{
	"id": "2efaa0d5-eeca-45fa-bf2a-63922b9b3ead",
	"created_at": "2026-04-06T00:22:32.890754Z",
	"updated_at": "2026-04-10T03:37:58.984823Z",
	"deleted_at": null,
	"sha1_hash": "1ec91c546374c767a8ece5a09167a875d4726bb3",
	"title": "Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1548530,
	"plain_text": "Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation\r\nBy Dominik Reichel\r\nPublished: 2025-06-17 · Archived: 2026-04-05 22:46:48 UTC\r\nMalware\r\nExecutive Summary\r\nThis article provides a comprehensive analysis of two new variants of the KimJongRAT stealer. We combine our new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants.\r\nThe KimJongRAT stealer was first described in 2013 by the Malware.lu CERT [PDF]. We documented another variant of this family in 2019.\r\nOne of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account. The PE variant’s dropper deploys a loader, a decoy PDF and a text file. The dropper in the PowerShell variant deploys a decoy PDF file along with a ZIP archive.\r\nThe loader downloads more malicious files, including the stealer component for KimJongRAT.\r\nThe PowerShell variant's dropper file deploys a decoy PDF file and a ZIP archive containing scripts that include the KimJongRAT PowerShell-based stealer and keylogger components.\r\nBoth variants are designed to gather and transfer victim information and browser data, including from crypto-wallet extensions, to the attacker’s server. The PE variant also collects FTP and email client information.\r\nThe infection sequence uses a multi-file approach and a legitimate CDN service to mask its malicious activities.\r\nPalo Alto Networks customers are better protected from the malware samples described in this article through Advanced WildFire, Advanced URL Filtering, Advanced DNS Security and Advanced Threat Prevention. 
Cortex XDR and XSIAM are designed to prevent the execution of known malicious malware, and also prevent the execution of unknown malware using Behavioral Threat Protection and machine learning based on the Local Analysis module.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.\r\nNew KimJongRAT PE Variant\r\nThis section details the new KimJongRAT variant that uses PE files as final payloads.\r\nThe initial file of the execution chain is an LNK file, but we do not yet know how attackers distribute these files. Figure 1 shows the execution flow of the most recent KimJongRAT variant.\r\nhttps://unit42.paloaltonetworks.com/kimjongrat-stealer-variant-powershell/\r\nPage 1 of 28\n\nFigure 1. Malware execution chain of the latest KimJongRAT PE variant (icon sources).\r\nStep 1: When double-clicked, the initial LNK file downloads an HTML Application (HTA) file from an attacker-controlled CDN account, saves it to disk and runs it as shown in Figure 1\r\nStep 2: The HTA file drops three embedded files sys.dll, sexoffender.pdf and user.txt to disk\r\nSexoffender.pdf is a decoy PDF file opened by the victim's default PDF reader\r\nThe HTA file executes the sys.dll loader\r\nStep 3: The loader uses two payload URL strings in the user.txt file to retrieve two more files named main64.log and net64.log\r\nThese LOG files are a new KimJongRAT stealer component and an orchestrator\r\nStep 4: The orchestrator sends the collected information and data to a command and control (C2) server and awaits commands from the attackers\r\nTo more fully understand these steps, let’s examine the associated files.\r\nPE Variant Initial LNK File\r\nWhen double-clicking one of the initial LNK files, the file uses the Windows tool cmd.exe to change the current directory to the Windows %temp% folder (shown in the Local base path and Command line arguments in Figure 2). 
It then uses the Windows tool curl.exe to download an HTA file named pdf.hta from a legitimate CDN provider at cdn.glitch[.]global into the %temp% directory. The attacker abuses this service to host the next and subsequent stages of the malware.\r\nThe URL for the HTA file contains a parameter v with the string 1740535190239. This string is an epoch date that translates to Wednesday, February 26, 2025, 1:59 a.m. (GMT).\r\nFinally, the LNK runs the downloaded HTA file using the Windows tool mshta.exe as shown in Figure 2.\r\nFigure 2. Execution related LNK information as shown in LnkParse3.\r\nThis LNK file contains unique metadata that can be used to find additional samples. Figure 3 shows the drive serial number, Windows OS version and machine ID of the system where the LNK file was created. Additionally, there is a Korean language string 응용 프로그램 (translated: application program) in the extra data section.\r\nFigure 3. Metadata from the LNK file as shown in LnkParse3.\r\nPE Variant First Stage HTA File\r\nThe LNK sample we analyzed downloaded and saved an HTA file named pdf.hta to the Windows %temp% directory. This HTA file contains obfuscated VBS code. Additionally, the HTA file has three embedded payloads appended after the code as Base64 text.\r\nFigure 4 shows an excerpt of the HTA file with the obfuscated VBS code and the start of the Base64-encoded payloads.\r\nFigure 4. Excerpt of the pdf.hta file content as shown in Visual Studio Code.\r\nFigure 5 shows the deobfuscated version of this HTA file with the truncated Base64-encoded payloads.\r\nFigure 5. 
Deobfuscated version of pdf.hta as shown in Visual Studio Code.\r\nThe Base64 string for the first payload starting with JVBERi0xL is decoded through the Windows tool certutil.exe and dropped as the decoy PDF file sexoffender.pdf into the Windows %temp% directory. It is then opened by the default application for PDF files.\r\nThe Base64 string starting with aHR0cHM6L for the second payload is decoded and dropped as user.txt to the %localappdata% folder.\r\nThe third Base64 string starting with TVqQAAMAAA is decoded and dropped as sys.dll, also to the %localappdata% folder.\r\nThis HTA file then runs sys.dll through rundll32.exe, calling sys.dll's only exported function named s.\r\nThe dropped user.txt is a text file containing URLs to the same CDN sub-directory that hosts the malicious HTA file, as shown in Figure 6.\r\nFigure 6. The content of user.txt as shown in Windows Notepad.\r\nThe last dropped file is named sys.dll, and it downloads the files from the URLs in user.txt and executes them.\r\nSecond Stage Loader sys.dll\r\nThe second stage loader named sys.dll is a 64-bit DLL internally named baby.dll. It has a single exported function named s that contains all the malware's functionality.\r\nWhen this function is called with rundll32.exe, it first checks whether the malware is running on a virtual machine or sandbox as shown in Figure 7. If that is the case, the loader deletes itself and quits. If not, it creates a mutex named co_sys_co and starts a sub-thread.\r\nFigure 7. Decompiled source code of exported function s from sys.dll as shown in IDA Pro.\r\nThe sub-thread checks if any previously dropped payloads are present in the %localappdata%\\net directory. 
