This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Cisco tells Webex users to patch critical security flaws immediately
April 17, 2026
Cisco has pushed a new patch to address four critical-severity vulnerabilities plaguing its cloud-based Webex Services platform – and has also warned Wi-Fi access points users of a bug in certain versions of IOS XE that could result in a device bootloop. Webex Services is a platform for communication and collaboration, letting people hold video meetings, ...
- Adapt or pay: an analysis of the AdaptixC2 framework
April 17, 2026
As highlighted in our previous post about the Mythic framework, threat actors are rapidly adopting emerging technologies and frameworks. A prime example of this trend is AdaptixC2, a relatively new open-source post-exploitation framework that has quickly captured the attention of the offensive security community. Its popularity stems from its open-source nature and high extensibility; the framework ...
- British National Pleads Guilty to Hacking into Companies and Stealing At Least $8 Million in Virtual Currency
April 17, 2026
SANTA ANA, California – A United Kingdom man pleaded guilty today to conspiring with others to hack into the computer systems of at least a dozen companies via text message phishing attacks and to steal at least $8 million in virtual currency from individual victims throughout the United States. Tyler Robert Buchanan, 24, of Dundee, Scotland, ...
- Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise
April 16, 2026
Microsoft Threat Intelligence uncovered a macOS‑focused cyber campaign by the North Korean threat actor Sapphire Sleet that relies on social engineering rather than software vulnerabilities. By impersonating a legitimate software update, threat actors tricked users into manually running malicious files, allowing them to steal passwords, cryptocurrency assets, and personal data while avoiding built‑in macOS security checks. ...
- “iCloud storage is full” scam is back, and now it wants your payment details
April 16, 2026
A few months ago, we reported on a fake cloud storage alert that triggered a redirect chain to an app that has since been delisted from the Apple Store. The threat of losing your photos is a powerful lure, so scammers are now using it to steal personal and financial details. The Guardian warns about an ...
- Europol-supported global operation targets over 75 000 users engaged in DDoS attacks
April 16, 2026
On 13 April 2026, 21 countries joined forces in a coordinated action week that focused on enforcement and prevention measures against over 75 000 criminal users engaging in distributed denial-of-service (DDoS)-for-hire services. With over 75 000 warning emails and letters being sent to identified criminal users and 4 arrests, the action week also led to the ...