kkRAT Employs Network Communication Protocol to Steal Clipboard Contents

In early May 2025, cybersecurity researchers began tracking a novel Remote Access Trojan (RAT) targeting Chinese-speaking users via phishing sites hosted on GitHub Pages.

Masked as legitimate installers for popular applications, the initial ZIP archives contained malicious executables engineered to bypass sandbox and virtual machine defenses.

Once executed, the first-stage shellcode performs time stability analysis using QueryPerformanceCounter and examines hardware configurations—disk space and CPU cores—to identify analysis environments and terminate if suspicions arise.

Attack chain (Source – Zscaler)

This meticulous evasion strategy ensures that kkRAT rarely triggers alerts during automated detonation.

Over the next stages, kkRAT deploys advanced anti-analysis techniques, dynamically resolving Windows API functions through single-byte XOR obfuscation and decrypting subsequent shellcodes with simple XOR transforms.

In the second stage, the malware unloads and disables network adapters to sever AV/EDR communications, enumerates processes associated with Chinese security vendors, and employs a vulnerable driver (RTCore64.sys) to remove registered callbacks from kernel-mode defenses.

Zscaler analysts noted that kkRAT even alters registry values for 360 Total Security to disable network checks and schedules tasks under SYSTEM privileges to repeatedly kill protection processes upon user logon.

By the third stage, kkRAT retrieves a heavily obfuscated shellcode named 2025.bin from hardcoded URLs, decodes Base64-encoded instructions in output.log, and selects download URLs based on the victim process’s filename.

The extracted archives contain legitimate executables sideloaded with malicious DLLs that decrypt the final payload—kkRAT itself—using a six-byte XOR key at offset 0xD3000.

Zscaler researchers identified this seamless use of sideloading to deploy multiple RAT variants, including ValleyRAT and FatalRAT, but the newly discovered kkRAT blended features from both Ghost RAT and Big Bad Wolf.

In its operation, kkRAT establishes a TCP connection to its command-and-control server, compresses data via zlib, and applies an additional XOR-based encryption layer.

Phishing page impersonating Ding Talk (Source – Zscaler)

A sample Python snippet used to decrypt captured traffic demonstrates this two-phase process:

    import zlib

    def decrypt_packet(data, key):
        # Undo the outer layer: each byte was XOR-ed with a single-byte key
        compressed = bytes(b ^ key for b in data)
        # Undo the inner layer: the XOR-ed payload is a zlib stream
        return zlib.decompress(compressed)
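To round out the snippet above, here is an added example (not from Zscaler's report or from the malware) that builds a constructed packet in the same compress-then-XOR form and recovers the single-byte key from it by checking for a valid zlib header; the sample key and beacon body are assumptions.

```python
import zlib

# Constructed sample standing in for a captured C2 packet: a fake beacon
# body, zlib-compressed and then XOR-ed with an assumed single-byte key.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b'{"os":"Windows 10","cpu_mhz":3200,"group":"demo"}'


def encode_packet(plaintext: bytes, key: int) -> bytes:
    """Compress first, then XOR every byte with the key (the layering the
    article describes), producing traffic in the same shape as the RAT's."""
    return bytes(b ^ key for b in zlib.compress(plaintext))


def looks_like_zlib(data: bytes) -> bool:
    """RFC 1950 header check: compression method nibble must be 8 (deflate)
    and the 16-bit CMF|FLG pair must be a multiple of 31 (FCHECK rule)."""
    if len(data) < 2 or (data[0] & 0x0F) != 8:
        return False
    return ((data[0] << 8) | data[1]) % 31 == 0


def recover_key(data: bytes):
    """Brute-force the single-byte XOR key of a captured packet: a correct
    key exposes a valid zlib header, and a successful decompress confirms it.
    Returns (key, plaintext) or None when no key yields a zlib stream."""
    for key in range(256):
        candidate = bytes(b ^ key for b in data)
        if not looks_like_zlib(candidate):
            continue
        try:
            return key, zlib.decompress(candidate)
        except zlib.error:
            continue  # header looked plausible but the body did not inflate
    return None


if __name__ == "__main__":
    packet = encode_packet(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print(recover_key(packet))
```

Because the key is derived from the observed bytes rather than hardcoded, the same routine can be run over any captured session of this family where the single-byte XOR layer applies.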

Infection Mechanism

Upon execution of the sideloaded DLL, kkRAT reads its encrypted configuration—C2 IP, port, version, and group identifier—and constructs a REGISTRATIONINFO struct containing detailed device fingerprints such as OS version, CPU frequency, memory size, installed antivirus signatures, and the presence of messaging applications.

This thorough profile allows attackers to prioritize high-value targets. Uniquely, kkRAT inspects the clipboard for cryptocurrency wallet addresses (Bitcoin, Ethereum, Tether) and replaces them with attacker-controlled addresses via the 0x4D command, a tactic designed to hijack transactions silently.

Once persistence is established through startup folder shortcuts or registry run keys, kkRAT remains resident, awaiting further instructions to load plugins—ranging from remote desktop management to process termination—and relay network traffic through Go-based SOCKS5 proxies.

Through its layered encryption, sophisticated anti-analysis checks, and financial theft capabilities, kkRAT represents a significant evolution in commodity RAT toolkits, underscoring the persistent threat of supply-chain style malware delivery.


Source: cybersecuritynews.com