It uses this directory to store downloaded payloads from the attacker’s CDN stager URL.\r\nThe sys.dll loader expects any files downloaded to this folder to be encrypted data binaries with the first 16 bytes being the RC4 decryption key for the remaining bytes. When it finds a file in this folder, it decrypts, executes and finally deletes the file.\r\nAfter creating the sub-thread, the malware reads the URLs from the %localappdata%\\user.txt file previously dropped by the HTA file. It appends the date and time in epoch format as ?v=[epoch time] to each URL string. Afterwards, it contacts the CDN service to download the RC4-encrypted file net64.log into the %localappdata%\\net folder to load it reflectively.\r\nThis net64.log file is the new KimJongRAT stealer component. It endlessly runs a loop that only exits if the file %localappdata%\\micro.log.zip is present. This file is created by net64.log and contains the victim’s stolen information and data.\r\nWhen micro.log.zip is detected, the sys.dll loader downloads the second RC4-encrypted file main64.log from the CDN server and stores it as notepad.log. As soon as notepad.log is written to %localappdata%\\net, the sub-thread reads, decrypts, executes and deletes it. This decrypted file is the main orchestrator that implements network, backdoor and information-stealing functionality.\r\nThird Stage Orchestrator and Backdoor\r\nThe downloaded payload main64.log is internally named NetworkService.dll and has a compilation timestamp of December 3, 2024, 7:36 a.m. UTC. Figure 8 shows its PDB file path.\r\nFigure 8. PDB file path of net64.log as shown in EXE Explorer.\r\nAs noted in Figure 8, the software has a PDB file path that includes the string \\research\\Spyware\\Advanced\\Covaware. 
A 2019 article by ESTsecurity describes a campaign named Operation Giant Baby where attackers used malware with the same name in activity relating to our BabyShark article from the same year.\r\nThis main64.log file is the main orchestrator that handles output created by the other downloaded file net64.log. While main64.log is primarily responsible for the network communication and backdoor functionality, net64.log is responsible for stealing credentials from browser and email or FTP clients.\r\nThe main orchestrator has a single exported function named fool, which contains the majority of the malware’s functionality. The DllMain entry point is only used for various initialization routines. These routines create multiple directories associated with the base C2 URL and file paths that the malware uses later.\r\nAs a unique victim ID, main64.log uses the volume serial number. If the volume serial number cannot be obtained, main64.log uses a combination of the computer and username for the victim ID. It encodes this alternative ID value as a Base64 string, as shown in Figure 9.\r\nFigure 9. Decompiled C2 base URL creation function from main64.log as shown in IDA Pro.\r\nHowever, this alternative ID is not used throughout the malware’s code and thus seems to be leftover code from earlier versions of this malware. After establishing the unique ID, main64.log calls the exported function fool before finally writing the clipboard data into a file.\r\nThe exported function fool shown in Figure 10 starts four threads before infinitely looping through a sleep call.\r\nFigure 10. 
Decompiled C2 string creation function from main64.log as shown in IDA Pro.\r\nThese threads are named as follows:\r\nmain_thread\r\nclipboard_log_to_netkey_file\r\nkeylogger_log_window_title_and_keys\r\nkeylogger_flush_to_netkey_file\r\nThe first thread named main_thread shown below in Figure 11 implements the network, backdoor and information stealing functionality. The other three threads are dedicated to recording keystrokes, window titles and clipboard information.\r\nFigure 11. Decompiled main_thread from main64.log as shown in IDA Pro.\r\nThe network communication is implemented in an infinite loop that uploads collected data and requests commands from the C2 server. This malware implements three methods to communicate with the C2 server. To upload data or files, it uses the HTTP POST method with multipart/form-data, which we will subsequently describe as HTTP POST multi, or application/x-www-form-urlencoded, which we will call HTTP POST app. To download data, the malware uses an HTTP GET request.\r\nFigure 12 shows the initial network capture where the stolen browser data and the system information are sent to the C2 server.\r\nFigure 12. Initial network communication with the C2 server as shown in Wireshark.\r\nAt first, the file micro.log.zip from the %localappdata% directory is copied into the %temp% directory as micro.log.zip_. This file is then uploaded to the C2 server with an HTTP POST multi request and the hard-coded boundary string ----------sdfaffi3457839sfhjkaskl. Before it is uploaded as a value of the key file0, the ZIP archive is XORed with the key 0xFE.\r\nAdditionally, two keys val and id with the values delete and the volume serial number are sent to the C2 server. 
The former is most likely a note that the original file micro.log.zip is deleted after its copy gets uploaded, while the latter is used to associate the ZIP archive to a specific victim.\r\nThe HTTP POST multi method is always used to send file data, following the same schema described above:\r\nKey: val, value: delete\r\nKey: id, value: \u003cUniqueVictimID\u003e\r\nKey: file0, value: \u003cXORedFileData\u003e (XOR key is always 0xFE)\r\nThe HTTP POST app method is either used to send encrypted data or to send the server-side delete command (further described as HTTP POST app delete). This delete command is used on the server side to clear out the appropriate command or feature queue. The schema is as follows for data:\r\nKey: id, value: \u003cUniqueVictimID\u003e\r\nKey: nm, value: \u003cFeatureName\u003e\r\nKey: val, value: \u003cXORedFileData\u003e (XOR key is always 0xFE) or delete\r\nNext, the malware sends an HTTP GET request to the C2 URL ending with the victim's unique directory, which it creates from the volume serial number and the filename history.log_. 
