{
	"id": "e733a466-6107-4b39-a2fe-3b30b8ab6d1a",
	"created_at": "2026-04-06T00:18:54.26525Z",
	"updated_at": "2026-04-10T13:12:34.86093Z",
	"deleted_at": null,
	"sha1_hash": "24cb47c17b86d95f894a44ad678f4fcd2c78581d",
	"title": "Technical Analysis of kkRAT | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1449793,
	"plain_text": "Technical Analysis of kkRAT | ThreatLabz\r\nBy Muhammed Irfan V A\r\nPublished: 2025-09-10 · Archived: 2026-04-05 17:26:23 UTC\r\nAttack chain\r\nIn early May 2025, ThreatLabz identified a malware campaign delivering multiple RATs as the final payload. The attack chain for this campaign is shown in the figure below.\r\nFigure 1: Attack chain for a malware campaign delivering several RATs.\r\nThe threat actor uses GitHub Pages to host phishing sites impersonating popular software installers. These installer packages are ZIP archives that contain a malicious executable file. The figure below highlights an example phishing page used in the campaign.\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-kkrat\r\nPage 1 of 12\n\nFigure 2: Example phishing page impersonating Ding Talk that ultimately delivers various RATs.\r\nFirst stage\r\nDuring the initial stage of the campaign, the malware employs two distinct methods to identify sandbox environments and virtual machines (VMs):\r\nTime stability analysis: Using QueryPerformanceCounter, the malware measures the time for a repetitive operation, compares the average (expected 300 ms) to a threshold (0.0008), and identifies sandboxes/VMs if the deviation exceeds this limit.\r\nHardware configuration: The malware assesses disk space (minimum 50 GB) and CPU cores (minimum two). If these thresholds aren’t met, the malware initiates evasive actions, including altering the Process Environment Block (PEB) structure:\r\nProcessParameters->ImagePathName and ProcessParameters->CommandLine are altered to mimic %WINDIR%\\explorer.exe.\r\nThe malware also traverses InLoadOrderModuleList. If any entry’s BaseDllName matches the current process name, both BaseDllName and FullDllName are rewritten to %WINDIR%\\explorer.exe.\r\nThese modifications corrupt the final process snapshot taken by sandboxes and will result in the malware terminating execution.\r\nAfter completing the sandbox and VM checks, the malware performs the following anti-analysis/obfuscation methods.\r\nAPI resolution: The malware dynamically loads required Windows API functions by performing single-byte XOR (key: 0x4) operations on stack strings.\r\nNext-stage file decryption: The malware applies single-byte XOR operations (key: 0x1) to extract decryption keys for the next-stage files.\r\nMemory is allocated for next-stage shellcodes, which are decrypted, written, and directly executed by the first stage. All shellcodes utilized in the campaign employ pe_to_shellcode transformation logic.\r\n
Second stage\r\nTo bypass AV software and EDR systems, the malware employs several techniques. The first technique is verifying administrator privileges. If the malware does not have sufficient privileges, it displays a message in Mandarin prompting the user for elevated access and then exits. If the malware has administrator privileges, it enumerates all active network adapters and temporarily disables them, severing AV/EDR communication with the corresponding vendor’s servers.\r\nFollowing this, the malware scans the system for the presence of specific AV and EDR processes predominantly associated with China-based cybersecurity vendors. These vendors include:\r\n360 Total Security\r\nQQ电脑管家\r\nHeroBravo System Diagnostics suite\r\nKingsoft Internet Security\r\n360 Internet Security suite\r\nIf targeted processes are detected, the malware uses a known vulnerable driver (RTCore64.sys) to disable AV/EDR functionalities. This is achieved by comparing the name of the AV/EDR driver that registered each callback with the list of targeted drivers. The complete list of targeted drivers can be found in the ThreatLabz GitHub repository.\r\nThe malware incorporates code borrowed from the RealBlindingEDR project to remove registered system callbacks, targeting three specific types of callbacks for elimination:\r\nObRegister callback: Monitors, blocks, or modifies how the system creates and duplicates handles using callback routines.\r\nMiniFilter callback: Allows minifilter drivers to filter specific file Input/Output (I/O) operations.