Technical Analysis of kkRAT

Sept. 10, 2025, 8:40 p.m.

Description

A malware campaign targeting Chinese-speaking users has been identified, delivering three malware families: ValleyRAT, FatalRAT, and kkRAT. The campaign distributes the malware through fake installer pages. kkRAT, a new Remote Access Trojan, shares similarities with Ghost RAT and Big Bad Wolf. It employs evasion techniques including sandbox detection and anti-analysis methods, and uses the Bring Your Own Vulnerable Driver (BYOVD) technique to disable antivirus and EDR systems. kkRAT's features include clipboard manipulation that replaces cryptocurrency wallet addresses and the deployment of remote monitoring tools. Its network communication protocol resembles Ghost RAT's but adds encryption. kkRAT supports multiple plugins and commands for a range of malicious activities.

Date

  • Created: Sept. 10, 2025, 6:49 p.m.
  • Published: Sept. 10, 2025, 6:49 p.m.
  • Modified: Sept. 10, 2025, 8:40 p.m.

Additional Information

  • China