If the file is not already on the C2 server, the malware performs the following activities:\r\nCollecting various system information\r\nWriting it into a file named history.log in the %appdata% directory\r\nCreating a copy of it in the %temp% directory named history.log\r\nSending it to the C2 server using the HTTP POST multi method\r\nIt collects the following system information in history.log:\r\nHostname\r\nIP address\r\nComputer name\r\nWindows user account name\r\nDisk drive information (available drives, volume names, file system names, drive types)\r\nOperating system (version and product name)\r\nSystem type (32-bit or 64-bit)\r\nInternet Explorer version\r\nStart menu items\r\nCPU information\r\nThe initial communication sends the victim's data to the C2 server, and any additional actions from the C2 server are based on that initial data. Table 1 shows other information that is periodically uploaded to the C2 server.\r\nCollected User Data | Queried C2 URL | HTTP Method (and feature) | Created Local Files | Comment\r\nSearch for files and directories in all directories based on a list of hard-coded file extensions and wildcards | Check file URL: \u003cC2Domain\u003e/\u003cUniqueVictimID\u003e/netlist.log_ | Check file URL: GET; Upload file: POST multi | File with information: %localappdata%\\netlist.log; Copy of file with information: %temp%\\netlist.log_ | Search files with the extensions .hwp, .pdf, .doc, .docx, .xls, .xlsx, .zip, .rar, .egg, .txt, .jpg, .png, .jpeg, .alz, .ldb, and files and directories with the wildcards *wallet* and UTC--*\r\nUpload keylogger and clipboard data | Upload file data: \u003cC2Domain\u003e | Upload file data: POST app | File with information: %localappdata%\\netkey | The uploaded data is XORed with 0xFE\r\nTable 1. List of collected user data that is periodically uploaded to the C2 server.\r\nTo receive instructions from the C2 server, the malware periodically sends HTTP requests through hard-coded URLs. Afterward, it deletes all files and data that it downloaded from the C2 server. Table 2 shows the implemented commands together with their URLs, HTTP methods and involved local files:\r\nCommand Description | Queried C2 URL | HTTP Methods | Created Local Files\r\nUpload a specific file to the C2 URL | Get specified file: \u003cC2Domain\u003e/\u003cUniqueVictimID\u003e/out; Upload file and delete queue: \u003cC2Domain\u003e | Get specified file: GET; Upload file: POST multi; Delete queue: POST app delete | Copy of specified file: %temp%\\\u003cSpecifiedFile\u003e\u003cRandomNumber\u003e\r\nDownload a file into a specified directory | Get file data and specified directory: \u003cC2Domain\u003e/\u003cUniqueVictimID\u003e/in; Delete queue: \u003cC2Domain\u003e | Get file data and specified directory: GET; Delete queue: POST app delete | N/A\r\nDownload a file into the %localappdata%\\net directory | Get specified file URL: \u003cC2Domain\u003e/\u003cUniqueVictimID\u003e/cok; Delete queue: \u003cC2Domain\u003e | Get specified file URL: GET; Delete queue: POST app delete | N/A\r\nDownload a file into %localappdata%\\notepad.tmp | Check file URL: \u003cC2Domain\u003e/\u003cUniqueVictimID\u003e/tmp64; Delete queue: \u003cC2Domain\u003e | Check file URL: GET; Delete queue: POST app delete | Downloaded file: %localappdata%\\notepad.tmp\r\nRun a command-line command | Get cmd-line command: \u003cC2Domain\u003e/\u003cUniqueVictimID\u003e/cmd; Delete queue: \u003cC2Domain\u003e | Get cmd-line command: GET; Delete queue: POST app delete | -\r\nSearch for files and directories in a specified directory based on a list of hard-coded file extensions and wildcards. Write information to a file and upload it. | Get specified directory: \u003cC2Domain\u003e/\u003cUniqueVictimID\u003e/dir; Upload file and delete queue: \u003cC2Domain\u003e | Get specified directory: GET; Upload file: POST multi; Delete queue: POST app delete | File with information: %localappdata%\\list.log; Copy of file with information: %localappdata%\\list.log\u003cRandomNumber\u003e\r\nTable 2. List of backdoor commands.\r\nThird Stage KimJongRAT Stealer\r\nThe other downloaded file net64.log is the main KimJongRAT stealer component. The decrypted file is internally named dwm.dll and has a compilation timestamp of December 15, 2024, 4:03 a.m. UTC. It has three exported functions init_engine, main_engine and stop_engine. Only the first function contains all the functionality, while the latter two only redirect execution to the entry point DllMain, which is empty.\r\nWhen init_engine is executed, the malware first resolves a list of API functions using GetProcAddress(). All function strings are encoded by a simple substitution cipher where characters are changed to others according to a mapping table. 
The following Python script contains the reconstructed algorithm and can be used for decoding these strings:\r\nimport argparse\r\n\r\n\r\nclass KimJongRATTool:\r\n    # Substitution table recovered from the stealer: each encoded character maps to its plaintext character.\r\n    # Characters not present in the table are left unchanged.\r\n    CHAR_MAPPING = {\r\n        '!': '-', '#': ')', '$': ';', '%': '+', '\u0026': '=', '(': ':', ')': '#',\r\n        '*': '_', '+': '%', ',': '/', '-': '!', '.': '?', '/': ',', ':': '(',\r\n        ';': '$', '\u003c': ']', '=': '\u0026', '\u003e': '^', '?': '.', '@': '}', '[': '{',\r\n        ']': '\u003c', '^': '\u003e', '_': '*', 'a': 'm', 'b': 'q', 'c': 'f', 'd': 'h',\r\n        'e': 'x', 'f': 'c', 'g': 'l', 'h': 'd', 'i': 'p', 'j': 's', 'k': 't',\r\n        'l': 'g', 'm': 'a', 'n': 'z', 'o': 'r', 'p': 'i', 'q': 'b', 'r': 'o',\r\n        's': 'j', 't': 'k', 'u': 'y', 'v': 'w', 'w': 'v', 'x': 'e', 'y': 'u',\r\n        'z': 'n', '{': '[', '}': '@'\r\n    }\r\n\r\n    @staticmethod\r\n    def map_string(encoded_string: str) -\u003e str:\r\n        # Uppercase letters are looked up through their lowercase form and upper-cased again,\r\n        # so API names such as GetProcAddress keep their capitalization after decoding.\r\n        return ''.join(\r\n            KimJongRATTool.CHAR_MAPPING.get(c.lower(), c).upper() if c.isupper()\r\n            else KimJongRATTool.CHAR_MAPPING.get(c, c)\r\n            for c in encoded_string\r\n        )\r\n\r\n    def decode_string(self, encoded_string: str) -\u003e None:\r\n        print(f'Decoded string: {self.map_string(encoded_string)}')\r\n\r\n    def decode_strings(self, file_path: str) -\u003e None:\r\n        # Decode a text file containing one encoded string per line.\r\n        with open(file_path) as f:\r\n            print('Decoded strings:')\r\n            for line in f:\r\n                print(self.map_string(line.strip()))\r\n\r\n\r\ndef main():\r\n    parser = argparse.ArgumentParser()\r\n    group = parser.add_mutually_exclusive_group(required=True)\r\n    group.add_argument('-f', '--file_path', type=str, help='(Absolute) File path with encoded strings.')\r\n    group.add_argument('-s', '--encoded_string', type=str, help='Encoded string.')\r\n    args = parser.parse_args()\r\n    kjrt = KimJongRATTool()\r\n    if args.file_path:\r\n        kjrt.decode_strings(args.file_path)\r\n    else:\r\n        kjrt.decode_string(args.encoded_string)\r\n\r\n\r\nif __name__ == '__main__':\r\n    main()\r\nThe same cipher is used to encode other sensitive strings related to the stealer's functionality.\r\nBased on the list of decoded function strings, the stealer attempts to retrieve information from various popular browsers and FTP or email clients. Other sensitive strings related to the stealer functionality, like the browser extension ID, are encrypted by a simple XOR-based cipher.\r\nThe malware stores the stolen data in plain text and SQLite files in a directory %temp%\\[RandomName].tmp. An overview of the victim information is stored in the file %temp%\\[RandomName]\\micro.log. 
