A remote access trojan (RAT) known as Steaelite combines credential theft, ransomware, distributed denial-of-service (DDoS) attacks and more into a single web panel, Black Fog revealed in a report Tuesday.The RAT, which has been advertised on cybercrime forums since November 2025, targets machines running Windows 10 and 11 with full remote desktop control including live streaming of webcam and microphone feeds.The malware-as-a-service (MaaS) immediately begins stealing passwords and cookies stored in browsers as soon as a new victim connects, with screenshots showing data “dump” notifications made through a Discord bot integration.The all-in-one panel, accessible via browser, provides various modules for victim management and post-exploitation activity. For example, a remote code execution (RCE) module allows users to deploy commands with the click of a button and receive the output in their browser. The file manager module allows the attacker to freely browse and download files from the victim’s directories through the web panel.
Related reading:
Black Fog also noted two additional panel sections titled “Developer Tools” and “Advanced Tools.” The Developer Tools section includes modules such as a keylogger, User Account Control (UAC) bypass tool, bot killer to remove competing malware, crypto clipper to replace copied crypto wallets with the attacker’s own wallet and message box to display pop dialog boxes for social engineering.The Developer section also includes a client-to-victim chat module, while the Advanced section includes a module for ransomware deployment, enabling Steaelite customers to conduct double extortion attacks via the panel. Other Advanced tools include a hidden Remote Desktop Protocol (RDP) module, Windows Defender management modules and a module for installing additional payloads.Modules for process management, clipboard management, password recovery, VB.NET compilation and launching DDoS attacks are also available through the Steaelite panel. Black Fog noted that a pop up advertising an upcoming Android ransomware tool appears upon logging in to the dashboard, demonstrating the MaaS’ continued development and addition of new features.Steaelite’s Telegram channel has more than 900 members and forum listings for the MaaS have received 87 replies, according to Black Fog, indicating significant interest in the service among cybercriminals. The researchers warn that tools like Steaelite make it easier for attackers to conduct double extortion attacks without the need to coordinate between initial access brokers, affiliate-based ransomware gangs and separate payloads for access, exfiltration and encryption.“For organizations, the line between data theft and ransomware is disappearing at the tooling level. Stopping ransomware at the point of encryption is too late if the data has already left through the same tool’s exfiltration modules,” Black Fog concludes.
Ransomware, Threat Intelligence, Malware
All-in-one RAT combines credential theft, ransomware, DDoS and more
An In-Depth Guide to Ransomware
Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds