MoonPeak
MoonPeak is a customized .NET remote access trojan and a variant of the open-source XenoRAT codebase. Public reporting links it to DPRK-aligned activity, including campaigns attributed to Kimsuky/Velvet Chollima, and describes it as used in financially motivated as well as South Korea-focused intrusion activity.
Observed delivery chains include phishing and social-engineering lures using malicious Windows LNK files and counterfeit software. In one January 2026 campaign observed by Internet Initiative Japan (IIJ), Windows users in South Korea were targeted with an LNK file disguised as a PDF about trading ("실전 트레이딩 핵심 비법서.pdf.lnk"). Opening the shortcut displayed a decoy PDF while silently launching obfuscated PowerShell. The first-stage script performed anti-analysis checks for VMware, VirtualBox, and numerous analyst tools including dnSpy, IDA, x64dbg, Wireshark, and Process Monitor; if any were detected, execution terminated. The chain used randomized temporary files, communicated with hxxp://mid[.]great-site[.]net and POSTed host data to /maith.php, then downloaded a disguised payload from GitHub at macsim-gun/FinalDocuoctobor.docx. That payload unpacked to a .NET assembly named Stella.exe, identified as MoonPeak. IIJ reported persistence via a scheduled task using WScript.exe, ConfuserEx obfuscation, anti-tamper protections, dynamic code decryption, the mutex "Dansweit_Hk65-PSAccerdle", and C2 at 27.102.137[.]88:443. Reported hashes in that campaign were 1553bfac012b20a39822c5f2ef3a7bd97f52bb94ae631ac1178003b7d42e7b7f for the LNK, aaac6eadac6c325bfc69b561d75f7cfd979ac289de1cc4430c5cc9a9a655b279 for octobor.docx, and 8de36cb635eb87c1aa0e8219f1d8bf2bb44cad75b58ef421de77dd1aae669bf4 for Stella.exe.
Reporting also describes MoonPeak as the terminal payload in a Velvet Chollima/Kimsuky cryptocurrency-focused campaign active since June 2025. In that operation, a fake trading application named Tralert FX, signed with an EV certificate issued to AgilusTech LLC, staged multiple components and ultimately installed MoonPeak with persistence via Windows scheduled tasks. That broader chain included reconnaissance, keylogging, browser credential theft, and wallet theft, and used GitLab for payload delivery, command-and-control, and exfiltration. Associated infrastructure included domains such as tralert.online, tralert7.com, tralert.site, tralert.store, talert.online, talert.site, talert.store, talert.space, trumpalert.store, and endava.online, with 161.97.113.34 identified as primary C2/GitLab API infrastructure and 91.107.246.107 as a hard-coded fallback C2.
Across the cited reporting, MoonPeak is consistently described as a stealth-enhanced XenoRAT variant with remote-access functionality. The sources explicitly note GitHub-based delivery/C2 for XenoRAT and MoonPeak in prior Kimsuky-attributed activity, and state that MoonPeak incorporates enhanced stealth features and advanced capabilities relative to earlier XenoRAT variants. Targeting in the cited campaigns includes Windows systems in South Korea and retail cryptocurrency traders.
Groups observed using it
1 distinct threat actor attributed by public researchers.
The terminal payload is MoonPeak, a customised variant of the open-source XenoRAT codebase (.NET), persisted via Windows scheduled tasks.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance: 1 technique
Resource Development: 2 techniques
Initial Access: 1 technique
Execution: 4 techniques
The malware creates randomized temporary folders and files to evade file-based detection, then establishes persistence through scheduled task creation using WScript.exe.
This social engineering approach exploits users’ trust in document files while leveraging a hidden PowerShell script execution mechanism... an obfuscated PowerShell script executes silently in a hidden window.
Persistence: 1 technique
Privilege Escalation: 2 techniques
The following analytic detects a registry modification that allows the 'Consent Admin' to perform operations requiring elevation without user consent or credentials... This activity is significant as it indicates a potential privilege escalation attempt... (ATT&CK annotation: T1548, Abuse Elevation Control Mechanism, Defense Evasion)
Stealth: 6 techniques
The downloaded file is obfuscated through GZIP compression and header manipulation... This executable is MoonPeak malware, heavily obfuscated using ConfuserEx ... encrypts strings and code to defeat static analysis.
The attack begins with a deceptive LNK file named “실전 트레이딩 핵심 비법서.pdf.lnk” ... The second-stage PowerShell script downloads a masked executable from a GitHub repository ... The downloaded file is obfuscated through GZIP compression and header manipulation, extracting to a .NET assembly named “Stella.exe.”
When users open the LNK file, two actions occur simultaneously: a decoy PDF document is displayed to maintain the illusion of a legitimate file, while an obfuscated PowerShell script executes silently
Some second-stage components are distributed as single-line base64-encoded PowerShell scripts that decode-and-execute a complete PE in-memory.
Credential Access: 2 techniques
Discovery: 4 techniques
The initial PowerShell script communicates with the attacker’s command-and-control infrastructure ... transmitting system information including hostname, OS version, and process lists
Collection: 1 technique
Command and Control: 4 techniques
The initial PowerShell script communicates with the attacker’s command-and-control infrastructure at “hxxp://mid[.]great-site[.]net,” transmitting system information including hostname, OS version, and process lists via POST requests to “/maith.php.”
The same GitHub repositories are used to store additional modules and commands, allowing operators to maintain persistent control over compromised systems while blending into trusted platforms.
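The script below is an added example, not code from the original reporting or from any vendor tooling. It runs simple process-creation checks over constructed sample records for three behaviours the excerpts above describe: a document-extension ".pdf.lnk" lure, hidden or base64-encoded PowerShell, and scheduled-task persistence whose action invokes WScript.exe. The record field names and the sample command lines are assumptions.

```python
import re

# Constructed process-creation records (not from the page); the field names mimic a
# Sysmon Event ID 1 export: parent image, image, full command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c start "" "C:\Users\u\Downloads\실전 트레이딩 핵심 비법서.pdf.lnk"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "wscript.exe C:\Users\u\AppData\Local\Temp\k3x9\run.vbs"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r"notepad.exe C:\Users\u\notes.txt"},
]

# A document-type extension immediately followed by .lnk (the lure pattern in the campaign).
DOUBLE_EXT_LNK = re.compile(r"\.(?:pdf|docx?|xlsx?|hwp)\.lnk\b", re.IGNORECASE)
# PowerShell started with a hidden window and/or a base64 -EncodedCommand payload.
HIDDEN_WINDOW = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.IGNORECASE)
ENCODED_CMD = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
# schtasks /create whose task action (/tr) begins with wscript.exe.
WSCRIPT_TASK = re.compile(r'/create\b.*?/tr\s+"?[^"]*\bwscript\.exe', re.IGNORECASE)


def classify(event):
    """Return the behaviour tags that fire for one process-creation record."""
    cmd = event["cmd"]
    image = event["image"].lower()
    tags = []
    if DOUBLE_EXT_LNK.search(cmd):
        tags.append("lnk_double_extension")
    if image.endswith("powershell.exe"):
        if HIDDEN_WINDOW.search(cmd):
            tags.append("hidden_window_powershell")
        if ENCODED_CMD.search(cmd):
            tags.append("encoded_powershell")
    if image.endswith("schtasks.exe") and WSCRIPT_TASK.search(cmd):
        tags.append("schtasks_wscript_persistence")
    return tags


def scan(events):
    """Return (index, tags) for every record that triggers at least one tag."""
    return [(i, t) for i, e in enumerate(events) if (t := classify(e))]


if __name__ == "__main__":
    for i, tags in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["image"], tags)
```

Each tag is a weak signal on its own; in practice the three are worth correlating within one process tree (explorer.exe to powershell.exe to schtasks.exe) before alerting.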
IOCs tracked for this family
19 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
A variant of Xeno RAT delivered using GitHub as command-and-control infrastructure.
Associated analytic stories name MoonPeak alongside other families without describing it further. One story groups it with DarkCrystal RAT, DarkGate Malware, NjRAT, Quasar RAT, and XWorm; another with AsyncRAT, Data Destruction, Hermetic Wiper, Industroyer2, LockBit Ransomware, Malicious Inno Setup Loader, Malicious PowerShell, Qakbot, Quasar RAT, and Scattered Spider.