This file contains the following information:\r\nOperating system information\r\nCPU information\r\nProcess information\r\nStart menu programs\r\nWebsite/cookie/password information of supported browsers\r\nConfiguration and password information of supported email clients\r\nPassword information of supported FTP clients\r\nThe malware also searches all supported browsers for multiple cryptocurrency wallet extensions shown in Table 3.\r\nExtension ID | Extension Name\r\nnkbihfbeogaeaoehlefnkodbefgpgknn | MetaMask\r\negjidjbpglichdcondbcbdnbeeppgdph | Trust Wallet\r\nibnejdfjmmkpcnlpebklmnkoeoihofec | TronLink\r\naholpfdialjgjfhomihkjbmgjidlcdno | Exodus Web3 Wallet\r\nfhbohimaelbohpjbbldcngcnapndodjp | BEW lite\r\nmcohilncbfahbmgdjkbpemcciiolgcge | OKX Wallet\r\nbfnaelmomeimhlpmgjnjophhpkkoljpa | Phantom\r\nejbalbakoplchlghecdalmeeeajnimhm | MetaMask\r\npbpjkcldjiffchgbbndmhojiacbgflha | OKX Wallet\r\nbhhhlbepdkbapadjdnnojkbgioiodbic | Solflare Wallet\r\nTable 3. Searched for browser extensions with their corresponding IDs.\r\nThe extension IDs for each browser are stored in the file %temp%\\[RandomName]\\ext.log.\r\nAdditionally, the malware steals various SQLite database files for supported browsers found in each browser’s user data directory. For example, for Google Chrome, these files can be found in C:\\Users\\[UserName]\\AppData\\Local\\Google\\Chrome\\User Data\\Default for the default user. These database files contain detailed information about the user from browser features including bookmarks, history, saved passwords and installed extensions.\r\nThe malware searches for the following in the database files:\r\nCookies\r\nLogin data\r\nWeb data\r\nThese files are copied to the %temp%\\[RandomName].tmp directory and renamed by prepending the profile user and a browser indicator. The last file created in this directory contains the master encryption key derived from a browser’s Local State file. 
This key is needed to decrypt sensitive browser data, such as stored passwords or cookies.\r\nFinally, these files are compressed using the PowerShell Compress-Archive command to %localappdata%\\micro.log.zip. This file is then uploaded to the C2 server by the orchestrator.\r\nPrevious KimJongRAT PE Variants\r\nWe have also discovered other variants of this malware execution chain, dating back to at least August 2024. The first variants deployed 32-bit DLL files as the final stealer and orchestrator payloads, which is different from the latest variant that uses 64-bit DLL files. Also, the execution chain sometimes differs in the way that the second-stage loader drops the decoy PDF, or whether it uses the decoy PDF at all.\r\nAnother difference is that the initial LNK file does not use cmd.exe and curl.exe but instead powershell.exe with the Invoke-WebRequest command to download the next stage HTA dropper.\r\nNew KimJongRAT PowerShell Variant\r\nThis section discusses the latest variant of KimJongRAT, which uses a PowerShell information and crypto-wallet stealer as its final payload. It is very similar to the PE variant in its functionality but focuses on only stealing system and browser data.\r\nThis execution chain uses a variety of file types and is carried out in multiple stages. The initial file is an LNK file as seen in Figure 13, which illustrates the full execution chain.\r\nFigure 13. 
Malware execution chain of the latest PowerShell variant (icon sources).\r\nStep 1: When double-clicked, the LNK file downloads an HTA file from an attacker-controlled CDN account to disk and runs it, as shown above in Figure 13\r\nStep 2: When executed, this HTA file drops an embedded decoy PDF and a ZIP archive to disk\r\nStep 3: The decoy file is opened by the default installed PDF reader, and then files from the ZIP archive are extracted and saved to disk\r\nStep 4: From those extracted files, a PowerShell file loads the stealer and keylogger and sets the runner VBS script for persistence\r\nStep 5: The stealer sends the collected information and data to the C2 server and awaits commands from the attackers\r\nPowerShell Variant Initial LNK File\r\nAn example of an initial LNK file (SHA256 hash: a66c25b1f0dea6e06a4c9f8c5f6ebba0f6c21bd3b9cc326a56702db30418f189) submitted to VirusTotal is named 성범죄자 신상정보 고지.pdf.lnk (translated from Korean: “Sex Offender Personal Information Notification”). This sample is almost identical to the sample we reviewed in the PE malware chain. The only difference is that it downloads a different HTA file named sfmw.hta and uses a different value for the parameter v as shown in Figure 14.\r\nFigure 14. Execution related LNK data as shown in LnkParse3.\r\nThe LNK file’s metadata is identical to the one described in the latest PE malware execution chain.\r\nFirst Stage HTA File\r\nThe downloaded sfmw.hta file is dropped into the Windows %temp% directory. This file contains VBScript code, obfuscated with the same algorithm as the one in the PE variant. Unlike the PE variant, sfmw.hta only has two embedded payloads.\r\nFigure 15 shows an excerpt of this HTA file with the obfuscated code and one of the two Base64-encoded payloads.\r\nFigure 15. 
