New Python RAT Targets Gamers via Minecraft

Oct. 22, 2025, 8:06 p.m.

Description

A new multi-function Python RAT has been discovered targeting gamers through Minecraft. The malware, posing as a legitimate Minecraft client called 'Nursultan Client', uses the Telegram Bot API for command and control. Its capabilities include screenshot capture, webcam access, Discord token theft, and opening URLs on victim machines. The malware attempts to persist on Windows systems but has flaws in its implementation. It specifically targets Discord authentication tokens and performs system reconnaissance. The use of Telegram for C2 and the focus on gamers suggest a Malware-as-a-Service model, with the author likely selling customized versions to other threat actors.

Date

  • Created: Oct. 22, 2025, 7:02 p.m.
  • Published: Oct. 22, 2025, 7:02 p.m.
  • Modified: Oct. 22, 2025, 8:06 p.m.

Indicators

  • 847ef096af4226f657cdd5c8b9c9e2c924d0dbab24bb9804d4b3afaf2ddf5a61

Attack Patterns

Additional Information

  • Gaming