JSAC2026_1_9_takuma_matsumoto-yoshihiro_ishikawa_en.pdf (5 MB)

Konni, described as a North Korea-related APT actor active since at least 2014, used a May 2025 spear-phishing campaign against organizations associated with Japanese financial interests to deploy a new AutoIt-based RAT named GSRAT. The infection chain used LNK files and AutoIt scripts: the LNK located powershell.exe, executed embedded obfuscated script, dropped a decoy, downloaded a CAB file from a compromised site, extracted files under C:\Users\Public\documents, and launched start.vbs to install the payload components. GSRAT, also referenced as EndRAT, EndClient RAT, or AutoItRAT, is a compiled AutoIt v3 payload that creates victim identifiers from host hardware details, communicates with C2 servers, and supports remote shell access, server-to-victim file delivery, victim-to-server file exfiltration, and directory listing. The excerpt also notes persistence through startup shortcuts or scheduled tasks, abuse of WordPress-based staging sites and VPS or hosting services for C2, and later observations of GSRAT distribution through KakaoTalk in South Korea.