Excerpt of the sfmw.hta file content as shown in Visual Studio Code.\r\nFigure 16 shows the deobfuscated version of the HTA file with the truncated Base64-encoded payloads.\r\nFigure 16. Deobfuscated version of sfmw.hta as shown in Visual Studio Code.\r\nFigure 16 shows that the script within the HTA file uses findstr.exe with the /b parameter to locate each Base64-encoded payload within the file text. Then, the script uses certutil.exe to decode the Base64 strings.\r\nAt first, the embedded payload starting with the Base64-encoded data JVBERi0xLj is dropped as sexoffender.pdf (same filename as in the PE variant) into the Windows %temp% directory. This decoy PDF file is then opened by the default installed PDF reader and seems to be a Korean form related to sex offenders, as shown in Figure 17.\r\nFigure 17. PDF decoy document sexoffender.pdf as shown in Adobe PDF Reader.\r\nThe second payload from the HTA file is a Base64-encoded string starting with UEsDBBQAAA. This string is decoded and dropped as a ZIP archive named pipe.zip to the %localappdata% folder. The files from this archive are extracted, and the PowerShell file named 1.ps1 is run. The other unpacked file named 1.log is passed as an argument to the PowerShell file.\r\nFigure 18 shows that the pipe.zip archive contains four files.\r\nFigure 18. Files contained in pipe.zip as shown in 7-Zip.\r\nComponents of this malware were created in September 2024, as shown in the Modified, Created and Accessed dates of the files 1.ps1 and 1.vbs. 
The files 1.log and 2.log that contain the Base64-encoded PowerShell stealer were updated in March 2025.\r\nTable 4 shows the names and SHA256 hashes of these files.\r\nFilename | Hash\r\n1.log | ab8862628584aa429fe7614d1c674bbdf324fa2668c4d3c94670cf6b6db597f6\r\n1.ps1 | 97d1bd607b4dc00c356dd873cd4ac309e98f2bb17ae9a6791fc0a88bc056195a\r\n1.vbs | f73164bd4d2a475f79fb7d0806cfc3ddb510015f9161e7dce537d90956c11393\r\n2.log | 3589c871b56cf76ce28c6be914b206afe977ec13b0894f56e05c5772a3c7e495\r\nTable 4. Files contained in pipe.zip.\r\nSecond Stage PowerShell Stealer\r\nThe PowerShell file 1.ps1 shown in Figure 18 is a simple loader that decodes and runs the Base64-encoded file 1.log that is passed as an argument. It executes the PowerShell code with the Invoke-Expression alias iex as shown in Figure 19.\r\nFigure 19. PowerShell code of 1.ps1 as shown in Visual Studio Code.\r\nThe decoded script in 1.log is a PowerShell stealer with backdoor functionality. This malware can be logically divided into three parts:\r\nHeader\r\nMalware functionality\r\nMain function logic\r\nThe header defines several variables and performs a simple anti-VM check as shown in Figure 20.\r\nFigure 20. Variable definitions and anti-VM check of the PowerShell stealer as shown in Visual Studio Code.\r\nThe header part creates a new directory in the Windows %temp% folder named after the system’s UUID retrieved from the WMI ComputerSystemProduct class, and it defines a few path variables and the C2 URL. Additionally, this part checks whether the victim host is a VMware virtual machine based on the UUID serial number value. If it is a VMware system, the malware deletes itself and then exits. However, this anti-VM check is flawed, as the retrieved UUID does not contain any VM-related strings in comparison to other fields of the same WMI class.\r\nThe second part of the malware is its functionality. 
This part consists of multiple functions, shown in Figure 21.\r\nFigure 21. Folded functions of the PowerShell stealer as shown in Visual Studio Code.\r\nTable 5 shows an overview of these functions.\r\nFunction Name Description\r\nUploadFile\r\nUploads a file from a specified path to a provided URL, appending “\u0026ap=1” to the URL after\r\nthe first of each chunk. It also has an optional tag string parameter, which is used to create a\r\nunique filename along with a random number.\r\nUnprotect-Data\r\nTakes a Base64-encoded encrypted string, decodes it and decrypts the resulting data using the\r\ncurrent user's data protection scope. It then writes the decrypted data to a file at the specified\r\npath.\r\nGetExWFile Explained in more detail below.\r\nGetBrowserData Explained in more detail below.\r\nInit\r\nCollects comprehensive system information, including operating system, CPU, disk, volume,\r\nnetwork adapter details, running processes and installed software. It then writes this information\r\nto a text file info.txt located at $tempPath\\$id.\r\nDownloadFile Downloads a file from a specified URL and saves it to a specified file path.\r\nCreateFileList Described in more detail below.\r\nRegisterTask Described in more detail below.\r\nSend\r\nCompresses a specified directory into a ZIP archive, which it then renames to init.dat and\r\nconstructs a URL by appending the BIOS ID to the C2 base URL. 
It then uploads the init.dat file\r\nto this URL and, if successful, deletes the contents of the specified directory and the init.dat file.\r\nGet-ShortcutTargetPath Retrieves the target path of a specified Windows shortcut by creating a COM object of\r\nWScript.Shell and using its CreateShortcut method.\r\nRecentFiles\r\nRetrieves the target paths of all recent files (shortcuts) in the user's Windows account and\r\nappends them to a text file recent.txt.\r\nWork Described in more detail below.\r\nTable 5. Overview of the PowerShell functions used in the stealer.\r\nThe GetBrowserData function is designed to extract various types of data from multiple browsers, including Edge, Chrome,\r\nNaver Whale and Firefox. This function uses another function named GetExWFile to manage specific data associated with\r\ncryptocurrency wallet browser extensions. Figure 22 shows an excerpt of the GetBrowserData function. This excerpt\r\nindicates the malware is still in development with many lines of code commented out.\r\nFigure 22. GetBrowserData function as shown in Visual Studio Code.\r\nDuring the data extraction process, the GetBrowserData function uses three hash tables to map specific extension IDs to\r\ntheir corresponding names. 
