Threat Actor Characterization

Millenium RAT

ID: ad253209ab14560e6435956c924425c062843
Crimeware RAT Spyware/Stealer
Threat types: Malware, RAT, Remote Access Trojan, Stealer
Unknown
Updated: 2026-03-30
Created: 2026-03-30
Progress: 84% Completeness: 81% Freshness: 90%
Operation zone:
Aliases: MilleniumRAT
MITRE ATT&CK®

Millenium RAT is a Windows-focused commodity remote access trojan and stealer publicly marketed through GitHub-linked exposure, a dedicated website, and direct-contact channels. Public reporting and operator-controlled sources show Telegram-based control, credential theft, keylogging, anti-analysis features, and optional persistence and disruptive functions.


Technique | Technique name | Tactics | Evidence

T1102.002 | Bidirectional Communication | TA0011
  • 2023-11-03 — Vendor reporting states the malware supports remote command execution through the Telegram platform and leverages the Telegram API for communication and file transmission.
  • 2026-03-30 — Actor-controlled site states the tool is fully Telegram-controlled and requires no dedicated server for usage.

T1555 | Credentials from Password Stores | TA0006
  • 2023-11-03 — Vendor reporting says the malware captures browser data and is intended to exploit sensitive information.
  • 2026-03-30 — Actor-controlled site advertises browser data theft including passwords.

T1539 | Steal Web Session Cookie | TA0006
  • 2026-03-30 — Actor-controlled site advertises theft of browser cookies and related browser data.

T1056.001 | Keylogging | TA0006, TA0009
  • 2023-11-03 — Vendor reporting states the malware specializes in capturing keystrokes.
  • 2026-03-30 — Actor-controlled site advertises keylogger functionality and configurable keylogger filename options are noted in vendor reporting.

T1082 | System Information Discovery | TA0007
  • 2023-11-03 — Vendor reporting states the malware harvests system information.
  • 2026-03-30 — Actor-controlled site advertises collection of PC information including CPU, GPU, RAM, country, and IP.

T1497.001 | System Checks | TA0005, TA0007
  • 2023-11-03 — Vendor reporting describes evasion tactics targeting sandbox environments.
  • 2026-03-30 — Actor-controlled site advertises Anti-VM and Anti-DoubleLaunch capabilities.

T1622 | Debugger Evasion | TA0005, TA0007
  • 2023-11-03 — Vendor reporting explicitly references anti-debugging measures.

T1059.001 | PowerShell | TA0002
  • 2026-03-30 — Actor-controlled site advertises remote PowerShell command execution.

T1059.003 | Windows Command Shell | TA0002
  • 2026-03-30 — Actor-controlled site advertises remote CMD command execution.

T1547.001 | Registry Run Keys / Startup Folder | TA0003, TA0004
  • 2026-03-30 — INFERENCE (confidence: medium): the advertised 'Auto-StartUp' feature indicates likely use of common Windows autorun persistence mechanisms such as Run keys or Startup folder entries.

T1125 | Video Capture | TA0009
  • 2026-03-30 — Actor-controlled site advertises webcam capture capability.

T1005 | Data from Local System | TA0009
  • 2026-03-30 — Actor-controlled site advertises one-command desktop file grabbing and file/folder copy, delete, download, upload, and list actions.

T1204 | User Execution | TA0002
  • 2026-03-30 — INFERENCE (confidence: medium): as a publicly sold commodity RAT, deployment likely relies on user-triggered execution of a delivered binary or trojanized file.

T1486 | Data Encrypted for Impact | TA0040
  • 2026-03-30 — INFERENCE (confidence: low-medium): the current operator site advertises encrypting/decrypting user files, suggesting potential impact-oriented functionality, but incident-rich public reporting remains limited.

Strategic Intelligence
Last updated: 2026-03-30T03:42:43+00:00
Millenium RAT — Telegram-Controlled Commodity RAT / Stealer Ecosystem

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: Malware / Remote Access Trojan (RAT) / Stealer — Origin: Unclear; public sales and developer-facing channels are openly exposed online.

Author: iQBlack CTI Team


Executive Summary

Millenium RAT is a commodity Windows remote access trojan and stealer family publicly marketed through GitHub-linked exposure, a dedicated website, and direct messaging channels. Public reporting from late 2023 first documented versions 2.4 and 2.5, while operator-controlled infrastructure visible in 2025–2026 indicates continued development into the 4.x branch.


The malware is notable less for elite tradecraft than for accessibility, modularity, and the low barrier it creates for less-skilled operators. Publicly advertised features include Telegram-based command-and-control, browser credential and cookie theft, Discord token theft, Telegram data access, keylogging, webcam/microphone capture, privilege elevation, startup persistence, anti-VM and anti-debug logic, and optional destructive or disruptive actions such as encrypting user files or forcing a BSOD.

IOC Appendix
Last updated: 2026-03-30T03:47:04+00:00

IOC Appendix — Millenium RAT

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

OSINT Library
Last saved: 2026-03-30T03:47:21+00:00

OSINT Library — Millenium RAT


2023-11-03 — CYFIRMA — “Unveiling a New Threat The Millenium RAT”

Social Media & Communication
SOCMINT integrated: 0/3

Address | Verification | SOCMINT
t.me/mil********** | Restricted | Not integrated
app.element.io | Restricted | Not integrated
milleniumrat.online | Restricted | Not integrated
Notes: preview mode hides sensitive social/contact details.