{
	"id": "eeba6719-372a-4731-bb1c-6a9d0a275696",
	"created_at": "2026-04-06T00:21:42.827334Z",
	"updated_at": "2026-04-10T03:20:54.493866Z",
	"deleted_at": null,
	"sha1_hash": "d6d15884ffe1cb1adb337a838a75723dde268800",
	"title": "Klingon RAT Holding on for Dear Life",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7075331,
	"plain_text": "Klingon RAT Holding on for Dear Life\r\nBy Ryan Robinson\r\nPublished: 2021-06-17 · Archived: 2026-04-05 15:02:51 UTC\r\nWith more malware written in Golang than ever before, the threat from Go-based Remote Access Trojans (RATs) has never been higher. Not only has the number of Go malware samples increased, but so has the sophistication of these threats. This is a technical analysis of an advanced RAT written in Go that we are calling Klingon RAT. The RAT is well-featured and resilient due to its multiple methods of persistence and privilege escalation. It was determined that the RAT is being used by cybercriminals for financial gain. It is important to stay on top of this threat, as it degrades antivirus protection by killing targeted processes and hides its communications in encrypted channels.\r\nTechnical Analysis\r\nWhen searching our various hunting platforms for malware, one particular sample caught our eye. This Go sample, active since at least 2019, was flagged by our platform as malicious but consisting mostly of unique code. It is not common to find a RAT with so little code reuse. Threat actors reuse code all the time to expedite malware development. Since it is rare to see a RAT with such a large amount of code written from scratch, we dug deeper down the gopher hole. This RAT is full of tactics to combat antivirus products, maintain persistence and escalate privileges. 
It communicates with its Command and Control (C2) server over TLS and can receive commands allowing the attacker to fully control the infected machine.\r\nFigure 1: Old analysis with unique code\r\nInitialization\r\nThe malware starts by creating an object whose purpose is to store information about the victim machine, the controller setup and the paths to dropped utilities.\r\nhttps://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/\r\nPage 1 of 15\n\nIt will then run a WMI command (wmic process get Caption,ParentProcessId,ProcessId) to get all running processes. The returned output is parsed and stored in a slice. The malware checks this process list against a list of targeted antivirus processes, and the taskkill command is used to kill matching processes together with their child processes. The targeted processes are linked here.\r\nTo start gathering information on the victim machine, it gets the OS version using the ver command, then grabs the username. A GET request is made to https://api.ipify.org to get the public IP address. Finally in this function, it fetches the machine ID (the MachineGuid value) from the registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography, as shown in Figure 2. This ID will later be sent in a beacon to the Command and Control (C2) server.\r\nFigure 2: Function that fetches the key\r\nDependency Deployment\r\nThe malware will decompress and drop three Gzip-compressed embedded files into the %temp% directory. The dropped files are utilities for the threat actor to use once a C2 channel has been established. 
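Returning to the process enumeration step above: the following Go program is an added illustration, not code from the RAT or from the original post. It parses a constructed `wmic process get Caption,ParentProcessId,ProcessId` listing into the same kind of slice the RAT builds and computes which processes a target list would take out, descendants included, which is what `taskkill /T` does. The listing, its PIDs and the two targets (MsMpEng.exe and NisSrv.exe, standing in for the undisclosed list) are assumptions; nothing is killed.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Process is one row of `wmic process get Caption,ParentProcessId,ProcessId`.
type Process struct {
	Caption string
	PPID    int
	PID     int
}

// ParseWmicProcessList parses the whitespace-padded table wmic prints. A
// caption may itself contain spaces, so the last two fields are taken as
// ParentProcessId and ProcessId and everything before them is the caption.
func ParseWmicProcessList(out string) ([]Process, error) {
	var procs []Process
	header := true
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if header { // first non-empty line is the column header
			header = false
			continue
		}
		f := strings.Fields(line)
		if len(f) < 3 {
			return nil, fmt.Errorf("malformed row: %q", line)
		}
		ppid, err := strconv.Atoi(f[len(f)-2])
		if err != nil {
			return nil, fmt.Errorf("bad ParentProcessId in %q: %v", line, err)
		}
		pid, err := strconv.Atoi(f[len(f)-1])
		if err != nil {
			return nil, fmt.Errorf("bad ProcessId in %q: %v", line, err)
		}
		procs = append(procs, Process{strings.Join(f[:len(f)-2], " "), ppid, pid})
	}
	return procs, sc.Err()
}

// KillSet returns, sorted, the PIDs that would be terminated if every process
// whose caption is in targets were killed along with its descendants, which
// is what `taskkill /T` does. Names compare case-insensitively, as on Windows.
func KillSet(procs []Process, targets []string) []int {
	want := map[string]bool{}
	for _, t := range targets {
		want[strings.ToLower(t)] = true
	}
	children := map[int][]int{}
	for _, p := range procs {
		children[p.PPID] = append(children[p.PPID], p.PID)
	}
	seen := map[int]bool{}
	var walk func(pid int)
	walk = func(pid int) {
		if seen[pid] {
			return // also guards against PID 0 listing itself as its parent
		}
		seen[pid] = true
		for _, c := range children[pid] {
			walk(c)
		}
	}
	for _, p := range procs {
		if want[strings.ToLower(p.Caption)] {
			walk(p.PID)
		}
	}
	out := make([]int, 0, len(seen))
	for pid := range seen {
		out = append(out, pid)
	}
	sort.Ints(out)
	return out
}

// sampleListing is a constructed wmic listing with made-up PIDs, not output
// captured from a real host.
const sampleListing = `Caption               ParentProcessId  ProcessId
System Idle Process   0                0
System                0                4
wininit.exe           392              484
services.exe          484              580
MsMpEng.exe           580              1860
MpCmdRun.exe          1860             4500
NisSrv.exe            580              2040
explorer.exe          3188             3400
updater10.exe         3400             4120
`

// sampleTargets stands in for the RAT's undisclosed list of antivirus processes.
var sampleTargets = []string{"msmpeng.exe", "NisSrv.exe"}

func main() {
	procs, err := ParseWmicProcessList(sampleListing)
	if err != nil {
		panic(err)
	}
	fmt.Println("would be killed:", KillSet(procs, sampleTargets))
}
```

Swap sampleListing for the real output of the wmic command on a host of interest: if your endpoint agent's process name appears in the kill set, it falls to the very first thing this RAT does after start-up.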
The files dropped are Foxmail, PAExec and LSASS, shown below.\r\nFigure 3: Head of embedded Foxmail.exe file, Gzip compressed\r\nFigure 4: Dropped dependencies\r\nNext, the malware checks whether it is installed at “C:\\Users\\IEUser\\AppData\\Local\\Windows Update\\updater10.exe”. If not, the malware relocates itself to that path.\r\nPersistence\r\nPersistence can be set up in multiple ways, some of which require admin privileges. Privilege escalation will be covered in a later section.\r\nRegistry Run Key: Current User\r\nThe following registry entry is created:\r\nKey: Computer\\HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nName: Windows Updater\r\nValue: “C:\\Users\\AppData\\Local\\Windows Update\\updater10.exe” -1 -0\r\nFigure 5: Registry Run Key\r\nRegistry Run Key: Local Machine\r\nA similar entry to the above is created at:\r\nComputer\\HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nImage File Execution Options Injection\r\nImage File Execution Options are configured in the Windows registry and are intended for debugging. 
This can be leveraged for persistence, as any executable can be registered as the “debugger”. The malware ensures the following keys exist:\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\magnify.exe\r\nThe following entries are set (Configuration under the Accessibility key, Debugger under the Image File Execution Options key):\r\nName           Data\r\nConfiguration  mangnifierpane\r\nDebugger       “C:\\Users\\IEUser\\AppData\\Local\\Windows Update\\updater10.exe” -1 -0\r\nThe Configuration value is what makes Windows start the Magnifier automatically; the Debugger value redirects that launch, so the Microsoft Screen Magnifier accessibility tool (magnify.exe) is backdoored and executes the malware instead.\r\nWMI Event Subscription\r\nIn this option the malware uses WMIC to create a permanent event subscription for persistence. Three commands are executed in the root\\subscription namespace: an __EventFilter whose WQL query polls Win32_PerfFormattedData_PerfOS_System every 60 seconds, a CommandLineEventConsumer that runs the payload, and the __FilterToConsumerBinding that ties the two together, so the payload starts within 60 seconds of Windows booting up. The commands executed are:\r\nwmic /namespace:'\\\\root\\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''\r\nwmic /namespace:'\\\\root\\subscription' PATH CommandLineEventConsumer CREATE Name='GuacBypassConsumer', ExecutablePath='\"C:\\Users\\IEUser\\AppData\\Local\\Windows Update\\updater10.exe\" -1 -0', CommandLineTemplate='\"C:\\Users\\IEUser\\AppData\\Local\\Windows Update\\updater10.exe\" -1 -0'\r\nwmic /namespace:'\\\\root\\subscription' PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name='GuacBypassFilter'', Consumer='CommandLineEventConsumer.Name='GuacBypassConsomer''\r\nNote that, as quoted, the consumer name in the binding (“GuacBypassConsomer”) does not match the consumer that was created (“GuacBypassConsumer”); if this reflects the binary rather than a transcription error, the binding never fires.\r\nWinlogon Helper DLL\r\nThe malware can modify the “Winlogon” key in order to run itself during Windows logon. 
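The three wmic commands above arrive in telemetry as three separate process-creation events (Sysmon Event ID 1 or Security 4688 command lines), so a detector has to stitch them back together. The following Go program is an added example, not code from the RAT or from the original post: it parses wmic CREATE command lines, reassembles filter, consumer and binding into one subscription, and reports why it merits a look. The command lines it runs on are constructed after the ones quoted above (with the consumer names made to match), with one unrelated command mixed in to show it is skipped.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Shape of the RAT's commands: wmic /namespace:'\\root\subscription' PATH <Class> CREATE Key='value', ...
var wmicCreateRe = regexp.MustCompile(`(?i)wmic\s+/namespace:'([^']*)'\s+PATH\s+(\w+)\s+CREATE\s+(.*)$`)

// Start of each Key='value' assignment. Values may contain single quotes of
// their own (the binding uses __EventFilter.Name='X'), so a value runs up to
// the start of the next assignment rather than to the next quote.
var assignRe = regexp.MustCompile(`(?:^|,\s*)(\w+)='`)

// Object name inside a reference such as __EventFilter.Name='X'.
var refRe = regexp.MustCompile(`Name='([^']*)'`)

// WmiCreate is one parsed wmic ... CREATE command.
type WmiCreate struct {
	Namespace, Class string
	Props            map[string]string
}

func parseAssignments(s string) map[string]string {
	locs := assignRe.FindAllStringSubmatchIndex(s, -1)
	props := map[string]string{}
	for i, loc := range locs {
		end := len(s)
		if i+1 < len(locs) {
			end = locs[i+1][0]
		}
		// loc[1] is just past the opening quote; drop the closing quote.
		props[s[loc[2]:loc[3]]] = strings.TrimSuffix(strings.TrimSpace(s[loc[1]:end]), "'")
	}
	return props
}

// ParseWmicCreate returns ok=false for command lines that are not wmic CREATEs.
func ParseWmicCreate(cmdline string) (WmiCreate, bool) {
	m := wmicCreateRe.FindStringSubmatch(strings.TrimSpace(cmdline))
	if m == nil {
		return WmiCreate{}, false
	}
	return WmiCreate{m[1], m[2], parseAssignments(m[3])}, true
}

// Subscription is a filter/consumer/binding triple reassembled from separate
// events. Bound is false when the binding names an object that was never
// created, in which case the persistence never fires.
type Subscription struct {
	FilterName, Query, ConsumerName, Command string
	Bound                                    bool
}

func refName(ref string) string {
	if m := refRe.FindStringSubmatch(ref); m != nil {
		return m[1]
	}
	return ref
}

// ReassembleSubscriptions joins CREATE commands in root\subscription back
// into the subscriptions they describe; other command lines are ignored.
func ReassembleSubscriptions(cmdlines []string) []Subscription {
	filters := map[string]string{}   // filter name -> WQL query
	consumers := map[string]string{} // consumer name -> command line template
	type bind struct{ filter, consumer string }
	var binds []bind
	for _, l := range cmdlines {
		c, ok := ParseWmicCreate(l)
		if !ok || !strings.EqualFold(c.Namespace, `\\root\subscription`) {
			continue
		}
		switch strings.ToLower(c.Class) {
		case "__eventfilter":
			filters[c.Props["Name"]] = c.Props["Query"]
		case "commandlineeventconsumer":
			consumers[c.Props["Name"]] = c.Props["CommandLineTemplate"]
		case "__filtertoconsumerbinding":
			binds = append(binds, bind{refName(c.Props["Filter"]), refName(c.Props["Consumer"])})
		}
	}
	var subs []Subscription
	for _, b := range binds {
		q, fok := filters[b.filter]
		cmd, cok := consumers[b.consumer]
		subs = append(subs, Subscription{b.filter, q, b.consumer, cmd, fok && cok})
	}
	return subs
}

// Findings says why a reassembled subscription deserves attention.
func Findings(s Subscription) []string {
	var out []string
	if cmd := strings.ToLower(s.Command); strings.Contains(cmd, `\appdata\`) || strings.Contains(cmd, `\temp\`) {
		out = append(out, "consumer runs a binary from a user-writable directory")
	}
	if strings.Contains(strings.ToLower(s.Query), "win32_perfformatteddata_perfos_system") {
		out = append(out, "filter polls PerfOS_System, a common run-at-boot trigger")
	}
	if !s.Bound {
		out = append(out, "binding references a filter or consumer that was not created")
	}
	return out
}

// sampleCmdlines are constructed after the three wmic commands quoted above
// (consumer names made to match), plus one unrelated command; not real logs.
var sampleCmdlines = []string{
	`C:\Windows\System32\svchost.exe -k netsvcs`,
	`wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''`,
	`wmic /namespace:'\\root\subscription' PATH CommandLineEventConsumer CREATE Name='GuacBypassConsumer', ExecutablePath='"C:\Users\IEUser\AppData\Local\Windows Update\updater10.exe" -1 -0', CommandLineTemplate='"C:\Users\IEUser\AppData\Local\Windows Update\updater10.exe" -1 -0'`,
	`wmic /namespace:'\\root\subscription' PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name='GuacBypassFilter'', Consumer='CommandLineEventConsumer.Name='GuacBypassConsumer''`,
}

func main() {
	for _, s := range ReassembleSubscriptions(sampleCmdlines) {
		fmt.Printf("filter=%s consumer=%s bound=%v\n  command: %s\n", s.FilterName, s.ConsumerName, s.Bound, s.Command)
		for _, f := range Findings(s) {
			fmt.Println("  -", f)
		}
	}
}
```

Where Sysmon is deployed, its WMI events 19, 20 and 21 carry the filter query, consumer command line and binding directly and can feed the same Subscription struct; parsing command lines is the fallback when only process telemetry is available.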
The path of the executable is appended to the “Userinit” entry.\r\nFigure 6: Winlogon registry modified\r\nScheduled Task\r\nThe malware can create a scheduled task called “OneDriveUpdate” to maintain persistence. The task is configured from an XML file, “elevator.xml”, dropped into %APPDATA% and set to trigger at logon.\r\nFigure 7: Task configuration file\r\nFigure 8: Action of triggering the task\r\nThe file “elevator.xml” is then removed from the disk.\r\nPrivilege Escalation\r\nThere are multiple avenues the malware can take for privilege escalation. It first tests whether it already has admin privileges and whether it is running on a Windows server. To check for admin privileges, it attempts to open “\\\\.\\PHYSICALDRIVE0”; if unsuccessful, it attempts to open “\\\\.\\SCSI0”. If either open succeeds, the function returns “True”, since opening a raw device requires administrator rights. If “False”, the program checks whether it is a Windows server by running the command “systeminfo” and parsing for the string “Microsoft Windows Server”, as shown in Figure 9.\r\nFigure 9: Check for Windows Server\r\nThe malware has four options for privilege escalation, one of which is not implemented properly:\r\nUAC Bypass: Computer Defaults\r\nThis exploit starts by opening the following registry key:\r\nHKEY_CURRENT_USER (0x80000001) Software\\Classes\\ms-settings\\shell\\open\\command\r\nThe default entry is set to the path of the malware, and an entry “DelegateExecute” with an empty string value is added. This works because HKEY_CURRENT_USER\\Software\\Classes is merged into HKEY_CLASSES_ROOT ahead of the machine-wide entries, so an auto-elevating binary that launches the ms-settings: protocol handler picks up the per-user command; the empty DelegateExecute value is what makes the shell run it. 
Next, the program “computerdefaults.exe” is executed to complete the exploit.\r\nFigure 10: Registry set for exploit\r\nThe key is deleted after exploitation.\r\nUAC Bypass: Fodhelper\r\nThis exploit is similar to the Computer Defaults UAC bypass, but this time it leverages the “Features on Demand Helper” (fodhelper.exe), a binary whose manifest has “autoElevate” set to true. The same registry entries are used.\r\nFigure 11: UAC bypass with Fodhelper.exe\r\nUAC Bypass: Disk Cleanup\r\nThis UAC bypass leverages the scheduled task named “SilentCleanup”. The task runs with the highest privileges but is configured so that unprivileged users can start it.\r\nFigure 12: Config for SilentCleanup\r\nThe malware abuses the environment variable “%windir%” to execute itself with higher privileges. The task's action is “%windir%\\system32\\cleanmgr.exe”, and because the task expands %windir% from the user's environment, the malware sets a per-user “windir” variable in the registry to the path of the malware.\r\nFigure 13: Action of the scheduled task (SilentCleanup)\r\nFigure 14: “windir” variable set in the registry\r\nAfter setting the registry value, the malware runs the scheduled task.\r\nFigure 15: Execution of the scheduled task\r\nThe resulting process:\r\nFigure 16: The elevated process\r\nUAC Bypass: Event Viewer\r\nBased on the strings in this path, it appears that the malware intended to leverage the “Event Viewer” UAC bypass. 
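The persistence and privilege-escalation steps described above leave a small, recognisable set of registry writes behind. The following Go program is an added example, not code from the RAT or from the original post: it classifies registry value-set events against those writes (the Run key entry, the IFEO Debugger, the Winlogon Userinit value, the per-user ms-settings handler and the per-user windir variable). The event format is a simplified stand-in for Sysmon Event ID 13, and the sample events are constructed from the values quoted above with two benign entries added to show what is left alone.

```go
package main

import (
	"fmt"
	"strings"
)

// RegEvent is a simplified registry value-set record: Sysmon Event ID 13
// carries the same data as TargetObject and Details. Keys here use the
// HKCU/HKLM abbreviations; Sysmon writes HKU\<SID> for the user hive, so
// normalise to one of these prefixes before matching.
type RegEvent struct {
	Key   string
	Value string // "(Default)" for a key's default value
	Data  string
}

// Finding names the technique an event resembles and why.
type Finding struct {
	Technique string
	Reason    string
	Event     RegEvent
}

// Accessibility binaries IFEO injection is classically aimed at; the write-up
// shows magnify.exe, the others are the usual companions.
var accessibilityBinaries = []string{
	"magnify.exe", "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "displayswitch.exe",
}

// ClassifyRegEvent matches one event against the registry-based persistence
// and UAC-bypass techniques described in the write-up.
func ClassifyRegEvent(e RegEvent) (Finding, bool) {
	key := strings.ToLower(e.Key)
	val := strings.ToLower(e.Value)
	data := strings.ToLower(e.Data)
	userHive := strings.HasPrefix(key, `hkcu\`) || strings.HasPrefix(key, `hku\`)
	switch {
	case strings.HasSuffix(key, `\software\microsoft\windows\currentversion\run`):
		if val == "windows updater" || strings.Contains(data, `\appdata\local\windows update\`) {
			return Finding{"T1547.001 Registry Run Keys", "Run entry posing as Windows Update from a user-writable path", e}, true
		}
	case strings.Contains(key, `\image file execution options\`) && val == "debugger":
		image := key[strings.LastIndex(key, `\`)+1:]
		for _, b := range accessibilityBinaries {
			if image == b {
				return Finding{"T1546.012 IFEO Injection", "Debugger set on accessibility binary " + image, e}, true
			}
		}
		return Finding{"T1546.012 IFEO Injection", "Debugger set for " + image, e}, true
	case strings.HasSuffix(key, `\windows nt\currentversion\winlogon`) && val == "userinit":
		// Stock value is "C:\Windows\system32\userinit.exe," and nothing else.
		if strings.TrimSuffix(strings.TrimSpace(data), ",") != `c:\windows\system32\userinit.exe` {
			return Finding{"T1547.004 Winlogon Helper", "Userinit launches more than userinit.exe", e}, true
		}
	case userHive && strings.HasSuffix(key, `\software\classes\ms-settings\shell\open\command`):
		return Finding{"T1548.002 UAC Bypass (fodhelper/computerdefaults)", "per-user ms-settings handler shadows the machine-wide one", e}, true
	case userHive && strings.HasSuffix(key, `\environment`) && val == "windir":
		return Finding{"T1548.002 UAC Bypass (SilentCleanup)", "per-user windir redirects the task's %windir% expansion", e}, true
	}
	return Finding{}, false
}

// ScanRegEvents returns every finding, in input order.
func ScanRegEvents(events []RegEvent) []Finding {
	var out []Finding
	for _, e := range events {
		if f, ok := ClassifyRegEvent(e); ok {
			out = append(out, f)
		}
	}
	return out
}

// sampleEvents are constructed from the values quoted in the write-up plus
// two benign entries (a OneDrive Run key and a PATH change); not real telemetry.
var sampleEvents = []RegEvent{
	{`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, "Windows Updater", `"C:\Users\IEUser\AppData\Local\Windows Update\updater10.exe" -1 -0`},
	{`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, "OneDrive", `"C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background`},
	{`HKCU\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe`, "Debugger", `"C:\Users\IEUser\AppData\Local\Windows Update\updater10.exe" -1 -0`},
	{`HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon`, "Userinit", `C:\Windows\system32\userinit.exe,`},
	{`HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon`, "Userinit", `C:\Windows\system32\userinit.exe,C:\Users\IEUser\AppData\Local\Windows Update\updater10.exe`},
	{`HKCU\Software\Classes\ms-settings\shell\open\command`, "DelegateExecute", ""},
	{`HKCU\Environment`, "windir", `C:\Users\IEUser\AppData\Local\Windows Update\updater10.exe`},
	{`HKCU\Environment`, "Path", `C:\Users\IEUser\AppData\Local\Microsoft\WindowsApps`},
}

func main() {
	for _, f := range ScanRegEvents(sampleEvents) {
		fmt.Printf("%-50s %s  [%s\\%s]\n", f.Technique, f.Reason, f.Event.Key, f.Event.Value)
	}
}
```

The Run-key rule is deliberately narrow (value name or the “Windows Update” folder under AppData) because plenty of legitimate software starts from AppData; the IFEO, ms-settings and per-user windir rules need no such narrowing, since there is no normal reason for those values to be written.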
But this does not appear to be properly implemented in the program.\r\nFigure 17: References to “eventvwr” in a function called by “MakeAdmin” parent\r\nCommand and Control\r\nBefore Command and Control (C2) is established, the malware initializes a controller struct:\r\ntype control.Controller struct {\r\n    bot           model.Bot\r\n    socksSessions []control.SocksProxy\r\n    shellSessions []control.Shell\r\n    connection    net.Conn\r\n    keepAlive     net.Conn\r\n}\r\nFirst, an X.509 certificate and private key are decoded from Base64 and loaded with tls.X509KeyPair.\r\nFigure 18: Loading x509 key pair\r\nThe decoded keypair is linked here and here. Strings from this certificate can be matched to strings in the Issuer DN of a similar certificate with subject “UrbanCulture, Inc.” A further PEM certificate is decoded and appended to the cert pool. A TLS handshake is performed with the C2 server 185.188.183[.]144 on port 1141, after which a goroutine called “Controller.WaitCommands” is started to receive commands.\r\nThe malware is able to:\r\nStart a SOCKS proxy (‘proxy’)\r\nStart a reverse shell (‘shell’)\r\nStart an RDP server (‘rdp’)\r\nStart a binary (‘binary’)\r\nUpdate the binary (‘update’)\r\nRun a PowerShell command (‘cmd’)\r\nThe malware initiates further goroutines to collect information from the system. If running as administrator, it runs the Lsass binary previously dropped into the temp folder, which dumps LSASS memory.\r\nFigure 19: Path of the Lsass binary to be executed\r\nThe results are stored in a file called “Andrew.dmp” inside the temp folder. 
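Going back to the embedded certificate material: the Base64 blobs the RAT hands to tls.X509KeyPair and to the cert pool are worth carving out of the binary, because the Subject and Issuer DNs pivot to related samples (as the “UrbanCulture, Inc.” match above does) and the SHA-256 fingerprint can be searched for in TLS telemetry. The following Go program is an added example, not code from the RAT or from the original post. It decodes such a blob (PEM inside Base64, or bare DER) and summarises the certificate; since the RAT's real certificate is not reproduced here, it generates a self-signed stand-in with a made-up subject (“Example Corp, Inc.”) to run against.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertInfo holds the fields of an embedded certificate worth recording as
// indicators: the DNs to match against other samples and the SHA-256
// fingerprint to search for in TLS telemetry.
type CertInfo struct {
	Subject    string
	Issuer     string
	NotBefore  time.Time
	NotAfter   time.Time
	SHA256     string
	SelfSigned bool
}

// DescribeEmbeddedCert decodes the Base64 string a Go binary feeds to
// tls.X509KeyPair or CertPool.AppendCertsFromPEM (PEM wrapped in Base64) and
// summarises the first certificate. A bare DER certificate is accepted too.
func DescribeEmbeddedCert(b64 string) (CertInfo, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return CertInfo{}, fmt.Errorf("outer base64: %w", err)
	}
	der := raw
	if block, _ := pem.Decode(raw); block != nil {
		if block.Type != "CERTIFICATE" {
			return CertInfo{}, errors.New("first PEM block is not a certificate: " + block.Type)
		}
		der = block.Bytes
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertInfo{}, fmt.Errorf("parse: %w", err)
	}
	sum := sha256.Sum256(cert.Raw)
	return CertInfo{
		Subject:    cert.Subject.String(),
		Issuer:     cert.Issuer.String(),
		NotBefore:  cert.NotBefore,
		NotAfter:   cert.NotAfter,
		SHA256:     hex.EncodeToString(sum[:]),
		SelfSigned: cert.CheckSignatureFrom(cert) == nil,
	}, nil
}

// MakeSampleBlob stands in for the blob carved out of a binary: a self-signed
// certificate with a made-up subject, PEM-encoded and then Base64-wrapped the
// way the RAT stores it. It is not the RAT's real certificate.
func MakeSampleBlob() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example Corp, Inc."}, CommonName: "example.invalid"},
		NotBefore:             time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2029, 1, 1, 0, 0, 0, 0, time.UTC),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return base64.StdEncoding.EncodeToString(pemBytes), nil
}

func main() {
	blob, err := MakeSampleBlob()
	if err != nil {
		panic(err)
	}
	info, err := DescribeEmbeddedCert(blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject=%s\nissuer=%s\nself-signed=%v valid=%s..%s\nsha256=%s\n",
		info.Subject, info.Issuer, info.SelfSigned,
		info.NotBefore.Format("2006-01-02"), info.NotAfter.Format("2006-01-02"), info.SHA256)
}
```

To use it on a real sample, pull the Base64 string out of the binary's data section (Go keeps such constants as plain strings) and pass it to DescribeEmbeddedCert; a self-signed result with a private NotBefore date close to the sample's first sighting is typical of operator-generated C2 material.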
This information is sent to the C2 server through an HTTP POST request.\r\nFigure 20: Location of dump file\r\nAnother routine takes a fingerprint of the machine, concatenates the results into a string and sends it off in an HTTP POST request. It runs the following commands in this order:\r\n1. systeminfo\r\n2. ipconfig\r\n3. net view /all\r\n4. net view /all domain\r\n5. net users /domain\r\n6. nltest /domain_trusts\r\n7. nltest /domain_trusts /all_trusts\r\nFinally, the malware periodically gets information about the local network and adapters.\r\nDetect and Respond to Klingon RAT\r\nDetect whether your Windows machine or server has been compromised by Klingon RAT, or any variant that reuses its code, using the Intezer Analyze Live Endpoint Scanner, available via the enterprise edition. Running the scanner classifies all binary code residing in your machine’s memory.\r\nFigure 21: Endpoint scan of an infected system\r\nIndicators of Compromise\r\nMD5                               C2\r\n8d44ccac6b5512a416339984ad664d79  185.188.183[.]144\r\n14471a353788bb6cdb6071d0e0a83004  94.177.123[.]134\r\n327090cbddf94fc901662f0e863ba0cb  88.214.27[.]40\r\n39d550fd902ca4c1461961d01ad1aeb6  51.83.216[.]211\r\nMITRE ATT&CK\r\nTactic                ID         Name\r\nExecution             T1059.001  PowerShell\r\n                      T1059.003  Windows Command Shell\r\n                      T1047      Windows Management Instrumentation\r\nPersistence           T1547.001  Registry Run Keys / Startup Folder\r\n                      T1547.004  Winlogon Helper DLL\r\n                      T1546.003  Windows Management Instrumentation Event Subscription\r\n                      T1546.012  Image File Execution Options Injection\r\n                      T1053.005  Scheduled Task\r\nPrivilege Escalation  T1548.002  Bypass User Account Control\r\nDefense Evasion       T1562.001  Disable or Modify Tools\r\n                      T1070.004  File Deletion\r\nCredential Access     T1003.001  LSASS Memory\r\nDiscovery             T1082      System Information Discovery\r\n                      T1016      System Network Configuration Discovery\r\n                      T1018      Remote System Discovery\r\nCommand and Control   T1571      Non-Standard Port\r\n                      T1071.001  Web Protocols\r\nSource: https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/"
	],
	"report_names": [
		"klingon-rat-holding-on-for-dear-life"
	],
	"threat_actors": [],
	"ts_created_at": 1775434902,
	"ts_updated_at": 1775791254,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6d15884ffe1cb1adb337a838a75723dde268800.pdf",
		"text": "https://archive.orkl.eu/d6d15884ffe1cb1adb337a838a75723dde268800.txt",
		"img": "https://archive.orkl.eu/d6d15884ffe1cb1adb337a838a75723dde268800.jpg"
	}
}