Table 6 shows all hashes with their corresponding extensions.\r\nExtension ID Extension Name\r\nnkbihfbeogaeaoehlefnkodbefgpgknn MetaMask\r\negjidjbpglichdcondbcbdnbeeppgdph Trust Wallet\r\nibnejdfjmmkpcnlpebklmnkoeoihofec TronLink\r\naholpfdialjgjfhomihkjbmgjidlcdno Exodus Web3 Wallet\r\nfhbohimaelbohpjbbldcngcnapndodjp BEW lite\r\nmcohilncbfahbmgdjkbpemcciiolgcge OKX Wallet\r\nbfnaelmomeimhlpmgjnjophhpkkoljpa Phantom\r\nejbalbakoplchlghecdalmeeeajnimhm MetaMask\r\npbpjkcldjiffchgbbndmhojiacbgflha OKX Wallet\r\nopfgelmcmbiajamepnmloijbpoleiama Rainbow\r\nphkbamefinggmakgklpkljjmgibohnba Pontem Crypto Wallet\r\ndmkamcknogkgcdfhhbddcghachkejeap Keplr\r\nnphplpgoakhhjchkkhmiggakijnkhfnd TON Wallet\r\njbppfhkifinbpinekbahmdomhlaidhfm iWallet Pro\r\naiifbnbfobpmeekipheeijimdpnlpgpp Station Wallet\r\nbhhhlbepdkbapadjdnnojkbgioiodbic Solflare Wallet\r\njblndlipeogpafnldhgmapagcccfchpi Kaika Wallet\r\nfpkhgmpbidmiogeglndfbkegfdlnajnf Cosmostation Wallet\r\nonhogfjeacnfoofkfgppdlbmlmnplgbn SubWallet\r\npdliaogehgdbhbnmkklieghmmjkpigpa Bybit Wallet\r\nacmacodkjbdgmoleebolmdjonilkdbch Rabby Wallet\r\naflkmfhebedbjioipglgcbcmnbpgliof Backpack\r\nfnjhmkhhmkbjkkabndcnnogagogbneec Ronin Wallet\r\nppbibelpcjmhbdihakflkdcoccbgbkpo UniSat Wallet\r\nanokgmphncpekkhclmingpimjmcooifb Compass Wallet\r\ndlcobpjiigpikoobohmabehhmhfoodbb Argent X Starknet Wallet\r\nefbglgofoippbgcjepnhiblaibcnclgk Martian Aptos \u0026 Sui Wallet\r\nejjladinnckdgjemekebdpeokbikhfci Petra Aptos Wallet\r\nfcfcfllfndlomdhbehjjcoimbgofdncg Leap Cosmos Wallet\r\njnlgamecbpmbajjfhmmmlhejkemejdma Braavos Starknet Wallet\r\nfijngjgcjhjmmpcmkeiomlglpeiijkld Talisman Wallet\r\nmkpegjkblkkefacfnmkajcjmabijhclg Magic Eden Wallet\r\nhttps://unit42.paloaltonetworks.com/kimjongrat-stealer-variant-powershell/\r\nPage 20 of 28\n\naeachknmefphepccionboohckonoeemg Coin98 Wallet\r\nidnnbdplmphpflfnlkomgpfbpcgelopg XVerse Wallet\r\ndmkamcknogkgcdfhhbddcghachkejeap Keplr\r\nnnpmfplkfogfpmcngplhnbdnnilmcdcg 
Uniswap\r\nbfnaelmomeimhlpmgjnjophhpkkoljpa Phantom\r\nopcgpfmipidbgpenhmajoajpbobppdil Sui Wallet\r\nhnfanknocfeofbddgcijnmhnfnkdnaad Coinbase Wallet\r\nkkpllkodjeloidieedojogacfhpaihoh Enkrypt\r\nTable 6. Searched for browser extensions with their corresponding IDs.\r\nThe GetExWFile function retrieves files associated with these extensions, based on the specific handling procedures defined\r\nfor each of the hash tables. The function begins by attempting to retrieve the encrypted master key from the local user's data\r\nfor each browser.\r\nIf the browser process is running, it halts the process to avoid file access conflicts. Then, it navigates through all user\r\nprofiles for each browser within the User Data directory. For every user profile, it duplicates various data types, such as\r\nLogin Data and Bookmarks, to a new location.\r\nFor Edge, Chrome and Naver Whale, the GetExWFile function processes data related to browser extensions. It receives the\r\nbrowser's name, the profile path and the profile name as arguments. After it duplicates the necessary data, the function\r\nenumerates all extensions installed for the user profile and appends this list to a text file named extensions.txt. If the browser\r\nprocess was initially running, this function restarts the process once it has copied all the data.\r\nFor Firefox, the function specifically copies certain files (key4.db, key3.db, cookies.sqlite, logins.json) associated with each\r\nuser profile.\r\nThe CreateFileList function scans all file system drives on the system, specifically targeting the Users directory on the C:\\\r\ndrive. It searches for files with extensions shown in Table 7.\r\nExtensions File Association\r\n.doc, .docx, .xls, .xlsx Microsoft Office\r\n.hwp, .hwpx Hancom Office\r\n.txt, .csv, .pdf, .log Text related\r\n.jpg, .jpeg, .png Images\r\n.rar, .zip, .alz Archives\r\n.ldb Microsoft Access lock\r\n.eml Email\r\nTable 7. 
List of files with their extensions that the stealer is looking for.\r\nAdditionally, the CreateFileList function searches for any files matching the name patterns of various cryptocurrency-related\r\nterms and names as shown in Figure 23.\r\nFigure 23. CreateFileList function as shown in Visual Studio Code.\r\nAll matching files are then written into a text file named FileList.txt.\r\nThe RegisterTask function shown in Figure 24 creates an entry in the Windows registry under\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key for persistence. For this, it creates an entry named\r\nWindowsSecurityCheck and uses the file path to 1.vbs previously dropped from the ZIP archive.\r\nFigure 24. RegisterTask function as shown in Visual Studio Code.\r\nA commented-out code line in 1.ps1 (see Figure 24, line 409) indicates it has run 1.log directly in the malware code at some\r\npoint. This functionality has been outsourced to the external file 1.vbs, which contains VBScript code obfuscated by the\r\nsame algorithm as for all other files. Figure 25 below shows its deobfuscated version.\r\nFigure 25. VBScript code of 1.vbs as shown in Visual Studio Code.\r\nThe last function Work continuously interacts with the C2 server, cycling through a set of operations as shown in Figure 26.\r\nThis function is similar to the procedure of the PE variant. It periodically uploads the collected data and provides the\r\nattacker with backdoor functionality. This includes uploading any additional files to the C2 server or downloading and\r\nrunning additional PowerShell payloads to the victim’s system.\r\nFigure 26. Excerpt of the Work function as shown in Visual Studio Code.\r\nThe control flow is as follows:\r\n1. The function is initiated by pausing for 600 seconds.\r\n2. 
