Zscaler ThreatLabz has identified a sophisticated malware campaign active since early May 2025, targeting Chinese-speaking users with a blend of well-known and new Remote Access Trojans (RATs). Among the payloads delivered are ValleyRAT, FatalRAT, and a newly discovered RAT dubbed kkRAT, which blends traits from multiple established malware families.
According to Zscaler, “The campaign uses fake installer pages mimicking popular software to deliver three different RATs as the final payload in various instances.” These phishing sites are hosted on GitHub Pages and distribute malicious executables disguised as legitimate software installers.
The campaign employs a multi-stage infection process designed to bypass detection:
- Stage 1: Performs environment checks to evade sandboxes and VMs, using timing analysis and minimum hardware requirements. If the checks fail, it alters its own process structures to masquerade as explorer.exe before terminating.
- Stage 2: Running with administrator privileges, disables network adapters, scans for antivirus and EDR processes (especially those of China-based vendors), and mounts a Bring Your Own Vulnerable Driver (BYOVD) attack via the vulnerable RTCore64.sys driver to remove AV/EDR kernel callbacks.
- Stage 3: Downloads obfuscated shellcode that unpacks ZIP archives containing both legitimate executables and malicious DLLs, enabling DLL sideloading to deploy the RAT payloads.

While ValleyRAT and FatalRAT have been documented before, kkRAT represents a new malware family with dangerous capabilities. ThreatLabz explains: “kkRAT employs a network communication protocol similar to Ghost RAT, with an added encryption layer after data compression.”
Key features of kkRAT include:
- Clipboard hijacking – Monitors and replaces cryptocurrency wallet addresses (Bitcoin, Ethereum, Tether) with attacker-controlled addresses.
- Remote monitoring & persistence – Deploys legitimate RMM tools such as Sunlogin and GotoHTTP for long-term access.
- Extensive plugins – kkRAT supports plugins for remote desktop control, process management, application management, network connection monitoring, and shell access.
- Network proxying – Provides SOCKS5 proxy functionality to relay traffic, bypassing firewalls and VPNs.
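The clipboard-hijacking behaviour listed above can be caught on the endpoint by watching for a wallet address that is replaced by a different address of the same type moments after the user copied it. The following is an added example, not code from the Zscaler report or from kkRAT: it runs that swap heuristic over a constructed sequence of clipboard samples, and a live monitor would feed it from the Windows clipboard API instead. The address patterns, the two-second window and every sample value are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Address formats for the three assets named in the report. Tether (USDT) mostly
# circulates as an ERC-20 token (Ethereum-style address) or a TRC-20 token (TRON
# address starting with "T"), so both forms are covered. Patterns are assumed.
WALLET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "trx": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the wallet type of a clipboard string, or None if it is not an address."""
    s = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


def detect_swaps(snapshots: List[Tuple[float, str]], max_gap: float = 2.0) -> List[dict]:
    """Flag consecutive clipboard samples where an address was replaced by a
    different address of the same type within max_gap seconds.

    A person pasting a new address of the same type normally takes longer than
    that; a clipper rewrites the clipboard almost immediately after the copy.
    max_gap is an assumed threshold, not a value from the report."""
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        k_prev, k_cur = classify(prev), classify(cur)
        if (k_prev and k_prev == k_cur
                and prev.strip() != cur.strip()
                and (t_cur - t_prev) <= max_gap):
            alerts.append({
                "time": t_cur,
                "kind": k_prev,
                "copied": prev.strip(),
                "replaced_with": cur.strip(),
            })
    return alerts


# Constructed clipboard timeline (seconds since start, clipboard text).
# None of these addresses are real wallets; they only fit the formats above.
SAMPLE_SNAPSHOTS: List[Tuple[float, str]] = [
    (0.0, "meeting notes"),
    (1.0, "0xabababababababababababababababababababab"),   # user copies own ETH address
    (1.3, "0xcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"),   # rewritten 300 ms later: hijack
    (20.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),  # user copies a BTC address
    (45.0, "bc1qattackerattackerattackerattackerattack"),  # different BTC address 25 s later: user action
    (50.0, "TVictimVictimVictimVictimVictimVic"),           # user copies a TRON (USDT TRC-20) address
    (50.2, "TAttackerAttackerAttackerAttackerA"),           # rewritten 200 ms later: hijack
]


def run_sample() -> List[dict]:
    """Run the heuristic over the constructed timeline."""
    return detect_swaps(SAMPLE_SNAPSHOTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['time']:.1f}s] {a['kind']} address swapped: "
              f"{a['copied']} -> {a['replaced_with']}")
```

On a real host the same function can be driven by polling the clipboard a few times per second; the type-equality check matters because a clipper only swaps like for like, so an unrelated copy of a different address type is not an alert.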
To evade defenders, kkRAT encrypts its C2 configuration and applies zlib compression followed by XOR encryption to its network packets. Zscaler researchers note that decryption tools for kkRAT's plugins and network communication are available so that defenders can analyze captured traffic.
The RAT also fingerprints infected devices, collecting system information such as CPU count, memory size, OS version, webcam presence, and installed messaging apps such as Telegram, QQ, and WeChat, all of which is exfiltrated to the attacker's command-and-control server.
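The compress-then-XOR packet layout described above has a useful weakness for analysts: a zlib stream starts with a two-byte header whose fields are constrained by RFC 1950, so when the XOR key is a single byte it can be recovered from the first two bytes of a captured packet without knowing anything else. The following is an added example, not Zscaler's tooling or kkRAT's own code: it builds a constructed beacon carrying the fingerprint fields named above, packs it the way the page describes (zlib, then XOR), and then recovers the key and the plaintext from the packet alone. The framing, the key value and the beacon contents are assumptions; real kkRAT traffic may use a longer key or extra headers, for which Zscaler's published decryption tools are the right starting point.

```python
import zlib
from typing import Iterator, Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (single-byte keys are the special case key=b'\\x??')."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(plaintext: bytes, key: bytes) -> bytes:
    """Constructed sender side: zlib-compress, then XOR, the order the report describes."""
    return xor_bytes(zlib.compress(plaintext), key)


def unpack(packet: bytes, key: bytes) -> bytes:
    """Receiver side with a known key: undo the XOR, then decompress."""
    return zlib.decompress(xor_bytes(packet, key))


def zlib_header_ok(cmf: int, flg: int) -> bool:
    """RFC 1950 header rules: CM (low nibble of CMF) must be 8 for deflate,
    CINFO (high nibble) at most 7, and CMF*256+FLG must be a multiple of 31."""
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0


def candidate_single_byte_keys(packet: bytes) -> Iterator[int]:
    """Yield every single-byte key under which the packet's first two bytes
    decode to a valid zlib header. Only a handful of the 256 keys survive."""
    for k in range(256):
        if zlib_header_ok(packet[0] ^ k, packet[1] ^ k):
            yield k


def recover_single_byte_key(packet: bytes) -> Optional[int]:
    """Confirm header candidates by actually inflating the stream; a wrong key
    fails the deflate parse or the trailing Adler-32 check. Returns None if the
    packet is not a single-byte-XORed zlib stream (e.g. longer key, stripped header)."""
    for k in candidate_single_byte_keys(packet):
        try:
            zlib.decompress(xor_bytes(packet, bytes([k])))
            return k
        except zlib.error:
            continue
    return None


# Constructed fingerprint beacon using the field types the report lists; the
# actual kkRAT message format is not on the page and is not reproduced here.
SAMPLE_BEACON = (b'{"cpu":8,"mem_mb":16384,"os":"Windows 10","webcam":true,'
                 b'"apps":["Telegram","QQ","WeChat"]}')
SAMPLE_KEY = bytes([0x5A])  # assumed single-byte key for the example
SAMPLE_PACKET = pack(SAMPLE_BEACON, SAMPLE_KEY)


def decode_unknown_key(packet: bytes) -> Optional[bytes]:
    """Analyst path: recover the key from the packet, then return the plaintext."""
    k = recover_single_byte_key(packet)
    return None if k is None else unpack(packet, bytes([k]))


if __name__ == "__main__":
    print("packet head:", SAMPLE_PACKET[:4].hex())
    print("recovered key:", hex(recover_single_byte_key(SAMPLE_PACKET)))
    print("plaintext:", decode_unknown_key(SAMPLE_PACKET).decode())
```

The header check prunes the search to keys whose low nibble yields CM=8 and which pass the mod-31 test, so in practice one or two keys reach the decompression step. If no candidate inflates, the traffic is not a plain single-byte XOR over a complete zlib stream, and a multi-byte key or an outer frame should be assumed instead.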
By combining data theft, remote management, and cryptocurrency hijacking, kkRAT positions itself as both an espionage tool and a financially motivated malware. ThreatLabz highlights the dual purpose: “kkRAT’s commands and plugins enable features such as clipboard hijacking to replace cryptocurrency wallet addresses, installing RMM tools like Sunlogin and GotoHTTP, and relaying network traffic that can be used to bypass firewalls and VPNs.”