\r\nCmRegister callback: Monitors, blocks, or modifies Windows registry operations via callback routines.\r\nAfter disabling callbacks, the malware terminates and deletes files of specific AV/EDR processes at the user level. The malware also creates a scheduled task that runs with SYSTEM privileges to execute a batch script on every user logon, ensuring the processes are repeatedly killed.\r\nNext, the malware modifies registry keys associated with the 360 Total Security program:\r\nThe NetCheck registry value is set to 0 in HKLM\\SOFTWARE\\WOW6432Node\\360Safe\\360Scan (presumably to disable network checks).\r\nRandom data is added to a null value name under the registry key located at HKU\\360SPDM\\CC2FCASH\\speedmem2\\x\\b5e3891842b605bf7917ba84.\r\nFollowing these registry changes, the malware re-enables the previously disabled network adapters to restore the system's network connectivity. Thereafter, the first-stage shellcode executes the third-stage shellcode, which functions as a downloader to facilitate the next phase of the attack.\r\n
Third stage\r\nThe malware retrieves and executes a shellcode file named 2025.bin from a hardcoded URL by utilizing the EnumDateFormatsA API callback. The shellcode, heavily obfuscated with junk code, downloads a Base64-encoded file named output.log, which is decoded to reveal structured data for subsequent attack stages. An example is shown below.\r\nFigure 3: Hexdump of the decoded data used to download various RATs.\r\nThe decoded data is structured using the delimiter 0xA1 0xF9 as a field separator, dividing individual fields within a record, while 0xA1 0xF6 serves as a record terminator, marking the end of each record. The decoded data consists of 62 records; each record starts with an index ranging from 0 to 61. In each record, the second field contains two URLs, which are used to download two archive files:\r\ntrx38.zip: When unzipped, trx38.zip includes a legitimate executable file and a malicious DLL.\r\n*.zip: (Where * represents a wildcard) This ZIP archive contains a file named longlq.cl, which holds the encrypted final payload.\r\nThe malware selects a record based on the last letter of the current process's filename. For example, if the filename was setup.exe, the file p.zip would be downloaded. The malware then creates a shortcut for the legitimate executable extracted from trx38.zip, adds this shortcut to the startup folder for persistence, and executes the legitimate executable to sideload the malicious DLL.\r\nThe malicious DLL decrypts and executes the final payload from the file longlq.cl using a 6-byte XOR key at offset 0xD3000, with the encrypted data starting at 0xD3006. The final payload of the campaign varies based on the second ZIP archive that is downloaded. This campaign delivers three different RATs: ValleyRAT, FatalRAT, and kkRAT.\r\n
Final payload\r\nSince ValleyRAT and FatalRAT are already extensively documented, they will not be analyzed in this section. However, kkRAT is a previously unknown malware family that incorporates elements from both Ghost RAT and Big Bad Wolf. These shared similarities are outlined below:\r\nGhost RAT: kkRAT shares similarities with Ghost RAT’s network communication protocols, but introduces an added layer of encryption applied after data compression. kkRAT also borrows several network commands from Ghost RAT, such as COMMAND_ACTIVED, COMMAND_KEYBOARD, and COMMAND_LIST_DRIVE.\r\nBig Bad Wolf: kkRAT adopts specific DLL exports from Big Bad Wolf’s primary plugin DLL, including DllShell and DllScreen.\r\nEncrypted configuration\r\nkkRAT’s configuration, such as the C2 server IP and port, version, and group identifier, is stored as encrypted strings and sent in the registration message. A Python script for decrypting this configuration is available in the ThreatLabz GitHub repository.\r\nDevice fingerprinting\r\nAfter establishing a socket connection, kkRAT gathers system information for device fingerprinting. The collected data is sent to the C2 server in a registration message with the structure below.\r\nstruct REGISTRATIONINFO\r\n{\r\n    BYTE Token;                   // 0x66 hardcoded value\r\n    OSVERSIONINFOEXA OsVerInfoEx; // OS version information\r\n    DWORD CPUClockMhz;            // CPU frequency\r\n    int CPUNumber;                // Number of processors\r\n    IN_ADDR IPAddress;            // Host local IP\r\n    char HostName[50];            // Host name\r\n    bool IsWebCam;                // Is there a web camera connected?