Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-02 11:31:22 UTC
Home > List all groups > List all tools > List all groups using tool KimJongRAT
 Tool: KimJongRAT
Names KimJongRAT
Category Malware
Type Backdoor, Info stealer, Credential stealer, Exfiltration
Description
(Palo Alto) As the original filename “cow_pass.fig” suggests, KimJongRAT seems to be
wholly used as a password extraction and information stealer tool by the threat actor, and
the collected data are exfiltrated to C2 with support from other malware such as
BabyShark or Gh0st RAT. The information that the KimJongRAT malware steals from
victim machines include email credentials from Microsoft Outlook and Mozilla
Thunderbird, login credentials for Google, Facebook, and Yahoo accounts from browsers
Internet Explorer, Chrome, Mozilla Firefox, and Yandex Browser.
Information
Malpedia AlienVault OTX Last change to this tool card: 24 April 2021
Download this tool card in JSON format
All groups using tool KimJongRAT
Changed Name Country Observed
APT groups
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1981c06c-cc55-4efe-99e1-ac799d04d3b6
Page 1 of 2

Kimsuky, Velvet Chollima 2012-Aug 2025
1 group listed (1 APT, 0 other, 0 unknown)
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1981c06c-cc55-4efe-99e1-ac799d04d3b6
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1981c06c-cc55-4efe-99e1-ac799d04d3b6
Page 2 of 2