It then constructs a URL \u003cC2URL\u003e?id=\u003cUUID\u003e\u0026ap=1 to upload a file named k.log to the C2 server. The\r\nkeylogger module creates this file.\r\n3. After the upload, the function deletes the file k.log from the local machine.\r\n4. It downloads a string from a server URL \u003cC2URL\u003e?id/rd and splits it into lines. For each line, which is a provided\r\nfile path, it constructs a URL \u003cC2URL\u003e?id=\u003cUUID\u003e and uploads the file to the server. Afterwards, it sends a GET\r\nrequest to a URL \u003cC2URL\u003e?id=\u003cUUID\u003e\u0026del=rd to delete the read string from the server.\r\n5. Next, it downloads a string from another server URL \u003cC2URL\u003e?id/wr and splits it into lines. For each line, it\r\nextracts the filename, constructs a URL \u003cC2URL\u003e?id=\u003cUUID\u003e/\u003cFileName\u003e and downloads this file from the\r\nserver to the victim’s system. It then sends a GET request to a URL \u003cC2URL\u003e?id=\u003cUUID\u003e\u0026del=\u003cFileName\u003e to\r\ndelete the file from the server.\r\n6. It downloads a string from a C2 server URL \u003cC2URL\u003e?id/cm and executes the string as a command using Invoke-Expression. This string can be any PowerShell code but is likely used to run additional payloads dropped previously.\r\nAfter execution, it sends a GET request to a URL \u003cC2URL\u003e?id=\u003cUUID\u003e\u0026del=cm to delete the string on the server.\r\n7. The function repeats this entire process indefinitely.\r\nDuring our analysis of this malware, we did not observe any data returned from the C2 server.\r\nThe last of the three parts of the stealer’s code is the main function logic shown in Figure 27.\r\nFigure 27. 
Main function logic as shown in Visual Studio Code.\r\nFirst, this section creates the malware persistence in the registry and then collects system information and browser data.\r\nNext, it runs the file 2.log using the PowerShell loader script 1.ps1 before it finally sends all data to the C2 server and waits\r\nfor the attacker’s commands.\r\nThe file 2.log is a keylogger module that captures and records keystrokes, window titles and clipboard content as shown in\r\nFigure 28. This module writes the recorded data into a log file named k.log, which is uploaded to the C2 server in the Work\r\nfunction.\r\nFigure 28. Base64-decoded keylogger code of 2.log as shown in Visual Studio Code.\r\nPrevious Version of KimJongRAT PowerShell Variant\r\nWe’ve found a previous version of the PowerShell variant that only differs slightly from the most recent one. The main\r\ndifferences are in the PowerShell script in the stealer.\r\nThe initial LNK file downloads an HTA file named prevenue.hta from an attacker-controlled cdn.glitch[.]global URL. The\r\nURL to the HTA file contains the value 1742020326408 for the parameter v. This value is the time in epoch format for\r\nSaturday, March 15, 2025, 6:32 a.m. (GMT). The LNK file’s metadata is identical to the one used in the most recent version.\r\nThe downloaded HTA file named prevenue.hta is almost identical to the HTA file used in the most recent version. The only\r\ndifferences are the embedded decoy PDF file dropped as revenue.pdf and the embedded ZIP archive containing a previous\r\nversion of the PowerShell stealer.\r\nThe decoy PDF file shown in Figure 29 seems to be a tax revenue-related document of a person from the South Korean city\r\nof Sejong.\r\nFigure 29. 
PDF decoy document revenue.pdf as shown in Adobe PDF Reader.\r\nFigure 30 shows the contents of the ZIP archive again dropped as pipe.zip.\r\nFigure 30. Files contained in pipe.zip as shown in 7-Zip.\r\nThe only files that differ are 1.log, which contains Base64-encoded text for the PowerShell stealer, and 2.log, which contains\r\nBase64-encoded text for the keylogger module. The PowerShell stealer is an older version that uses the system’s BIOS serial\r\nnumber instead of the UUID, among other minor differences. The keylogger module is also an older version that uses the\r\nBIOS serial number.\r\nConclusion\r\nSince it first emerged in 2019, the KimJongRAT stealer has evolved, adapting to the changing cybersecurity landscape. Our\r\nprevious article highlighted the older variants of this malicious tool, and this article delves deeper into its latest incarnations.\r\nOne variant uses a PE file, and another is a PowerShell implementation. This adaptability not only showcases the persistent\r\nthreat posed by such malware but also underscores its developers' commitment to updating and expanding its capabilities.\r\nThis new analysis reveals the PowerShell variant's special focus on cryptocurrency, as it searches for an extensive list of\r\nbrowser wallet extensions.\r\nThe continued development and deployment of KimJongRAT, featuring changing techniques such as using a legitimate\r\nCDN server to disguise its distribution, demonstrates a clear and ongoing threat. 
Our comprehensive examination of these\r\nnew variants provides crucial insights into their operation, aiding in the ongoing efforts to detect, neutralize and mitigate\r\ntheir effects.\r\nPalo Alto Networks customers are better protected from the threats described in this article in the following ways:\r\nThe Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light\r\nof the IoCs shared in this research\r\nAdvanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with this\r\nactivity as malicious\r\nAdvanced Threat Prevention has an inbuilt machine learning-based detection that can detect exploits in real time.\r\nCortex XDR and XSIAM are designed to prevent the execution of known malicious malware, and also prevent the\r\nexecution of unknown malware using Behavioral Threat Protection and machine learning based on the Local\r\nAnalysis module.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response\r\nteam or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 00080005045107\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use\r\nthis intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. 
