
Millenium RAT Infects 60,000 Devices in Global Cyber Campaign


Group-IB's telemetry counted 62,289 infections of a Telegram-controlled remote access trojan called Millenium RAT, with 39,730 of those compromises occurring in the first quarter of 2026 alone.

The rewrite: from .NET to native C++

Millenium RAT first emerged in 2023 as a .NET program. According to Group-IB’s new analysis, the malware’s latest iteration — identified as version four — has been rewritten as a native C++ application and no longer depends on the .NET framework. The new build links against libcurl to communicate with Telegram. Group-IB says this architectural change “helps it evade weaker detection tools,” a direct result of removing a conspicuous runtime dependency and compiling to native code.

Command-and-control over the Telegram Bot API

Rather than operating its own command servers, Millenium RAT instructs infected hosts through the Telegram Bot API. Group-IB highlights the operational advantage: routing commands through a legitimate, widely used messaging service lets the malware “hide its traffic among normal network activity.” The trojan uses libcurl calls to reach Telegram and receives operator instructions through that channel.
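To make the "hide its traffic among normal network activity" point concrete from the defender's side, here is an added example (not code from Group-IB's report or from the malware) that runs a simple check over constructed Sysmon-style network-connection events: it flags any process outside an assumed allowlist of browsers and the official Telegram client that reaches api.telegram.org, and separately notes binaries carrying a Windows system-file name that run from outside the Windows directory. The allowlist, the system-name list and the sample events are assumptions, not values from the report.

```python
import ntpath

# Telegram Bot API host the trojan reaches through libcurl (named in the report).
TELEGRAM_API_HOST = "api.telegram.org"

# ASSUMED allowlist of processes that legitimately talk to Telegram in an
# environment: browsers and the official desktop client. Tune for your fleet.
EXPECTED_TELEGRAM_CLIENTS = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# ASSUMED names a sample might borrow when "masquerading as a Windows system
# file"; the report does not say which name is used.
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}
WINDOWS_DIR = "c:\\windows\\"

# Constructed sample events in a Sysmon Event ID 3 style (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_host": "api.telegram.org"},
    {"image": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe", "dest_host": "api.telegram.org"},
    {"image": r"C:\Users\bob\Downloads\cheat_loader.exe", "dest_host": "api.telegram.org"},
    {"image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "dest_host": "api.telegram.org"},
    {"image": r"C:\Windows\System32\svchost.exe", "dest_host": "update.microsoft.com"},
]


def classify_event(event):
    """Return a reason string if the event looks like Bot API C2 traffic, else None."""
    if event.get("dest_host", "").lower() != TELEGRAM_API_HOST:
        return None  # only Bot API destinations are of interest here
    image = event.get("image", "")
    name = ntpath.basename(image).lower()  # ntpath handles Windows paths on any OS
    if name in SYSTEM_BINARY_NAMES and not image.lower().startswith(WINDOWS_DIR):
        return f"system binary name '{name}' running outside the Windows directory reached the Bot API"
    if name not in EXPECTED_TELEGRAM_CLIENTS:
        return f"unexpected process '{name}' reached the Telegram Bot API"
    return None  # an allowlisted client talking to Telegram is expected


def flag_telegram_c2(events):
    """Apply classify_event to each event and collect the suspicious ones."""
    findings = []
    for ev in events:
        reason = classify_event(ev)
        if reason:
            findings.append({"image": ev["image"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in flag_telegram_c2(SAMPLE_EVENTS):
        print(finding["image"], "->", finding["reason"])
```

Because the Bot API traffic is HTTPS, the destination host must come from DNS, proxy or TLS SNI logs (or Sysmon's DestinationHostname field) rather than from the request contents.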

Capabilities, privilege escalation, and persistence

As a full remote access trojan, Millenium RAT can steal browser data, log keystrokes, capture screenshots and record audio. It can also download and execute additional files; Group-IB observed that some commands are capable of encrypting files or triggering a blue screen. The firm noted the malware uses no software exploits — it relies on standard Windows functions and attempts to gain elevated rights by displaying a standard User Account Control (UAC) prompt and awaiting user approval. Once installed, the malware commonly masquerades as a Windows system file before exfiltrating data.

Distribution model, pricing, and the Y2K Operators

Millenium RAT is sold as a cheap malware-as-a-service (MaaS). Group-IB linked sales activity to a developer using the name ShinyEnigma, who markets the tool on underground forums, on GitHub and through a dedicated website. The advertised pricing is $50 for the first month, $10 per month thereafter, or $90 for lifetime access. Group-IB attributes the campaigns deploying Millenium RAT to a cluster it tracks as the Y2K Operators; that cluster’s operations account for the 62,289 infections across more than 160 countries that Group-IB observed.

Distribution tactics and operational tradecraft

Group-IB observed the Y2K Operators leaning heavily on social engineering. The attackers spread Millenium RAT through booby-trapped downloads disguised as game cheats, cracked software and hacking tools. In one documented tactic, operators backdoored popular criminal tools such as AsyncRAT and XWorm, effectively turning tools used by other attackers into delivery mechanisms so that “other attackers infect themselves.” The combination of low price and social-engineering lures, Group-IB warns, places a capable trojan within reach of low-skilled attackers.

What this means for technologists, end users, and criminal tool developers

  • Technologists and security teams: Group-IB’s findings signal a shift in detection challenges — native C++ builds that traffic through legitimate messaging APIs can be harder to spot with tools tuned to .NET indicators. Teams will need to watch for unusual Telegram API communications and should not assume that detections written for the earlier .NET build still cover the native rewrite.
  • End users and administrators: The malware’s lack of exploits and reliance on a UAC prompt means the firm’s clear advice applies: be wary of unexpected elevation prompts and avoid running files from untrusted sources. Booby-trapped downloads disguised as game cheats and cracked software were a primary infection vector.
  • Criminal tool developers and operators: The Y2K Operators’ tactic of backdooring widely used illicit tools demonstrates a self-propagating distribution strategy; developers and users of such tools are at risk of inadvertent self-infection when grabbing compromised builds.

Group-IB expects the Millenium RAT codebase to continue evolving, with new features and anti-forensic techniques likely to appear in future versions. The combination of a cheap subscription model, Telegram-based command infrastructure and a native rewrite means defenders face a low-cost, widely distributed trojan that can hide its traffic in legitimate messaging flows — and that the next iteration may be harder to detect still.
