
New Kimsuky Malware "EndClient RAT": Technical Report and IOCs

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

A novel Remote Access Trojan (RAT) called 'EndClient RAT' has been discovered targeting North Korean Human Rights Defenders. The malware, attributed to the Kimsuky group, is delivered via a signed Microsoft Installer package disguised as 'StressClear.msi'. It uses AutoIT scripts for execution and establishes persistence through scheduled tasks and startup folder entries. The RAT communicates with a command and control server using a custom protocol with JSON markers. It has capabilities for remote shell access, file upload/download, and system information gathering. The malware employs in-memory modules for binary search, Base64 encoding/decoding, and LZMA decompression. Detection rates for this malware are currently low, making public disclosure crucial for protecting affected communities.

OPENCTI LABELS :

c2 protocol,autoit,persistence,north korea,remote access trojan,human rights defenders,endclient rat,code signing


AI COMMENTARY :

1. The recent report titled "New Kimsuky Malware 'EndClient RAT': Technical Report and IOCs" unveils a novel Remote Access Trojan (RAT) deployed by the Kimsuky threat group and specifically crafted to target North Korean Human Rights Defenders. This in-depth Threat Intel briefing highlights how the malware leverages code signing to masquerade as a legitimate application and evades detection while gathering critical intelligence on affected communities.

2. Attribution to the notorious North Korea–aligned Kimsuky group is grounded in the use of AutoIT scripts and the sequence of techniques observed across the infection chain. Researchers identified a signed Microsoft Installer package named "StressClear.msi" as the primary delivery vehicle. This installer contains embedded AutoIT code that unpacks and executes the RAT payload once the user launches the file.

3. The infection chain begins with social engineering tailored to human rights defenders, convincing targets to install the seemingly innocuous StressClear tool. Upon execution, the embedded AutoIT script drops the EndClient RAT executable into a hidden directory. The script then creates a scheduled task entry and adds a shortcut in the startup folder to guarantee persistence across reboots and user sessions.

4. EndClient RAT communicates with its command and control (C2) server through a custom protocol based on JSON markers. Instead of relying on standard HTTP or DNS channels, the malware opens a TCP connection to a hard-coded C2 host and exchanges messages framed by unique JSON delimiters. This stealthy C2 protocol allows the attacker to issue commands and receive data without triggering conventional network defense alerts.

5. The RAT’s capabilities span remote shell access, file upload and download functions, and comprehensive system information gathering. To optimize performance and avoid dropping additional files to disk, the malware dynamically loads in-memory modules for binary search operations, Base64 encoding and decoding, and LZMA decompression. These techniques minimize forensic artifacts and complicate automated analysis.

6. Detection rates for EndClient RAT remain low across popular antivirus engines, underscoring the importance of timely public disclosure. Security teams should monitor scheduled tasks, startup folder entries, and unusual AutoIT script executions. Network defenders can also inspect outbound connections for custom JSON framing patterns indicative of this C2 protocol.
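The monitoring advice above (scheduled tasks, startup folder entries, AutoIT script executions) can be expressed as a small triage pass over endpoint telemetry. The script below is an added example written for this page; it is not detection logic from the report or from NetmanageIT. The event records, user name, task name, file paths and the "trusted interpreter path" heuristic are all constructed assumptions (the report publishes no such samples), and the records are modelled loosely on Sysmon process-create (event 1) and file-create (event 11) fields.

```python
"""Triage constructed Sysmon-style events for the persistence behaviours
described in the EndClient RAT summary: AutoIT interpreters running from
untrusted paths, scheduled-task creation, and Startup-folder shortcuts.
Added example; all sample data below is constructed, not from the report."""
import json
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry: one JSON record per line (raw string so the
# Windows backslashes survive into the JSON decoder unchanged).
SAMPLE_EVENTS = r"""
{"event_id": 1, "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "msiexec.exe /i StressClear.msi", "parent_image": "C:\\Windows\\explorer.exe"}
{"event_id": 1, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\AutoIt3.exe", "cmdline": "AutoIt3.exe C:\\Users\\alice\\AppData\\Local\\Temp\\run.au3", "parent_image": "C:\\Windows\\System32\\msiexec.exe"}
{"event_id": 1, "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks.exe /create /sc onlogon /tn UpdateCheck /tr C:\\Users\\alice\\AppData\\Roaming\\svc\\client.exe", "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\AutoIt3.exe"}
{"event_id": 11, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\AutoIt3.exe", "target_filename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\client.lnk"}
{"event_id": 1, "image": "C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe", "cmdline": "AutoIt3.exe C:\\Scripts\\inventory.au3", "parent_image": "C:\\Windows\\explorer.exe"}
{"event_id": 11, "image": "C:\\Windows\\explorer.exe", "target_filename": "C:\\Users\\alice\\Documents\\notes.txt"}
"""

# Heuristics (assumptions, not indicators from the report):
# - an AutoIT interpreter or .au3 script referenced in the image or command line
# - the per-user Startup folder, where a dropped .lnk survives reboots
# - interpreters under Program Files are treated as "expected" installs
AUTOIT_HINTS = re.compile(r"autoit3?\.exe|\.au3\b", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def parse_events(text):
    """Decode one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events):
    """Return a list of findings; each carries the rule name and the evidence."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        image = ev.get("image", "")
        cmdline = ev.get("cmdline", "")
        parent = ev.get("parent_image", "")
        if eid == 1:
            # Scheduled-task creation; escalate when the parent is an AutoIT
            # interpreter, matching the chain the report describes.
            if PureWindowsPath(image).name.lower() == "schtasks.exe" and "/create" in cmdline.lower():
                findings.append({
                    "rule": "scheduled_task_created",
                    "severity": "high" if AUTOIT_HINTS.search(parent) else "medium",
                    "parent_image": parent,
                    "cmdline": cmdline,
                })
            # AutoIT interpreter launched from outside Program Files.
            if (AUTOIT_HINTS.search(image) or AUTOIT_HINTS.search(cmdline)) \
                    and not image.lower().startswith(TRUSTED_PREFIXES):
                findings.append({
                    "rule": "autoit_from_untrusted_path",
                    "severity": "medium",
                    "image": image,
                    "cmdline": cmdline,
                })
        elif eid == 11:
            target = ev.get("target_filename", "")
            # Shortcut written into the Startup folder; escalate if written by AutoIT.
            if STARTUP_DIR.search(target) and target.lower().endswith(".lnk"):
                findings.append({
                    "rule": "startup_folder_shortcut",
                    "severity": "high" if AUTOIT_HINTS.search(image) else "medium",
                    "image": image,
                    "target": target,
                })
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(f))
```

The legitimate interpreter under Program Files (fifth record) and the ordinary document write (sixth) produce no findings, while the three records that mirror the described chain (interpreter in a Temp directory, a scheduled task created by that interpreter, and a Startup-folder shortcut it drops) each do. In production the JSON string would be replaced by a Sysmon or EDR export, and the path allow-list tuned to the environment.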

7. Publicly sharing the Indicators of Compromise (IOCs) and detailed behavioral analysis is critical for safeguarding human rights defenders from this emerging threat. By raising awareness and integrating detection logic into security controls, organizations can mitigate the risk posed by the EndClient RAT and protect vulnerable communities from targeted surveillance and data exfiltration.



