A cheap, Telegram-controlled remote access trojan (RAT) dubbed Millenium RAT has infected over 60,000 Windows devices across more than 160 countries, most of them in the first three months of 2026.
New analysis by security firm Group-IB found that the malware's latest version has been rewritten from the .NET framework to native C++, which helps it evade weaker detection tools.
Millenium RAT is sold cheaply as malware-as-a-service (MaaS) and uses the Telegram Bot API to receive commands, so its operators need no server of their own.
A Rewrite Built to Evade Detection
Millenium RAT first appeared in 2023 as a .NET program. The company said version four drops that dependency entirely, compiling as a native C++ application that uses the libcurl library to talk to Telegram.
Routing commands through a legitimate messaging service lets the malware hide its traffic among normal network activity.
As a full RAT, Millenium RAT can steal data from browsers, log keystrokes, capture screenshots and record audio. It can also download and run other files, and some commands encrypt files or trigger a blue screen.
Group-IB noted the malware uses no exploits, relying entirely on standard Windows functions. It attempts to gain administrative rights by displaying a standard User Account Control (UAC) prompt and hoping the victim approves.
Cheap Subscriptions and Booby-Trapped Lures
A developer using the name ShinyEnigma has been observed selling Millenium RAT on underground forums, on GitHub and through a dedicated website, charging $50 for the first month and $10 a month thereafter, or $90 for lifetime access.
Group-IB attributed the campaigns to a cluster it tracks as the Y2K Operators and said its telemetry counted 62,289 infections, 39,730 in the first quarter of 2026 alone.
The Y2K Operators lean on social engineering, spreading the trojan through booby-trapped downloads disguised as game cheats, cracked software and hacking tools.
In one observed case, the researchers said the operators also target fellow criminals, backdooring popular tools such as AsyncRAT and XWorm so that other attackers infect themselves. Once installed, the malware often masquerades as a Windows system file before exfiltrating data.
With new versions still appearing, Group-IB expects more features and anti-forensic tricks to follow. The firm urged users to be wary of unexpected elevation prompts and to avoid running files from untrusted sources, since the cheap subscription model puts a capable trojan within reach of even low-skilled attackers.
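For defenders, the two behaviours described above (command traffic to the Telegram Bot API and a payload that masquerades as a Windows system file) can be combined into a simple triage rule over DNS or proxy telemetry. The sketch below is an added example, not code from Group-IB or from the malware; the event fields, host names, process allow-list and system file names are constructed assumptions to adapt to your own environment.

```python
import ntpath

# Assumption: Telegram Bot API requests are made to this host.
BOT_API_HOST = "api.telegram.org"
# Assumption: processes expected to reach Telegram in this environment.
EXPECTED_CLIENTS = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Assumption: a few Windows binary names and the only folders they should run from.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "winlogon.exe", "dllhost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample events (not real telemetry): process image + DNS name queried.
EVENTS = [
    {"host": "WS-01", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "query": "api.telegram.org"},
    {"host": "WS-02", "image": r"C:\Users\kim\AppData\Roaming\svchost.exe",
     "query": "api.telegram.org"},
    {"host": "WS-03", "image": r"C:\Users\lee\Downloads\cheat_loader.exe",
     "query": "API.Telegram.org."},
    {"host": "WS-04", "image": r"C:\Windows\System32\svchost.exe",
     "query": "ctldl.windowsupdate.com"},
]

def classify(event):
    """Return None for events of no interest, else a (severity, reason) tuple."""
    # Normalise case and the trailing root dot before comparing host names.
    if event["query"].lower().rstrip(".") != BOT_API_HOST:
        return None
    image = event["image"].lower()
    name, folder = ntpath.basename(image), ntpath.dirname(image)
    # A system file name running from a user-writable path is the stronger signal.
    if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
        return ("high", "system file name outside System32 contacting Bot API")
    if name not in EXPECTED_CLIENTS:
        return ("medium", "unexpected process contacting Bot API")
    return None

def triage(events):
    """Return (host, severity, reason) for every event that needs a look."""
    findings = []
    for event in events:
        verdict = classify(event)
        if verdict:
            findings.append((event["host"], verdict[0], verdict[1]))
    return findings

if __name__ == "__main__":
    for host, severity, reason in triage(EVENTS):
        print(f"{host}: [{severity}] {reason}")
```

Matching on process name alone is a triage heuristic: a payload named after an allow-listed client would pass, so pair the rule with path and signature checks on the flagged image.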
