PROBABLYPWNED
Malware | July 5, 2026 | 3 min read

Millennium RAT Rewritten in C++, Infects 62,000 Devices in 160 Countries

Group-IB tracks Y2K Operators distributing upgraded Millennium RAT through game cheats and cracked software. Telegram serves as C2 channel.

James Rivera

Group-IB researchers have documented a major upgrade to Millennium RAT, with version 4 rewritten entirely in C++ and distributed through a malware-as-a-service model for as little as $50 per month. The threat actor cluster tracked as Y2K Operators has infected 62,289 devices across 160 countries, with 39,730 infections occurring in Q1 2026 alone.

The rewrite drops the .NET framework dependency that made earlier versions easier to detect. Native C++ compilation, combined with libcurl for network communications, helps the malware evade weaker endpoint detection tools.

Telegram as Command and Control

Millennium RAT operators don't need their own infrastructure. The malware uses Telegram's Bot API to receive commands and exfiltrate data, turning a legitimate messaging platform into a covert C2 channel. Because the Bot API is ordinary HTTPS to api.telegram.org, the operator gets TLS encryption, Telegram's availability, and traffic that looks like any other connection to a popular consumer service for free.

For threat actors, the barrier to entry is minimal: buy a subscription, generate a Telegram bot token, and start deploying.

What Millennium RAT Steals

The malware functions as both a remote access trojan and an infostealer:

  • Browser credentials and cookies from Chromium and Firefox-based browsers
  • Telegram and Discord session data
  • Cryptocurrency wallet files
  • Screenshots and webcam captures
  • Audio recordings via microphone access
  • Keystroke logging
  • System and hardware information

It can also encrypt victim files, though ransomware functionality appears secondary to data theft.

Distribution Through Game Cheats

Y2K Operators rely heavily on social engineering, spreading Millennium RAT through:

  • Game cheat programs and trainers
  • Cracked software and keygens
  • Fake hacking tools
  • Pirated applications

These distribution channels target a demographic that is less likely to run enterprise security tools and more likely to disable antivirus when a cheat or crack is flagged, which is exactly what the accompanying "installation instructions" usually ask them to do.

Geographic Spread

The 62,289 confirmed infections span 160 countries. Group-IB's telemetry shows acceleration rather than plateau—nearly two-thirds of total infections occurred in 2026's first three months. The MaaS model means multiple operators are running independent campaigns using the same malware.

Detection Challenges

The C++ rewrite eliminates artifacts that detection rules built for .NET malware rely on. Combined with Telegram C2, which produces no attacker-owned domains or IP addresses to blocklist, security teams may miss Millennium RAT unless they are specifically looking for it.

Organizations should monitor for:

  • Unusual Telegram API traffic from workstations
  • libcurl-based network activity from unexpected processes
  • Credential store access patterns typical of infostealers
  • Outbound exfiltration of browser profile data
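
As an added example that is not part of Group-IB's report or this article, the following Python turns the first and third items above, together with the Telegram C2 behaviour described earlier, into detection logic that runs over constructed EDR-style JSON-lines events. It flags any workstation process hitting the Telegram Bot API (classifying polling against data-push methods by the method name in the path), flags non-browser processes reading well-known Chromium and Firefox credential stores, and groups the hits per process so the steal-then-exfiltrate sequence is visible together. The event format, the process name cheat_loader.exe, the bot id and the browser allowlist are assumptions for the example.

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Telegram Bot API requests carry the bot token in the path: /bot<id>:<secret>/<method>
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)")
POLLING_METHODS = {"getUpdates", "getMe"}                       # fetching tasking
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto",      # pushing data out
                 "sendAudio", "sendVideo"}

# Suffixes of files holding browser secrets (standard Chromium and Firefox profile layouts).
CREDENTIAL_STORES = (
    "/user data/default/login data",
    "/user data/default/network/cookies",
    "/user data/default/cookies",
    "/logins.json",
    "/key4.db",
    "/cookies.sqlite",
)
# Processes that legitimately read those stores. Assumed allowlist; tune per environment.
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    proc: str
    rule: str
    detail: str


def check_net(ev: dict) -> Optional[Finding]:
    """Flag Bot API use from a workstation process and classify it by API method."""
    if ev.get("dst") != "api.telegram.org":
        return None
    m = BOT_PATH.match(ev.get("path", ""))
    if not m:
        return None                      # web.telegram.org or a non-bot path: not interesting here
    method = m["method"]
    if method in EXFIL_METHODS:
        rule = "telegram-bot-exfil"
    elif method in POLLING_METHODS:
        rule = "telegram-bot-polling"
    else:
        rule = "telegram-bot-other"
    # Record the numeric bot id only. The secret half of the token is operator credential
    # material and should not be copied into tickets or dashboards.
    detail = f"bot_id={m['bot_id']} method={method} bytes_out={ev.get('bytes_out', 0)}"
    return Finding(ev["host"], ev["proc"], rule, detail)


def check_file(ev: dict) -> Optional[Finding]:
    """Flag non-browser processes reading browser credential or cookie stores."""
    if ev["proc"].lower() in BROWSER_PROCS:
        return None
    path = ev.get("path", "").replace("\\", "/").lower()   # normalise Windows paths
    if not any(path.endswith(s) for s in CREDENTIAL_STORES):
        return None
    return Finding(ev["host"], ev["proc"], "credential-store-read", path)


def scan(events_jsonl: str) -> list:
    """Run both rules over JSON-lines events; each line has a 'kind' of 'net' or 'file'."""
    findings = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        f = check_net(ev) if ev["kind"] == "net" else check_file(ev)
        if f:
            findings.append(f)
    return findings


def by_process(findings) -> dict:
    """Group rule hits per (host, process) so stealer reads and C2 traffic show up side by side."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[(f.host, f.proc)].add(f.rule)
    return dict(grouped)


# Constructed sample telemetry (not real data): a browser touching its own store and opening
# Telegram Web is benign; an unknown process reading two credential stores and then talking to
# the Bot API is the pattern described in the article.
SAMPLE_EVENTS = r"""
{"ts":"2026-04-02T09:14:02Z","host":"WS-1042","proc":"chrome.exe","kind":"file","path":"C:\\Users\\jr\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2026-04-02T09:14:02Z","host":"WS-1042","proc":"chrome.exe","kind":"net","dst":"web.telegram.org","verb":"GET","path":"/k/","bytes_out":0}
{"ts":"2026-04-02T09:14:05Z","host":"WS-1042","proc":"cheat_loader.exe","kind":"file","path":"C:\\Users\\jr\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2026-04-02T09:14:06Z","host":"WS-1042","proc":"cheat_loader.exe","kind":"file","path":"C:\\Users\\jr\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ab12cd34.default-release\\logins.json"}
{"ts":"2026-04-02T09:14:09Z","host":"WS-1042","proc":"cheat_loader.exe","kind":"net","dst":"api.telegram.org","verb":"GET","path":"/bot7123456789:AAF1a2B3c4D5e6F7g8H9i0JkLmNoPqRsTuV/getUpdates?offset=0","bytes_out":0}
{"ts":"2026-04-02T09:14:12Z","host":"WS-1042","proc":"cheat_loader.exe","kind":"net","dst":"api.telegram.org","verb":"POST","path":"/bot7123456789:AAF1a2B3c4D5e6F7g8H9i0JkLmNoPqRsTuV/sendDocument","bytes_out":184320}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host} {f.proc:18} {f.rule:22} {f.detail}")
```

One caveat worth stating: the Bot API runs over TLS, so the path, and with it the token and the method name, is only visible from endpoint HTTP telemetry or a proxy doing TLS inspection. With network data alone you still see DNS and SNI for api.telegram.org, and on hosts with no business reason to reach that name that alone is worth an alert.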

The server-side credential theft trend we've covered makes infostealers particularly dangerous right now. Even if you detect and remove the malware, any credentials it captured may already be in attacker hands—feeding into ransomware pipelines or sold on credential markets.

For readers unfamiliar with how malware operates, our malware fundamentals guide covers the basics of detection and defense.