\r\n    DWORD socketTime;             // Time since the socket was established\r\n    DWORD Speed;                  // Internet speed in Mbps\r\n    DWORD MemSize;                // Total physical memory size\r\n    DWORD DriverSize;             // Hard disk capacity\r\n    char Group[50];               // RAT group - set to Default\r\n    char UpTime[32];              // System uptime\r\n    char Version[32];             // RAT version - set to Enterprise\r\n    BOOL Is64;                    // 32-bit or 64-bit; 1 is 64 while 0 is 32\r\n    char AV[80];                  // List of AVs installed\r\n    DWORD isIdle;                 // Is idle for more than 3 min?\r\n    char TG[40];                  // Is Telegram present on the system?\r\n    char WC[40];                  // Is WeChat present on the system?\r\n    char QQ[80];                  // QQ number\r\n    BOOL IsAdmin;                 // Is Administrator\r\n    char UserName[50];            // Account username\r\n};\r\n
Network communication protocol\r\nkkRAT's network communication protocol closely resembles that of Ghost RAT, with an added layer of encryption applied after data compression. Each packet exchanged between kkRAT and the C2 server is sent via TCP and follows a specific structure, as illustrated in the figure below.\r\nFigure 4: kkRAT packet structure.\r\nThe original data is first compressed using zlib and then encrypted using an XOR-based algorithm with a key embedded in the malware binary. The Python script provided in the ThreatLabz GitHub repository can be used to decrypt captured network data.\r\nPlugins\r\nkkRAT retrieves its main plugin and saves it on disk in an encrypted format. When a specific command calls for a plugin export, the encrypted plugin is read from disk, decrypted, and loaded into memory, and the requested export is executed. The Python code in the ThreatLabz GitHub repository can be used to decrypt the encrypted plugin. The encryption algorithm is similar to the XOR-based algorithm used to protect network communications.\r\nThe table below outlines the plugins and exports for kkRAT (plugin name, then export name: description).\r\nMain Plugin (Plugin32.dll)\r\nDLLScreen: Provides basic remote desktop screen management, primarily used for screen capturing and simulating user inputs such as keyboard and mouse actions.\r\nDLLScreee: An extended version of DLLScreen that includes additional capabilities, such as retrieving and modifying clipboard data.\r\nDLLScreeh: Enables concealed remote management through virtual desktops, with added functionalities such as launching web browsers and terminating active processes.\r\nDllScreer: Functions as a view-only screen monitor, supporting only screen monitoring without features such as input simulation.\r\nDllShell: Facilitates remote command execution via a shell interface.\r\nDllWindows: Enables management of windows on the screen, offering features such as listing, enabling, disabling, or closing windows.\r\nDllProgress: Provides process management capabilities, including listing active processes and terminating them as needed.\r\nDllGetNetState: Generates a list of active network connections (similar to netstat), along with their associated processes, and allows for the termination of processes based on this data.\r\nDllApp: Offers application management functionalities, including listing installed software and uninstalling selected programs.\r\nDllQDXGL: Enumerates and retrieves the list of values stored in the autorun registry key located at HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.\r\nfnProxy: Serves as a proxy, facilitating communication between a client and a server by relaying the data.\r\nPlugProxy.dll\r\nConnSocks: Functions as a proxy between a client and server, utilizing a Go binary. It implements the SOCKS5 protocol using the go-socks5 library.\r\nTable 1: Plugins supported by kkRAT.\r\nNote that kkRAT's main plugin, Plugin32.dll, was uncovered alongside the source code of an older version on VirusTotal, which served as the basis for the RAT's name.\r\n
