A cheap subscription trojan has infected over 62,000 computers worldwide

A cheap, rentable remote access trojan called Millenium RAT has quietly grown into a global spying tool, infecting more than 62,000 Windows computers across over 160 countries, according to new research from Group-IB. Nearly two-thirds of those infections, almost 40,000, landed in the first three months of 2026 alone, a sign the campaign is accelerating fast.

A remote access trojan, or RAT, is malware that gives an attacker hands-on control of a victim's machine. Millenium RAT can steal saved browser passwords and system data, log keystrokes, capture screenshots and audio, and download and run additional programs, handing its operators a near-complete view of everything a victim does.

Malware for the price of a streaming subscription

What makes Millenium dangerous is less its features than its business model. Group-IB reports that the developer, who goes by the handle "ShinyEnigma", sells it as Malware-as-a-Service for $50 for the first month, $10 a month after that, or a one-time $90 lifetime license. That pricing puts a capable spying tool within reach of low-skilled criminals, which helps explain how widely it has spread.

The malware has been advertised openly on underground forums such as Dread, and brazenly on legitimate developer platforms including GitHub, GitLab, and Gitea, though those repositories have since been taken down. Group-IB notes the original commit messages were written in Russian. The active infection campaigns are run by a criminal cluster the firm tracks as the Y2K Operators.

How it works

Version 4 of Millenium marks a technical step up. Earlier builds were written in .NET, but the new version is rewritten in native C++, removing the dependency on the .NET runtime and relying entirely on standard Windows programming interfaces, which can make it harder to spot. For command and control it skips dedicated servers entirely, instead using the Telegram bot API to receive orders and send back stolen data. Its configuration is hidden inside the program, scrambled with Base64 plus a custom XOR routine and padded with junk data so that each copy carries a different file fingerprint to frustrate simple signature-based detection.

Telegram-based control has become a common thread among modern commodity malware, from state-linked operators abusing Telegram bots for command and control to subscription kits like the Mirax Bot banking trojan sold on underground forums. Millenium is the latest example of how cheaply this capability is now packaged and resold, echoing other rented RAT operations we have tracked.

What you should do

Because Millenium spreads mainly through social engineering, treat unexpected downloads and "cracked" software with suspicion, and be wary of developer projects promising free tools. Network defenders should watch for unexpected outbound connections to the Telegram bot API from machines that have no business using it, and block the indicators of compromise published in Group-IB's report.
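As an added illustration of the detection advice above (example code written for this briefing, not from Group-IB's report), the Python snippet below scans proxy log lines for Telegram bot API calls from hosts outside an allowlist. The log format, host names, bot-token placeholders and the allowlist are all assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the report). Assumed format:
# "<timestamp> <src_host> <method> <url> <status>"
SAMPLE_LOGS = """\
2026-03-02T09:14:01Z ws-fin-07 POST https://api.telegram.org/bot123456:PLACEHOLDER/getUpdates 200
2026-03-02T09:14:31Z ws-fin-07 POST https://api.telegram.org/bot123456:PLACEHOLDER/sendDocument 200
2026-03-02T09:15:02Z ws-fin-07 POST https://api.telegram.org/bot123456:PLACEHOLDER/getUpdates 200
2026-03-02T09:15:10Z ws-hr-03 GET https://www.microsoft.com/en-us/ 200
2026-03-02T09:16:44Z bot-gateway POST https://api.telegram.org/bot987654:PLACEHOLDER/sendMessage 200
2026-03-02T09:17:00Z ws-hr-03 GET https://web.telegram.org/ 200
"""

# Hosts with a legitimate reason to call the bot API (assumed: a chat-ops gateway).
ALLOWLIST = {"bot-gateway"}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")
# Bot API requests always take the form https://api.telegram.org/bot<token>/<method>;
# the human web client (web.telegram.org) does not match and is ignored.
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot[^/]+/(?P<method>\w+)")


def find_bot_api_hosts(log_text, allowlist=ALLOWLIST):
    """Return {host: {"calls": n, "methods": [...]}} for every non-allowlisted host
    that called the Telegram bot API. Repeated getUpdates polling plus upload methods
    such as sendDocument from a workstation is the pattern worth triaging."""
    hits = defaultdict(lambda: {"calls": 0, "methods": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        api = BOT_API_RE.match(m["url"])
        if not api or m["host"] in allowlist:
            continue
        hits[m["host"]]["calls"] += 1
        hits[m["host"]]["methods"].add(api["method"])
    return {h: {"calls": v["calls"], "methods": sorted(v["methods"])} for h, v in hits.items()}


if __name__ == "__main__":
    for host, info in find_bot_api_hosts(SAMPLE_LOGS).items():
        print(f"ALERT {host}: {info['calls']} bot API calls, methods={info['methods']}")
```

Pointing the same function at real proxy or DNS logs only requires adjusting LOG_RE to the local format and populating the allowlist from the hosts that genuinely run Telegram bots.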

Indicators of compromise

Group-IB's Threat Intelligence team published the full technical breakdown in the original report.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
