This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Apple notifies new victims of spyware attacks across the world
April 30, 2025
Apple sent notifications this week to several people who the company believes were targeted with government spyware, according to two of the alleged targets. In the past, Apple has sent similar notifications to targets and victims of spyware, and directed them to contact a nonprofit that specializes in investigating such cyberattacks. Other tech companies, like Google ...
- The Co-op fights attempted hack as M&S cyber attack rages on
April 30, 2025
The Co-op has been forced to shut off parts of its IT systems after it was confronted with an attempted hack. The Manchester-headquartered group has confirmed some of its back office and call centre services have been impacted. However, it added that all its stores, including grocery and funeral homes are trading as usual. It comes ...
- Phishing Domains Associated with LabHost PhaaS Platform Users
April 29, 2025
The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate 42,000 phishing domains linked to the LabHost phishing-as-a-service (PhaaS) platform between November 2021 and April 2024. Prior to being disabled by law enforcement in April 2024, LabHost was one of the world’s largest PhaaS providers, offering a range of illicit services for approximately ...
- Gremlin Stealer: New Stealer on Sale in Underground Forum
April 29, 2025
Unit 42 researchers have identified new information-stealing malware written in C#, called Gremlin Stealer. This stealer’s authors have actively advertised it on a Telegram group since mid-March 2025. This information-stealing malware exfiltrates data from its victims and uploads this information to its web server for publication. It can capture data from browsers, the clipboard and the ...
- Outlaw cybergang attacking targets worldwide
April 29, 2025
In a recent incident response case in Brazil, we dealt with a relatively simple, yet very effective threat focused on Linux environments. Outlaw (also known as “Dota”) is a Perl-based crypto mining botnet that typically takes advantage of weak or default SSH credentials for its operations. Previous research described Outlaw samples obtained from honeypots. In this ...
- Active exploitation of SAP NetWeaver Visual Composer CVE-2025-31324
April 28, 2025
On Thursday, April 24, enterprise resource planning company SAP published a CVE (and a day later, an advisory behind login) for CVE-2025-31324, a zero-day vulnerability in NetWeaver Visual Composer that carries a CVSSv3 score of 10. The vulnerability arises from a missing authorization check in Visual Composer’s Metadata Uploader component that, when successfully exploited, allows unauthenticated ...