
A newly identified remote access trojan (RAT) dubbed Steaelite is streamlining cyberattacks by bringing data theft and ransomware into a single, browser-based control panel, lowering the barrier to entry for would-be cyber criminals.
Security researchers at BlackFog report in a blog post that the tool, which first appeared on ransomware networks in November 2025, gives operators browser-based control over infected Windows machines, covering remote code execution, credential theft, live surveillance, file exfiltration, and ransomware deployment from one dashboard.
This package significantly speeds up attacks and lowers the barrier to entry for criminals, the researchers noted – and comes complete with a promotional YouTube video demonstrating the tool’s capabilities.
The report states it “describes itself as a ‘best Windows RAT’ with ‘fully undetectable’ capabilities,” while advertising compatibility with Windows 10 and 11.
So far, researchers have documented 87 messages mentioning the trojan across multiple threads and forums.
How the Steaelite trojan operates
Inside the Steaelite control panel, everything is designed to make attacks simple and fast.
The browser-based dashboard shows infected machines in real time, displaying system details that help operators quickly assess targets.
From the main toolbar, attackers can run remote commands, browse and download files, stream the victim’s screen, and activate webcams or microphones.
Additional sections group more intrusive capabilities, including installing ransomware, hidden remote desktop access, tracking what victims type, and tools for maintaining access.
A built-in file manager allows data to be exfiltrated with a few clicks, while a cryptocurrency clipper can secretly swap copied wallet addresses to redirect funds.
By placing surveillance, credential theft, file exfiltration and ransomware in one clear interface, the panel removes the need for multiple tools, the researchers emphasize, lowering the technical barrier to entry for those looking to carry out double extortion attacks.
“Previously, double extortion required malware for initial access and exfiltration, then a separate ransomware payload for encryption, often involving coordination between initial access brokers and ransomware affiliates. Steaelite puts both in the same interface.”
BlackFog researcher
Researchers also warn that the malware begins stealing data immediately after infection, allowing full-spectrum extortion.
“When a new victim connects, Steaelite automatically harvests browser-stored passwords, session cookies, and application tokens before the operator issues any commands.”
Android version
The researchers note that the control panel also advertises an Android version of the ransomware currently in development, suggesting the operators plan to expand attacks beyond Windows PCs to target mobile devices.
The report concludes that the combination of features on offer in Steaelite represents a broader shift in ransomware operations.
“For organizations, the line between data theft and ransomware is disappearing at the tooling level,” they warn.