The threat actor delivers three Remote Access Trojans (RATs)—ValleyRAT, FatalRAT, and a newly discovered RAT dubbed kkRAT—via phishing sites hosted on GitHub Pages.
These sites masquerade as legitimate software installers for popular applications. In each instance, a ZIP archive contains a malicious executable that initiates a multi-stage attack chain designed to evade analysis, disable endpoint security, and deploy the final payload.
Zscaler ThreatLabz has uncovered a sophisticated malware campaign targeting Chinese-speaking users since early May 2025.
Zscaler ThreatLabz first detected the campaign in May 2025 when users were lured to fake installer pages mimicking popular Chinese software.
Each phishing page delivers a ZIP archive containing a malicious executable that launches a three-stage loader before deploying one of three RATs.
While ValleyRAT and FatalRAT are documented elsewhere, kkRAT is a previously unknown malware family that blends features from Ghost RAT and Big Bad Wolf. kkRAT’s standout capability is a network communication protocol that compresses data with zlib and then applies an XOR-based encryption layer.
Core features include clipboard hijacking to replace cryptocurrency addresses and deployment of legitimate remote monitoring and management (RMM) tools such as Sunlogin and GotoHTTP.
To ensure persistence and stealth, the malware uses a Bring Your Own Vulnerable Driver (BYOVD) technique to disable antivirus and EDR callbacks.
Technical Analysis
The attack begins when a user downloads and extracts the ZIP archive. The first stage executable performs VMware and sandbox detection by measuring operation timings via QueryPerformanceCounter and verifying system resources (at least 50 GB disk space and two CPU cores).
If thresholds are not met, the malware corrupts its process snapshot by altering PEB structures and terminates.
Next, API functions are resolved dynamically with single-byte XOR deobfuscation, and next-stage shellcode is decrypted and executed in memory using pe_to_shellcode transformation.
In the second stage, the malware requires administrator privileges. If not elevated, it prompts the user in Mandarin and exits.
With privileges, it enumerates network adapters and disables them to cut off AV/EDR vendor communications.
The malware then scans for processes associated with Chinese security vendors—such as 360 Total Security, QQ Computer Manager, and Kingsoft Internet Security—and if found, leverages the vulnerable RTCore64.sys driver (CVE-2019-16098) to remove registered ObRegister, MiniFilter, and CmRegister callbacks using code from the open-source RealBlindingEDR project.
After disabling these callbacks and deleting AV/EDR files, it schedules a recurring SYSTEM-level task to kill security processes on each login and modifies registry keys to disable 360 Total Security’s network checks before re-enabling network adapters.
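The BYOVD step above leaves a clear telemetry trace: a third-party driver loaded from a user-writable path. The following triage routine is an added example written for this article, not code from Zscaler ThreatLabz. It assumes driver-load records flattened into key=value lines using the Sysmon Event ID 6 field names (ImageLoaded, Signed, Signature, SignatureStatus); the sample records are constructed, and the only driver name on the vulnerable list is the RTCore64.sys the page names (its file hash is not on the page, so the match is by name and path only).

```python
"""Triage of driver-load records for BYOVD indicators (added example, not ThreatLabz code)."""
import re

# Driver file names to treat as known-vulnerable. RTCore64.sys is the one named on the page;
# in practice this set would come from a maintained vulnerable-driver list.
KNOWN_VULNERABLE_DRIVERS = {"rtcore64.sys"}

# Paths that legitimately host kernel drivers on Windows; anything else is worth a look.
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

# Constructed sample records (not real telemetry) in a flattened Sysmon-like key=value form.
SAMPLE_EVENTS = [
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Signed=true "
    "Signature=Microsoft Windows SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Users\\Public\\RTCore64.sys Signed=true "
    "Signature=Micro-Star International SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Windows\\Temp\\update.sys Signed=false "
    "Signature=- SignatureStatus=Unsigned",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd /c whoami",
]


def parse_kv(line: str) -> dict:
    """Split 'Key=value Key2=value with spaces' into a dict; values run until the next Key=."""
    return dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line))


def triage_driver_loads(lines):
    """Return (image_path, [reasons]) for every driver load that deserves analyst attention.

    Three independent signals are combined: the file name is on the vulnerable list, the
    driver was loaded from outside the normal drivers directory, or it carries no signature.
    A validly signed driver can still be the BYOVD payload, which is why name and path matter.
    """
    findings = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("EventID") != "6":          # only Sysmon driver-load events
            continue
        image = ev.get("ImageLoaded", "")
        name = image.rsplit("\\", 1)[-1].lower()
        reasons = []
        if name in KNOWN_VULNERABLE_DRIVERS:
            reasons.append("known-vulnerable driver (BYOVD candidate)")
        if not image.lower().startswith(EXPECTED_DRIVER_DIRS):
            reasons.append("driver loaded from outside System32\\drivers")
        if ev.get("Signed", "").lower() != "true":
            reasons.append("unsigned driver")
        if reasons:
            findings.append((image, reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in triage_driver_loads(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("   -", r)
```

Of the constructed records, ndis.sys produces no finding, RTCore64.sys is flagged twice (vulnerable name, unusual path) despite its valid signature, and update.sys is flagged for path and missing signature. The same logic maps directly onto a SIEM rule keyed on Sysmon Event ID 6.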
The third stage loader fetches a heavily obfuscated shellcode named 2025.bin via a hardcoded URL. This shellcode downloads and decodes a Base64-encoded file output.log, which contains 62 records separated by custom delimiters.

Each record points to two ZIP archives: one legitimate executable with a malicious DLL for side-loading, and another archive containing longlq.cl, the encrypted final payload. The side-loaded DLL decrypts the payload with a six-byte XOR key, revealing either ValleyRAT, FatalRAT, or kkRAT.
kkRAT Features and Communication Protocol
kkRAT’s configuration—C2 IP, port, version, and group identifier—is stored as encrypted strings and transmitted in a registration message.
During registration, kkRAT collects system information (OS version, CPU frequency, memory size, installed AVs, presence of webcams, RMM tools, and user context) to fingerprint the device.
Network packets mirror Ghost RAT’s structure but include an additional zlib compression step followed by XOR encryption with a hardcoded key. ThreatLabz provides Python decryptor scripts on GitHub for both configuration and network traffic.
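Both XOR layers mentioned above (the six-byte key on longlq.cl, and the zlib-then-XOR wire format) are simple to reverse for analysis once the key is recovered. The block below is an added example, not the ThreatLabz decryptor scripts: the two keys are constructed placeholders since the real kkRAT keys are not given on this page, the stub PE and registration string are constructed fixtures, and the only order of operations taken from the page is that zlib is applied before XOR on the wire, so a decoder removes XOR first and inflates second.

```python
"""Decoders for kkRAT-style XOR layers (added example; keys are placeholders, not the real ones)."""
import zlib

# Constructed placeholder keys. NOT the real kkRAT values.
PAYLOAD_XOR_KEY = bytes.fromhex("a1b2c3d4e5f6")   # six bytes, matching the key length used on longlq.cl
TRAFFIC_XOR_KEY = b"PLACEHOLDER-C2-KEY"           # stand-in for the hardcoded network key


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR every byte against a repeating key. Symmetric, so it both encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_payload(blob: bytes, key: bytes = PAYLOAD_XOR_KEY) -> bytes:
    """Strip the payload XOR layer and check that a PE image came out.

    The page says the result is one of three RAT executables, so an 'MZ' header is a
    cheap sanity check that catches a wrong key or a file that is not a longlq.cl blob.
    """
    image = xor_repeating(blob, key)
    if image[:2] != b"MZ":
        raise ValueError("decrypted data has no MZ header; wrong key or not a longlq.cl blob")
    return image


def decode_c2_message(packet: bytes, key: bytes = TRAFFIC_XOR_KEY) -> bytes:
    """Reverse the wire transform: XOR is the outer layer, zlib sits underneath it."""
    compressed = xor_repeating(packet, key)
    try:
        return zlib.decompress(compressed)
    except zlib.error as exc:
        raise ValueError("zlib failed after removing XOR; wrong key or truncated packet") from exc


def encode_c2_message(plaintext: bytes, key: bytes = TRAFFIC_XOR_KEY) -> bytes:
    """Forward transform (zlib, then XOR). Used here only to build offline test fixtures."""
    return xor_repeating(zlib.compress(plaintext), key)


# Constructed fixtures: a stub PE (MZ header plus padding) and a fake registration message.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
ENCRYPTED_PAYLOAD = xor_repeating(FAKE_PE, PAYLOAD_XOR_KEY)
FAKE_REGISTRATION = b"ver=1.0;group=demo;os=Windows 10;av=none;webcam=0"
CAPTURED_PACKET = encode_c2_message(FAKE_REGISTRATION)

if __name__ == "__main__":
    print(decrypt_payload(ENCRYPTED_PAYLOAD)[:2])        # b'MZ'
    print(decode_c2_message(CAPTURED_PACKET).decode())   # the registration string above
```

Because XOR is symmetric, recovering either key from a sample is a known-plaintext exercise: XOR the first bytes of a longlq.cl blob against the expected "MZ" header, or the first bytes of a captured packet against the standard zlib header, and the key bytes fall out. Both decoders raise on a wrong key rather than returning garbage, which is the failure mode an analyst hits first when a sample uses a new build's key.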
kkRAT supports a rich set of commands and plugins. Its main plugin DLL exposes exports for remote desktop control, process and window management, network connection enumeration, and clipboard monitoring.
Special commands (0x4D–0x4F) scan the clipboard for cryptocurrency addresses and replace them with attacker-controlled wallets, enabling silent crypto-hijacking.
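The clipboard swap described above has a recognisable signature from the defender's side: a wallet address on the clipboard is replaced by a different address of the same chain within a fraction of a second, with no user action in between. The detector below is an added example written for this article, not ThreatLabz tooling. It assumes a stream of timestamped clipboard snapshots (on a live host these would come from a platform clipboard API, which is not shown); the address patterns are deliberately loose shape checks rather than checksum validators, and every address and snapshot is constructed.

```python
"""Heuristic detection of clipboard address swapping (added example, constructed data)."""
import re
from dataclasses import dataclass

# Loose shape checks for common address formats; enough to say "this looks like a wallet".
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "trx": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def classify(text: str):
    """Return the chain label whose pattern the clipboard text matches, or None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


@dataclass
class SwapAlert:
    chain: str
    original: str
    replaced: str
    seconds_apart: float


def detect_swaps(snapshots, max_gap: float = 2.0):
    """Flag address-for-address replacements that happen too fast to be a user action.

    snapshots: iterable of (timestamp_seconds, clipboard_text), in order.
    A user copying two different addresses seconds or minutes apart is normal; the same
    chain's address changing under max_gap seconds without a copy is the hijack pattern.
    """
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        chain_before, chain_after = classify(before), classify(after)
        if (chain_before and chain_before == chain_after
                and before.strip() != after.strip()
                and (t1 - t0) <= max_gap):
            alerts.append(SwapAlert(chain_before, before.strip(), after.strip(), t1 - t0))
    return alerts


# Constructed clipboard history (all addresses are made up and match only the shape checks).
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (5.0, "1ExampAddrConstructedForDemoXYZ1"),   # user copies their own address
    (5.3, "1AttackerStandinAddrDemoXYZ9876"),    # 300 ms later the clipboard holds another BTC address
    (60.0, "0x" + "ab" * 20),                     # user copies an ETH address
    (95.0, "0x" + "cd" * 20),                     # 35 s later a different one: normal behaviour
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"{alert.chain}: {alert.original} -> {alert.replaced} in {alert.seconds_apart:.1f}s")
```

On the constructed history only the BTC pair fires: the ETH pair is 35 seconds apart and reads as two deliberate copies. Tightening max_gap reduces false positives at the cost of missing a hijacker that deliberately delays its replacement.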
Additional commands install or retrieve credentials for Sunlogin and GotoHTTP RMM tools, proxy TCP traffic, and establish persistence via scheduled tasks, autorun keys, or startup folders.
In summary, kkRAT distinguishes itself through its hybrid communication protocol, advanced sandbox evasion, BYOVD-based security disabling, and clipboard hijacking capabilities, marking it as a potent threat to Chinese-speaking targets.