KimJongRAT Continues to Evolve by Leveraging LOTS
In May 2026, security researchers observed an attack campaign distributing KimJongRAT through GitHub and other legitimate services. KimJongRAT, used by the North Korean APT group Kimsuky since 2013, combines information stealing and remote access capabilities. The infection chain begins with phishing emails containing shortened URLs redirecting to GitHub Releases hosting malicious ZIP files. Victims execute LNK files that download HTA files from GitHub, which then retrieve subsequent payloads from Google Drive. Recent variants demonstrate significant evolution: they now dynamically fetch C2 addresses from external sources rather than hardcoding them, enabling operators to maintain persistent access despite infrastructure takedowns. Additionally, new versions include MeshAgent RMM installation for redundant access. The campaign exemplifies Living Off Trusted Sites (LOTS) techniques, abusing legitimate platforms like GitHub, Google Drive, and Dropbox to evade detection.
AI Analysis
Technical Summary
KimJongRAT, malware attributed to the North Korean APT group Kimsuky, continues to evolve as of May 2026. It combines information-stealing and remote-access capabilities. The infection vector starts with phishing emails containing shortened URLs that redirect to GitHub Releases hosting malicious ZIP files. Executing the LNK files downloads HTA files from GitHub, which in turn fetch additional payloads from Google Drive. Recent variants no longer hardcode C2 addresses but retrieve them dynamically from external sources, so operators can keep their access even after infrastructure is taken down. The malware now also installs the MeshAgent RMM software to provide redundant remote access. The campaign exemplifies LOTS techniques, relying on trusted platforms such as GitHub, Google Drive, and Dropbox to bypass traditional detection. Indicators include multiple IPs, domains, URLs, and file hashes associated with the campaign. No CVE or patch applies, because this is malware distribution rather than a software vulnerability.
Potential Impact
The malware enables attackers to steal information and maintain remote access to compromised systems. The dynamic retrieval of C2 addresses and installation of MeshAgent RMM increase the persistence and resilience of the threat actor's access. The use of legitimate platforms for hosting payloads complicates detection and mitigation efforts. The campaign targets victims via phishing and abuses trusted sites, increasing the likelihood of successful infection. The impact includes potential data exfiltration, system compromise, and long-term unauthorized access.
Mitigation Recommendations
No official patch or fix applies, since this is malware rather than a software vulnerability. Defenders should focus on user awareness to reduce successful phishing, block the known indicators (IP addresses, domains, URLs, and file hashes) associated with this campaign, and monitor for execution of LNK and HTA files that originate from untrusted sources. Network controls should restrict access to the suspicious domains and URLs listed in the indicators. Endpoint detection and response (EDR) tooling should be tuned to detect behaviors associated with KimJongRAT and with MeshAgent installation. Because the malware uses LOTS techniques on trusted platforms, downloads from GitHub Releases, Google Drive, and similar services warrant enhanced scrutiny. With no vendor advisory or patch available, remediation relies on detection and prevention controls.
Affected Countries
Japan
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://sect.iij.ad.jp/blog/2026/06/continuous-evolution-of-kimjongrat-2026/
- Adversary: Kimsuky
- Pulse Id: 6a3cb7a3c8dfa3feec75cb80
- Threat Score: null
Threat ID: 6a3d50bf4853345fc128f443
Added to database: 06/25/2026, 16:01:03 UTC
Last enriched: 06/25/2026, 16:15:57 UTC
Last updated: 06/25/2026, 23:22:13 UTC