kkRAT Uses Network Protocols to Exfiltrate Clipboard Data

Zscaler ThreatLabz researchers have uncovered a sophisticated malware campaign targeting Chinese-speaking users since early May 2025 that delivers multiple Remote Access Trojans (RATs), including a newly discovered family dubbed kkRAT.

Leveraging phishing sites hosted on GitHub Pages, attackers impersonate legitimate software installers to drop malicious ZIP archives.

These archives contain a benign executable alongside a malicious DLL that sideloads the final payload, either ValleyRAT, FatalRAT, or kkRAT, depending on the attack instance.

Sophisticated Multi-Stage Attack Chain

The campaign’s attack chain begins with phishing pages mimicking popular applications such as DingTalk. Victims download a ZIP file containing a staged executable, which first performs rigorous sandbox and virtualization checks.

Using QueryPerformanceCounter, the malware measures timing stability against a tight threshold and inspects disk space (≥50 GB) and CPU core counts (≥2 cores) to detect virtual machines. If anomalies are detected, it corrupts entries in its own Process Environment Block (PEB) to hinder analysis before terminating execution.

Figure: Attack chain for a malware campaign delivering several RATs.

Upon passing initial checks, the first-stage loader dynamically resolves Windows API functions via single-byte XOR deobfuscation, decrypts next-stage shellcode with another XOR routine, allocates memory, and executes shellcode directly in memory using pe_to_shellcode transformation logic.

The second stage elevates privileges, disables network adapters to sever communication with AV/EDR vendors, and scans for processes belonging to Chinese security vendors (e.g., 360 Total Security, QQ电脑管家 (QQ PC Manager)).

If detected, it exploits the RTCore64.sys driver vulnerability (CVE-2019-16098) and borrows code from RealBlindingEDR to remove registered system callbacks ObRegister, MiniFilter, and CmRegister, crippling kernel-level defenses.

It then deletes targeted AV/EDR files, creates a SYSTEM-level scheduled task for persistence, and modifies registry entries to inhibit 360 Total Security’s network checks.

After re-enabling network adapters, the second-stage shellcode fetches heavily obfuscated third-stage shellcode from a hardcoded URL. This downloader retrieves a Base64-encoded instruction file containing 62 records, each specifying two URLs for ZIP archives.

One archive (trx38.zip) holds a legitimate executable and a malicious DLL, while the other contains the encrypted final payload.

The malware selects the appropriate record based on the last character of its process name, unpacks the payload, creates a startup shortcut to maintain persistence, and sideloads the malicious DLL to decrypt the final RAT.

kkRAT’s Network Protocol and Clipboard Hijacking

kkRAT’s network communication protocol mirrors that of Ghost RAT but adds an XOR-based encryption layer applied after zlib compression.

Upon connecting to its C2 server, kkRAT sends a structured registration message containing a hardcoded token, OS version, CPU metrics, memory and disk capacity, installed AV products, presence of web cameras, uptime, and details on popular messaging applications (Telegram, WeChat, QQ).

The RAT then awaits commands, supporting over 50 command IDs that invoke plugin exports or perform native actions, including remote shell execution, screen capture, process management, and crypto-hijacking.

Clipboard exfiltration commands (0x4D and 0x4E) scan for cryptocurrency addresses (Bitcoin, Ethereum, Tether) in the clipboard and replace them with attacker-controlled wallets; command 0x4F disables this behavior.
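As an added defender-side illustration (not code from the Zscaler report or from kkRAT), the following heuristic flags the clipper behaviour described above: a clipper has to rewrite the clipboard shortly after the user copies a wallet address, so two different addresses of the same family written within a short window is the signal. The Tron address form for Tether, the address samples and the clipboard timeline are constructed assumptions; the clipboard sequence number models what a real monitor would read from GetClipboardSequenceNumber.

```python
import re
from typing import List, NamedTuple, Optional

# Address syntaxes for the families the report names (Bitcoin, Ethereum, Tether).
# ERC-20 Tether shares the Ethereum format; the Tron (TRC-20) form is an added assumption.
ADDRESS_PATTERNS = {
    "bitcoin":  re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron":     re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}

class Snapshot(NamedTuple):
    ts: float    # seconds since the monitor started
    seq: int     # clipboard sequence number; changes only on a real clipboard write
    text: str

class Alert(NamedTuple):
    family: str
    original: str
    replaced: str
    delay: float

def address_family(text: str) -> Optional[str]:
    """Return which wallet-address family the text matches, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None

def detect_clipper(snapshots: List[Snapshot], max_delay: float = 2.0) -> List[Alert]:
    """Flag an address silently swapped for a different address of the same family
    within max_delay seconds of a new clipboard write (sequence number bumped)."""
    alerts, prev = [], None
    for snap in snapshots:
        if prev is not None and snap.seq != prev.seq:
            before, after = prev.text.strip(), snap.text.strip()
            fam = address_family(before)
            if fam and fam == address_family(after) and before != after \
                    and snap.ts - prev.ts <= max_delay:
                alerts.append(Alert(fam, before, after, snap.ts - prev.ts))
        prev = snap
    return alerts

# Constructed clipboard timeline: a user copies a Bitcoin address, something rewrites it
# 0.3 s later; a second Ethereum address copied 40 s apart is a normal user action.
SAMPLE = [
    Snapshot(0.0, 10, "meeting notes"),
    Snapshot(5.0, 11, "1ConstructedAddrForTestPurposesAbc"),
    Snapshot(5.3, 12, "1Ak5MjTKQcBUaQWxeLkxXvY5BtVdhTKnrR"),
    Snapshot(20.0, 13, "0x1111111111111111111111111111111111111111"),
    Snapshot(60.0, 14, "0x2222222222222222222222222222222222222222"),
    Snapshot(70.0, 14, "0x2222222222222222222222222222222222222222"),  # poll, no new write
]
```

The same check generalizes to any address family by extending ADDRESS_PATTERNS; a real monitor would also record the clipboard owner process to attribute the write.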

Additional commands deploy or interact with RMM tools GotoHTTP (0x4B) and Sunlogin (0x4C) and proxy network traffic through SOCKS5 (fnProxy subcommands) or custom Go-based proxies (ConnSocks via PlugProxy.dll), enabling attackers to bypass network defenses and VPN restrictions.

This multifaceted functionality demonstrates kkRAT’s evolution into a versatile espionage and financial fraud tool capable of stealthy persistence, robust defense evasion, and powerful exfiltration techniques.
