
Millenium RAT Rewritten in C++ Infects 62,000+ Devices Across 160 Countries

Jun 29, 2026 · 8 min read

A remote access trojan known as Millenium RAT has been quietly spreading across the globe, and the numbers are hard to ignore. Over 62,000 devices have been compromised across more than 160 countries, with no signs of slowing down.

More than 39,000 of those infections happened in just the first quarter of 2026 alone, pointing to an operation that is actively scaling.

The malware first appeared in a threat report by CYFIRMA in November 2023, initially tracked as version 2.4. Since then, it has gone through a significant transformation.

Threat actors have moved to version 4, which carries a completely rebuilt technical foundation and a broader range of capabilities targeting Windows machines worldwide.

Analysts at Group-IB have attributed the active exploitation to a cluster they call the Y2K Operators. The malware’s developer operates under the handle “shinyenigma” and openly promotes it on underground forums and platforms like GitHub.

milleniumrat[.]online (Source - Group-IB)

Group-IB said in a report shared with Cyber Security News (CSN) that the tool is sold as Malware-as-a-Service at $50 for the first month, $10 for renewals, or $90 for lifetime access.

The malware’s reach is not tied to any one region or industry. Victims range from everyday users to aspiring cybercriminals who unknowingly downloaded trojanised tools.

The Y2K Operators cast a wide net, using lures designed to pull in as many target groups as possible.

The sharp spike in infections during early 2026 suggests the operators are actively scaling up. With new versions still being released and a low-cost model in place, this threat is set to keep growing.

Millenium RAT Rewritten in C++

The most significant change in version 4 is its full rewrite from .NET into native C++. This removes the dependency on the .NET runtime on the victim’s machine and makes the malware harder to detect.

It communicates with operators through the Telegram Bot API, disguising command-and-control traffic as normal web activity with no dedicated server required.

Commit messages in Gitea repository (Source - Group-IB)

Once executed, the RAT loads an encrypted configuration from an embedded file resource. This contains the Telegram bot token, chat ID, persistence settings, and keylogger options.

The data is Base64-encoded and protected with a custom XOR algorithm, with extra random data added to change the file hash and bypass signature-based detection.
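As an added, constructed illustration of the configuration handling described above (not code from Group-IB’s report or from the malware itself): a single-byte XOR key stands in for the undocumented custom algorithm, the bot token and config values are fabricated, and the recovery routine shows why a file hash that changes with the random tail is a weak indicator while the decoded configuration is a stable one.

```python
import base64
import hashlib
import json
import os
import re
from typing import Optional

# Constructed sample config; the token only has the shape of a Telegram bot token.
SAMPLE_CONFIG = {
    "bot_token": "1234567890:" + "A" * 35,
    "chat_id": "-1001234567890",
    "persistence": True,
    "keylogger": False,
}
ASSUMED_KEY = 0x5A  # assumption: single-byte XOR stands in for the undocumented custom scheme
TOKEN_RE = re.compile(rb"\d{8,10}:[A-Za-z0-9_-]{35}")  # numeric bot id, colon, 35-char secret

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def build_blob(config: dict, key: int = ASSUMED_KEY) -> str:
    """Protect a config as the article describes: XOR, trailing random data, Base64.
    The random tail changes the artefact's hash on every build without touching the config."""
    plain = json.dumps(config).encode() + os.urandom(24)
    return base64.b64encode(xor_bytes(plain, key)).decode()

def recover_config(blob: str) -> Optional[dict]:
    """Analyst-side recovery: brute-force the byte key, using the token shape as the
    oracle that the key is right, then parse one JSON object and ignore the padding."""
    raw = base64.b64decode(blob)
    for key in range(256):
        plain = xor_bytes(raw, key)
        if not TOKEN_RE.search(plain):
            continue
        try:  # raw_decode stops at the end of the object, so the random tail is ignored
            obj, _ = json.JSONDecoder().raw_decode(plain[plain.find(b"{"):].decode("latin-1"))
            return obj
        except ValueError:
            continue
    return None

def hashes_differ_configs_match(config: dict) -> bool:
    """Two builds of one config: different SHA-256 values, identical recovered settings.
    This is why matching on the decoded config beats matching on the file hash."""
    a, b = build_blob(config), build_blob(config)
    return (hashlib.sha256(a.encode()).hexdigest() != hashlib.sha256(b.encode()).hexdigest()
            and recover_config(a) == recover_config(b) == config)
```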

The RAT’s capabilities are broad. It can steal browser credentials and cookies, capture screenshots and webcam images, record audio, log keystrokes, pull Telegram and Discord session data, and encrypt the victim’s files.

Operators issue all commands through Telegram without a dedicated server. Persistence is set up by copying the payload into %APPDATA% and adding a registry autorun entry.

The malware also attempts privilege escalation through a standard Windows UAC prompt, counting on the user to approve it. All functionality relies on standard Windows API calls with no zero-day exploits, meaning the operation depends entirely on user trust.

Social Engineering Delivery Tactics Used by Y2K Operators

The Y2K Operators rely entirely on deception to get Millenium RAT onto victim machines. Files are disguised as credit card generators, crypto balance checkers, hacking toolkits, cracked software, and gaming utilities.

Filenames are crafted to push targets into opening them immediately, with lures spread broadly to reach as many victim types as possible.

One tactic is particularly bold. The operators take known RATs and exploit builders, silently embed a backdoor, and redistribute the tampered files.

JSON config representation (Source - Group-IB)

A would-be attacker downloads what looks like a working tool and gets infected instead. In one campaign, victims received a shortcut disguised as a PDF, which triggered PowerShell silently and fetched a decoy document alongside the RAT payload, opening the document in the foreground as cover.

After infection, the payload blends in using names like svchost.exe, MsEdgeUpdate.exe, and Microsoft Antivirus.exe.
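An added example (not from the report) of triaging HKCU Run entries for the persistence pattern described here: a copy of the payload under %APPDATA% registered for autorun, using one of the disguise names above. The entries are constructed; the rules are heuristics, and a hit still needs confirmation against the file’s signature and hash.

```python
import ntpath
from typing import Iterable

# Names the article reports the payload using after infection (lower-cased for matching).
MASQUERADE_NAMES = {"svchost.exe", "msedgeupdate.exe", "microsoft antivirus.exe"}
# The only legitimate homes of svchost.exe; a copy anywhere else is an impostor.
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def image_path(command: str) -> str:
    """Extract the executable path from a Run-key command line.
    Handles a quoted path or an unquoted first token; unquoted paths with spaces are not resolved."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""

def triage_run_entries(entries: Iterable[tuple[str, str]]) -> list[dict]:
    """Flag autorun entries matching the persistence pattern described in the article:
    an image copied under %APPDATA% (the Roaming profile) or named after a system binary."""
    findings = []
    for name, command in entries:
        path = image_path(command)
        folded = path.lower()
        base = ntpath.basename(folded)  # ntpath parses Windows paths on any host OS
        reasons = []
        if "\\appdata\\roaming\\" in folded:
            reasons.append("autorun image lives under %APPDATA%")
        if base == "svchost.exe":
            if ntpath.dirname(folded) not in SVCHOST_DIRS:
                reasons.append("svchost.exe outside System32")
        elif base in MASQUERADE_NAMES:
            reasons.append(f"image name {base!r} matches a known Millenium RAT disguise")
        if reasons:
            findings.append({"entry": name, "image": path, "reasons": reasons})
    return findings

# Constructed HKCU\...\Run entries: two benign, two shaped like the article's persistence.
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Microsoft Edge Update", r'"C:\Users\alice\AppData\Roaming\MsEdgeUpdate\MsEdgeUpdate.exe"'),
    ("Windows Host", r'"C:\Users\alice\AppData\Roaming\Windows Host\svchost.exe" --silent'),
]

if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print(f["entry"], "->", f["image"], "|", "; ".join(f["reasons"]))
```

On a live host the entries would come from `Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run` or a collected registry export; the OneDrive entry shows why the rule is limited to the Roaming profile rather than all of AppData.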

Users are advised to treat unexpected UAC prompts as suspicious, avoid running files from untrusted sources, use a non-administrator account for daily tasks, keep systems patched, and enable multi-factor authentication to limit damage if credentials are captured.

Indicators of Compromise (IoCs):


Source: CybersecurityNews.com
