This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- US Army soldier pleads guilty to hacking telcos and extortion
July 15, 2025
Former U.S. Army soldier Cameron John Wagenius pleaded guilty to hacking telecommunication companies and attempting to extort them by threatening to release stolen files, the Department of Justice announced on Tuesday. According to the DOJ, Wagenius, who went online with the nickname “kiberphant0m,” conspired to defraud 10 victim companies by stealing their login credentials, using brute ...
- Preventing Zero-Click AI Threats: Insights from EchoLeak
July 15, 2025
EchoLeak (CVE-2025-32711) is a newly identified vulnerability in Microsoft 365 Copilot, made more nefarious by its zero-click nature, meaning it requires no user interaction to succeed. It demonstrates how helpful systems can open the door to entirely new forms of attack— no malware, no phishing required—just the unquestioning obedience of an AI agent. This new threat ...
- Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication
July 14, 2025
Since late 2024, Unit 42 researchers have been tracking a cluster of suspicious activity as CL-STA-1020, targeting governmental entities in Southeast Asia. The threat actors behind this cluster of activity have been collecting sensitive information from government agencies, including information about recent tariffs and trade disputes. This campaign is particularly noteworthy due to its novel tradecraft. ...
- Episource is notifying millions of people that their health data was stolen
July 14, 2025
Medical billing giant Episource is notifying millions of people across the United States that their personal and health information was stolen in a cyberattack earlier this year. The breach affects more than 5.4 million people, according to a listing with the U.S. Department of Health and Human Services, making it one of the largest healthcare breaches ...
- A major security flaw in top eSIM system could put billions of devices at risk
July 14, 2025
Security researchers have discovered a vulnerability in eSIM technology used in virtually all smartphones and many other internet-connected, smart devices. In theory, the flaw could have been abused to intercept or manipulate communications, extract sensitive data, inject malicious applets, and more. There are more than two billion eSIM-enabled devices that could be potentially impacted by this ...
- CNN, BBC, and CNBC websites impersonated to scam people
July 14, 2025
Researchers have uncovered a large campaign impersonating news websites, such as those from CNN, BBC, CNBC, News24, and ABC News, to promote investment scams. Adding a well known brand to your scammy site is a tale as old as time, and gives it an air of legitimacy that increases the likelihood that people will click ...