Millennium RAT Rewritten in C++, Infects 62,000 Devices in 160 Countries
Group-IB tracks Y2K Operators distributing upgraded Millennium RAT through game cheats and cracked software. Telegram serves as C2 channel.
Group-IB researchers have documented a major upgrade to Millennium RAT, with version 4 rewritten entirely in C++ and distributed through a malware-as-a-service model for as little as $50 per month. The threat actor cluster tracked as Y2K Operators has infected 62,289 devices across 160 countries, with 39,730 infections occurring in Q1 2026 alone.
The rewrite drops the .NET framework dependency that made earlier versions easier to detect. Native C++ compilation, combined with libcurl for network communications, helps the malware evade weaker endpoint detection tools.
Telegram as Command and Control
Millennium RAT operators don't need their own infrastructure. The malware uses Telegram's Bot API to poll for commands and exfiltrate data, turning a legitimate messaging platform into a covert C2 channel. Bot API calls are ordinary HTTPS requests to api.telegram.org, so the traffic is encrypted in transit, rides on highly available infrastructure the operator never has to maintain, and looks like routine web traffic to a well-known domain. The one artifact the design cannot hide is the bot token: the Bot API places it in the request path (/bot<token>/<method>), so any TLS-inspecting proxy sees exactly which bot a host is talking to.
For threat actors, the barrier to entry is minimal: buy a subscription, generate a Telegram bot token, and start deploying.
What Millennium RAT Steals
The malware functions as both a remote access trojan and an infostealer:
- Browser credentials and cookies from Chromium and Firefox-based browsers
- Telegram and Discord session data
- Cryptocurrency wallet files
- Screenshots and webcam captures
- Audio recordings via microphone access
- Keystroke logging
- System and hardware information
It can also encrypt victim files, though ransomware functionality appears secondary to data theft.
Distribution Through Game Cheats
Y2K Operators rely heavily on social engineering, spreading Millennium RAT through:
- Game cheat programs and trainers
- Cracked software and keygens
- Fake hacking tools
- Pirated applications
These distribution channels target a demographic less likely to run enterprise security tools and more likely to disable antivirus when software installation fails.
Geographic Spread
The 62,289 confirmed infections span 160 countries. Group-IB's telemetry shows acceleration rather than plateau—nearly two-thirds of total infections occurred in 2026's first three months. The MaaS model means multiple operators are running independent campaigns using the same malware.
Detection Challenges
The C++ rewrite eliminates the artifacts that detection rules written for .NET malware rely on. Telegram C2 removes the other usual tells: there is no attacker-registered domain, no bare IP address, and the destination presents a valid certificate for a domain many users reach legitimately. Security teams may miss Millennium RAT unless they are specifically looking for it.
Organizations should monitor for:
- HTTPS requests to api.telegram.org from workstations, especially requests to /bot<token>/ paths (getUpdates, sendDocument, sendMessage) from processes that are not a browser
- libcurl in unexpected processes: a bundled libcurl DLL or curl strings in the binary, and HTTPS requests that carry no User-Agent header, which is libcurl's default
- Reads of browser credential stores (Chromium Login Data and Cookies databases, Firefox logins.json and key4.db) by processes other than the browser itself
- Outbound uploads of browser profile data, wallet files, or session files to a destination the host has not previously contacted
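The Bot API path structure described above and the first two items in this monitoring list can be turned into a simple hunt over proxy logs. The following is an added example written for this article, not code from Group-IB or from the Millennium RAT operators. The log format is constructed (one line per HTTPS request, as a TLS-inspecting proxy or EDR might record it), and the field names, the process allowlist and the User-Agent heuristic are assumptions to be tuned per environment.

```python
"""Flag Telegram Bot API command-and-control in web-proxy logs.

Added example for the article, not code from Group-IB or from the Millennium
RAT operators. The log format below is constructed; the field names, the
process allowlist and the User-Agent heuristic are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Every Bot API call carries the bot token in the URL path: /bot<id>:<secret>/<method>.
# The token shape (numeric id, colon, alphanumeric secret) follows the public Bot API
# documentation; the secret pattern is kept loose on purpose.
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)")

TASKING_METHODS = {"getUpdates", "getMe"}            # polling for operator commands
EXFIL_METHODS = {"sendDocument", "sendMessage",       # pushing stolen data to the operator
                 "sendPhoto", "sendAudio", "sendVideo"}

# Processes that may legitimately reach api.telegram.org on a workstation. Telegram
# Desktop speaks MTProto to Telegram's data centres rather than the HTTPS Bot API,
# so this list is short. Assumption: tune it to your own environment.
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) '
    r'ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)

# Constructed sample: one benign browser session, one beaconing non-browser process.
SAMPLE_LOG = """\
2026-06-12T09:00:01Z proc=chrome.exe dst=api.telegram.org ua="Mozilla/5.0" path=/bot111111:AAAbbbCCC/getMe
2026-06-12T09:00:05Z proc=updater.exe dst=api.telegram.org ua="" path=/bot777777:AAHtok3n-x_y/getUpdates?offset=1&timeout=30
2026-06-12T09:00:35Z proc=updater.exe dst=api.telegram.org ua="" path=/bot777777:AAHtok3n-x_y/getUpdates?offset=2&timeout=30
2026-06-12T09:01:02Z proc=updater.exe dst=api.telegram.org ua="" path=/bot777777:AAHtok3n-x_y/sendDocument
2026-06-12T09:01:10Z proc=outlook.exe dst=outlook.office365.com ua="Microsoft Office/16.0" path=/mapi/emsmdb
2026-06-12T09:02:00Z proc=chrome.exe dst=api.telegram.org ua="Mozilla/5.0" path=/bot111111:AAAbbbCCC/getUpdates
"""


@dataclass
class Finding:
    ts: str
    process: str
    bot_id: str
    method: str
    reasons: list = field(default_factory=list)


def analyse(lines):
    """Return one Finding per Bot API request made by a non-allowlisted process."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["dst"] != "api.telegram.org":
            continue
        bot = BOT_PATH.match(m["path"])
        if not bot:
            continue  # api.telegram.org without a /bot<token>/ path is not Bot API traffic
        bot_id, _secret, method = bot.groups()
        if m["proc"].lower() in ALLOWED_PROCESSES:
            continue
        reasons = ["bot_api_from_unexpected_process"]
        if method in TASKING_METHODS:
            reasons.append("tasking:" + method)
        if method in EXFIL_METHODS:
            reasons.append("upload:" + method)
        # libcurl sends no User-Agent unless the caller sets one; browsers always do.
        # Treat an empty or "curl/" agent as a supporting signal, not as proof.
        if m["ua"] == "" or m["ua"].startswith("curl/"):
            reasons.append("libcurl_style_user_agent")
        findings.append(Finding(m["ts"], m["proc"], bot_id, method, reasons))
    return findings


def bots_by_process(findings):
    """Group findings by (process, bot id) so a beaconing process stands out."""
    summary = defaultdict(set)
    for f in findings:
        summary[(f.process, f.bot_id)].add(f.method)
    return dict(summary)


if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h.ts, h.process, "bot", h.bot_id, h.method, ", ".join(h.reasons))
    print(bots_by_process(hits))
```

On the constructed sample the browser's own Bot API calls are allowlisted away and the three requests from updater.exe surface as a single process polling getUpdates and then calling sendDocument through one bot. The bot id and token in a finding identify the operator's bot; hand them to incident response rather than querying the bot yourself, since any interaction is visible to the operator.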
The server-side credential theft trend we've covered makes infostealers particularly dangerous right now. Even if you detect and remove the malware, any credentials it captured may already be in attacker hands—feeding into ransomware pipelines or sold on credential markets.
For readers unfamiliar with how malware operates, our malware fundamentals guide covers the basics of detection and defense.