A new remote access trojan (RAT) being sold on cybercrime networks enables double extortion attacks on Windows machines by bundling ransomware and data theft, along with credential and cryptocurrency stealers, live surveillance, and a whole host of other illicit capabilities, all controllable from a centralized dashboard.
BlackFog researchers first spotted the malware, called Steaelite and touted as “fully undetectable” and the “best Windows RAT,” in November 2025. It works across Windows 10 and 11, with an Android module reportedly in development.
Steaelite’s operator interface runs entirely in the browser, and the RAT starts stealing victims’ data even before the criminals open the dashboard.
“When a new victim connects, Steaelite automatically harvests browser-stored passwords, session cookies, and application tokens before the operator issues any commands,” according to the AI-based security shop. “Data theft begins at the moment of connection.”
The dashboard includes a primary toolbar plus two additional sections, with the primary toolbar alone including modules for remote code execution, file management, live streaming, webcam and microphone access, process management, clipboard monitoring, password recovery, installed program enumeration, location tracking, arbitrary file execution, URL opening, DDoS attacks, and VB.NET payload compilation.
If a criminal is seeking more – like locking up victims’ files and extorting them for cryptocurrency – an “advanced tools” panel includes capabilities for ransomware deployment, hidden RDP, Windows Defender disabling and exclusion management, and persistence installation.
Plus, a third “developer tools” panel adds keylogging, client-to-victim chat, file searching, USB spreading, a bot-killing feature that removes competing malware, message box delivery, wallpaper modification, UAC bypass, and a clipper that swaps cryptocurrency wallet addresses during copy-paste operations.
The clipper can silently transfer the victims’ cryptocurrency to the attacker – without the victim ever knowing – by monitoring the clipboard for wallet addresses and replacing them with an attacker-controlled address before the paste completes.
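The swap described above leaves a recognizable trace for defenders: an address-shaped clipboard value replaced by a different address of the same type faster than a person could re-copy. The following Python is an added example, not taken from BlackFog's report or this article, that flags that pattern in a constructed list of clipboard events; the `(timestamp, text)` event format, the one-second window and the simplified address patterns are assumptions.

```python
import re

# Simplified address shapes (assumption: enough for a heuristic, not full validation).
ADDRESS_PATTERNS = {
    "btc-base58": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def address_kind(text):
    """Return the address family the whole clipboard text matches, else None."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return kind
    return None

def find_swaps(events, window=1.0):
    """Flag an address replaced by a different address of the same family
    within `window` seconds, which is faster than a person re-copies."""
    findings = []
    for (t_prev, prev), (t_new, new) in zip(events, events[1:]):
        kind = address_kind(prev)
        if kind is None or kind != address_kind(new):
            continue
        if prev.strip() != new.strip() and (t_new - t_prev) <= window:
            findings.append({"kind": kind, "copied": prev.strip(),
                             "replaced_by": new.strip(),
                             "delay": round(t_new - t_prev, 3)})
    return findings

# Constructed sample data: placeholder addresses and timestamps, not real wallets.
ETH_A = "0x" + "a" * 40
ETH_B = "0x" + "b" * 40
BTC_A = "1" + "A" * 30
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (10.0, ETH_A),   # user copies a destination address
    (10.3, ETH_B),   # replaced 0.3 s later by another address: flagged
    (50.0, ETH_A),   # user copies again 39.7 s later: not flagged
    (60.0, BTC_A),   # different address family: not flagged
    (60.2, "done"),
]

if __name__ == "__main__":
    for finding in find_swaps(SAMPLE_EVENTS):
        print(finding)
```

The same comparison applies at payment time: a wallet or payment form can check the pasted destination against the address the user originally selected before a transfer is confirmed.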
“The listing has been bumped consistently across multiple forum threads with 87 messages at the time of writing, and a promotional video demonstrating the tool’s capabilities has been published on YouTube, a common distribution tactic for commercial remote access trojans looking to reach buyers outside of traditional forum ecosystems,” BlackFog wrote.
In addition to being an all-in-one RAT, this new malware makes it even easier for would-be criminals to pull off double extortion attacks – where the crooks first steal data, then encrypt victims’ systems, and threaten to leak the stolen files if the victim refuses to pay a ransom.
“Previously, double extortion required malware for initial access and exfiltration, then a separate ransomware payload for encryption, often involving coordination between initial access brokers and ransomware affiliates,” BlackFog’s team wrote. “Steaelite puts both in the same interface, and the automated credential harvesting means data theft fires before the operator even interacts with the dashboard.”
Additionally, once the Android version goes live – and assuming it works as planned – a single Steaelite license could cover corporate Windows computers as well as the mobile devices employees use for authentication and messaging, the researchers note.
