SOC Prime Bias: Critical

06 Nov 2025 09:01

“EndClient RAT” – New Kimsuky APT Malware

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

EndClient RAT Analysis

EndClient RAT is a recently observed remote-access trojan attributed to the Kimsuky cluster. It arrives as a signed binary or a script dropper, using stolen code-signing certificates to pass SmartScreen and AV checks, and gives the operator a remote shell and command execution, file upload and download, persistence, and C2 over HTTP(S). Detection rates have so far been low; initial technical reports document the malware together with IOCs.

Immediate actions: collect file hashes and the serial numbers of the signing certificates, block the known C2 domains/URLs, block (and request revocation of) any unexpected code-signing certificate or pin the ones you expect, enable application whitelisting, tighten email and attachment controls, and hunt for signed executables that appear in unusual locations or with unusual signers.
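As an added example (not code from the SOC Prime page or from any vendor report), the following PowerShell script performs the certificate-serial and hash triage described above: it walks recently written MSI/EXE/DLL files, records SHA-256, signer subject, serial number and thumbprint, checks the Authenticode status and online revocation of the signing chain, and flags matches against blocklists. The search paths, the 14-day window and the empty $KnownBadSerials/$KnownBadHashes lists are assumptions; fill the lists from the published IOCs.

```powershell
# Added example, not from the SOC Prime page: triage of recently written signed
# installers/binaries. $KnownBadSerials and $KnownBadHashes are placeholders to be
# filled from the published IOC list; no real indicator values are embedded here.
param(
    [string[]]$Paths = @("$env:USERPROFILE\Downloads", "C:\Users\Public", "$env:TEMP"),
    [int]$Days = 14
)

$KnownBadSerials = @()   # certificate serial numbers, uppercase hex, from the IOC list
$KnownBadHashes  = @()   # SHA-256 values of known samples (e.g. StressClear.msi)

$since = (Get-Date).AddDays(-$Days)
$candidates = Get-ChildItem -Path $Paths -Recurse -File -Include *.msi, *.exe, *.dll -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since }

foreach ($file in $candidates) {
    $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash   = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $cert   = $sig.SignerCertificate
    $serial = if ($cert) { $cert.SerialNumber } else { $null }

    # Build the chain with online revocation checking for every element, so a
    # certificate the CA has revoked since signing is reported even though the
    # Authenticode status on the file itself may still read Valid.
    $revoked = $false
    if ($cert) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $null = $chain.Build($cert)
        $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
        $revoked = @($chain.ChainStatus | Where-Object { $_.Status -band $revokedFlag }).Count -gt 0
    }

    $flags = @()
    if ($sig.Status -ne 'Valid')                                 { $flags += "sig:$($sig.Status)" }
    if ($revoked)                                                { $flags += 'cert-revoked' }
    if ($serial -and ($KnownBadSerials -contains $serial))       { $flags += 'known-bad-serial' }
    if ($KnownBadHashes -contains $hash)                         { $flags += 'known-bad-hash' }
    # A validly signed MSI in a user-writable folder is exactly the shape of the
    # dropper described above, so it is queued for analyst review rather than trusted.
    if ($file.Extension -eq '.msi' -and $sig.Status -eq 'Valid') { $flags += 'valid-signed-msi-review' }

    [pscustomobject]@{
        Path   = $file.FullName
        SHA256 = $hash
        Signer = if ($cert) { $cert.Subject } else { '(unsigned)' }
        Serial = $serial
        Thumb  = if ($cert) { $cert.Thumbprint } else { $null }
        Status = $sig.Status
        Flags  = ($flags -join ',')
    }
}
```

Pipe the output to Export-Csv to keep the serials and hashes as evidence; rows carrying any flag are the ones to pull for analysis. Note that Get-AuthenticodeSignature reports Valid for a stolen-but-not-yet-revoked certificate, which is why the chain build with online revocation and the serial blocklist are both needed.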

Investigation

Technical analysis maps the observed behaviour to the following ATT&CK techniques:

  • T1059.003 (Windows Command Shell): commands run through a hidden cmd.exe spawned by the RAT, with input and output passed over named pipes.
  • T1105 (Ingress Tool Transfer): file download and upload commands.
  • T1053.005 (Scheduled Task): persistence through a scheduled task.
  • T1027 (Obfuscated Files or Information): the payload is a compiled AutoIt script, and the file mutates itself (polymorphism) when Avast is detected.
  • T1547.009 (Shortcut Modification): an LNK file placed in the Startup folder.
  • T1036.003 (Rename Legitimate Utilities): the legitimate schtasks.exe is copied to hwpviewer.exe and invoked under that name.
  • T1553.002 (Code Signing): the MSI is signed with a stolen certificate so that it passes as legitimate software.
  • T1574.001 (DLL Search Order Hijacking): hijacking of DLL calls.
  • T1129 (Shared Modules): shared in-memory stubs for Base64, LZMA and binary search.

The RAT creates a global mutex, Global\AB732E15-D8DD-87A1-7464-CE6698819E701, to prevent a second instance from running, checks for Avast AV, registers a scheduled task named “IoKlTr” that runs every minute, and drops its files to C:\Users\Public\Music. Network C2 is a TCP connection to 116.202.99.218:443; each message is JSON framed with the sentinel markers “endClient9688” and “endServer9688”.

Mitigation

Block execution of MSI installers from untrusted locations, including ones that carry a valid Authenticode signature: the RAT's installer is signed with a stolen certificate, so a valid signature is necessary but not sufficient. Monitor and alert on creation of scheduled tasks named “IoKlTr” (or similar short random names) and on LNK files written to the Startup folder (e.g. Smart_Web.lnk). Detect the global mutex value and the presence of the AutoIt interpreter (AutoIt3.exe) on hosts that have no business running it. Enforce network egress filtering to block the C2 IP 116.202.99.218, and flag any TCP stream carrying the custom JSON markers. Deploy endpoint protection that can inspect compiled AutoIt scripts and detect polymorphic file mutation. Verify code signatures and keep revocation checking enabled so that the compromised certificates are rejected once they are revoked.

Response

If an infection is suspected, isolate the affected host and collect a memory dump and the MSI file for forensic analysis, together with the scheduled task definitions, the LNK files and a listing of open mutexes. Hash every dropped binary and compare the hashes against the published IOCs. Then remove the scheduled task, delete the LNK shortcut and delete the RAT's files under C:\Users\Public\Music. Block the C2 IP and update firewall rules. Hunt across the environment for the mutex, the named-pipe pattern and the custom JSON markers. Report the findings to the relevant stakeholders and consider notifying affected human-rights organizations.
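The hunt-and-contain steps from the Investigation, Mitigation and Response sections above, as an added PowerShell example (not code from the SOC Prime page). It uses the indicator values given above (mutex, task name, drop folder, hwpviewer.exe, Smart_Web.lnk, C2 IP); the C:\Windows\Temp location for hwpviewer.exe is taken from the simulation narrative further down, and the -Remove switch, the $env:TEMP export path and the firewall rule name are assumptions. Run it elevated; without -Remove it only reports.

```powershell
# Added example, not from the SOC Prime page: collect (and with -Remove, clean up)
# the host artifacts the analysis attributes to EndClient RAT. Indicator values are
# the ones quoted in the analysis; paths/names marked "assumed" are this script's own.
param([switch]$Remove)

$TaskName   = 'IoKlTr'
$MutexName  = 'Global\AB732E15-D8DD-87A1-7464-CE6698819E701'
$DropDir    = 'C:\Users\Public\Music'
$RenamedBin = 'C:\Windows\Temp\hwpviewer.exe'   # location from the simulation narrative
$C2Addr     = '116.202.99.218'
$LnkName    = 'Smart_Web.lnk'
$findings   = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Detail) {
    $script:findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. Mutex: OpenExisting only succeeds while a running instance holds the mutex.
try {
    $m = [System.Threading.Mutex]::OpenExisting($MutexName)
    $m.Dispose()
    Add-Finding 'Mutex' $MutexName
}
catch [System.Threading.WaitHandleCannotBeOpenedException] { }   # not present: nothing to report
catch [UnauthorizedAccessException] { Add-Finding 'Mutex' "$MutexName (exists, access denied)" }

# 2. Scheduled task: record its action and export the XML definition before removal.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'ScheduledTask' "$TaskName -> $action"
    Export-ScheduledTask -TaskName $TaskName | Out-File "$env:TEMP\$TaskName.xml"   # assumed export path
    if ($Remove) { Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false }
}

# 3. Startup LNK in the all-users Startup folder and in every profile's Startup folder.
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") +
    @(Get-ChildItem 'C:\Users' -Directory | ForEach-Object {
        "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" })
foreach ($dir in $startupDirs) {
    $lnk = Join-Path $dir $LnkName
    if (Test-Path $lnk) {
        $target = (New-Object -ComObject WScript.Shell).CreateShortcut($lnk).TargetPath
        Add-Finding 'StartupLnk' "$lnk -> $target"
        if ($Remove) { Remove-Item $lnk -Force }
    }
}

# 4. Renamed schtasks.exe: confirm by hash that the copy is the genuine system binary.
if (Test-Path $RenamedBin) {
    $copyHash    = (Get-FileHash $RenamedBin).Hash
    $genuineHash = (Get-FileHash "$env:SystemRoot\System32\schtasks.exe").Hash
    Add-Finding 'RenamedSchtasks' "$RenamedBin (identical to schtasks.exe: $($copyHash -eq $genuineHash))"
    if ($Remove) { Remove-Item $RenamedBin -Force }
}

# 5. Dropped files: hash everything in the drop folder for comparison with the IOC list.
#    Deletion is left to the analyst, since the folder can hold legitimate user files.
if (Test-Path $DropDir) {
    Get-ChildItem $DropDir -File -Recurse | ForEach-Object {
        Add-Finding 'DroppedFile' "$($_.FullName) sha256=$((Get-FileHash $_.FullName).Hash)"
    }
}

# 6. Live C2 connections (with owning process) and a local outbound block rule.
Get-NetTCPConnection -RemoteAddress $C2Addr -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    Add-Finding 'C2Connection' "$($_.LocalAddress):$($_.LocalPort) -> ${C2Addr}:$($_.RemotePort) pid=$($_.OwningProcess) ($($proc.ProcessName))"
}
$ruleName = 'Block EndClient C2'   # assumed rule name
if ($Remove -and -not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block -RemoteAddress $C2Addr | Out-Null
}

$findings
```

The mutex check only fires while the RAT is running, so combine it with the file and task checks rather than relying on it alone; the task XML and the LNK target path are captured before anything is removed so the persistence mechanism can still be reconstructed afterwards.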

Attack Flow

EndClient RAT Simulation

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

  • Attack Narrative & Commands:

    1. Deliver the signed MSI (StressClear.msi) to the victim host.
    2. Execute the MSI silently, which extracts an embedded AutoIt script (payload.au3).
    3. The AutoIt script launches AutoIt3.exe, which in turn runs a hidden cmd.exe to open a reverse shell.
    4. To establish persistence, the script copies the legitimate schtasks.exe to C:\Windows\Temp\hwpviewer.exe and registers a scheduled task that calls this renamed binary at system startup.
    5. The hidden cmd.exe process is started with a hidden window so that nothing is visible to the user. The simulation must keep this hidden-window flag: if it is omitted, the execution falls into the rule's exclusion criteria and the test cannot be evaluated.
  • Regression Test Script:

    # -------------------------------------------------
    # EndClient RAT Delivery & Execution Simulation (PowerShell)
    # -------------------------------------------------
    # 1. Install the signed MSI (delivers AutoIt payload).
    #    msiexec returns immediately when called directly, so wait for it to finish
    #    before looking for the extracted script.
    Start-Process -FilePath "msiexec.exe" -ArgumentList '/i "C:\Temp\StressClear.msi" /quiet /norestart' -Wait

    # 2. Locate the extracted AutoIt script (simulated path)
    $autoitScript = "C:\ProgramData\StressClear\payload.au3"
    if (-not (Test-Path $autoitScript)) {
        Write-Error "AutoIt script not found at $autoitScript. Aborting."
        exit 1
    }

    # 3. Execute AutoIt3.exe with the script, in a hidden window as the RAT does
    $autoItExe = (Get-Command "AutoIt3.exe" -ErrorAction SilentlyContinue).Source
    if (-not $autoItExe) {
        Write-Error "AutoIt3.exe not found on system. Aborting."
        exit 1
    }
    Start-Process -FilePath $autoItExe -ArgumentList "`"$autoitScript`"" -WindowStyle Hidden