kkRAT Malware
Infosec researchers have uncovered an active malware campaign aimed at Chinese-speaking users that uses a previously undocumented remote access trojan dubbed kkRAT. The campaign appears to have been running since early May 2025 and combines familiar RAT techniques with modular loaders and deception to evade detection and achieve persistence.
THREAT ORIGINS AND CODELINE LINKS
Analysis shows kkRAT borrows heavily from established families: its network protocol and some code structures resemble those used by Gh0st RAT (Ghost RAT) and Big Bad Wolf (大灰狼), a RAT historically used by China-based cybercriminal groups. The authors layered additional encryption on top of compression, producing a Ghost-like communications channel with an extra encryption step.
DELIVERY METHOD — FAKE INSTALLERS HOSTED ON GITHUB PAGES
Actors hosted phishing pages on GitHub Pages that impersonated popular applications (for example, DingTalk) and delivered three trojans via fake installers. By abusing GitHub's reputation, the operators increased the likelihood that victims would trust and run the installers. Experts note that the GitHub account used to host the pages is no longer available.
INSTALLER BEHAVIOR
When executed, the fake installer performs multiple checks to detect sandbox environments and virtual machines and tries to bypass security controls. It prompts for administrator privileges; if granted, it enumerates and temporarily disables active network adapters — a capability used to interfere with antivirus network checks and to disrupt normal AV operation while it proceeds with its changes.
ANTI-AV TECHNIQUES
The malware uses a Bring-Your-Own-Vulnerable-Driver (BYOVD) technique to neutralize endpoint protections, reusing code from the RealBlindingEDR open-source project. It specifically searches for and targets these consumer and enterprise protection suites:
360 Internet Security suite
360 Total Security
HeroBravo System Diagnostics suite
Kingsoft Internet Security
QQ电脑管家
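A defender-side check for the BYOVD step, added here as an example and not taken from the article or from RealBlindingEDR: it lists running kernel drivers whose image is not Microsoft-signed or is loaded from outside the system driver directory. The signer heuristic (WHQL and attestation-signed third-party drivers carry a Microsoft signer) and the path normalisation are assumptions, so treat hits as review items rather than verdicts.

```powershell
# Added check, not code from the original article or from RealBlindingEDR.
# Flags running drivers that are not Microsoft-signed or that live outside
# %SystemRoot%\System32\drivers, which is the footprint a BYOVD loader leaves.
$driverRoot = (Join-Path $env:SystemRoot 'System32\drivers').TrimEnd('\') + '\'

$report = foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }) {
    # PathName may be quoted, use the \??\ prefix or the \SystemRoot\ alias;
    # normalise it to a plain file-system path before touching the file.
    $path = $drv.PathName -replace '^"|"$', '' -replace '^\\\?\?\\', '' `
                          -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    # Assumption: a valid signature with a Microsoft signer covers WHQL and
    # attestation-signed vendor drivers as well as Microsoft's own.
    $microsoftSigned = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')
    $inDriverDir = $path.StartsWith($driverRoot, 'OrdinalIgnoreCase')

    [pscustomobject]@{
        Name           = $drv.Name
        Path           = $path
        SignatureState = $sig.Status
        Signer         = $subject
        InDriverDir    = $inDriverDir
        ReviewNeeded   = (-not $microsoftSigned) -or (-not $inDriverDir)
    }
}

# Only the drivers that need a second look are printed.
$report | Where-Object ReviewNeeded | Sort-Object Name | Format-Table -AutoSize
```

Run it from an elevated session on the endpoint under investigation. A vulnerable driver abused for BYOVD is usually itself validly signed by its vendor, so the path and signer columns together, not the signature status alone, are what separate a dropped driver from a normal hardware driver.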
After terminating relevant antivirus processes, the installer creates a scheduled task running with SYSTEM privileges that executes a batch script on each user logon — ensuring the targeted AV processes are killed automatically at every login. The malware also modifies Windows Registry entries in ways consistent with disabling network checks, then re-enables network adapters once its modifications are complete.
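The scheduled-task persistence described above has a narrow shape: runs as SYSTEM, fires at user logon, and launches a batch script. The following hunt, added here as an example and not taken from the article, enumerates tasks with exactly that shape and, when the batch file is readable, notes whether it contains process-termination commands. The Microsoft-path allowlist and the regexes are assumptions to tune for your environment.

```powershell
# Added hunt, not code from the original article.
# Lists non-Microsoft scheduled tasks that run as SYSTEM on logon and execute
# a .bat/.cmd script, then peeks into the script for process-kill commands.
$suspicious = foreach ($task in Get-ScheduledTask) {
    # Assumption: tasks under \Microsoft\ are vendor tasks; skip them to cut noise.
    if ($task.TaskPath -like '\Microsoft\*') { continue }

    $runsAsSystem = $task.Principal.UserId -in @('SYSTEM', 'S-1-5-18', 'NT AUTHORITY\SYSTEM')
    if (-not $runsAsSystem) { continue }

    # MSFT_TaskLogonTrigger is the CIM class behind "At log on" triggers.
    $logonTrigger = $task.Triggers |
        Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if (-not $logonTrigger) { continue }

    foreach ($action in $task.Actions) {
        if ($action.CimClass.CimClassName -ne 'MSFT_TaskExecAction') { continue }
        $cmdline = "$($action.Execute) $($action.Arguments)"
        if ($cmdline -notmatch '\.(bat|cmd)\b') { continue }

        # Recover the script path whether it is run directly or via cmd.exe /c "...".
        $scriptPath = if ($action.Execute -match '\.(bat|cmd)$') { $action.Execute }
                      elseif ($action.Arguments -match '"?([^"]+\.(bat|cmd))"?') { $Matches[1] }
                      else { $null }

        $killsProcesses = $false
        if ($scriptPath -and (Test-Path -LiteralPath $scriptPath)) {
            # taskkill / Stop-Process inside a logon script is the behaviour to look for.
            $killsProcesses = [bool](Select-String -Path $scriptPath `
                                 -Pattern 'taskkill|Stop-Process' -Quiet)
        }

        [pscustomobject]@{
            TaskName       = $task.TaskName
            TaskPath       = $task.TaskPath
            RunAs          = $task.Principal.UserId
            Author         = $task.Author
            Command        = $cmdline
            Script         = $scriptPath
            KillsProcesses = $killsProcesses
        }
    }
}

$suspicious | Format-Table -AutoSize
```

Legitimate logon scripts that stop processes exist (login-time cleanup tools, for instance), so the KillsProcesses column is a triage aid; the combination with a recently created task, an unusual author and a script in a user-writable directory is what merits escalation.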
PAYLOAD CHAIN
The installer's primary role is to run shellcode, which fetches and executes an obfuscated secondary shellcode file named '2025.bin' from a hard-coded URL. That shellcode acts as a downloader and retrieves an artifact named 'output.log', which then contacts two URLs to download two ZIP archives:
- trx38.zip — contains a legitimate executable plus a malicious DLL that is launched via DLL sideloading.
- p.zip — contains a file called longlq.cl that holds an encrypted final payload.
The malware creates a shortcut to the legitimate executable from trx38.zip, places that shortcut in the user's Startup folder for persistence, and runs the legitimate executable so it will sideload the malicious DLL. The DLL decrypts and executes the final payload contained in longlq.cl. The final payload varies between campaign instances; one confirmed payload is kkRAT.
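The Startup-folder shortcut plus a sideloaded DLL leaves a pattern that can be hunted for directly: a shortcut whose target is a signed, legitimate executable sitting in a user-writable directory with DLLs beside it. The script below, added here as an example and not taken from the article, resolves every shortcut in both Startup folders and reports that pattern. The trusted-root list is an assumption to adjust for your environment.

```powershell
# Added hunt, not code from the original article.
# Resolves Startup-folder shortcuts and flags targets outside trusted roots
# that have DLLs co-located with them, the DLL-sideloading persistence shape.
$shell = New-Object -ComObject WScript.Shell

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Assumption: executables under these roots are installed software, not drops.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter *.lnk -File) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if (-not $target -or -not (Test-Path -LiteralPath $target)) { continue }

        $targetDir = Split-Path -Parent $target
        $inTrustedRoot = [bool]($trustedRoots |
            Where-Object { $targetDir.StartsWith($_, 'OrdinalIgnoreCase') })

        # DLLs next to the executable are sideloading candidates; record the
        # unsigned ones separately since a dropped loader DLL is rarely signed.
        $siblingDlls = @(Get-ChildItem -LiteralPath $targetDir -Filter *.dll -File -ErrorAction SilentlyContinue)
        $unsignedDlls = @($siblingDlls | Where-Object {
            (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' })

        $sig = Get-AuthenticodeSignature -FilePath $target
        [pscustomobject]@{
            Shortcut     = $lnk.FullName
            Target       = $target
            TargetSigned = $sig.Status
            Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            TrustedPath  = $inTrustedRoot
            SiblingDlls  = $siblingDlls.Count
            UnsignedDlls = ($unsignedDlls.Name -join ', ')
            Suspicious   = (-not $inTrustedRoot) -and ($unsignedDlls.Count -gt 0)
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

The strongest signal is a validly signed vendor executable (TargetSigned = Valid) launched from an untrusted path next to an unsigned DLL: that is the sideloading arrangement in a single row, and the unsigned DLL is the sample to pull for analysis.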
kkRAT CAPABILITIES (COMMANDS, PLUGINS AND BEHAVIOR)
kkRAT connects to a C2 server over a socket, profiles the infected host, and downloads plugins and commands that enable extensive remote control and data collection. Its observed capabilities include:
- screen capture and simulation of user input (keyboard and mouse)
- reading and modifying clipboard contents (used for cryptocurrency address replacement)
- enabling remote desktop functionality and launching/remotely closing applications, including browsers
- remote command execution via an interactive shell
- on-screen window management and process listing/termination
- enumerating active network connections
- listing installed applications and uninstalling selected software
- reading autorun Registry values and enumerating autorun entries
- acting as a SOCKS5 proxy to route traffic and potentially bypass firewalls or VPNs
- installing and deploying remote management tools such as Sunlogin and GotoHTTP
- persistence mechanisms and a broad set of commands to invoke plugins and operational functions
kkRAT also contains clipper functionality that replaces copied cryptocurrency wallet addresses, and routines to clear data from a range of browsers and messaging apps (examples observed: 360 Speed Browser, Google Chrome, Internet Explorer, Mozilla Firefox, QQ Browser, Sogou Explorer, and Telegram).
SUMMARY — WHY THE ATTACK CAMPAIGN IS SIGNIFICANT
This campaign is notable for combining: social-engineering distribution through legitimate-looking GitHub Pages; advanced anti-analysis and anti-AV techniques (sandbox/VM detection, BYOVD using RealBlindingEDR code); a multi-stage loader that uses DLL sideloading and encrypted payload containers; and a fully featured RAT (kkRAT) that supports both information theft (clipboard hijacking, screen capture, data exfiltration) and operational tooling (remote management tools, proxying). The modular architecture means the final payload can be swapped, increasing flexibility for the operators and complicating detection and attribution.