Steaelite RAT Bundles Ransomware, Credential Theft, and Live Surveillance Into Single Double-Extortion Platform
A new remote access trojan called Steaelite is being sold on cybercrime forums and Telegram. It consolidates nearly every offensive capability an attacker needs, credential theft, ransomware deployment, cryptocurrency theft, live surveillance, and DDoS, into a single browser-based dashboard, removing the need for multiple tools or for coordination between initial access brokers and ransomware affiliates.
BlackFog researchers first identified the malware in November 2025. It targets Windows 10 and 11, with an Android module reportedly in development that would extend coverage to mobile authentication and messaging devices.
Subscription-Based Crime Tool
Steaelite is sold as a subscription service via Telegram:
- $200/month or $500 for three months
- Promoted across multiple forum threads, with 87 messages at the time of writing
- A promotional YouTube video demonstrates its capabilities to attract buyers outside traditional underground forums
BlackFog notes that while no specific incidents have been directly attributed to Steaelite operators yet, VirusTotal samples indicate significant activity suggesting real-world deployment. The low barrier to entry and built-in automation mean even inexperienced operators can deploy it effectively out of the box.
Automated Data Theft Before Operator Interaction
The most notable feature is that data theft begins automatically the moment a victim connects — before the operator even opens the dashboard. On connection, Steaelite harvests browser-stored passwords, session cookies, and application tokens without any manual commands.
This means that even if an operator is slow to act or loses access to their dashboard, the initial exfiltration has already completed.
Three-Panel Attack Dashboard
The browser-based operator interface is organized across three capability panels:
Primary toolbar:
- Remote code execution
- File management
- Live screen streaming
- Webcam and microphone access
- Process management
- Clipboard monitoring
- Password recovery
- Installed program enumeration
- Location tracking
- Arbitrary file execution
- URL opening
- DDoS attacks
- VB.NET payload compilation
Advanced tools:
- Ransomware deployment
- Hidden RDP access
- Windows Defender disabling and exclusion management
- Persistence installation
Developer tools:
- Keylogging
- Client-to-victim chat
- File searching
- USB spreading
- Bot-killing (removes competing malware)
- UAC bypass
- Cryptocurrency clipper — silently monitors clipboard for wallet addresses and swaps them with attacker-controlled addresses before paste completes
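The clipper described above leaves a characteristic trace on the victim side: a wallet address lands on the clipboard and is overwritten, within milliseconds, by a different address of the same chain. The following is an added illustration of how a clipboard-monitoring agent could spot that pattern; it is not code from the article or from BlackFog. The address patterns are format recognisers only (no checksum validation), and the clipboard event list is constructed sample data, not a capture from a real infection.

```python
import re

# Format recognisers for the address types a clipper typically targets.
# These check shape only; they do not validate checksums.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the chain name if `text` looks like a wallet address, else None."""
    candidate = text.strip()
    for chain, pattern in WALLET_PATTERNS.items():
        if pattern.match(candidate):
            return chain
    return None


def detect_clip_swap(copied, pasted):
    """Compare the text a user copied with the text that arrived at paste time.

    Returns a dict describing a suspected swap, or None when nothing looks wrong.
    """
    copied_chain = classify_address(copied)
    if copied_chain is None:
        return None  # not a wallet address, nothing for a clipper to hijack
    if copied.strip() == pasted.strip():
        return None  # clipboard content survived intact
    return {
        "copied": copied.strip(),
        "pasted": pasted.strip(),
        "copied_chain": copied_chain,
        "pasted_chain": classify_address(pasted),
    }


def audit_clipboard_history(events, max_gap_s=2.0):
    """Scan an ordered list of (timestamp_seconds, clipboard_text) updates.

    A clipper shows up as two consecutive clipboard writes where a wallet
    address is replaced by a different address of the same chain almost
    immediately.  A human rarely copies two different addresses that fast,
    so a short gap between the two writes is the discriminating signal.
    """
    alerts = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        chain_before = classify_address(before)
        chain_after = classify_address(after)
        if (
            chain_before
            and chain_before == chain_after
            and before.strip() != after.strip()
            and (t1 - t0) <= max_gap_s
        ):
            alerts.append({
                "at": t1,
                "chain": chain_before,
                "original": before.strip(),
                "replacement": after.strip(),
                "gap_s": round(t1 - t0, 3),
            })
    return alerts


# Constructed clipboard history (hypothetical addresses, not real wallets):
# the user copies an ETH address at t=0.0, it is overwritten 300 ms later,
# then ordinary text and a second, unrelated address copy much later.
SAMPLE_CLIPBOARD_EVENTS = [
    (0.0, "0x" + "ab" * 20),
    (0.3, "0x" + "01" * 20),
    (10.0, "meeting notes for Tuesday"),
    (45.0, "0x" + "cd" * 20),
]

if __name__ == "__main__":
    for alert in audit_clipboard_history(SAMPLE_CLIPBOARD_EVENTS):
        print("suspected clipper swap:", alert)
```

The 2-second threshold is a tuning knob: lowering it reduces false positives from users who genuinely copy several addresses in a row, raising it catches slower implementations. The `detect_clip_swap` check is the per-paste variant of the same idea, for applications that can compare the copied and pasted values directly.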
Double Extortion in a Single License
Steaelite collapses the entire double extortion workflow into one tool. Previously, this attack pattern required separate malware for initial access and exfiltration, a distinct ransomware payload for encryption, and often coordination between initial access brokers and ransomware affiliates.
With Steaelite, a single operator can steal data automatically on connection, deploy ransomware from the same dashboard, and threaten to leak exfiltrated files if the ransom goes unpaid — all without switching tools or involving additional parties.
Android Expansion
The planned Android module would allow a single Steaelite license to cover both corporate Windows machines and the mobile devices employees use for MFA and messaging — potentially giving attackers simultaneous access to workstations and the authentication layer that protects them.
Defender Recommendations
- Monitor for automated credential harvesting — detect rapid bulk access to browser credential stores and cookie databases immediately following new process execution
- Block Telegram-based C2 — restrict outbound connections to Telegram infrastructure from corporate endpoints
- Detect clipboard manipulation — monitor for processes hooking clipboard APIs, particularly those intercepting cryptocurrency wallet address patterns
- Hunt for Defender tampering — alert on programmatic modification of Windows Defender exclusions or disabling of real-time protection
- USB propagation controls — enforce removable media policies to prevent lateral spread via the USB spreading module
- Monitor for competing malware removal — the bot-killing feature that removes other malware can itself be an indicator of Steaelite infection
- Prepare for cross-platform attacks — once the Android module launches, organizations should expect coordinated Windows and mobile compromise from a single threat actor
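The first and fourth recommendations above (bulk credential-store access shortly after a new process starts, and programmatic changes to Defender exclusions or real-time protection) can both be expressed as rules over endpoint telemetry. The block below is an added example of that logic, written for this page rather than taken from the article, BlackFog, or any product. It runs over a constructed event stream: the process and file-access records are hypothetical, and the Defender messages are constructed approximations of the "configuration has changed" text that the Windows Defender operational log records (event ID 5007), with the `Exclusions\Paths` and `Real-Time Protection\DisableRealtimeMonitoring` registry values being the settings of interest.

```python
import re
from collections import defaultdict

# File names of the browser credential stores an infostealer reads on first contact.
CREDENTIAL_STORE_NAMES = {
    "login data", "cookies", "local state", "web data",   # Chromium-based browsers
    "logins.json", "key4.db", "cookies.sqlite",           # Firefox
}
BURST_WINDOW_S = 60      # reads this soon after process start count as a burst
BURST_MIN_STORES = 2     # distinct stores needed to raise an alert

# Defender settings whose programmatic change is worth an alert.  The message
# shape assumed here is "New value: HKLM\...\<setting> = 0x<n>".
DEFENDER_TAMPER_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
    r"(?P<setting>Exclusions\\(?:Paths|Processes|Extensions)\\[^=]+?|"
    r"Real-Time Protection\\DisableRealtimeMonitoring)\s*=\s*(?P<value>0x[0-9a-fA-F]+)",
    re.IGNORECASE,
)


def store_name(path):
    """Return the canonical store name if `path` ends in a credential store, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name if name in CREDENTIAL_STORE_NAMES else None


def detect_credential_bursts(events, window_s=BURST_WINDOW_S, min_stores=BURST_MIN_STORES):
    """Flag processes that read several credential stores soon after starting.

    A browser touches its own stores throughout its lifetime; a freshly started
    binary reading Login Data, Cookies and Local State within seconds is the
    automated harvesting pattern described in the article.
    """
    started = {}                 # pid -> (start time, image path)
    touched = defaultdict(set)   # pid -> set of store names read inside the window
    for ev in events:
        if ev["type"] == "process_start":
            started[ev["pid"]] = (ev["ts"], ev["image"])
        elif ev["type"] == "file_read" and ev["pid"] in started:
            start_ts, _ = started[ev["pid"]]
            name = store_name(ev["path"])
            if name and ev["ts"] - start_ts <= window_s:
                touched[ev["pid"]].add(name)
    return [
        {"pid": pid, "image": started[pid][1], "stores": sorted(stores)}
        for pid, stores in touched.items()
        if len(stores) >= min_stores
    ]


def detect_defender_tampering(events):
    """Flag Defender configuration changes that add exclusions or disable real-time protection."""
    alerts = []
    for ev in events:
        if ev["type"] != "defender_config":
            continue
        match = DEFENDER_TAMPER_RE.search(ev["message"])
        if match:
            alerts.append({
                "ts": ev["ts"],
                "setting": match.group("setting").strip(),
                "value": match.group("value"),
            })
    return alerts


CONFIG_CHANGED = "Windows Defender Antivirus Configuration has changed.\nOld value:\nNew value: "

# Constructed telemetry: a dropped binary harvests three Chrome stores within
# two seconds of starting, then excludes its own directory and disables
# real-time protection; a long-running Chrome reading its own Login Data and
# an unrelated Defender setting change are benign noise.
SAMPLE_EVENTS = [
    {"ts": 0.0, "type": "process_start", "pid": 5000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ts": 0.0, "type": "process_start", "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"ts": 1.2, "type": "file_read", "pid": 4120, "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 1.3, "type": "file_read", "pid": 4120, "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": 1.4, "type": "file_read", "pid": 4120, "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"ts": 2.5, "type": "defender_config", "message": CONFIG_CHANGED + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Local\Temp = 0x0"},
    {"ts": 3.0, "type": "defender_config", "message": CONFIG_CHANGED + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1"},
    {"ts": 100.0, "type": "defender_config", "message": CONFIG_CHANGED + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x1"},
    {"ts": 900.0, "type": "file_read", "pid": 5000, "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for alert in detect_credential_bursts(SAMPLE_EVENTS):
        print("credential-store burst:", alert)
    for alert in detect_defender_tampering(SAMPLE_EVENTS):
        print("defender tampering:", alert)
```

The burst rule keys on process age rather than on the reading process's name, which is what separates Steaelite-style harvesting from a browser's normal access to its own profile. In production the two detectors would consume Sysmon or EDR file-access events and the Defender operational log respectively; the field names used here are assumptions for the constructed stream.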