Good Game, Gone Bad: Xeno RAT Spread Via .gg Domains and GitHub
Published on
Jun 25, 2024
Introduction
Xeno RAT, open-source malware available on GitHub, has been linked to a North Korean hacking group and to unnamed threat actors preying on the gaming community. Recently, Hunt’s Research Team discovered the remote access tool (RAT) spreading through .gg domains (“gg” being shorthand for “good game” in esports) and through a GitHub repository that presents its software as scripting-engine tools for the popular game Roblox.
In this post, we’ll explore the specific .gg domains hosting Xeno RAT, the GitHub account and a possibly linked YouTube account, and provide insight into how this emerging threat targets gamers and developers.
Xeno RAT in the Wild
Most recently, AhnLab’s ASEC reported on a likely North Korea-linked group using Dropbox to deliver Xeno RAT to victim networks. In late April, a third-party researcher on X posted on an open directory likely administered by the Kimsuky …
IoC