double extortion attacks by combining data theft and ransomware deployment in a single interface, eliminating the need for separate tools or coordination between cybercriminal groups.
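As an added illustration (not from BlackFog's report or the article), here is a defender-side check for the clipboard-substitution behaviour described above: it compares what a user copied with what the clipboard held when they next pasted, and flags any swap between two wallet-shaped strings. The address-format regexes and the sample events are constructed assumptions, not real captured data.

```python
import re
from dataclasses import dataclass

# Constructed, deliberately loose address-shape patterns: they classify the
# format of a string, they do not validate checksums. (Assumption, not from the page.)
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return which wallet-address format `text` matches, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

@dataclass
class ClipboardEvent:
    copied: str    # what the user placed on the clipboard
    readback: str  # what the clipboard held when the user next pasted

def detect_clipper(events):
    """Flag events where a wallet address was silently replaced by another
    address between copy and paste, the behaviour a clipper module produces."""
    alerts = []
    for index, event in enumerate(events):
        before, after = event.copied.strip(), event.readback.strip()
        if address_kind(before) and address_kind(after) and before != after:
            alerts.append({"event": index, "kind": address_kind(before),
                           "expected": before, "observed": after})
    return alerts

# Constructed sample events (not real captured data): an untouched address,
# ordinary text, and one address swapped for a different one of the same format.
SAMPLE_EVENTS = [
    ClipboardEvent("bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",
                   "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    ClipboardEvent("meeting notes for Monday", "meeting notes for Monday"),
    ClipboardEvent("0x" + "ab" * 20, "0x" + "cd" * 20),
]

if __name__ == "__main__":
    for alert in detect_clipper(SAMPLE_EVENTS):
        print(f"clipboard swap in event {alert['event']}: "
              f"{alert['expected']} -> {alert['observed']}")
```

In a real deployment this comparison would be paired with attribution of which process wrote to the clipboard, since a user who deliberately replaces the clipboard contents produces the same mismatch.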

Steaelite’s active promotion across forums (with 87 messages at the time of reporting) and a YouTube demonstration video suggests aggressive marketing to expand its buyer base. Once the Android version launches, a single license could compromise both corporate Windows machines and employee mobile devices, amplifying its threat potential. The tool’s automation and integrated capabilities lower the barrier for attackers, making it a significant risk for organizations.

Source: https://www.theregister.com/2026/02/27/double_extortion_whammy_steaelite_rat/

Microsoft Threat Intelligence cybersecurity rating report: https://www.rankiteo.com/company/microsoft-threat-intelligence

BlackFog cybersecurity rating report: https://www.rankiteo.com/company/blackfog

Incident record:

  • ID: MICBLA1772238300
  • Link ID: microsoft-threat-intelligence, blackfog
  • Type: Ransomware
  • Date: 2/2026
  • Severity: 100
  • Impact: 5
  • Explanation: Attack threatening the organization's existence

Incident details:

  • Attack vector: Browser-based dashboard, phishing, or malicious downloads
  • Data breach: data exfiltration: Yes; personally identifiable information: Yes; sensitivity of data: High; type of data compromised: browser-stored passwords, session cookies, application tokens, cryptocurrency wallet addresses
  • Date detected: 2025-11
  • Date publicly disclosed: 2025-11
  • Description: Cybersecurity researchers at BlackFog uncovered Steaelite, a sophisticated remote access trojan (RAT) being sold on cybercrime forums. Marketed as "fully undetectable" and the "best Windows RAT," the malware targets Windows 10 and 11 systems, with an Android module in development. Steaelite automates data theft upon infection, harvesting browser-stored passwords, session cookies, and application tokens. It includes features for remote code execution, ransomware deployment, hidden RDP access, cryptocurrency wallet hijacking, and double extortion attacks.
  • Impact: data compromised: browser-stored passwords, session cookies, application tokens, cryptocurrency wallet addresses; identity theft risk: High (PII and credentials compromised); operational impact: potential unauthorized access, data exfiltration, ransomware deployment; payment information risk: High (cryptocurrency wallet hijacking); systems affected: Windows 10, Windows 11 (Android module in development)
  • Investigation status: Ongoing
  • Motivation: Financial gain, data theft, ransomware deployment
  • Ransomware: data encryption: Yes (via ransomware module); data exfiltration: Yes; ransomware strain: Steaelite (integrated ransomware module)
  • Recommendations: Organizations should enhance monitoring for RAT infections, implement multi-factor authentication, educate employees on phishing risks, and deploy endpoint detection and response (EDR) solutions. Cryptocurrency wallet security should be prioritized to prevent clipboard hijacking.
  • References: BlackFog (accessed 2025-11)
  • Threat actor: Cybercriminals (unknown specific group)
  • Title: Emergence of Steaelite RAT for Double Extortion Attacks
  • Type: Malware (RAT)