This article provides a comprehensive analysis of two new variants of the KimJongRAT stealer.
Palo Alto Unit 42 combine new research findings with existing knowledge to provide a comprehensive resource for understanding and combating these new KimJongRAT variants. The KimJongRAT stealer was first described in 2013 by the Malware.lu CERT. Palo Alto researchers documented another variant of this family in 2019. One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation. The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.
Read more…
Source: Palo Alto Unit 42
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- TOTOLINK X6000R: Three New Vulnerabilities Uncovered
October 1, 2025
Palo Alto security researchers have uncovered three vulnerabilities in the firmware of the TOTOLINK X6000R router, version V9.4.0cu.1360_B20241207, released on March 28, 2025: TOTOLINK is a manufacturer of networking products, including routers and other Internet of Things (IoT) devices used by consumers worldwide. The widespread adoption of these products makes their security a critical area of ...
- HSBC warns UK business banking customers of third-party data breach
September 30, 2025
HSBC has warned business banking customers that personal identification documents submitted during account applications may have been compromised following unauthorised access to a third-party platform. In an email sent to customers earlier this month, the bank confirmed that identity documents, images and contact details provided when opening a business account were exposed in the breach. HSBC ...
- Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite
September 30, 2025
Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests. Over the past two and a half years, Unit 42 researchers have observed Phantom Taurus targeting government and telecommunications organizations across Africa, the Middle East, and Asia. Their observations show that Phantom Taurus’ main focus areas ...
- Microsoft SharePoint Zero-Day Exploitation: What Public Sector Leaders Should Know
September 30, 2025
The Rapid7 September 2025 Threat Report highlights active exploitation of a critical Microsoft SharePoint vulnerability, CVE-2025-53770. This zero-day is being used by threat actors to gain initial access to victim networks, with exploitation observed in government as well as multiple other industries. SharePoint remains a widely deployed collaboration platform in federal, state, and local agencies, resulting ...
- Broadcom Releases Security Updates for VMware Aria Operations, Tools, and Cloud Foundation
September 30, 2025
Broadcom has released security updates to address vulnerabilities in VMware Aria Operations, Tools, and Cloud Foundation components of VMware products. The updates address 2 high severity and 1 medium severity vulnerabilities. CVE-2025-41244 – “Privilege defined with unsafe actions” vulnerability – CVSSv3 score of 7.8 Read more… Source: NHS Digital Sign up for the Cyber Security Review Newsletter The latest cyber ...
- ‘Widespread’ breach let hackers steal employee data from FEMA and CBP
September 29, 2025
A “widespread cybersecurity incident” at the Federal Emergency Management Agency allowed hackers to make off with employee data from both the disaster management office and U.S. Customs and Border Protection, according to a screenshot of an incident overview presentation obtained by Nextgov/FCW. The hack is also suspected to have later triggered the dismissal of two dozen ...