Netcrook

Millenium RAT Hides Its Tracks in a Native C++ Build and Telegram-Borne C2

Published: 29 June 2026 10:52 | Category: Malware & Botnets | Author: IRONQUERY

The malware’s latest variant pairs resource-embedded settings with Base64 and XOR obfuscation, making its control plane harder to spot without deeper binary triage.

Millenium RAT version 4.* is a reminder that modern malware does not need flashy tricks to become harder to analyze. By moving from .NET to native C++, embedding its configuration in a Windows RCDATA resource, and masking Telegram-related settings with Base64 plus XOR, the build trims away many of the shortcuts defenders normally use during first-pass inspection.

The practical shift is subtle but important: instead of leaving obvious managed-code artifacts behind, the sample now looks more like a conventional native Windows binary. That changes the reverse-engineering workflow and pushes analysts toward resource extraction, decoding, and runtime tracing before the real command-and-control details become visible.

Fast Facts

  • Millenium RAT version 4.* has been rebuilt from .NET into native C++.
  • Its configuration is stored inside an RCDATA resource, not left in plaintext strings.
  • The Telegram-related settings are concealed with Base64 encoding and XOR obfuscation.
  • The control channel is Telegram-based, which reduces the need for attacker-owned infrastructure.
  • At least part of the analysis is tied to a sample set and telemetry reviewed by Group-IB.

Why the build matters

.NET malware often gives defenders a useful head start because managed binaries carry CLR metadata and can expose names, strings, and structure that are easier to harvest. Native C++ removes much of that convenience. The result is not magic stealth, but a cleaner path for the operator to hide in a more traditional executable format.

The RCDATA choice is just as telling. Windows executables can carry arbitrary binary blobs in that resource type, so a configuration can sit inside the binary without looking like one to a string scan. Once the blob is located, the chain has to be unwound in reverse order: the sample XOR-masks the settings and then Base64-encodes them, so the analyst Base64-decodes first and then XORs with the recovered key. That is not cryptography, but it is enough to slow down casual static analysis and force defenders to reconstruct the unpacking chain.
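The decode chain as an added example, not code from the article, from Millenium RAT or from Group-IB. It reverses a Base64-then-XOR masked blob of the kind described above and, for the case where the key has not yet been pulled out of the binary, recovers a repeating XOR key by known plaintext. The 3-byte key, the `k=v;` config layout, the field names and the token are all constructed for illustration:

```python
"""
Added example (not code from the article, from Millenium RAT or from Group-IB):
reversing a Base64-then-XOR masked config of the kind described above, and
recovering the XOR key by known plaintext when it has not yet been pulled
from the binary. The key, the field names and the blob are constructed.
"""
import base64
import re
from itertools import cycle
from typing import Optional

# Constructed sample data: a hypothetical 3-byte key and config layout,
# NOT values recovered from a real sample. The token is fake.
DEMO_KEY = b"\x5a\x13\x9c"
DEMO_CONFIG = (b"bot_token=123456789:AAFexampleTokenForIllustrationOnly12;"
               b"chat_id=-1001234567890;tag=demo")

# Heuristic shape of a Telegram bot token (numeric bot id, colon, secret).
# Used only to validate a decode attempt; an assumption, not a spec.
TOKEN_RE = re.compile(rb"\d{6,12}:[A-Za-z0-9_-]{30,40}")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric, so it both masks and unmasks."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def mask(plaintext: bytes, key: bytes) -> bytes:
    """Forward chain as the article describes it: XOR first, then Base64."""
    return base64.b64encode(xor_bytes(plaintext, key))


def unmask(blob: bytes, key: bytes) -> bytes:
    """Reverse chain: Base64-decode the RCDATA blob, then XOR with the key."""
    return xor_bytes(base64.b64decode(blob, validate=True), key)


def recover_key(blob: bytes, crib: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Known-plaintext key recovery for a repeating-key XOR layer.

    Slides `crib` (a string the config is expected to contain) across the
    Base64-decoded ciphertext. ciphertext XOR crib gives a slice of the
    keystream; if that slice repeats with period L, the key is L bytes long
    and can be rebuilt from it. A candidate is accepted only when the full
    decode contains something token-shaped, which filters false positives.
    """
    cipher = base64.b64decode(blob, validate=True)
    for off in range(len(cipher) - len(crib) + 1):
        ks = bytes(c ^ p for c, p in zip(cipher[off:off + len(crib)], crib))
        for L in range(1, min(max_key_len, len(crib) // 2) + 1):
            if all(ks[i] == ks[i + L] for i in range(len(ks) - L)):
                # keystream byte i was key[(off + i) % L]; undo the rotation.
                key = bytes(ks[(j - off) % L] for j in range(L))
                if TOKEN_RE.search(xor_bytes(cipher, key)):
                    return key
    return None


def extract_c2_settings(plain: bytes) -> dict:
    """Pull the token and chat id from a decoded 'k=v;k=v' config (layout hypothetical)."""
    fields = dict(kv.split(b"=", 1) for kv in plain.split(b";") if b"=" in kv)
    m = TOKEN_RE.search(plain)
    return {
        "bot_token": m.group(0).decode() if m else None,
        "chat_id": fields.get(b"chat_id", b"").decode() or None,
    }


if __name__ == "__main__":
    blob = mask(DEMO_CONFIG, DEMO_KEY)   # what the RCDATA resource would hold
    key = recover_key(blob, crib=b"bot_token=")
    print("recovered key:", key)
    print(extract_c2_settings(unmask(blob, key)))
```

In real triage the blob comes out of the PE's resource directory rather than from `mask()`: with pefile, walk `pe.DIRECTORY_ENTRY_RESOURCE.entries` for the RT_RCDATA type (id 10) and read each leaf with `pe.get_data(leaf.data.struct.OffsetToData, leaf.data.struct.Size)`. The crib approach only works if the guessed string really is in the config; if no field name or host string is known, the key has to come from the binary or from runtime tracing, as the article notes.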

Telegram-based C2 adds operational convenience for the operator. A public service is the traffic destination, so investigators have to correlate process behaviour, Bot API request patterns (HTTPS requests to api.telegram.org whose path carries the bot token and the method being called), and embedded tokens or chat identifiers rather than chase a bespoke domain name. From a defensive perspective, that shifts the problem from simple network blocklists, which cannot tell a RAT apart from legitimate Telegram use, to endpoint and content inspection.

At the time of writing, the full scope of affected samples and the exact configuration fields present in every build are not fully established. The available information supports a risk analysis, not a blanket claim about all variants or their full operational reach.

What defenders should take from it

This is a good case study in how small engineering choices can reshape detection. A native rebuild reduces managed-runtime visibility. An embedded resource hides the config from quick string hunts. Base64 plus XOR adds a decode chain that many automated triage systems will miss unless they are built to inspect resources and normalize obfuscation layers.

For hunters, the most useful pivot is not the malware family name alone, but the combination of file type, resource layout, and Telegram-related behavior. In practice, that means prioritizing PE resource extraction, watching for unusual native binaries that touch Telegram services, and validating any recovered identifiers against the sample before drawing conclusions.
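The pivot described above, as an added hunting example that is not a detection from the article or from Group-IB: it flags Telegram Bot API requests from processes that should not be making them, weighs the process path and the method called, and checks the token in the URL against identifiers recovered from a sample. The log format, hostnames, paths, allowlist and tokens are constructed:

```python
"""
Added hunting example (not a detection from the article or from Group-IB):
flag Telegram Bot API traffic from processes that should not be talking to
it, and tie the token in the URL back to identifiers recovered from a sample.
The log format, paths, hostnames and tokens below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed telemetry, format "ts|host|image|dst_host|url_path" (hypothetical).
SAMPLE_LOG = r"""
2026-06-28T09:01:02Z|WS-017|C:\Program Files\Google\Chrome\chrome.exe|web.telegram.org|/k/
2026-06-28T09:01:05Z|WS-017|C:\Users\bob\AppData\Roaming\svchost.exe|api.telegram.org|/bot123456789:AAFexampleTokenForIllustrationOnly12/getUpdates
2026-06-28T09:01:35Z|WS-017|C:\Users\bob\AppData\Roaming\svchost.exe|api.telegram.org|/bot123456789:AAFexampleTokenForIllustrationOnly12/sendDocument
2026-06-28T09:02:00Z|SRV-BOT|C:\Services\alertbot\alertbot.exe|api.telegram.org|/bot987654321:AAEanotherFakeTokenUsedByCorpAlertBot1/sendMessage
2026-06-28T09:02:11Z|WS-022|C:\Windows\System32\svchost.exe|update.microsoft.com|/v1/
"""

# Bot API URLs are /bot<token>/<method>; the token shape is a heuristic assumption.
BOT_API_RE = re.compile(r"^/bot(?P<token>\d{6,12}:[A-Za-z0-9_-]{30,40})/(?P<method>[A-Za-z]+)")
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
# Hypothetical allowlist of in-house bots that legitimately use the Bot API.
ALLOWED_BOT_IMAGES = {r"c:\services\alertbot\alertbot.exe"}
TASKING = {"getUpdates"}                                # long-polling for operator commands
EXFIL = {"sendMessage", "sendDocument", "sendPhoto"}    # pushing data out of the host


@dataclass
class Finding:
    ts: str
    host: str
    image: str
    token: str
    method: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Dict[str, str]:
    ts, host, image, dst, path = line.split("|", 4)
    return {"ts": ts, "host": host, "image": image, "dst": dst, "path": path}


def hunt(log_text: str, known_tokens=frozenset()) -> List[Finding]:
    """Return one Finding per Bot API request from a non-allowlisted process."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["dst"].lower() != "api.telegram.org":
            continue
        m = BOT_API_RE.match(ev["path"])
        if not m:
            continue
        image = ev["image"].lower()
        if image in ALLOWED_BOT_IMAGES:
            continue
        token, method = m.group("token"), m.group("method")
        reasons = ["Bot API request from a non-allowlisted process"]
        if USER_WRITABLE.search(ev["image"]):
            reasons.append("image runs from a user-writable directory")
        base = image.rsplit("\\", 1)[-1]
        if base in SYSTEM_NAMES and "\\windows\\" not in image:
            reasons.append(f"{base} running outside the Windows directory")
        if method in TASKING:
            reasons.append("getUpdates polling is consistent with C2 tasking")
        elif method in EXFIL:
            reasons.append(f"{method} suggests data leaving the host")
        if token in known_tokens:
            reasons.append("token matches an identifier recovered from a sample")
        findings.append(Finding(ev["ts"], ev["host"], ev["image"], token, method, reasons))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, Dict[str, set]]:
    """Group by token so one operator's bot shows up once with its hosts, images and methods."""
    by_token: Dict[str, Dict[str, set]] = defaultdict(
        lambda: {"hosts": set(), "images": set(), "methods": set()})
    for f in findings:
        by_token[f.token]["hosts"].add(f.host)
        by_token[f.token]["images"].add(f.image)
        by_token[f.token]["methods"].add(f.method)
    return dict(by_token)


if __name__ == "__main__":
    recovered = {"123456789:AAFexampleTokenForIllustrationOnly12"}  # e.g. from a decoded RCDATA config
    for f in hunt(SAMPLE_LOG, known_tokens=recovered):
        print(f.ts, f.host, f.method, "|", "; ".join(f.reasons))
    print(summarize(hunt(SAMPLE_LOG, known_tokens=recovered)))
```

The allowlist is what keeps this usable where Telegram bots are legitimate: the rule never has to block api.telegram.org, it only has to notice a process that is not on the list calling getUpdates in a loop or pushing documents. Grouping by token is the pivot that turns several hosts' events into one campaign, and a token match against the decoded config is the validation step the text calls for before a recovered identifier is trusted.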

Conclusion

Millenium RAT’s latest build does not reinvent malware, but it does show how attackers can steadily remove the easy clues. The broader lesson is simple: when control is pushed into legitimate services and config is buried inside the binary itself, defenders need to think less like string-searchers and more like binary analysts.

WIKICROOK

  • RAT: Remote Access Trojan, malware designed to let an operator control an infected system.
  • RCDATA: A Windows resource type used to store arbitrary binary data inside an executable.
  • Base64: A reversible encoding scheme commonly used to represent binary data as text.
  • XOR obfuscation: A reversible masking method often used to hide data rather than truly encrypt it.
  • Telegram Bot API: A documented interface that bots can use to send and receive messages through Telegram.