Date: 09/11/2025
Severity: Medium
Summary
A malware campaign active since May 2025 has been targeting Chinese-speaking users, delivering multiple remote access trojans, including ValleyRAT, FatalRAT, and a newly identified variant dubbed kkRAT. kkRAT shares code similarities with Ghost RAT and Big Bad Wolf (大灰狼), both commonly used by China-based threat actors. The referenced Zscaler analysis walks through the attack chain and gives a detailed breakdown of kkRAT's core features, its network communication protocol, supported commands, and plugin architecture, highlighting its capabilities and potential threat impact.
Indicators of Compromise (IOC) List
Type | Indicators
URL/Domain | https://github.com/sw124456, https://youdaoselw.icu, https://kmhhla.top/, http://key2025.oss-cn-hongkong.aliyuncs.com/2025.bin, http://key2025.oss-cn-hongkong.aliyuncs.com/output.log, http://key2025.oss-cn-hongkong.aliyuncs.com/trx38.zip
IP Address | 154.44.30.27, 156.238.238.111, 103.199.101.3
Hash (SHA-256) | 02cce1811ed8ac074b211717e404fbadffa91b0881627e090da97769f616c434, 80b7c8193f287b332b0a3b17369eb7495d737b0e0b4e82c78a69fa587a6bcf91, 71ca5dd59e90ec83518f9b33b2a8cdb6a0d6ad4c87293b27885fa2a8e8e07f1c, a0f70c9350092b31ae77fc0d66efa007ccacbbc4b9355c877c1f64b29012178c, 35385ab772ebcc9df30507fd3f2a544117fb6f446437c948e84a4fdf707f8029, 140426a92c3444d8dc5096c99fa605fd46cb788393c6522c65336d93cb53c633, 181b04d6aea27f4e981e22b66a4b1ac778c5a84d48160f7f5d7c75dffd5157f8, 36e8f765c56b00c21edcd249c96e83eb6029bc9af885176eaca9893ebad5d9bd, 3e5efe81a43d46c937ba27027caa2a7dc0072c8964bf8df5c1c19ed5626c1fe1, 003998d12e3269286df1933c1d9f8c95ab07c74fa34e31ce563b524e22bb7401, f557a90c1873eeb7f269ae802432f72cc18d5272e13f86784fdc3c38cbaca019
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | domainname like "http://key2025.oss-cn-hongkong.aliyuncs.com/2025.bin" or siteurl like "http://key2025.oss-cn-hongkong.aliyuncs.com/2025.bin" or url like "http://key2025.oss-cn-hongkong.aliyuncs.com/2025.bin" or domainname like "https://youdaoselw.icu" or siteurl like "https://youdaoselw.icu" or url like "https://youdaoselw.icu" or domainname like "https://github.com/sw124456" or siteurl like "https://github.com/sw124456" or url like "https://github.com/sw124456" or domainname like "https://kmhhla.top/" or siteurl like "https://kmhhla.top/" or url like "https://kmhhla.top/" or domainname like "http://key2025.oss-cn-hongkong.aliyuncs.com/output.log" or siteurl like "http://key2025.oss-cn-hongkong.aliyuncs.com/output.log" or url like "http://key2025.oss-cn-hongkong.aliyuncs.com/output.log" or domainname like "http://key2025.oss-cn-hongkong.aliyuncs.com/trx38.zip" or siteurl like "http://key2025.oss-cn-hongkong.aliyuncs.com/trx38.zip" or url like "http://key2025.oss-cn-hongkong.aliyuncs.com/trx38.zip" |
Detection Query 2 : | dstipaddress IN ("154.44.30.27","156.238.238.111","103.199.101.3") or srcipaddress IN ("154.44.30.27","156.238.238.111","103.199.101.3") |
Detection Query 3 : | sha256hash IN ("80b7c8193f287b332b0a3b17369eb7495d737b0e0b4e82c78a69fa587a6bcf91","71ca5dd59e90ec83518f9b33b2a8cdb6a0d6ad4c87293b27885fa2a8e8e07f1c","a0f70c9350092b31ae77fc0d66efa007ccacbbc4b9355c877c1f64b29012178c","35385ab772ebcc9df30507fd3f2a544117fb6f446437c948e84a4fdf707f8029","02cce1811ed8ac074b211717e404fbadffa91b0881627e090da97769f616c434","140426a92c3444d8dc5096c99fa605fd46cb788393c6522c65336d93cb53c633","181b04d6aea27f4e981e22b66a4b1ac778c5a84d48160f7f5d7c75dffd5157f8","36e8f765c56b00c21edcd249c96e83eb6029bc9af885176eaca9893ebad5d9bd","3e5efe81a43d46c937ba27027caa2a7dc0072c8964bf8df5c1c19ed5626c1fe1","003998d12e3269286df1933c1d9f8c95ab07c74fa34e31ce563b524e22bb7401","f557a90c1873eeb7f269ae802432f72cc18d5272e13f86784fdc3c38cbaca019") |
Reference:
https://www.zscaler.com/blogs/security-research/technical-analysis-kkrat