{
	"id": "c9b5f037-761a-486b-8d98-3fae3857da41",
	"created_at": "2026-04-06T00:13:50.166344Z",
	"updated_at": "2026-04-10T03:37:40.62008Z",
	"deleted_at": null,
	"sha1_hash": "2f412bff822fcf5f1bbdf65e75d51c0f763ae6aa",
	"title": "BitRAT Disguised as Windows Product Key Verification Tool Being Distributed - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3637520,
	"plain_text": "BitRAT Disguised as Windows Product Key Verification Tool Being Distributed - ASEC\r\nBy ATCP\r\nPublished: 2022-03-15 · Archived: 2026-04-05 15:10:25 UTC\r\nThe ASEC analysis team has recently discovered BitRAT being distributed via webhards. Because the attacker disguised the malware as a Windows 10 license verification tool from the development stage, users who download illegal crack tools from webhards and install them to verify their Windows license are at risk of having BitRAT installed on their PCs.\r\nThe following shows a post uploaded to a webhard that harbors the malware. Its title is [New][Quick Install]Windows License Verification[One-click].\r\nhttps://asec.ahnlab.com/en/32781/\r\nPage 1 of 8\r\n\r\nA compressed file named ‘Program.zip’ is downloaded; it is password-protected with the password ‘1234’. It contains a Windows 10 license verification tool named ‘W10DigitalActivation.exe’.\r\n‘W10DigitalActivation.exe’ is a 7z SFX file that carries an actual verification tool called ‘W10DigitalActivation.msi’ and the malware named ‘W10DigitalActivation_Temp.msi’. When the user double-clicks the file, it installs both files concurrently. As the malware and the verification tool run at the same time, the user is tricked into thinking that the tool is working properly, as shown below.\r\nDespite its name, ‘W10DigitalActivation_Temp.msi’ is a downloader with an exe extension that downloads additional malware. When run, it connects to the C&C servers whose addresses it carries internally and exchanges encrypted strings with them. It then decrypts the strings to obtain the download URL for the additional payload.\r\nThe downloader installs the malware into the Windows startup program folder and deletes itself. Normally, the first file installed is another downloader of the same kind, and the downloader run this way ultimately installs BitRAT under %TEMP% as ‘Software_Reporter_Tool.exe’.\r\nNote that this downloader is equipped with additional features and is by no means a simple program. As shown in the figure below, one of its features uses a PowerShell command to add the Windows startup program folder, where the downloader will be installed, as an exclusion path for Windows Defender, and to add the BitRAT process name ‘Software_Reporter_Tool.exe’ as an exclusion process for Windows Defender.\r\nSeeing that this malware is spread through webhards, considered the most-used file-sharing platforms in Korea, and includes Korean characters in its code as shown in the figure below, the attacker appears to be a Korean speaker.\r\nThe malware that is ultimately installed is a RAT (Remote Access Trojan) called BitRAT. BitRAT has been on sale via a hacking forum since 2020 and is continuously used by attackers.\r\nBecause BitRAT is a RAT, its operator can gain control of the infected system. BitRAT not only provides basic control features such as process tasks, service tasks, file tasks, and remote commands, but also extra options such as various info-stealing features, HVNC, remote desktop, coin mining, and proxies.\r\nThe following is the list of features that BitRAT provides.\r\n1. Network Communication Method\r\n– Encrypted communication using TLS 1.2\r\n– Communication using Tor\r\n2. Basic Control\r\n– Process manager\r\n– Service manager\r\n– File manager\r\n– Windows manager\r\n– Software manager\r\n3. Information Theft\r\n– Keylogging\r\n– Clipboard logging\r\n– Webcam logging\r\n– Audio logging\r\n– Application (e.g. web browser) account credential theft\r\n4. Remote Control\r\n– Remote desktop\r\n– hVNC (Hidden Desktop)\r\n5. Proxy\r\n– SOCKS5 Proxy: port forwarding feature using UPnP\r\n– Reverse Proxy: SOCKS4 Proxy\r\n6. Coin Mining\r\n– XMRig CoinMiner\r\n7. etc.\r\n– DDoS attack\r\n– UAC Bypass\r\n– Windows Defender deactivation\r\nNote that BitRAT uses the leaked TinyNuke code, just like AveMaria. The following is a comparison of TinyNuke’s hVNC (the routine related to Hidden Desktop) and BitRAT’s code.\r\nTinyNuke verifies and uses a signature string called ‘AVE_MARIA’ in its Reverse SOCKS4 Proxy and Hidden Desktop features. AveMaria adopted the Reverse SOCKS4 Proxy feature from TinyNuke, and its name was derived from that string. BitRAT, on the other hand, adopted the Hidden Desktop feature, and the signature string is the same.\r\nNote that TinyNuke was used by the Kimsuky group in the past. Among its myriad features, only the Hidden Desktop feature was adopted and used.\r\n[ASEC Blog] VNC Malware (TinyNuke, TightVNC) Used by Kimsuky Group\r\n[ASEC Blog] AveMaria malware being distributed as spam mail\r\nAs shown in the examples above, the malware is being actively distributed via file-sharing websites such as Korean webhards. As such, caution is advised when running executables downloaded from file-sharing websites. Users are advised to download products from the developers’ official websites.\r\nAhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below.\r\n[File Detection]\r\n– Trojan/Win.MalPacked.C5007707 (2022.03.12.04)\r\n– Dropper/Win.BitRAT.C5012624 (2022.03.16.02)\r\n– Downloader/Win.Generic.C5012582 (2022.03.16.01)\r\n– Downloader/Win.Generic.C5012594 (2022.03.16.01)\r\n– Backdoor/Win.BitRAT.C5012593 (2022.03.16.01)\r\n– Backdoor/Win.BitRAT.C5012748 (2022.03.16.02)\r\n[Behavior Detection]\r\n– Malware/MDP.AutoRun.M1288\r\nMD5\r\nURL\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/32781/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/32781/"
	],
	"report_names": [
		"32781"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434430,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f412bff822fcf5f1bbdf65e75d51c0f763ae6aa.pdf",
		"text": "https://archive.orkl.eu/2f412bff822fcf5f1bbdf65e75d51c0f763ae6aa.txt",
		"img": "https://archive.orkl.eu/2f412bff822fcf5f1bbdf65e75d51c0f763ae6aa.jpg"
	}
}