
kkRAT Malware Campaign Targeting Chinese-Speaking Users

Amber | Attack Report

Summary

First observed in May 2025, kkRAT is a newly discovered remote access trojan (RAT) targeting Chinese-speaking users. The campaign uses phishing pages hosted on GitHub Pages, masquerading as popular software installers, to deliver kkRAT, ValleyRAT, or FatalRAT payloads inside ZIP archives.

kkRAT combines anti-analysis checks, privilege escalation, and a Bring-Your-Own-Vulnerable-Driver (BYOVD) step to evade detection and disable security tools. Its modular, plugin-based design provides remote control, network enumeration, system discovery, proxying (including SOCKS5), and a clipboard hijacker that swaps copied cryptocurrency wallet addresses for attacker-controlled ones, which is how the operators monetize infections.


Attack Details

  • Initial Access: Victims are lured to phishing pages hosted on GitHub Pages that impersonate software installers. The downloaded ZIP archives contain executables that start the infection chain.

  • Anti-Analysis & Evasion: The loader runs timing- and hardware-based sandbox checks, hides its Windows API calls behind obfuscation rather than a plain import table, and tampers with Windows processes and registry keys to slip past automated detection.

  • Privilege Escalation & BYOVD: Loads a signed but vulnerable driver (BYOVD) and uses its kernel-mode access to remove the callbacks security products depend on, kill or disrupt AV/EDR processes, and temporarily disable network adapters. Because this happens in the kernel, user-mode self-protection in security tools does not stop it.

  • Persistence: Achieved via scheduled tasks, registry run keys, and startup folder shortcuts, ensuring malware survives reboots and user logons.

  • C2 Communication: On check-in, fingerprints the host (OS, hardware, network configuration, installed security products) and talks to its C2 servers over a channel that is zlib-compressed and XOR-obfuscated. XOR with a fixed key is obfuscation, not encryption: it defeats simple string matching on the wire, but an analyst who captures the stream can recover the key and read the traffic.

  • Capabilities: Remote desktop control, shell command execution, process management, proxying, and clipboard monitoring that silently replaces copied crypto wallet addresses with attacker-controlled ones.


Recommendations

  • Immediate Containment & Network Controls: Block the listed domains, the GitHub account hosting the lure pages, and the C2 IP:port pairs at firewalls and proxies; search proxy, DNS and flow history for earlier contact with them, and hunt EDR telemetry retroactively for the listed SHA256 hashes.

  • Privilege & Driver Hardening: Restrict who can install drivers, enable the Microsoft vulnerable driver blocklist (on by default on Windows 11 22H2 and later, and on earlier builds when memory integrity/HVCI is enabled) or an equivalent WDAC policy that blocks unsigned and known-vulnerable drivers, and enforce least privilege for standard users so the BYOVD stage cannot load its driver.

  • Email Security & Awareness: Configure email gateways to detect and quarantine spear-phishing messages, filter risky file types, and sandbox URLs. This campaign's lure pages sit on GitHub Pages, a domain with good reputation, so reputation-based URL filtering alone will not flag them; detonate downloaded archives, and train users to fetch installers only from the vendor's own site. Conduct phishing simulation exercises.

  • Network Segmentation & Traffic Control: Segment critical assets from user networks and enforce strict outbound firewall rules. Inspect DNS logs and network telemetry for workstation connections to non-standard ports such as the listed C2 ports (8250, 8111, 8081) and for outbound streams that compression and XOR make opaque to content inspection; since kkRAT can turn a host into a SOCKS5 proxy, a workstation relaying traffic to many unrelated destinations is also worth an alert.


Indicators of Compromise (IoCs)

SHA256 Hashes

  • 02cce1811ed8ac074b211717e404fbadffa91b0881627e090da97769f616c434

  • 140426a92c3444d8dc5096c99fa605fd46cb788393c6522c65336d93cb53c633

  • 181b04d6aea27f4e981e22b66a4b1ac778c5a84d48160f7f5d7c75dffd5157f8

  • 35385ab772ebcc9df30507fd3f2a544117fb6f446437c948e84a4fdf707f8029

  • 36e8f765c56b00c21edcd249c96e83eb6029bc9af885176eaca9893ebad5d9bd

  • 3e5efe81a43d46c937ba27027caa2a7dc0072c8964bf8df5c1c19ed5626c1fe1

  • 003998d12e3269286df1933c1d9f8c95ab07c74fa34e31ce563b524e22bb7401

  • 71ca5dd59e90ec83518f9b33b2a8cdb6a0d6ad4c87293b27885fa2a8e8e07f1c

  • 80b7c8193f287b332b0a3b17369eb7495d737b0e0b4e82c78a69fa587a6bcf91

  • a0f70c9350092b31ae77fc0d66efa007ccacbbc4b9355c877c1f64b29012178c

  • f557a90c1873eeb7f269ae802432f72cc18d5272e13f86784fdc3c38cbaca019

URLs

  • hxxps://github.com/sw124456

  • hxxps://youdaoselw.icu

  • hxxps://kmhhla.top/

  • hxxp://key2025.oss-cn-hongkong.aliyuncs.com/2025.bin

  • hxxp://key2025.oss-cn-hongkong.aliyuncs.com/output.log

  • hxxp://key2025.oss-cn-hongkong.aliyuncs.com/trx38.zip

IPv4:Port

  • 154[.]44[.]30[.]27[:]8250

  • 156[.]238[.]238[.]111[:]8111

  • 103[.]199[.]101[.]3[:]8081
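The indicators above are defanged (hxxp, [.], [:]) and mix URLs on shared platforms with dedicated domains and IP:port pairs, so they cannot be dropped into a blocklist as they stand. The Python below is an added example, not tooling from the report: it refangs the list, sorts it into URL prefixes, hostnames and sockets (treating github.com as shared infrastructure, so only the listed path is matched there, is this example's assumption), and runs the result over constructed proxy and flow log lines in a made-up key=value format.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators as they appear in the advisory's IoC list.
DEFANGED_IOCS = [
    "hxxps://github.com/sw124456",
    "hxxps://youdaoselw.icu",
    "hxxps://kmhhla.top/",
    "hxxp://key2025.oss-cn-hongkong.aliyuncs.com/2025.bin",
    "hxxp://key2025.oss-cn-hongkong.aliyuncs.com/output.log",
    "hxxp://key2025.oss-cn-hongkong.aliyuncs.com/trx38.zip",
    "154[.]44[.]30[.]27[:]8250",
    "156[.]238[.]238[.]111[:]8111",
    "103[.]199[.]101[.]3[:]8081",
]
# Hosts that also carry legitimate traffic: match the listed path, never the
# whole host. Treating github.com this way is this example's assumption.
SHARED_HOSTS = {"github.com"}
KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(ioc: str) -> str:
    """Undo the usual defanging (hxxp, [.], (dot), [:])."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", ioc.strip(), flags=re.IGNORECASE)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("(dot)", "."), ("[:]", ":")):
        s = s.replace(defanged, real)
    return s


def build_blocklist(iocs) -> dict:
    """Sort refanged IoCs into URL prefixes, hostnames and ip:port sockets."""
    urls, hosts, sockets = set(), set(), set()
    for raw in iocs:
        value = refang(raw)
        if "://" in value:
            parts = urlsplit(value)
            host = (parts.hostname or "").lower()
            if parts.path in ("", "/"):
                hosts.add(host)              # bare domain: block at DNS/SNI
            else:
                urls.add(value)              # specific path: block the URL
                if host not in SHARED_HOSTS:
                    hosts.add(host)          # dedicated host: block outright
        elif re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}", value):
            sockets.add(value)
        else:
            hosts.add(value.lower())
    return {"urls": urls, "hosts": hosts, "sockets": sockets}


def parse_kv(line: str) -> dict:
    """Minimal key=value parser for the constructed records below."""
    return dict(KV_RE.findall(line))


def match_proxy_log(lines, blocklist) -> list:
    """(line, indicator) for records hitting a listed URL, a path beneath
    one, or a listed host."""
    hits = []
    for line in lines:
        url = parse_kv(line).get("url")
        if not url:
            continue
        host = (urlsplit(url).hostname or "").lower()
        ioc = next((u for u in blocklist["urls"]
                    if url == u or url.startswith(u + "/")), None)
        if ioc is None and host in blocklist["hosts"]:
            ioc = host
        if ioc is not None:
            hits.append((line, ioc))
    return hits


def match_flow_log(lines, blocklist) -> tuple:
    """Exact ip:port hits are high confidence; the same IP on another port
    is returned separately as a weaker lead rather than silently dropped."""
    exact, ip_only = [], []
    c2_ips = {s.split(":")[0] for s in blocklist["sockets"]}
    for line in lines:
        kv = parse_kv(line)
        dst, dport = kv.get("dst"), kv.get("dport")
        if not dst or not dport:
            continue
        if f"{dst}:{dport}" in blocklist["sockets"]:
            exact.append((line, f"{dst}:{dport}"))
        elif dst in c2_ips:
            ip_only.append((line, dst))
    return exact, ip_only


# Constructed proxy and flow records; timestamps and 10.0.5.x clients are made up.
SAMPLE_PROXY_LOG = [
    "2025-09-10T08:12:01Z src=10.0.5.17 url=https://github.com/sw124456/trx38 status=200",
    "2025-09-10T08:12:09Z src=10.0.5.17 url=https://github.com/python/cpython status=200",
    "2025-09-10T08:13:44Z src=10.0.5.17 url=http://key2025.oss-cn-hongkong.aliyuncs.com/trx38.zip status=200",
    "2025-09-10T08:15:02Z src=10.0.5.17 url=https://youdaoselw.icu/update status=200",
]
SAMPLE_FLOW_LOG = [
    "2025-09-10T08:15:30Z src=10.0.5.17 dst=154.44.30.27 dport=8250 proto=tcp",
    "2025-09-10T08:15:31Z src=10.0.5.17 dst=154.44.30.27 dport=443 proto=tcp",
    "2025-09-10T08:16:00Z src=10.0.5.18 dst=103.199.101.3 dport=8081 proto=tcp",
]

if __name__ == "__main__":
    bl = build_blocklist(DEFANGED_IOCS)
    print(match_proxy_log(SAMPLE_PROXY_LOG, bl))
    print(match_flow_log(SAMPLE_FLOW_LOG, bl))
```

Note what the split buys: the second proxy line (a normal GitHub repository) produces no hit because github.com never enters the host list, while the Alibaba OSS bucket hostname is attacker-controlled and is blocked whole. The same IP seen on port 443 is reported as a weak lead, since the report lists the C2 endpoints as specific IP:port pairs.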


MITRE ATT&CK TTPs

  • Initial Access: T1566 (Phishing)

  • Execution: T1204 (User Execution), T1204.002 (Malicious File)

  • Persistence / Privilege Escalation: T1037.001 (Logon Script (Windows)), T1053.005 (Scheduled Task), T1547.001 (Registry Run Keys / Startup Folder)

  • Defense Evasion: T1140 (Deobfuscate/Decode Files or Information), T1497 (Virtualization/Sandbox Evasion), T1562 (Impair Defenses), T1562.001 (Disable or Modify Tools)

  • Discovery: T1010 (Application Window Discovery), T1057 (Process Discovery), T1082 (System Information Discovery), T1083 (File and Directory Discovery)

  • Collection: T1056.001 (Keylogging), T1113 (Screen Capture), T1115 (Clipboard Data)

  • Command & Control: T1219 (Remote Access Software), T1090 (Proxy), T1573 (Encrypted Channel)

  • Exfiltration: T1041 (Exfiltration Over C2 Channel)

  • Impact: T1529 (System Shutdown/Reboot)