Learn\r\nmore about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSHA256 Hashes of Initial LNK Files\r\na66c25b1f0dea6e06a4c9f8c5f6ebba0f6c21bd3b9cc326a56702db30418f189\r\n28f2fcece68822c38e72310c911ef007f8bd8fd711f2080844f666b7f371e9e1\r\n3b0a3bd5b790e5f130e7819550613b7e0194a3475f553285a1b7dc18ecca9d02\r\n8a000aa43c17250dd02f842bc2ab37e47dd8d68da0d59753943df8b37004b701\r\nb90b2d992b41d146e70b775e2bc0430b9f7fb0ed0cd285c59daea92c2fc6af0b\r\nd92b858d691c84b4e3752fdd46b5673fbd6b5af101a7111c1d8756c90271b732\r\nbe080777332ad1186fb8547a6a354b2beba62f2a24537eb7b79e849f084a95be\r\nSHA256 Hashes of First Stage HTA Files\r\n02783530bbd8416ebc82ab1eb5bbe81d5d87731d24c6ff6a8e12139a5fe33cee\r\n3c2ea04090ad8c28116c42a9a2be5b240f135ac184e5a2c121b4eb311a7bf075\r\n9c9136fc8a279ce395997dd42c075e265c6daec14b13bbe4237a4178769d270e\r\n9bfbf7618a2c5270d552f4deb69b56082cc7723433a1517678863363cb800161\r\n6347d70b73e1cabadf8af8602b22a8220ed5b7298dbc15f16eb7dd493d6c6a78\r\nb7dad38a099947612fcc42c50f4ba1708af969a3222b3345bdff35323a41974d\r\nbcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234\r\n45980cc8afb4e1b3738130d0855bb608530eef6731c5116fd053ac6e04159725\r\n7a37e2d6dc941386d1f300bac48056030f37c950bcd441d83eca708d2beab939\r\nSHA256 Hashes of Second Stage Loader Files (baby.dll)\r\nf4d9547269e0cd7a0df97e394f688e0eb00b31965abd5e6ad67d373a7dc58f3b\r\n7a9f4ca13aed4d6d8ba430bc2b2f5ac2e4f9c7b5de2f5d2ba5aada211059da73\r\nd7a61ab1b1eadd3b34386ec2a96324195ec25cd71fe4e5d9a8f993a6bd52eb92\r\n945e4f78196ef3a5548996a8d09e4220b779a2e78d40a86d64f233f7908550e6\r\nhttps://unit42.paloaltonetworks.com/kimjongrat-stealer-variant-powershell/\r\nPage 26 of 28\n\n5a18a29791cfb18767a43bebb61f923e64be7988235213678514007174f60b3e\r\n4b87b775cdb265ecd872a71be810d7816d0d8b54663b3c536862db098874f288\r\n8b0b62a31b348c5a2337ee69cfd3f68a427466539484f55f1cd2910237b59700\r\n9e4e45e8f12db94997767bd3899968b9bc147bf08c062d3caea7f0864a67ea2c\r\nSHA256 Hashes of KimJongRAT Orchestrator Files 
(NetworkService.dll)\r\n85be5cc01f0e0127a26dceba76571a94335d00d490e5391ccef72e115c3301b3\r\nbdb272189a7cdcf166fce130d58b794b242c582032f19369166b3d4cfdc0902c\r\n2ba3397cba28af1a929403910035b78bf946acbafe9e186ac329b55086fe7703\r\naccf50d769408253bf9a7da378228debce7c8f6d60fb76da48196fe42cacedf3\r\nSHA256 Hashes of KimJongRAT Stealer Files (dwm.dll, UPX packed)\r\n96df4f9cb5d9cacd6e3b947c61af9b8317194b1285936ce103f155e082290381\r\nc356cd9fea07353a0ee4dfd4652bf79111b70790e7ed63df6b31d7ec2f5953d5\r\n5097553dff2a2da4f16b80a346fe543422b22d262e0c40e187b345afbcc7d41a\r\nef0ce406fa722d30bfa094c660e81ed4a72ff8c75a629081293f4a86e0e587c2\r\nSHA256 Hash of PowerShell Loader File\r\n97d1bd607b4dc00c356dd873cd4ac309e98f2bb17ae9a6791fc0a88bc056195a\r\nSHA256 Hashes of PowerShell Stealer Files\r\nb103190c647ddd7d16766ee5af19e265f0e15d57e91a07b2a866f5b18178581c\r\neb68ed54e543c18070e5cc93a27db4a508d79016c09e28a47260ca080110328f\r\nSHA256 Hashes of PowerShell Keylogger Files\r\n3c6476411d214d40d0cc43241f63e933f5a77991939de158df40d84d04b7aa78\r\n4e45009f5b582ca404b197d28805e363a537856b55e39c5c806fcf05acd928ff\r\nSHA256 Hash of Persistence VBS File\r\nf73164bd4d2a475f79fb7d0806cfc3ddb510015f9161e7dce537d90956c11393\r\nCDN Stager (Base) URLs\r\ncdn.glitch[.]global/2eefa6a0-44ff-4979-9a9c-689be652996d/\r\ncdn.glitch[.]global/17443dac-272c-421c-80ac-53a3695ede0e/\r\ncdn.glitch[.]global/c97fe797-45c1-473b-a2f8-3c0c8bb431af/\r\ncdn.glitch[.]global/59e3786e-8284-4f16-8844-134b12e58b6f/\r\ncdn.glitch[.]global/4ab4f138-6f66-4b39-a7dc-9d4843dcf34f/\r\nC2 (Base) URLs\r\n131.153.13[.]235/sp/\r\n131.153.13[.]235/service/\r\nsecservice.ddns[.]net/service2/\r\nsrvdown.ddns[.]net/service3/\r\nAdditional Resources\r\nNew BabyShark Malware Targets U.S. 
National Security Think Tanks - Palo Alto Networks Unit 42\r\nBabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat - Palo Alto Networks Unit 42\r\nKimJongRAT/stealer malware analysis [PDF] - Malware.lu CERT\r\nSpecial mission 'Operation Giant Baby', approaching as a huge threat - ESTsecurity\r\nSource: https://unit42.paloaltonetworks.com/kimjongrat-stealer-variant-powershell/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/kimjongrat-stealer-variant-powershell/"
	],
	"report_names": [
		"kimjongrat-stealer-variant-powershell"
	],
	"threat_actors": [
		{
			"id": "63883709-27b5-4b65-9aac-c782780fbb28",
			"created_at": "2026-04-10T02:00:03.996704Z",
			"updated_at": "2026-04-10T02:00:03.996704Z",
			"deleted_at": null,
			"main_name": "TeamPCP",
			"aliases": [],
			"source_name": "MISPGALAXY:TeamPCP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434952,
	"ts_updated_at": 1775792278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1ec91c546374c767a8ece5a09167a875d4726bb3.pdf",
		"text": "https://archive.orkl.eu/1ec91c546374c767a8ece5a09167a875d4726bb3.txt",
		"img": "https://archive.orkl.eu/1ec91c546374c767a8ece5a09167a875d4726bb3.jpg"
	}
}