{
  "name": "New Kimsuky Malware \"EndClient RAT\": Technical Report and IOCs",
  "slug": "new-kimsuky-malware-endclient-rat-technical-report-and-iocs",
  "description": "A novel Remote Access Trojan (RAT) called 'EndClient RAT' has been discovered targeting North Korean human rights defenders. The malware, attributed to the Kimsuky group, is delivered via a code-signed Microsoft Installer (MSI) package disguised as 'StressClear.msi'. It uses AutoIt scripts for execution and establishes persistence through scheduled tasks and startup folder entries. The RAT communicates with its command-and-control (C2) server using a custom protocol with JSON markers. It supports remote shell access, file upload/download, and system information gathering. The malware employs in-memory modules for binary search, Base64 encoding/decoding, and LZMA decompression. Detection rates for this malware are currently low, making public disclosure crucial for protecting affected communities.",
  "published": "2025-11-07T08:08:22+00:00",
  "created_at": "2025-11-07T08:08:22+00:00",
  "modified_at": "2025-11-07T09:10:47+00:00",
  "created_at_opencti": "2025-11-07T08:08:22+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-11-07",
    "autoit",
    "c2 protocol",
    "code-signing",
    "endclient rat",
    "human rights defenders",
    "north korea",
    "persistence",
    "remote access trojan"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "dfad5a2324e4bde8ba232d914fcea4c7c765992951eb933264fe1a2aaa8da164"
      },
      {
        "id": "",
        "name": "bcdd8a213cf6986bad4bb487fe1bf798e159d32fd3a88b4e8d2945403d1c428d"
      },
      {
        "id": "",
        "name": "7107c110e4694f50a39a91f8497b9f0e88dbe6a3face0d2123a89bcebf241a1d"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:7d7731d71718f37d",
        "name": "EndClient RAT",
        "slug": "endclient-rat"
      }
    ],
    "intrusion_sets": [
      {
        "id": "294d962a-b24e-446b-8e2d-3706cb1316b3",
        "name": "Kimsuky",
        "slug": "kimsuky"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "NGO"
      }
    ]
  },
  "external_refs": []
}