Millenium: A RAT Rewritten, A Threat Multiplied
Essential information
- Published: 25/06/2026 20:43
- Modified: —
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: asyncrat millenium rat njrat shinyenigma xworm y2k operators
- Related entities: 60 indicators, 21 observables, 1 intrusion set (apt), 21 techniques (mitre), 5 malware
Description
Group-IB analyzes Millenium RAT version 4.*, a remote access trojan that has undergone a significant architectural change, moving from .NET to native C++, while continuing to use the Telegram Bot API for command and control without requiring dedicated server infrastructure. The malware is distributed as Malware-as-a-Service by the developer 'ShinyEnigma' for $50-90 USD. Active exploitation campaigns are conducted by the threat actor cluster 'Y2K Operators' using social engineering lures that include fraudulent utilities, hacking toolkits, software cracks, gaming lures, and trojanized cybercrime tools. The trojan enables exfiltration of sensitive browser and system data, screenshot and audio capture, keylogging, and arbitrary executable downloads. Over 62,000 compromised endpoints across more than 160 countries have been identified, with 39,730 infections occurring in Q1 2026 alone, which indicates an accelerating infection rate.