KimJongRAT Continues to Evolve Using LOTS (Living Off Trusted Sites)

2026-06-25 IIJSECT KimJongRAT Continues to Evolve Using LOTS

https://sect.iij.ad.jp/blog/2026/06/continuous-evolution-of-kimjongrat-2026/


IIJ-SECT observed a May 2026 campaign, attributed to Kimsuky, that delivered KimJongRAT by redirecting targets from shortened links in email to ZIP files hosted on GitHub Releases; the archives contained LNK payloads. The infection chain used mshta, obfuscated VBScript and encrypted payloads hosted on Google Drive, and branched into separate execution paths depending on whether Windows Defender was running. Newer KimJongRAT samples no longer hardcode C2 addresses: they download an encrypted C2 configuration from Google Drive at runtime, and they add an experimental capability to install MeshAgent so that access survives if the malware itself is quarantined. GitHub removed one abused repository on May 27, but the actor created another repository days later, suggesting that this LOTS (living off trusted sites) delivery pattern will continue.
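The chain summarised above (LNK from a GitHub Releases ZIP, mshta with inline VBScript, a follow-on script host fetching an encrypted stage from Google Drive) is visible in process-creation telemetry as lineage and command-line patterns rather than as file hashes, which is useful because the actor rotates repositories. The following is an added example written for this page, not code from IIJ-SECT's post or from the aggregator: a small triage heuristic run over constructed Sysmon-style events. The field mapping (Image, ParentImage, CommandLine, plus a hostname correlated from a network event), the hostnames assumed for the trusted sites, and the severity thresholds are all assumptions; the Defender-dependent branching described in the post is not modelled, so the second stage may not look exactly like the constructed event here.

```python
import re
from dataclasses import dataclass

# Script hosts named in the summary (mshta, VBScript via wscript/cscript) plus the
# usual follow-on hosts. Lower-case basenames, compared against the event's Image.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}

# Trusted hosting services the summary names (GitHub Releases, Google Drive).
# Assumption: these are the hostnames they produce in proxy/DNS/Sysmon EID 22 logs.
LOTS_HOSTS = ("github.com", "githubusercontent.com", "drive.google.com", "docs.google.com")

# An mshta/wscript command line carrying a script protocol handler or a URL instead
# of a local file is the pattern the first stage of the chain relies on.
INLINE_OR_REMOTE = re.compile(r"\b(vbscript|javascript):|https?://", re.I)


@dataclass
class ProcEvent:
    image: str            # Sysmon EID 1 "Image" (full path of the new process)
    parent_image: str     # Sysmon EID 1 "ParentImage"
    command_line: str     # Sysmon EID 1 "CommandLine"
    dest_host: str = ""   # hostname from a correlated EID 3/22 event, if any (assumed join)


def basename(path: str) -> str:
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(ev: ProcEvent) -> dict:
    """Return the heuristics one event matches and an overall severity.

    Severity is a simple count: two or more matched heuristics is 'high',
    one is 'medium', none is 'none'. Thresholds are an assumption to tune.
    """
    img, parent = basename(ev.image), basename(ev.parent_image)
    reasons = []
    # Stage 1: explorer.exe launching mshta.exe is what a double-clicked LNK looks like.
    if img == "mshta.exe" and parent == "explorer.exe":
        reasons.append("mshta.exe started by explorer.exe (LNK double-click pattern)")
    # Inline vbscript:/javascript: or a URL on the command line instead of a local file.
    if img in SCRIPT_HOSTS and INLINE_OR_REMOTE.search(ev.command_line):
        reasons.append(f"{img} given inline script or URL instead of a local file")
    # A script host reaching (or naming) one of the abused trusted hosting sites.
    if img in SCRIPT_HOSTS:
        text = (ev.command_line + " " + ev.dest_host).lower()
        hits = [h for h in LOTS_HOSTS if h in text]
        if hits:
            reasons.append(f"{img} references trusted hosting site(s): {', '.join(hits)}")
    # Script host spawning script host: multi-stage execution rather than a one-off HTA.
    if img in SCRIPT_HOSTS and parent in SCRIPT_HOSTS:
        reasons.append(f"{img} chained from {parent} (multi-stage script execution)")
    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "none"
    return {"severity": severity, "reasons": reasons}


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    # Stage 1 as described: LNK from the Releases ZIP runs mshta with inline VBScript.
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              'mshta.exe vbscript:Execute("<obfuscated stage>")'),
    # Stage 2: script host spawned by mshta, fetching the encrypted stage from Google Drive.
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\mshta.exe",
              r"wscript.exe //B C:\Users\Public\stage2.vbs", dest_host="drive.google.com"),
    # Benign: a vendor installer launching a local HTA wizard.
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Temp\setup.exe",
              r'mshta.exe "C:\Program Files\Vendor\wizard.hta"'),
    # Benign: a non-script-host process talking to GitHub.
    ProcEvent(r"C:\Program Files\Git\cmd\git.exe", r"C:\Windows\System32\cmd.exe",
              "git.exe fetch origin", dest_host="github.com"),
    # Grey: PowerShell pulling a script from an internal (assumed) host; one heuristic only.
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe",
              "powershell.exe -c iwr https://internal.example/update.ps1"),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        result = triage(ev)
        print(f"{result['severity']:6}  {basename(ev.image)}  <- {basename(ev.parent_image)}")
        for r in result["reasons"]:
            print(f"        - {r}")
```

Because the heuristics key on lineage and on the trusted sites rather than on the IOCs below, they keep firing after the actor rotates repositories or Drive files; the price is the grey PowerShell case, which needs allow-listing of legitimate internal script sources before it is alertable.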

Indicators of Compromise

Type    Value                                First Seen   Last Seen
DOMAIN  pxqtkc.corpsecs.com                  2026-06-25   2026-06-25
URL     https://pxqtkc.corpsecs.com          2026-06-25   2026-06-25
HASH    221a39856b37e3c682f62427f1e6b96…     2026-06-25   2026-06-25
HASH    107b5aa3c4ef30b9b832e0a10b1efb1…     2026-06-25   2026-06-25
HASH    9758e76b601798a30d903bf05052a53…     2026-06-25   2026-06-25
HASH    e4ccb2328c06710a7f0254cb6315e1b…     2026-06-25   2026-06-25
IPv4    104.200.67.46                        2026-06-25   2026-06-25
IPv4    89.116.192.38                        2026-06-25   2026-06-25
DOMAIN  lutkdd.corpsecs.com                  2026-06-25   2026-06-25
DOMAIN  googleoba.servequake.com             2026-05-26   2026-06-25
URL     https://lutkdd.corpsecs.com          2026-05-26   2026-06-25
