KimjongRAT Variant: Expansion from Information Theft to Securing Remote Access

2026-05-26 Hauri KimjongRAT Variant: Expansion from Information Theft to Securing Remote Access

https://hauri.co.kr/security/security_view.html?intSeq=88&page=1&keyfield=&key=

Attachments

2026-05-26상세분석보고서KimjongRAT변종_정보탈취에서원격접근확보로의확장.pdf (972 KB)


Hauri identified a new KimjongRAT variant related to malware previously disguised as a tax notice. The variant preserves earlier information-stealing behavior but expands collection to Telegram and Discord data, indicating broader targeting of user communications and credentials. As in the earlier version, execution changes depending on firewall status, with PE or script execution selected according to the environment. The final stage installs a MeshCentral-based agent to obtain remote access, showing a move from standalone data theft toward persistent hands-on system control. The added collection scope, activation of previously dormant functions, and abuse of an RMM tool indicate continued development of KimjongRAT for both theft and remote access.

Indicators of Compromise

