Home > Security > Security News

Python-Based Triton RAT Threatens Roblox User Account Credentials

Published on March 31, 2025
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

A newly identified threat known as Triton RAT targets Roblox users. This Python-based Remote Access Tool (RAT), openly available on GitHub, allows attackers to compromise systems remotely and exfiltrate sensitive data using Telegram bots. 

With alarming capabilities to steal credentials and bypass security measures, Triton RAT emerges as a significant cybersecurity concern, Cado Security Labs has uncovered.

Triton RAT is designed to retrieve Telegram Bot tokens and chat IDs stored in Base64 format from Pastebin, establishing a communication channel to the attacker-controlled Telegram bot for data exfiltration and command execution.

Function used to search for and exfiltrate Roblox security cookies | Source: Cado Security Labs

Credential theft involves retrieving saved passwords from browsers such as Chrome, Edge, and Firefox. Another concerning aspect is the breach of Roblox accounts, where attackers specifically target Roblox security cookies (.ROBLOSECURITY) to bypass two-factor authentication and gain unauthorized account access. 

Secondary payload retrieved from DropBox | Source: Cado Security Labs

System control capabilities include remote shell command execution, screen recording, webcam access, and file upload/download functionalities. To maintain a persistent presence, it disables Windows Defender using VBScript and creates scheduled tasks for automatic execution upon system startup. 

Additionally, it incorporates anti-analysis mechanisms to detect and evade tools like xdbg, ollydbg, and popular antivirus software.

Triton RAT scans directories such as AppData, decrypting and storing sensitive information like passwords and Roblox security cookies in designated text files. These files are subsequently exfiltrated to the attacker's Telegram bot.

The RAT retrieves a binary named "ProtonDrive.exe" from Dropbox using a BAT script. Stored in hidden file paths, this binary establishes a persistent backdoor by creating scheduled tasks to trigger at user logon.

The malware employs sophisticated defense-evasion techniques, such as file resizing, which may bypass antivirus scans for files exceeding specific size limits.

Roblox users are particularly vulnerable due to the targeting of .ROBLOSECURITY cookies, which facilitate account access without requiring authentication steps. Furthermore, with over 4,500 messages recorded on the associated Telegram bot, the scale of potential infections is concerning, albeit unconfirmed.

Add a Comment
Related
Pixelated image of a skull
New Process Injection Technique ‘Waiting Thread Hijacking’ Is Stealthier Thread Execution Hijacking
malware
TookPS Malware Impersonates UltraViewer, AutoCAD, SketchUp, Ableton Software
BlackSuit Ransomware Fake Zoom Installer
Fake Zoom Installer Deploys BlackSuit Ransomware in Enterprise-Targeted Attack
DeepSeek AI Model Jailbreak Allows Providing Malware Code for ‘Educational Purposes Only’
Nova Malware
Hackers Use Telegram as Malicious C2 Centers to Distribute ‘Nova’ Malware
BianLian ransomware
Black Basta & Cactus Ransomware Leverage MS Teams, Quick Assist, BackConnect in New Campaign
Most Popular
movies 2025
2025 Movie Release Dates: Calendar for Theatrical and Streaming Dates
TV shows February 2025
2025 TV Premiere Dates: New & Returning TV Series Calendar
Alan Ritchson in The Ministry of Ungentlemanly Warfare
War Machine: Know Everything About Alan Ritchson’s new Sci-Fi Movie
Anonymous hackers dressed up with claws and mask carrying out an attack
NighSpire Stole 30GB Data from France’s Municipality of Ardon, Set to Leak it on 30 April
iHostage
iHostage Movie: Decoding the true Story Behind the Harrowing Amsterdam Hostage Crisis
Abby in The Last of Us Season 2 and in The Last of Us Part II game
The Last of Us Season 2: Will Ellie kill Abby?
2025 Movie Release Dates: Calendar for Theatrical and Streaming Dates
2025 TV Premiere Dates: New & Returning TV Series Calendar
War Machine: Know Everything About Alan Ritchson’s new Sci-Fi Movie
NighSpire Stole 30GB Data from France’s Municipality of Ardon, Set to Leak it on 30 April
iHostage Movie: Decoding the true Story Behind the Harrowing Amsterdam Hostage Crisis
The Last of Us Season 2: Will Ellie kill Abby?

Most Popular
movies 2025
2025 Movie Release Dates: Calendar for Theatrical and Streaming Dates
TV shows February 2025
2025 TV Premiere Dates: New & Returning TV Series Calendar
Alan Ritchson in The Ministry of Ungentlemanly Warfare
War Machine: Know Everything About Alan Ritchson’s new Sci-Fi Movie
Anonymous hackers dressed up with claws and mask carrying out an attack
NighSpire Stole 30GB Data from France’s Municipality of Ardon, Set to Leak it on 30 April
iHostage
iHostage Movie: Decoding the true Story Behind the Harrowing Amsterdam Hostage Crisis
Abby in The Last of Us Season 2 and in The Last of Us Part II game
The Last of Us Season 2: Will Ellie kill Abby?
2025 Movie Release Dates: Calendar for Theatrical and Streaming Dates
2025 TV Premiere Dates: New & Returning TV Series Calendar
War Machine: Know Everything About Alan Ritchson’s new Sci-Fi Movie
NighSpire Stole 30GB Data from France’s Municipality of Ardon, Set to Leak it on 30 April
iHostage Movie: Decoding the true Story Behind the Harrowing Amsterdam Hostage Crisis
The Last of Us Season 2: Will Ellie kill Abby?

TechNadu keeps you informed with the latest in cybersecurity, VPNs, streaming, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2025 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: