Mallory
Malware | Used by 1 actor

KazakRAT

KazakRAT is a Windows-based remote access trojan/implant used in a suspected state-affiliated cyber-espionage campaign active since at least August 2022. Researchers described it as a DLL-based RAT delivered via malicious MSI installers, including lures packaged with Kazakhstan- and Afghanistan-themed decoy documents. Observed decoys included a fake letter from the President of the Republic of Kazakhstan and documents themed around Afghan provincial authorities in Khost. The campaign primarily targeted Kazakh entities, including likely government and financial-sector roles, and also targeted Afghan government-related entities.

KazakRAT is described as a simple, unobfuscated RAT with little evasion. It establishes persistence via the Windows Run registry key and executes through rundll32. Command-and-control communications use unencrypted HTTP, with beaconing every five seconds and command retrieval via HTTP POST requests to /as/include.php using an id derived from the C: drive VolumeSerialNumber. Reported capabilities include host profiling, OS and process enumeration, drive and file enumeration, command execution, downloading and executing additional payloads, searching for files, and exfiltrating files over HTTP POST. Documented commands across variants include exec, disks, info, ctd, upload, and variant-specific file exfiltration commands such as dload, download, and dl.

Researchers reported command-and-control infrastructure active as of 20 January 2026 and identified C2 domains including server.fsocmicrsoft[.]com, dns.freiesasien[.]com, dsn.mamurigovaf[.]site, and dns.microbwt[.]team. One sample reportedly connected to dsn.mamurigovaf[.]site while using the Host header dns.microbwt[.]team. Researchers gained control of the expired domain dns.freiesasien[.]com and sinkholed victim traffic, observing Kazakh IP addresses still beaconing. The activity has been assessed as likely linked to a low-maturity, suspected state-affiliated actor. Overlapping infrastructure was also linked to modified XploitSpy Android spyware used by the same group, but no definitive attribution was established.
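As an added example, not code from the original page or from the researchers cited, the following Python applies the C2 pattern described above to constructed proxy-log lines: POSTs to /as/include.php recurring at about five seconds, and a destination domain that differs from the HTTP Host header. The log format, the sample lines, the minimum hit count and the jitter tolerance are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample proxy log lines (not real telemetry). Assumed format:
# "<epoch> <src_ip> <method> <dst_host> <uri> <http_host_header>"; the
# destination/Host values mirror the defanged domains quoted in the write-up.
SAMPLE_LOGS = """\
1700000000 10.1.2.3 POST dsn.mamurigovaf[.]site /as/include.php dns.microbwt[.]team
1700000005 10.1.2.3 POST dsn.mamurigovaf[.]site /as/include.php dns.microbwt[.]team
1700000010 10.1.2.3 POST dsn.mamurigovaf[.]site /as/include.php dns.microbwt[.]team
1700000015 10.1.2.3 POST dsn.mamurigovaf[.]site /as/include.php dns.microbwt[.]team
1700000003 10.1.2.9 GET example.org /index.html example.org
1700000120 10.1.2.9 GET example.org /news.html example.org
1700000007 10.1.2.4 POST cdn.example.net /as/include.php cdn.example.net
"""

C2_PATH = "/as/include.php"  # command retrieval endpoint named in the write-up
BEACON_SECONDS = 5           # reported beacon interval
TOLERANCE_SECONDS = 1        # assumed slack for network jitter


def parse_line(line):
    ts, src, method, dst, uri, host = line.split()
    return {"ts": int(ts), "src": src, "method": method,
            "dst": dst, "uri": uri, "host": host}


def find_kazakrat_beacons(log_text, min_hits=3):
    """Return {src_ip: finding} for clients whose POSTs to C2_PATH recur at
    roughly BEACON_SECONDS, or whose Host header differs from the destination
    (the mismatch reported for one sample in the write-up)."""
    posts = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            rec = parse_line(raw)
            if rec["method"] == "POST" and rec["uri"] == C2_PATH:
                posts[rec["src"]].append(rec)
    findings = {}
    for src, recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
        # median tolerates a missed beacon; len() guard keeps empty gaps from median()
        regular = (len(recs) >= min_hits
                   and abs(median(gaps) - BEACON_SECONDS) <= TOLERANCE_SECONDS)
        host_mismatch = any(r["dst"] != r["host"] for r in recs)
        if regular or host_mismatch:
            findings[src] = {"hits": len(recs), "host_mismatch": host_mismatch,
                             "median_gap": median(gaps) if gaps else None,
                             "destinations": sorted({r["dst"] for r in recs})}
    return findings
```

A single POST to the path with a matching Host header (10.1.2.4 above) is deliberately not flagged; it is a low-confidence lead for manual hunting rather than an alert.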


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

Transparent Tribe

During our tracking we identified a Windows-based RAT, delivered as a DLL, that we have coined KazakRAT. KazakRAT allows the threat actor to download and run additional payloads, enumerate and collect host data, and search for and exfiltrate files.

via ctrlaltintel blog (ctrlaltintel.com)
MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 Spearphishing Attachment (evidence: 1)

The samples identified had all been delivered via .msi files, with different variants of the RAT being delivered using slightly different mechanisms.

Execution

2 techniques
T1106 Native API (evidence: 1)

the RAT will run the executable passed as the parameter using CreateProcessW

T1204.002 Malicious File (evidence: 2)

When the user double-clicks the MSI, the process SysDrive.exe will be run.

Persistence

1 technique
T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

all observed samples persist using the Run registry key in order to execute the DLL with rundll32

Privilege Escalation

1 technique
T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

all observed samples persist using the Run registry key in order to execute the DLL with rundll32

Stealth

4 techniques
T1036 Masquerading (evidence: 1)

Notably this sample had a decoy Word document, flReport.doc, that is a fake letter from the President of the Republic of Kazakhstan.

T1218 System Binary Proxy Execution (evidence: 1)

persist using the Run registry key in order to execute the DLL with rundll32

T1218.011 Rundll32 (evidence: 1)

all observed samples persist using the Run registry key in order to execute the DLL with rundll32

T1564.001 Hidden Files and Directories (evidence: 1)

the command ctd allowed the operator to create a hidden directory using CreateDirectoryA and SetFileAttributesW, with the parameter 2 (FILE_ATTRIBUTE_HIDDEN)

Discovery

4 techniques
T1057 Process Discovery (evidence: 1)

variants A, C, D samples also leveraged the Win32 API function EnumProcesses to enumerate PIDs, which are then used to get process names

T1082 System Information Discovery (evidence: 1)

all variants of KazakRAT will collect OS version information using GetVersionExW

T1083 File and Directory Discovery (evidence: 1)

the command dir also leveraged the above two Win32 API functions to list directories and search for files

T1120 Peripheral Device Discovery (evidence: 1)

if the command sent to C2 is disks, the RAT will use the function GetLocalDrives() to return a listing of the single character drives that exist on the system

Command and Control

3 techniques
T1071 Application Layer Protocol (evidence: 1)

Once launched, it connects to an external server at "79.110.49[.]15" for command-and-control (C2) communications

T1071.001 Web Protocols (evidence: 1)

C2 communications are unencrypted and follow a simple beaconing mechanism over HTTP.

T1105 Ingress Tool Transfer (evidence: 2)

the upload command can be used to download a file from a remote URL to the victim host

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

the command dload allows the operator to exfiltrate (or download) local files over an HTTP POST request