After receiving the registration message, the C2 server issues a series of commands for kkRAT to execute. kkRAT supports an extensive range of commands, integrating functionality from its plugin DLL exports. While the known command IDs associated with Ghost RAT are excluded, the table below provides the command IDs for the plugin DLL exports discussed earlier and the new commands introduced in kkRAT (command ID: description).\r\n0x4: Downloads the main plugin DLL (Plugin32.dll).\r\n0x8: Removes Internet Explorer browsing data.\r\n0x9: Removes Skype local storage data.\r\n0xA: Removes Telegram tdata.\r\n0xB: Removes QQ browser user data.\r\n0xC: Removes Firefox profile data.\r\n0xD: Removes Google Chrome user data.\r\n0xE: Removes Sogou Explorer cache data.\r\n0xF: Removes 360 Speed Browser user data.\r\n0x10: Removes 360 Secure Browser user data.\r\n0x15: Calls the DllScreen export from Plugin32.dll.\r\n0x1F: Calls the DllScreee export from Plugin32.dll.\r\n0x29: Calls the DllScreeh export from Plugin32.dll.\r\n0x2A: Calls the DllScreer export from Plugin32.dll.\r\n0x34: Calls the DllWindows export from Plugin32.dll.\r\n0x35: Calls the DllProgress export from Plugin32.dll.\r\n0x36: Calls the DllGetNetState export from Plugin32.dll.\r\n0x37: Calls the DllApp export from Plugin32.dll.\r\n0x38: Calls the DllQDXGL export from Plugin32.dll.\r\n0x4A: Establishes persistence on the victim's system. The RAT server provides the sub-command ID and the name needed for the key/task as parameters to specify the persistence method. The sub-commands are listed below:\r\n    Achieve persistence using the startup folder.\r\n    Achieve persistence using an autorun key.\r\n    Achieve persistence using a logon script (HKCU\\Environment\\UserInitMprLogonScript).\r\n    Achieve persistence using scheduled tasks.\r\n0x4B: Checks for the presence of the GotoHTTP remote monitoring and management (RMM) tool on the victim's system. If GotoHTTP is detected, the command retrieves the name and tmp values from the gotohttp.ini configuration file. If GotoHTTP is not present, the command installs the tool on the system. The GotoHTTP tool (file content) is provided by the C2 as a parameter for the command.\r\n0x4C: Verifies whether the Sunlogin RMM tool is installed on the victim's system. If Sunlogin is present, the command retrieves the fastcode and password values from the config.ini file. If Sunlogin is not found, the command installs the tool on the system. The Sunlogin RMM tool (file content) is provided by the C2 as a parameter for the command.\r\n0x4D: Scans the clipboard for cryptocurrency wallet addresses associated with Tether, Bitcoin, or Ethereum. Identified wallet addresses are replaced with the attacker’s wallet addresses, which are provided as parameters for this command.\r\n0x4E: Same as 0x4D.\r\n0x4F: Stops the replacement of Tether, Bitcoin, and Ethereum wallet addresses in the clipboard with the attacker’s wallet addresses, effectively disabling the crypto hijacking behavior.\r\n0x51: Attempts to elevate privileges on the victim's system using the runas verb once.\r\n0x55: Invokes the DllShell export from the Plugin32.dll plugin to execute its associated functionality.\r\n0x5C: Calls the fnProxy export from the Plugin32.dll plugin. This command supports multiple sub-commands, with the first parameter determining the specific operation to be executed. The sub-commands are listed below:\r\n    0x5E: Establishes a TCP connection to a remote IP and port specified by the attacker. Additional parameters include a unique ID to identify the TCP socket, the target remote IP address, and the target remote port number.\r\n    0x5F: Terminates the TCP connection associated with the specified ID, which is provided as an additional parameter.\r\n    0x60: Sends data through the proxy. Additional parameters include the ID of the associated TCP socket and the data to be transmitted.\r\n0x5D: Calls the ConnSocks export from the PlugProxy.dll plugin. Along with this command, the DLL content of PlugProxy.dll is provided as a parameter.\r\nTable 2: Commands implemented by kkRAT.\r\nSource: https://www.zscaler.com/blogs/security-research/technical-analysis-kkrat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/technical-analysis-kkrat"
	],
	"report_names": [
		"technical-analysis-kkrat"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434734,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/24cb47c17b86d95f894a44ad678f4fcd2c78581d.pdf",
		"text": "https://archive.orkl.eu/24cb47c17b86d95f894a44ad678f4fcd2c78581d.txt",
		"img": "https://archive.orkl.eu/24cb47c17b86d95f894a44ad678f4fcd2c78581d.jpg"
	}
}