Evasion at Scale: How Kong RAT Bypasses EDR and Establishes Silent Persistence
A sophisticated cyber espionage campaign, active from approximately May 2025 through March 2026, has utilized advanced Search Engine Optimization (SEO) poisoning to distribute a highly evasive Remote Access Trojan (RAT) known as Kong RAT. By masquerading as legitimate software portals for popular developer tools, threat actors have successfully compromised the workstations of Chinese-speaking IT professionals and developers.
The campaign specifically targets users searching for indispensable administrative and connectivity tools, including SSH clients like FinalShell and Xshell, as well as proxy and VPN utilities such as QuickQ VPN, Clash, and LeTV-related services. By hijacking search results, attackers funnel victims toward meticulously crafted lookalike domains that host trojanized installers designed to appear authentic.
Technical analysis by eSentire’s Threat Response Unit reveals a highly structured infrastructure. The operation relies on a cluster of spoofed domains—such as xshell-cn[.]com and finalshell-ssh[.]com—which are linked by a shared analytics certificate ID (51LA-3JTC2JD0CXBQHRSX). This commonality allows the actors to maintain a unified delivery ecosystem across disparate software categories.
Technical Analysis of the Infection Chain
The infection begins when a victim downloads a seemingly benign installer, such as finalshell-SetupX64.exe. Unlike traditional malware, this dropper is compiled using .NET 10.0 NativeAOT. This is a strategic choice: by emitting native machine code rather than standard Microsoft Intermediate Language (MSIL), the attackers effectively neutralize common reverse-engineering tools like dnSpy and ILSpy, significantly increasing the cost of analysis for security researchers.
Upon execution, the dropper performs several stealth maneuvers:
- Privilege Escalation: The malware checks for administrative rights. If absent, it utilizes the
runasverb to trigger a User Account Control (UAC) prompt, attempting to gain the elevated permissions necessary for deeper system access. - Payload Masquerading: It fetches a secondary payload disguised as a video file,
zj.mp4, hosted on Alibaba Cloud Object Storage in the Hong Kong region. Despite the extension, this file is actually a 64-bit Windows DLL. - Reflective Loading: The
zj.mp4DLL is reflectively loaded into memory. Its exportedrunfunction then orchestrates the next stage, downloading further components using misleading extensions like.1×1,.d11, and.bin.

Evasion, Sideloading, and Persistence
To bypass endpoint detection and response (EDR) systems, the malware employs DLL Sideloading. It places a malicious rcdll.dll in the same directory as a legitimate, Microsoft-signed binary (rc.exe, renamed to Setupexe.exe). When the system attempts to resolve dependencies for the signed binary, it inadvertently loads the attacker’s DLL.
Inside rcdll.dll, the malware utilizes QueueUserAPC to defer execution, making the initial activity appear less suspicious. For stealthy privilege escalation, it combines PEB (Process Environment Block) masquerading—to make the process appear as explorer.exe—with a CMSTPLUA COM UAC bypass, allowing it to escalate privileges without triggering visible prompts.
Persistence is achieved through a highly technical method. Rather than using standard COM interfaces that are easily monitored, the malware makes direct RPC (Remote Procedure Call) requests via NdrClientCall3 to create a Windows Scheduled Task. These tasks follow a non-deterministic but patterned naming convention: SimpleActivityScheduleTimer{GUID}.

Kong RAT: Command, Control, and Capabilities
The final payload is Kong RAT, a 64-bit Windows-based Trojan. It is designed for high availability and stealth, using a mutex to ensure only one instance runs and PowerSetRequest to prevent the system from entering sleep mode, ensuring a continuous connection to the attacker.
Key Technical Specifications:
- C2 Communication: It communicates with domains formatted as
x.x-x[.]icuover TCP port 5947. - Custom Protocol: It utilizes a proprietary “MPK1” binary protocol featuring LZ4 compression and a 4-byte length prefix. This protocol supports complex operations, including remote shell access, file manipulation, self-destruction, and the dynamic loading of additional DLL modules.
- Targeted Reconnaissance: The RAT specifically scans for Chinese messaging applications (WeChat, WeCom, QQ) and international platforms (Telegram, WhatsApp). It also abuses the LeTV CDN endpoint to resolve the victim’s geographic location and public IP.

Defensive Recommendations
To defend against this campaign, security operations centers (SOC) should implement the following monitoring strategies:
- Network Monitoring: Inspect outbound traffic for unusual communication on TCP port 5947 and monitor for connections to
kkwinapp.oss-cn-hongkong.aliyuncs.com. Watch for anomalous file downloads with extensions such as.1×1,.d11, or.binoriginating from Alibaba Cloud. - Endpoint Detection: Monitor for the creation of scheduled tasks matching the pattern
SimpleActivityScheduleTimer*. - File Integrity: Hunt for the presence of
Setupexe.exeandrcdll.dllwithin user-writable directories (e.g.,%LOCALAPPDATA%). - Behavioral Analysis: Flag processes attempting to use
NdrClientCall3for task creation or processes exhibiting PEB masquerading to mimicexplorer.exe.