KimJongRAT
KimJongRAT is an information-stealing malware family associated in the provided reporting with North Korean activity, particularly Kimsuky / NICKEL KIMBALL. Variants have been observed since at least the 2010s, with reporting noting earlier public descriptions in 2013 and additional variants documented in 2019 and 2025. The malware targets Windows systems and is commonly delivered through spear-phishing and socially engineered lures, including ZIP archives masquerading as tax notices, malicious LNK files disguised as documents or PDFs, HTA droppers executed via mshta.exe, and both PE/DLL-based and PowerShell-based chains. Reporting also notes use of phishing, DOC, and PowerShell-based attacks against Korean users, and abuse of legitimate hosting/services such as cdn.glitch[.]global, GitHub, Google Drive, and URL-shortening services.
Across the cited analyses, KimJongRAT is described as modular malware focused on credential theft and information exfiltration. It collects system information, browser data, browser storage artifacts, cookies, credentials, and browser encryption material including the Chromium master key used to decrypt stored browser data. Reported targets also include cryptocurrency wallet browser extensions and wallet data, FTP credentials, email client credentials, Discord data, Telegram data, and account credentials for Korean internet services such as Nate, Naver, and Kakao. Historical reporting cited in the content states KimJongRAT stole email credentials from Microsoft Outlook and Mozilla Thunderbird and web credentials for Google, Facebook, and Yahoo from Internet Explorer, Chrome, Firefox, and Yandex Browser. One analyzed variant staged stolen data under temporary paths and compressed artifacts into %localappdata%\micro.log.zip for exfiltration; another report states stolen data was written to %APPDATA%\Microsoft\ttmp.log beginning with AAAAFFFF0000CCCC followed by base64-encoded credentials.
Recent variants show expanded post-compromise capability beyond pure theft. The content states newer KimJongRAT variants can switch between PE and PowerShell payloads depending on Windows Defender status, using adaptive evasion to maintain execution. The PE variant described uses an HTA to drop sys.dll/baby.dll and user.txt, then downloads RC4-encrypted payloads such as net64.log and main64.log from cdn.glitch[.]global. The PowerShell variant drops pipe.zip containing 1.ps1, 1.log, 2.log, and 1.vbs, and establishes persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurityCheck. Reported capabilities include anti-VM/sandbox checks, mutex creation (co_sys_co), keylogging, clipboard capture, periodic C2 communications, XOR/RC4 protection of payloads and exfiltrated content, and use of HTTP GET and POST for command retrieval and uploads. The latest variant referenced in the content expands collection to Telegram and Discord and, in its final stage, installs a MeshCentral-based agent to obtain remote access, indicating evolution from a stealer toward persistent remote access through abuse of an RMM tool.
The content provides infrastructure and indicators for some variants, including staging on cdn.glitch[.]global and C2 base URLs 131.153.13[.]235/sp/, 131.153.13[.]235/service/, secservice.ddns[.]net/service2/, and srvdown.ddns[.]net/service3/. Additional filenames and artifacts directly mentioned include pdf.hta, sfmw.hta, sexoffender.pdf, pipe.zip, net64.log, main64.log, 1.ps1, 1.log, 2.log, 1.vbs, %localappdata%\user.txt, %localappdata%\micro.log.zip, and %APPDATA%\Microsoft\ttmp.log. Overall, the provided content consistently characterizes KimJongRAT as a Kimsuky-linked Windows stealer that has evolved into a more flexible, multi-stage malware family with credential theft, browser decryption, crypto-wallet targeting, anti-analysis, persistence, and in newer variants, remote-access enablement.
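As an added defender-side example (not code from the page or from any of the cited reports): a small Python hunt that matches JSON-lines telemetry against the indicators quoted above (mshta.exe launching an HTA, the WindowsSecurityCheck Run value, the reported staging filenames, the staging and C2 hosts) and checks whether a file body has the ttmp.log marker layout. The event schema, the user path and the SID in the sample events are assumptions, and the base64 layout after the marker is inferred from the one-sentence description above.

```python
import base64
import json

# Indicators quoted in the reporting summarized above (defanging brackets removed).
RUN_VALUE = "windowssecuritycheck"      # HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurityCheck
STAGING_FILES = {"micro.log.zip", "ttmp.log", "user.txt", "pipe.zip"}
C2_HOSTS = {"131.153.13.235", "secservice.ddns.net", "srvdown.ddns.net", "cdn.glitch.global"}
TTMP_MARKER = b"AAAAFFFF0000CCCC"       # header reported for %APPDATA%\Microsoft\ttmp.log

def _basename(path: str) -> str:
    # Last path component, tolerant of Windows backslashes when run on any OS.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_event(ev: dict) -> list[str]:
    """Return the names of the page's indicators that one telemetry event matches."""
    hits, kind = [], ev.get("type")
    if kind == "process" and _basename(ev.get("image", "")) == "mshta.exe" \
            and ".hta" in ev.get("cmdline", "").lower():
        hits.append("mshta_hta_launch")        # HTA droppers executed via mshta.exe
    if kind == "registry" and "\\currentversion\\run\\" in ev.get("target", "").lower() \
            and _basename(ev["target"]) == RUN_VALUE:
        hits.append("run_key_persistence")     # Run value used by the PowerShell variant
    if kind == "file" and _basename(ev.get("path", "")) in STAGING_FILES:
        hits.append("staging_file")            # reported staging/dropped filenames
    if kind == "network" and ev.get("dest_host", "").lower() in C2_HOSTS:
        hits.append("c2_host")                 # staging host and C2 hosts from the report
    return hits

def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Scan JSON-lines telemetry; return (1-based line number, hits) for matching events."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := check_event(json.loads(line)))]

def is_ttmp_staging(data: bytes) -> bool:
    """True if a file body starts with the reported marker and the rest is valid base64.
    Assumes the base64 directly follows the marker, possibly with whitespace (assumption)."""
    if not data.startswith(TTMP_MARKER):
        return False
    body = b"".join(data[len(TTMP_MARKER):].split())
    try:
        return bool(body) and base64.b64decode(body, validate=True) is not None
    except ValueError:                         # binascii.Error (bad chars/padding) is a ValueError
        return False

# Constructed sample telemetry (hypothetical user path and SID), not real captured logs.
SAMPLE_EVENTS = [
    r'{"type":"process","image":"C:\\Windows\\System32\\mshta.exe","cmdline":"mshta.exe C:\\Users\\u\\Downloads\\pdf.hta"}',
    r'{"type":"registry","target":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsSecurityCheck"}',
    r'{"type":"file","path":"C:\\Users\\u\\AppData\\Local\\micro.log.zip"}',
    r'{"type":"network","dest_host":"131.153.13.235","url":"/sp/"}',
    r'{"type":"process","image":"C:\\Windows\\explorer.exe","cmdline":"explorer.exe"}',
]
```

Run `scan(SAMPLE_EVENTS)` to see which sample lines fire; the last (benign explorer.exe) event should produce no hit.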
Groups observed using it
2 distinct threat actors attributed by public researchers.
Tools BabyShark, KONNI, FastFire, FireViewer, FastSpy, ReconShark, KimJongRAT, Kimsuky ... Malware families such as Kimsuky RAT, KimJongRAT, KONNI, and BabyShark have been linked to NICKEL KIMBALL activity.
Variants of the KimJongRAT malware family have been consistently identified since the 2010s... modular malware components exfiltrate sensitive victim data... extracts the master key from Chromium-based browsers to decrypt sensitive browser data.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique: "...using typosquatting or domains thematically aligned with their target."
Initial Access
2 techniques: "The threat actors conduct extensive spearphishing operations, using typosquatting or domains thematically aligned with their target."
"...often involves malicious Hangul Word Processing (HWP) documents as a delivery mechanism... evolved its capabilities to include... Microsoft Word and PDF documents."
Execution
1 technique: "As before, it executes either a PE or a script depending on whether the firewall is enabled, but..."
Stealth
1 technique
Collection
1 technique: "The malware in question is KimjongRAT; its latest variant retains the existing information-theft functions while expanding its collection targets to include Telegram and Discord, and..."
Command and Control
1 technique: "...in the final stage it was confirmed to install a MeshCentral-based agent to obtain remote access."
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
The content references a KimjongRAT variant described as expanding from information theft to securing remote access, indicating credential/data theft capabilities and remote access trojan functionality.
An updated KimjongRAT variant disguised as a tax notice. It retains information-stealing capabilities, expands collection targets to Telegram and Discord, and in the final stage installs a MeshCentral-based agent to obtain remote access and persistence-like control over the system.
A remote access trojan and information stealer used by Kimsuky to exfiltrate credentials, browser data, and system information, with variants operating via PE and PowerShell chains.
Updated version of the KimJongRAT remote access trojan.