Triton Uses Telegram, a RAT with advanced Python-based malware that uses Telegram for command and control, making detection harder. Initially targeting Roblox users, it focuses on extracting credentials and bypassing two-factor authentication. The RAT retrieves a Telegram Bot token and chat ID from Pastebin using Base64-encoded URLs, establishing covert communication with the attacker. Once deployed, Triton offers full system control, including keylogging, password theft, screen recording, webcam access, and clipboard exfiltration.
The malware specifically targets saved credentials in browsers like Chrome, Brave, and Firefox, focusing on Roblox security cookies. It uses social engineering to gain access, then collects system information, network data, and user account details, which are sent to the attacker via Telegram. Triton also employs advanced persistence techniques by disabling Windows Defender and creating scheduled tasks.
It retrieves secondary payloads, such as “ProtonDrive.exe,” from cloud storage, executing them with administrator privileges.
Triton ensures long-term access by injecting malicious code into system processes and creating hidden folders to store payloads. The RAT also uses a VBScript named “updateagent.vbs” to maintain access even after system reboots.
Triton Uses Telegram: Hides its ability to operate without being detected is enhanced by anti-analysis techniques that block security tools and debugging software, preventing the malware from being discovered.
Triton’s design allows it to maintain persistent control over compromised systems, making it a significant threat. It can steal sensitive data, bypass security measures, and remain undetected, particularly affecting Roblox users. The evolving sophistication of this malware underlines the importance of advanced security measures and constant monitoring to defend against such targeted cyberattacks.
There have been similar attacks on Roblox users, such as Malicious NPM Packages Target Roblox Users.
A cybersecurity campaign has targeted the npm package repository with malicious JavaScript libraries designed to infect Roblox users with data-stealing malware. The rogue packages, such as “node-dlls” and “rolimons-api,” masqueraded as legitimate libraries, exploiting developers’ trust. These malicious packages were designed to be downloaded and executed, secretly deploying two types of stealer malware—Skuld, written in Go, and Blank-Grabber, written in Python. Once the malware is activated, it collects sensitive information from the infected systems and sends it back to the attacker via Discord webhook or Telegram.
