Fake xshell-cn.com and quickq-cn.com lookalike sites | Image: eSentire’s Threat Response Unit
Cybersecurity researchers have uncovered a sophisticated, multi-stage malware operation that turned legitimate search engine results into a trap for developers and IT professionals. Tracked as Kong RAT, the campaign used Search Engine Optimization (SEO) poisoning to deliver a powerful Remote Access Trojan (RAT) to Chinese-speaking users searching for popular networking and administrative tools.
A new analysis from eSentire’s Threat Response Unit (TRU) details an operation that successfully masqueraded as the “front door” for essential software, staying active from May 2025 through March 2026.
The campaign relied on the inherent trust users place in top-tier search results. Victims searching for tools like the FinalShell SSH client, Xshell, QuickQ VPN, and the Clash proxy were redirected to “convincing lookalike domains”. These sites hosted trojanized versions of the installers, which looked and felt legitimate but carried a hidden, malicious cargo.
As the report notes, “Initial access is achieved when victims download trojanized software installers from seemingly legitimate websites that rank highly in search results”. Once the fake installer was run, the infection chain began in earnest, leveraging cloud infrastructure for its next moves.
One of the most striking technical aspects of Kong RAT is the choice of its development environment. The dropper, typically a file named Setup.exe, was compiled using .NET 10.0 NativeAOT.
This was not a random choice by the developers. The TRU team identifies this as “a deliberate choice to defeat standard .NET reverse engineering tools (dnSpy, ILSpy) as NativeAOT compiles C# directly to native machine code”. By bypassing the intermediate language (IL) that most .NET decompilers rely on, the attackers significantly increased the difficulty for security analysts to unpack their code.
To track its victims without raising red flags, Kong RAT implemented a clever geographic monitoring system. The malware was observed abusing a legitimate geolocation API belonging to LeTV, a Chinese media conglomerate.
By mimicking a media streaming client—using the user agent LetvClient/1.0—the malware made requests to g3.letv.com to obtain the victim’s public IP address and geographic location. “This gives the operator real-time victim geolocation for every new infection while disguising the collection as legitimate Chinese media streaming traffic,” according to the report.
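The disguise described above has a weak point a defender can check for: the LetvClient/1.0 user agent should only ever come from a LeTV media client, not from an installer such as Setup.exe. The detection below is an added example, not code from the report; the proxy log format, the sample rows and the allow-list of expected LeTV process names are constructed assumptions.

```python
import csv
import io
from typing import Dict, List

# Constructed sample proxy log (not from the report).
# Fields: time, process (image that made the request), host, user_agent.
SAMPLE_PROXY_LOG = """time,process,host,user_agent
2025-06-01T10:00:01,chrome.exe,www.example.com,Mozilla/5.0
2025-06-01T10:00:05,Setup.exe,g3.letv.com,LetvClient/1.0
2025-06-01T10:00:09,LetvClient.exe,g3.letv.com,LetvClient/1.0
2025-06-01T10:01:00,svchost.exe,update.example.net,Windows-Update-Agent
"""

# Hypothetical allow-list of process images that legitimately send the LeTV
# user agent. The real client binary name is an assumption; tune per environment.
EXPECTED_LETV_PROCESSES = {"letvclient.exe"}

LETV_HOST = "g3.letv.com"      # geolocation endpoint named in the report
LETV_UA_PREFIX = "LetvClient/"  # user agent the malware mimics (LetvClient/1.0)


def parse_proxy_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed CSV proxy log into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_suspicious_letv_requests(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return rows where a LeTV geolocation request comes from an unexpected process.

    The malware hides victim geolocation inside what looks like media streaming
    traffic; a request to g3.letv.com carrying the LetvClient user agent from an
    installer or any other non-media process is the mismatch worth alerting on.
    """
    hits = []
    for row in rows:
        if row["host"].lower() != LETV_HOST:
            continue
        if not row["user_agent"].startswith(LETV_UA_PREFIX):
            continue
        if row["process"].lower() not in EXPECTED_LETV_PROCESSES:
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_letv_requests(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"{hit['time']} {hit['process']} -> {hit['host']} ({hit['user_agent']})")
```

Run against the constructed log, only the Setup.exe request is flagged; the same rule applied to real proxy or EDR network telemetry needs the process field that most gateway-only logs lack.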
The threat was named “Kong RAT” due to the consistent appearance of the string “Kong” across various registry keys and file paths created during the infection process. Analysis of the binary’s PDB path further revealed a developer username of “52poj”, potentially hinting at the origins or the community the threat actor frequents.
Throughout the campaign, the actor relied heavily on Alibaba Cloud Object Storage Service (OSS) in the Hong Kong region for hosting payloads and collecting C2 telemetry.