Mallory
Malware · Ransomware

Steaelite

Steaelite is a commercially marketed Windows remote access trojan (RAT) first observed/advertised on underground cybercrime forums in November 2025, promoted as the “best Windows RAT” with claimed “fully undetectable” (FUD) capabilities. It is positioned as an “all-in-one” platform for double-extortion by combining automated data/credential theft and ransomware deployment within a single, browser-based operator control panel.

Behavior and capabilities described include immediate automated harvesting upon initial victim connection (before operator interaction), specifically browser-stored passwords, session cookies, and application tokens. The web dashboard exposes modules for remote code execution (including a browser-based live command prompt), file management (directory traversal and one-click download), process management, clipboard monitoring, password recovery, installed program enumeration, location tracking, URL opening/arbitrary file execution, and DDoS. Surveillance features include live screen streaming plus webcam and microphone access. Additional tooling includes VB.NET payload compilation, persistence installation, Windows Defender disabling/exclusion management, hidden RDP, keylogging, client-to-victim chat, file searching, USB spreading, UAC bypass, wallpaper modification/message box delivery, and a “bot-killing” feature to remove competing malware. It also includes a cryptocurrency clipboard “clipper” that monitors for wallet addresses and replaces them with attacker-controlled addresses prior to paste completion.

Targeting/coverage: advertised as compatible with Windows 10 and Windows 11; an Android module (described as an Android ransomware module) is reportedly “in development.”

Marketing/distribution notes: BlackFog reported repeated forum thread “bumps” and a YouTube promotional video demonstrating capabilities.

Indicators of compromise explicitly listed in the content: C2 domain 1e81ea2a059f.ngrok-free.app (paths /dashboard.html and /victim.html) and a SHA-256 value given only as b2a8d97da2a653de75d3d1be5839 (as provided; this is 28 hex characters, not the 64 of a complete SHA-256, so it cannot be used for exact hash matching).
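The only actionable indicator on this page is the ngrok C2 domain, and the ngrok tunnel itself is the tunneling technique (T1572) the ATT&CK section maps. The following hunt script is an added example written for this page, not code from Mallory, BlackFog or any of the cited sources. It scans DNS and proxy log lines for the exact C2 domain and its two known panel paths (high confidence) and, more broadly, for any ngrok-free.app subdomain (medium confidence, because ngrok is also used legitimately). The log lines and the `10.0.0.x` client addresses are constructed; the log format is a simplified one assumed for the example. Hash matching is deliberately omitted because the page's SHA-256 value is truncated.

```python
"""Hunt for the Steaelite C2 indicator in DNS/proxy logs.

Added example for this page (not Mallory's or BlackFog's code).
Only the ngrok domain and the two panel paths come from the page;
the log lines and client IPs below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

C2_DOMAIN = "1e81ea2a059f.ngrok-free.app"            # from the page
C2_PATHS = ("/dashboard.html", "/victim.html")        # from the page

# Broader hunt for T1572 (protocol tunneling): any ngrok-free.app tunnel.
# ngrok has legitimate uses, so a generic match is a lead, not a verdict.
NGROK_RE = re.compile(r"(?:^|\.)ngrok-free\.app$", re.IGNORECASE)

# Assumed simplified log layout: DNS lines carry "query=<host>",
# proxy lines carry a full URL.
HOST_RE = re.compile(r"(?:query=|https?://)([A-Za-z0-9.-]+)(/[^\s]*)?")

# Constructed sample log (not real telemetry).
SAMPLE_LOG = """\
2026-02-27T10:01:02Z dns 10.0.0.12 query=update.microsoft.com
2026-02-27T10:01:05Z dns 10.0.0.12 query=1e81ea2a059f.ngrok-free.app
2026-02-27T10:01:06Z proxy 10.0.0.12 GET https://1e81ea2a059f.ngrok-free.app/victim.html 200
2026-02-27T10:02:00Z dns 10.0.0.40 query=abcd1234.ngrok-free.app
2026-02-27T10:03:00Z proxy 10.0.0.41 GET https://example.com/dashboard.html 200
"""


@dataclass
class Hit:
    line_no: int
    host: str
    confidence: str   # "high" = exact C2 domain, "medium" = generic ngrok tunnel
    reason: str


def classify(host: str, path: Optional[str]) -> Tuple[Optional[str], str]:
    """Return (confidence, reason) for a host/path pair, or (None, "")."""
    host = host.lower()
    if host == C2_DOMAIN:
        reason = "exact Steaelite C2 domain"
        if path and any(path.startswith(p) for p in C2_PATHS):
            reason += f", known panel path {path}"
        return "high", reason
    if NGROK_RE.search(host):
        return "medium", "ngrok-free.app tunnel (T1572 lead, verify before acting)"
    return None, ""


def scan(log_text: str) -> List[Hit]:
    """Walk log lines, extract the destination host, and classify it.

    A panel path on a non-C2 host (line 5 of the sample) is ignored:
    the path alone is too generic to alert on.
    """
    hits: List[Hit] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = HOST_RE.search(line)
        if not m:
            continue
        host, path = m.group(1), m.group(2)
        confidence, reason = classify(host, path)
        if confidence:
            hits.append(Hit(n, host.lower(), confidence, reason))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.host} [{h.confidence}] {h.reason}")
```

Against the constructed sample this yields two high-confidence hits for the same client (the DNS lookup and the request to /victim.html) and one medium-confidence lead for a different ngrok tunnel; the generic `/dashboard.html` request to an unrelated host is not flagged. In a real deployment the medium tier should be triaged against an allow-list of known ngrok users before it pages anyone.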


MITRE ATT&CK

Techniques & procedures

19 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1091 Replication Through Removable Media (Evidence: 2)

"...USB spreading..."

Execution

1 technique
T1204.002 Malicious File (Evidence: 1)

Threat actors are luring unsuspecting users into running trojanized gaming utilities that are distributed via browsers and chat platforms to distribute a remote access trojan (RAT).

Privilege Escalation

1 technique
T1548.002 Bypass User Account Control (Evidence: 3)

"Combined with a UAC bypass module, operators can execute commands at administrator-level privilege without triggering standard access warnings."

Credential Access

5 techniques
T1056 Input Capture (Evidence: 1)

"...a third 'developer tools' panel adds keylogging..."

T1056.001 Keylogging (Evidence: 1)

The panel also incorporates ... keylogging

T1056.004 Credential API Hooking (Evidence: 1)

"clipboard monitoring" and "It silently monitors the victim’s clipboard"

T1539 Steal Web Session Cookie (Evidence: 1)

"...automatically harvests ... session cookies..."

T1555 Credentials from Password Stores (Evidence: 1)

Steaelite RAT supports ... password theft ... harvest credentials

Lateral Movement

2 techniques
T1021.001 Remote Desktop Protocol (Evidence: 2)

"The advanced tools section further exposes ransomware deployment, hidden RDP..."

T1091 Replication Through Removable Media (Evidence: 2)

"...USB spreading..."

Collection

7 techniques
T1056 Input Capture (Evidence: 1)

"...a third 'developer tools' panel adds keylogging..."

T1056.001 Keylogging (Evidence: 1)

The panel also incorporates ... keylogging

T1056.004 Credential API Hooking (Evidence: 1)

"clipboard monitoring" and "It silently monitors the victim’s clipboard"

T1113 Screen Capture (Evidence: 1)

"stabilized Hidden Virtual Network Computing (HVNC) monitoring" and "live screen streaming"

T1115 Clipboard Data (Evidence: 2)

clipper functionality ... clipboard monitoring

T1123 Audio Capture (Evidence: 1)

"...webcam and microphone access..."

T1125 Video Capture (Evidence: 2)

"webcam and microphone access"

Command and Control

2 techniques
T1105 Ingress Tool Transfer (Evidence: 1)

allowing it to exfiltrate data and deploy additional payloads.

T1572 Protocol Tunneling (Evidence: 1)

"C2 1e81ea2a059f.ngrok-free.app"

Impact

3 techniques
T1486 Data Encrypted for Impact (Evidence: 3)

"advanced tools section further exposes ransomware deployment" and "data theft and ransomware deployment"

T1498 Network Denial of Service (Evidence: 1)

"DDoS modules"

T1657 Financial Theft (Evidence: 1)

"...double extortion attacks ... first steal data, then encrypt victims' systems, and threaten to leak the stolen files..."

Other

1 technique
T1562.001 Disable or Modify Tools (Evidence: 3)

"...Windows Defender disabling and exclusion management..."

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

The Hacker News (News)
Feb 27, 2026
Trojanized Gaming Tools Spread Java-Based RAT via Browser and Chat Platforms

Windows remote access trojan sold on criminal forums that provides browser-based control of infected hosts and bundles data theft plus ransomware deployment capabilities in a single web panel; supports functions like keylogging, credential theft, surveillance (webcam/mic/live streaming), file exfiltration, UAC bypass, USB spreading, and Defender tampering/exclusions.

The Register, Security (News)
Feb 27, 2026
Double whammy: Steaelite RAT bundles data theft, ransomware • The Register

Commercially sold Windows remote access trojan with an in-browser operator dashboard that performs automated credential/token/cookie theft on initial connection and provides extensive remote administration and surveillance features (RCE, file/process management, live streaming, webcam/mic, keylogging, clipboard monitoring). It also includes “advanced tools” for ransomware deployment to enable double-extortion (steal then encrypt) and additional capabilities such as hidden RDP, Defender tampering, persistence, USB spreading, UAC bypass, and a crypto-clipper to swap wallet addresses during copy/paste.

Cyber Security News (News)
Feb 26, 2026
Steaelite RAT Fuels New Wave of Double Extortion Threats Targeting Enterprises

Steaelite is a Windows-focused remote access trojan sold on underground forums that provides a browser-based operator panel to automate credential and token theft (passwords, cookies, app tokens) and enable full remote control (RCE, screen streaming/HVNC, webcam/mic, file/process/clipboard control). It also includes modules for persistence, UAC bypass, Windows Defender disabling, DDoS, a cryptocurrency clipboard clipper, and one-click ransomware deployment; an Android ransomware module is reportedly in development.
