xRAT
xRAT is a remote access trojan described in public reporting as an open-source RAT based on Quasar RAT; it is also referred to as QuasarRAT. It has been observed in multiple contexts. AhnLab/ASEC reported that the North Korean-aligned Kimsuky group used xRAT in an intrusion discovered in January 2022, deploying it as cp1093.exe after installing a Gold Dragon variant. In that case, xRAT copied powershell_ise.exe into C:\ProgramData\ and was executed via process hollowing to provide remote control and collect information from the infected system. The broader Kimsuky reporting also lists xRAT among the group’s malware arsenal alongside PebbleDash, BabyShark, AppleSeed, RandomQuery, XenoRAT, and TutRAT.
The malware has also been distributed to Windows users in Korea through webhard/file-sharing services disguised as fake adult games. In that campaign, a ZIP archive contained Game.exe and supporting .Pak files; Game.exe acted as a launcher, Data2.Pak/GoogleUpdate.exe functioned as an injector, and Data3.Pak/WinUpdate.db contained shellcode. The malware copied components into AppData\Local\Microsoft\Windows\Explorer, decrypted shellcode with AES, injected it into explorer.exe, and patched EtwEventWrite to disable ETW logging for evasion. The final xRAT payload was reported to collect system information, monitor keystrokes, and transfer files. Reported related indicators in this campaign include MD5 hashes 0d7d5c3becd8ac77448bd81298b85c1e, 5af364e661245b8238ba8b1a12d3d19d, da9c10bbc776bde0b65be877e7c96dd8, ea14a4e7606ed9d1c7a21e1aed4d067d, and C2 FQDN tosal30.kro.kr.
A separate software supply-chain campaign on PyPI used a Flask-based RAT referred to as xrat. In that activity, malicious Python packages including pyrologin, easytimestamp, discorder, discord-dev, style.py, and pythonstyles installed information-stealing malware and the RAT. The xrat component could steal the victim’s username and IP address, run shell commands, exfiltrate files and directories, execute Python code, download and launch additional payloads, and provide a low-frame-rate live remote desktop feed. That campaign also used Cloudflare Tunnel for remote access and stole browser data, Discord tokens, Telegram data, cookies, passwords, and cryptocurrency wallets before exfiltration.
Additional indicators directly mentioned for Kimsuky-related xRAT activity include MD5 hashes 070f0390aad17883cc8fad2dc8bc81ba, 40b428899db353bb0ea244d95b5b82d9, 4ea6cee3ecd9bbd2faf3af73059736df, and b841d27fb7fee74142be38cee917eda5; URLs http://45.77.71.50:8082/ and https://sk5621.com.co/; and FQDNs kr5829.co.in and sk5621.com.co.
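The two deployment chains described above leave observable host and network artifacts: a copy of powershell_ise.exe launched from C:\ProgramData\ rather than its real location, executables staged under AppData\Local\Microsoft\Windows\Explorer, a remote thread created in explorer.exe from that folder, and resolution of the listed C2 names. The following is an added detection example written for this page; it is not code from Mallory, AhnLab/ASEC, or any of the cited reports. It assumes Sysmon-style telemetry already flattened into Python dicts with the field names shown, and the sample events are constructed here (which of the listed MD5 hashes belongs to which file is not stated on the page, so the hash placed on the cp1093.exe event is an assumption for the sample only).

```python
"""Behaviour and indicator checks for the xRAT deployment chains on this page.

Added example: the event shape (plain dicts with 'type', 'image', 'target',
'source_image', 'target_image', 'query', 'dest_ip', 'md5') is assumed, not a
real log format, and SAMPLE_EVENTS below are constructed for demonstration.
"""
import ntpath
from typing import Iterable

# Indicators quoted on this page (MD5 hashes, C2 domains, C2 IP).
KNOWN_MD5 = {
    "0d7d5c3becd8ac77448bd81298b85c1e", "5af364e661245b8238ba8b1a12d3d19d",
    "da9c10bbc776bde0b65be877e7c96dd8", "ea14a4e7606ed9d1c7a21e1aed4d067d",
    "070f0390aad17883cc8fad2dc8bc81ba", "40b428899db353bb0ea244d95b5b82d9",
    "4ea6cee3ecd9bbd2faf3af73059736df", "b841d27fb7fee74142be38cee917eda5",
}
KNOWN_DOMAINS = {"tosal30.kro.kr", "kr5829.co.in", "sk5621.com.co"}
KNOWN_IPS = {"45.77.71.50"}

# Directories a genuine powershell_ise.exe runs from (64-bit and 32-bit).
LEGIT_ISE_DIRS = {
    "c:\\windows\\system32\\windowspowershell\\v1.0\\",
    "c:\\windows\\syswow64\\windowspowershell\\v1.0\\",
}
# Per-user folder the webhard campaign staged its components in; it normally
# holds Explorer's thumbnail and icon caches, never executables.
EXPLORER_STAGING = "\\appdata\\local\\microsoft\\windows\\explorer\\"


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons ignore case/separator."""
    return path.replace("/", "\\").lower()


def _dir(path: str) -> str:
    return ntpath.dirname(_norm(path)) + "\\"


def _name(path: str) -> str:
    return ntpath.basename(_norm(path))


def evaluate(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule_name, matched_value) pairs for every event that fires a rule."""
    hits: list[tuple[str, str]] = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            image = _norm(ev["image"])
            # Kimsuky chain: hollowing itself produces no event, but the hollowed
            # host is a copy of powershell_ise.exe started from C:\ProgramData\.
            if _name(image) == "powershell_ise.exe" and _dir(image) not in LEGIT_ISE_DIRS:
                hits.append(("powershell_ise_outside_system_dir", image))
            # Webhard chain: launcher/injector running out of the Explorer cache dir.
            if EXPLORER_STAGING in _dir(image):
                hits.append(("executable_in_explorer_cache_dir", image))
            if ev.get("md5", "").lower() in KNOWN_MD5:
                hits.append(("known_hash", ev["md5"].lower()))
        elif kind == "file_create":
            target = _norm(ev["target"])
            if _name(target) == "powershell_ise.exe" and _dir(target) not in LEGIT_ISE_DIRS:
                hits.append(("powershell_ise_copied_outside_system_dir", target))
        elif kind == "remote_thread":
            src = _norm(ev["source_image"])
            if _name(ev["target_image"]) == "explorer.exe" and EXPLORER_STAGING in _dir(src):
                hits.append(("remote_thread_into_explorer_from_staging_dir", src))
        elif kind == "dns_query":
            query = ev["query"].lower().rstrip(".")
            if query in KNOWN_DOMAINS:
                hits.append(("known_c2_domain", query))
        elif kind == "network_connect":
            if ev["dest_ip"] in KNOWN_IPS:
                hits.append(("known_c2_ip", ev["dest_ip"]))
    return hits


# A legitimate ISE launch; must not fire anything.
BENIGN_ISE = {"type": "process_create",
              "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe"}

# Constructed sample telemetry covering both chains plus the benign event.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Users\\victim\\Downloads\\cp1093.exe",
     "md5": "070f0390aad17883cc8fad2dc8bc81ba"},  # hash-to-file mapping assumed
    {"type": "file_create", "image": "C:\\Users\\victim\\Downloads\\cp1093.exe",
     "target": "C:\\ProgramData\\powershell_ise.exe"},
    {"type": "process_create", "image": "C:\\ProgramData\\powershell_ise.exe",
     "parent_image": "C:\\Users\\victim\\Downloads\\cp1093.exe"},
    {"type": "process_create",
     "image": "C:\\Users\\victim\\AppData\\Local\\Microsoft\\Windows\\Explorer\\GoogleUpdate.exe"},
    {"type": "remote_thread",
     "source_image": "C:\\Users\\victim\\AppData\\Local\\Microsoft\\Windows\\Explorer\\GoogleUpdate.exe",
     "target_image": "C:\\Windows\\explorer.exe"},
    {"type": "dns_query", "query": "tosal30.kro.kr."},
    BENIGN_ISE,
    {"type": "network_connect", "dest_ip": "45.77.71.50"},
]

if __name__ == "__main__":
    for rule, value in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {value}")
```

The path-based rules carry the weight here: the hashes and domains will change between samples, but a powershell_ise.exe that starts anywhere other than the WindowsPowerShell\v1.0 directory, or any executable living in the Explorer thumbnail-cache folder, is abnormal regardless of which xRAT build is involved. The EtwEventWrite patch described for the webhard campaign is not checked because it is an in-memory modification that ordinary process telemetry does not record; that part of the chain is better covered by the remote-thread rule on explorer.exe.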
Groups observed using it
1 distinct threat actor attributed by public researchers.
On January 26th, 2022, the ASEC analysis team discovered that the Kimsuky group was using the xRAT (Quasar RAT-based open-source RAT) malware.
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Six malicious packages on PyPI, the Python Package Index, were found installing information-stealing and RAT (remote access trojan) malware... The six malicious packages that Phylum detected are the following: pyrologin, easytimestamp, discorder, discord-dev, style.py, pythonstyles.
Execution (1 technique)
The Flask app used by the attackers, also known as 'xrat,' can steal the victim's username and IP address, run shell commands on the breached machine, exfiltrate specific files and directories, execute Python code, or download and launch additional payloads.
Persistence (1 technique)
Privilege Escalation (2 techniques)
The injection method is the same as the method used by the original Gold Dragon (behavior of process hollowing on iexplore.exe, svchost.exe, etc.) ... Once cp1093.exe is executed, it copies a normal PowerShell process (powershell_ise.exe) to the “C:\ProgramData\” path and executes xRAT via the process hollowing technique.
Stealth (2 techniques)
The injection method is the same as the method used by the original Gold Dragon (behavior of process hollowing on iexplore.exe, svchost.exe, etc.) ... Once cp1093.exe is executed, it copies a normal PowerShell process (powershell_ise.exe) to the “C:\ProgramData\” path and executes xRAT via the process hollowing technique.
Credential Access (1 technique)
Discovery (2 techniques)
Collection (4 techniques)
The stolen data includes cryptocurrency wallets, browser cookies and passwords, Telegram data, Discord tokens, and more.
One of the files in the ZIP, 'server.pyw,' launches four threads... one to start a keystroke logger... The malicious packages attempt to steal sensitive user information stored in browsers, run shell commands, and use keyloggers to steal typed secrets.
Command and Control (3 techniques)
The script now runs 'cftunnel.py,' also included in the ZIP archive, that is used to install a Cloudflare Tunnel client on the victim's machine... The threat actors use this tunnel to remotely access a remote access trojan running on the infected device... even if a firewall protects that device.
IOCs tracked for this family
10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
xRAT (QuasarRAT) is a remote access trojan that enables attackers to collect system information, monitor keystrokes, and transfer files without authorization. It uses sophisticated evasion and persistence techniques, including process injection and disabling Windows event logging, to avoid detection and maintain access.
Remote Access Trojan (RAT) that provides attackers with capabilities such as system information collection, keylogging, file download/upload, and remote control. In this campaign, it is injected into explorer.exe and disables ETW event logging for stealth.
A remote access trojan delivered via malicious PyPI packages that also includes information-stealing capabilities. It can execute shell commands, exfiltrate files, run Python code, download additional payloads, capture a live remote desktop feed, and steal system and user data.
An open-source Quasar RAT-based remote access trojan used to remotely control infected systems and perform information theft. In this case, it was installed as cp1093.exe, copied powershell_ise.exe into C:\ProgramData\, and executed via process hollowing.