This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Impostor uses AI to impersonate Rubio and contact foreign and US officials
July 8, 2025
The State Department is warning U.S. diplomats of attempts to impersonate Secretary of State Marco Rubio and possibly other officials using technology driven by artificial intelligence, according to two senior officials and a cable sent last week to all embassies and consulates. The warning came after the department discovered that an impostor posing as Rubio had ...
- NFC fraud threatens Philippines digital payments security
July 8, 2025
As contactless payments and digital wallets grow quickly in the Philippines, cyber-criminals are now targeting the country by abusing Near Field Communication (NFC) technologies. Resecurity, a global leader in cyber threat intelligence, issued a stark warning, urging Philippine regulators and financial institutions to heighten their defenses amid an alarming increase in NFC-enabled fraud, particularly from ...
- Batavia spyware steals data from Russian organizations
July 7, 2025
Since early March 2025, our systems have recorded an increase in detections of similar files with names like договор-2025-5.vbe, приложение.vbe, and dogovor.vbe (translation: contract, attachment) among employees at various Russian organizations. The targeted attack begins with bait emails containing malicious links, sent under the pretext of signing a contract. The campaign began in July 2024 and ...
- BERT Ransomware Group Targets Asia and Europe on Multiple Platforms
July 7, 2025
In April, a new ransomware group known as BERT, has been observed targeting organizations across Asia and Europe. TrendResearch telemetry has confirmed the emergence and activity of this ransomware. This blog entry examines BERT’s tools and tactics across multiple variants. By comparing its different iterations, we unpack how the ransomware group operates, how their methods have ...
- NordDragonScan: Quiet Data-Harvester on Windows
July 7, 2025
FortiGuard Labs recently uncovered an active delivery site that hosts a weaponized HTA script and silently drops the infostealer “NordDragonScan” into victims’ environments. Once installed, NordDragonScan examines the host and copies documents, harvests entire Chrome and Firefox profiles, and takes screenshots. The package is then sent over TLS to its command-and-control server, “kpuszkiev.com,” which also serves ...
- Several major Linux distros hit by serious Sudo security flaws
July 7, 2025
Two vulnerabilities were recently spotted in various Linux distributions which, when chained together, allow local attackers to escalate their privileges and thus run arbitrary files. The vulnerabilities are tracked as CVE-2025-32462 (severity score 2.8/10 – low severity), and CVE-2025-32463 (severity score 9.3/10 critical), and were found in the Sudo command-line utility for Linux and other Unix-like ...