A sophisticated Python-based Remote Access Tool (RAT) named Triton has emerged as a significant threat, utilizing Telegram as its command and control infrastructure.
This malware enables attackers to remotely access and control compromised systems, with particular emphasis on harvesting Roblox credentials and security cookies that can bypass two-factor authentication.
The RAT begins operation by retrieving its Telegram Bot token and chat ID from Pastebin through Base64-encoded URLs, establishing a covert communication channel.
Once deployed, Triton RAT offers comprehensive system control capabilities including keylogging, password theft, screen recording, webcam access, and clipboard data exfiltration.
Cado Security researchers identified this threat while investigating a series of compromises, noting that the RAT’s extensive feature set makes it particularly dangerous in targeted attacks.
Triton RAT Analysis
Analysis revealed the malware’s code contains functions that systematically extract saved credentials from multiple browsers and specifically targets Roblox security cookies (.ROBLOSECURITY) from Chrome, Brave, and Firefox profiles.
The infection leverages social engineering techniques to gain initial access, after which it collects extensive system information including hardware specifications, network configurations, and user account details.
All collected data is efficiently transmitted to the attacker via Telegram, allowing for real-time monitoring and control of the compromised system.
The RAT demonstrates sophisticated persistence tactics by creating multiple components that work together to maintain access.
The malware generates a VBScript file named “updateagent.vbs” that disables Windows Defender and creates scheduled tasks, while a separate BAT script “check.bat” retrieves a binary named “ProtonDrive.exe” from Dropbox.
This secondary payload is stored in a hidden folder structure at “C:\Users\user\AppData\Local\Programs\Proton\Drive” and executed with administrator privileges.
Excerpt of the RAT’s Roblox cookie-harvesting routine, as shown in the report:

import browser_cookie3  # dependency the routine relies on; omitted from the excerpt

def robloxl(message):
    data = []
    try:
        # Open Chrome's cookie store and pull only the Roblox session cookie
        cookies = browser_cookie3.chrome(domain_name='roblox.com')
        for cookie in cookies:
            if cookie.name == '.ROBLOSECURITY':
                data.append(cookie.value)
    except Exception:
        pass  # the report's excerpt is truncated here
    return data
Triton further employs anti-analysis techniques by checking for “blacklisted” processes including debugging tools and antivirus products, demonstrating its creators’ intent to evade detection while maintaining persistent control over compromised systems.
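As an added defender-side example (not code from the Cado report or from the malware), the following Python triages Sysmon-style process and network events for the host and network artefacts described above: the “updateagent.vbs” and “check.bat” scripts, the hidden ProtonDrive.exe path, and the Pastebin and Telegram endpoints. The field names, the sample events, the profile name “alice” and the assumption that the VBS registers its task via schtasks.exe are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Indicators from the Triton RAT report above: script names, the hidden payload path (profile
# name deliberately not matched), Pastebin for config retrieval and Telegram for C2.
INDICATORS: List[Tuple[str, str, str]] = [  # (event field, rule name, regex)
    ("cmdline", "triton.vbs-dropper", r"updateagent\.vbs"),
    ("cmdline", "triton.bat-downloader", r"check\.bat"),
    ("image", "triton.protondrive-payload",
     r"\\appdata\\local\\programs\\proton\\drive\\protondrive\.exe$"),
    ("dest_host", "triton.pastebin-config", r"(^|\.)pastebin\.com$"),
    ("dest_host", "triton.telegram-c2", r"^api\.telegram\.org$"),
]

def triage_events(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (event index, matched rule names) for every event that hits a rule."""
    hits = []
    for i, ev in enumerate(events):
        matched = [name for field, name, pat in INDICATORS
                   if re.search(pat, ev.get(field, ""), re.IGNORECASE)]
        # Behavioural rule (assumption: the VBS registers its task through schtasks.exe):
        # a script host spawning "schtasks /create" is worth flagging even without a name hit.
        if (ev.get("parent_image", "").lower().endswith(("wscript.exe", "cscript.exe"))
                and re.search(r"schtasks(\.exe)?\s+/create", ev.get("cmdline", ""), re.IGNORECASE)):
            matched.append("triton.scripthost-schtasks")
        if matched:
            hits.append((i, matched))
    return hits

def ev(image: str, cmdline: str = "", parent_image: str = "", dest_host: str = "") -> Dict[str, str]:
    return {"image": image, "cmdline": cmdline, "parent_image": parent_image, "dest_host": dest_host}

# Constructed sample telemetry (Sysmon-like fields, not real events); profile "alice" is made up.
TMP = r"C:\Users\alice\AppData\Local\Temp"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
SAMPLE_EVENTS = [
    ev(r"C:\Windows\explorer.exe", "explorer.exe", r"C:\Windows\System32\userinit.exe"),
    ev(WSCRIPT, f'wscript.exe "{TMP}\\updateagent.vbs"', r"C:\Program Files\Python\python.exe"),
    ev(r"C:\Windows\System32\schtasks.exe", "schtasks.exe /create /tn Updater /tr placeholder.exe", WSCRIPT),
    ev(r"C:\Windows\System32\cmd.exe", f'cmd.exe /c "{TMP}\\check.bat"', WSCRIPT),
    ev(r"C:\Users\alice\AppData\Local\Programs\Proton\Drive\ProtonDrive.exe", "ProtonDrive.exe",
       r"C:\Windows\System32\cmd.exe"),
    ev(r"C:\Program Files\Python\python.exe", "python.exe", dest_host="api.telegram.org"),
    ev(r"C:\Program Files\Python\python.exe", "python.exe", dest_host="pastebin.com"),
]

if __name__ == "__main__":
    for idx, rules in triage_events(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], rules)
```

Name-based rules are brittle once the operator renames files, so in practice the schtasks and Telegram rules carry more weight than the file names.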