New KimJongRAT Stealer Uses Weaponized LNK File to Deploy PowerShell-Based Dropper
Two new variants of the KimJongRAT stealer have emerged, showcasing the persistent and evolving nature of this malicious tool, first identified in 2013.
Detailed research by Palo Alto Networks’ Unit 42 reveals that these variants, one employing a Portable Executable (PE) file and the other a PowerShell implementation, leverage a weaponized Windows shortcut (LNK) file as the initial infection vector to deploy multi-stage droppers.
KimJongRAT Variants Target Crypto Wallets
This sophisticated attack chain ultimately aims to steal sensitive user data, with a particular focus on cryptocurrency wallet extensions, browser credentials, and system information, posing a significant threat to individuals and organizations alike.
The attack begins when a user double-clicks the malicious LNK file, which often masquerades as a legitimate document with enticing names like “Sex Offender Personal Information Notification” in Korean.

This file, hosted on attacker-controlled content delivery network (CDN) accounts such as cdn.glitch[.]global, triggers the download of an HTML Application (HTA) file to the Windows %temp% directory.
Sophisticated Multi-Stage Attack Chain
In the PowerShell variant, the HTA file, named sfmw.hta, drops a decoy PDF, often a Korean-language document related to sex offenders, to distract the victim while simultaneously extracting a ZIP archive named pipe.zip to the %localappdata% folder.
This archive contains critical components, including a PowerShell script (1.ps1) that acts as a loader to decode and execute the Base64-encoded stealer and keylogger scripts from accompanying log files.
These scripts establish persistence via Windows registry entries and initiate data exfiltration to command-and-control (C2) servers, targeting an extensive list of crypto wallet extensions like MetaMask, Trust Wallet, and Phantom, alongside browser data from Chrome, Edge, and Firefox.
The PE variant follows a similar multi-stage approach but deploys a loader DLL (sys.dll) and additional payloads such as main64.log (orchestrator) and net64.log (stealer), focusing on broader data theft, including FTP and email client credentials.

Both variants utilize legitimate CDN services to mask their malicious traffic, with encrypted communications employing XOR and RC4 ciphers to evade detection.
The PowerShell variant’s anti-VM checks, though flawed, indicate an intent to avoid analysis in sandboxed environments, while its Work function continuously interacts with the C2 server to upload stolen data and download additional payloads.
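The article states that both variants protect their C2 exchanges with XOR and RC4 ciphers but gives neither the keys nor the order in which the two are applied. The following is an added example, not Unit 42's code and not taken from the KimJongRAT samples: it implements textbook RC4 and repeating-key XOR and tries a list of candidate keys (assumed to have been recovered during analysis of a sample) against a captured blob in each plausible layering, keeping only outputs that decode to printable text. The candidate keys and the blob are constructed test values; the standard RC4 test vector (key "Key", plaintext "Plaintext") is used to confirm the implementation.

```python
"""
Added example: RC4 / XOR decoder for triaging captured C2 payloads.
Keys, layering and sample blob below are assumptions, not values from the article.
"""


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; also self-inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Printable ASCII plus tab/newline/CR: a cheap 'did the decode succeed' heuristic.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def looks_like_text(data: bytes) -> bool:
    return len(data) > 0 and all(b in PRINTABLE for b in data)


def decode_candidates(blob: bytes, keys) -> dict:
    """Try every key with XOR alone, RC4 alone and both layerings.

    Returns {(layering, key): plaintext} for the attempts that yield text.
    The layerings are guesses; the article does not say how XOR and RC4 combine.
    """
    results = {}
    for key in keys:
        attempts = {
            "xor": xor_crypt(key, blob),
            "rc4": rc4_crypt(key, blob),
            "rc4_then_xor": xor_crypt(key, rc4_crypt(key, blob)),
            "xor_then_rc4": rc4_crypt(key, xor_crypt(key, blob)),
        }
        for label, out in attempts.items():
            if looks_like_text(out):
                results[(label, key)] = out
    return results


if __name__ == "__main__":
    # Constructed blob: the public RC4 test vector, standing in for a captured payload.
    captured = bytes.fromhex("bbf316e8d940af0ad3")
    for (layering, key), text in decode_candidates(captured, [b"Key", b"wrong"]).items():
        print(layering, key, text)
```

The printable-text filter is deliberately strict so that a wrong key or wrong layering is discarded rather than reported; loosen it (for example, to accept a known file magic) when the expected plaintext is binary rather than text.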
This adaptability, coupled with the malware’s focus on cryptocurrency-related assets, underscores the developers’ persistent efforts to refine KimJongRAT’s capabilities since its re-emergence in 2019, with newer samples dating to September 2024 and updates as recent as March 2025.
Palo Alto Networks offers robust protection through solutions like Advanced WildFire, Cortex XDR, and Advanced Threat Prevention, which detect and prevent execution of these threats using machine learning and behavioral analysis.
Indicators of Compromise (IoCs)
| Type | Indicator (SHA256/URL) |
|---|---|
| LNK Files (Sample) | a66c25b1f0dea6e06a4c9f8c5f6ebba0f6c21bd3b9cc326a56702db30418f189 |
| HTA Files (Sample) | 02783530bbd8416ebc82ab1eb5bbe81d5d87731d24c6ff6a8e12139a5fe33cee |
| PowerShell Loader | 97d1bd607b4dc00c356dd873cd4ac309e98f2bb17ae9a6791fc0a88bc056195a |
| CDN Stager URL (Sample) | cdn.glitch[.]global/2eefa6a0-44ff-4979-9a9c-689be652996d/ |
| C2 URL (Sample) | 131.153.13[.]235/sp/ |
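The infection chain described above (HTA launched from %temp%, a PowerShell loader decoding Base64 from .log files, registry persistence) and the IoC table lend themselves to a small triage script. The following is an added example, not Unit 42's code and not derived from the samples: it refangs the published IoCs so they can be matched against telemetry, and applies three behavioural rules mirroring the chain to constructed endpoint events. The telemetry format (`cmdline`, `url`, `sha256` fields) and every event value are assumptions constructed for this example.

```python
"""
Added example: refang the article's IoCs and triage constructed telemetry for
the KimJongRAT delivery chain. Field names and events are assumptions.
"""
import hashlib
import re

# IoC values copied from the table above; '[.]' is the published defanged form.
IOC_HASHES = {
    "a66c25b1f0dea6e06a4c9f8c5f6ebba0f6c21bd3b9cc326a56702db30418f189": "LNK",
    "02783530bbd8416ebc82ab1eb5bbe81d5d87731d24c6ff6a8e12139a5fe33cee": "HTA",
    "97d1bd607b4dc00c356dd873cd4ac309e98f2bb17ae9a6791fc0a88bc056195a": "PowerShell loader",
}
IOC_URLS_DEFANGED = [
    "cdn.glitch[.]global/2eefa6a0-44ff-4979-9a9c-689be652996d/",
    "131.153.13[.]235/sp/",
]


def refang(ioc: str) -> str:
    """Turn the publication-safe '[.]' / 'hxxp' forms back into matchable text."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_URLS = [refang(u) for u in IOC_URLS_DEFANGED]

# Behavioural rules mirroring the chain in the article, applied to a process
# command line. The 'cmdline' field name is an assumption of this example.
BEHAVIOUR_RULES = {
    # HTA executed from the user's %temp% directory
    "hta_from_temp": re.compile(r"\bmshta(\.exe)?\s+.*\\temp\\\S+\.hta", re.I),
    # PowerShell decoding Base64 content read from a .log file
    "ps_loader_decodes_log": re.compile(r"powershell.*FromBase64String.*\.log", re.I),
    # Run-key persistence written with reg.exe
    "run_key_persistence": re.compile(r"\breg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", re.I),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_event(event: dict) -> list:
    """Return the rule names and IoC labels that fire for a single event."""
    hits = []
    cmd = event.get("cmdline", "")
    for name, rx in BEHAVIOUR_RULES.items():
        if rx.search(cmd):
            hits.append(name)
    digest = event.get("sha256", "").lower()
    if digest in IOC_HASHES:
        hits.append("ioc_hash:" + IOC_HASHES[digest])
    url = event.get("url", "")
    for ioc_url in IOC_URLS:
        if ioc_url in url:
            hits.append("ioc_url:" + ioc_url)
    return hits


def triage_file(data: bytes) -> list:
    """Hash a file's bytes and run it through the same IoC check."""
    return triage_event({"sha256": sha256_hex(data)})


def triage_all(events) -> list:
    return [triage_event(e) for e in events]


# Constructed telemetry for demonstration; not real sample output.
SAMPLE_EVENTS = [
    {"cmdline": "mshta.exe C:\\Users\\v\\AppData\\Local\\Temp\\sfmw.hta"},
    {"cmdline": "powershell.exe -w hidden -c [Convert]::FromBase64String("
                "(Get-Content $env:LOCALAPPDATA\\pipe\\a.log))"},
    {"cmdline": "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
                " /v Updater /t REG_SZ /d C:\\x\\1.ps1"},
    {"url": "https://cdn.glitch.global/2eefa6a0-44ff-4979-9a9c-689be652996d/sfmw.hta"},
    {"sha256": "A66C25B1F0DEA6E06A4C9F8C5F6EBBA0F6C21BD3B9CC326A56702DB30418F189"},
    {"cmdline": "notepad.exe C:\\Users\\v\\notes.txt"},
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(hits or ["-"], ev)
```

Hash and URL matches are exact and will miss trivially recompiled samples or new CDN paths, which is why the behavioural rules sit alongside them: an HTA launched from %temp% that hands off to a PowerShell Base64 decode of a .log file is the shape of the chain, not a particular file.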