Kong RAT

detected a sophisticated multi-stage malware campaign targeting Chinese-speaking developers and IT professionals through Search engine optimization (SEO) poisoning. Victims searching for popular Chinese developer tools including FinalShell SSH client, Xshell, QuickQ VPN, and Clash proxy, were redirected to convincing lookalike domains that delivered trojanized installers.

Persistence is achieved via Windows Scheduled Task created through direct RPC (NdrClientCall3) bypassing standard Task Scheduler COM interfaces. Tasks are named SimpleActivityScheduleTimer_{GUID} with a random GUID suffix per installation.

20 Execute "C" field as cmd.exe /c "<command>" with stdout/stderr pipe capture, return output to C2

Persistence is achieved via Windows Scheduled Task created through direct RPC (NdrClientCall3) bypassing standard Task Scheduler COM interfaces.

Persistence is achieved via Windows Scheduled Task created through direct RPC (NdrClientCall3) bypassing standard Task Scheduler COM interfaces. Tasks are named SimpleActivityScheduleTimer_{GUID} with a random GUID suffix per installation.

The C2 operator can remotely migrate the victim to a new C2 server using command T=15, persisting the new server address to HKCU\Software\Kong\Client\Login\Permanent to survive process restarts.

Persistence is achieved via Windows Scheduled Task created through direct RPC (NdrClientCall3) bypassing standard Task Scheduler COM interfaces. Tasks are named SimpleActivityScheduleTimer_{GUID} with a random GUID suffix per installation.

Under the PEB lock (FastPebLock), it overwrites both ImagePathName and CommandLine in ProcessParameters with C:\windows\explorer.exe. Any tool querying the PEB for process identity - including security products - will see explorer.exe instead of the real executable.

Received DLLs are loaded and their "run" export executed with "x.x-x.icu" as parameter.

the later stage performs a silent UAC bypass using the CMSTPLUA COM elevation moniker ({3E5FC7F9-9A51-4367-9063-A120244FBEC7}) combined with PEB masquerading as explorer.exe - requiring no user interaction.

The shellcode in oob.xml uses PEB walking and stack string obfuscation for API resolution.

The payload (zj.mp4) uses the extension ".mp4" to masquerade as a MP4 file despite being a Windows DLL.

Under the PEB lock (FastPebLock), it overwrites both ImagePathName and CommandLine in ProcessParameters with C:\windows\explorer.exe. Any tool querying the PEB for process identity - including security products - will see explorer.exe instead of the real executable.

Received DLLs are loaded and their "run" export executed with "x.x-x.icu" as parameter.

The remote module requires a valid C2 configuration parameter to activate - without it the module defaults to 127.0.0.1 and produces no observable malicious behavior in automated sandbox analyses.

The downloaded zj.mp4 Windows DLL is loaded in memory using a custom reflective PE loader.

The C2 operator can remotely migrate the victim to a new C2 server using command T=15, persisting the new server address to HKCU\Software\Kong\Client\Login\Permanent to survive process restarts.

Kong RAT implements a GetAsyncKeyState-based keylogger , logging keystrokes to C:\ProgramData\Kong\Keylogger\.

The active window is captured via GetForegroundWindow + GetWindowTextW on each polling cycle. When the foreground window changes, a timestamped header is written

Before establishing C2 connectivity, the malware checks the following registry key/value for previously installed modules to avoid redundant re-downloads HKCU\Software\Kong\Client\ClientVersion → LastHash

connects to ROOT\CIMV2 and executes the WMI query SELECT Caption FROM Win32_OperatingSystem , retrieving the victim's Windows version string

The remote module requires a valid C2 configuration parameter to activate - without it the module defaults to 127.0.0.1 and produces no observable malicious behavior in automated sandbox analyses.

Security product enumeration is performed via WMI (SELECT displayName FROM AntiVirusProduct against ROOT\SecurityCenter2), likely for victim profiling and informing post-exploitation decisions.

Kong RAT implements a GetAsyncKeyState-based keylogger , logging keystrokes to C:\ProgramData\Kong\Keylogger\.

Primary C2 communication uses TCP to x.x-x[.]icu:5947 ... with a custom binary protocol using "MPK1" ... as a packet header magic, LZ4 block compression, and a 4-byte little-endian length prefix per packet.

Kong RAT's C2 framework supports 16 confirmed command types enabling the operator to remotely execute shell commands, download and execute files, hot-plug DLL modules, migrate to a new C2 server, and enumerate installed applications.