Evasion at Scale: How Kong RAT Bypasses EDR and Establishes Silent Persistence

A sophisticated cyber espionage campaign, active from approximately May 2025 through March 2026, has utilized advanced Search Engine Optimization (SEO) poisoning to distribute a highly evasive Remote Access Trojan (RAT) known as Kong RAT. By masquerading as legitimate software portals for popular developer tools, threat actors have successfully compromised the workstations of Chinese-speaking IT professionals and developers.

The campaign specifically targets users searching for indispensable administrative and connectivity tools, including SSH clients like FinalShell and Xshell, as well as proxy and VPN utilities such as QuickQ VPN, Clash, and LeTV-related services. By hijacking search results, attackers funnel victims toward meticulously crafted lookalike domains that host trojanized installers designed to appear authentic.

Technical analysis by eSentire’s Threat Response Unit reveals a highly structured infrastructure. The operation relies on a cluster of spoofed domains—such as xshell-cn[.]com and finalshell-ssh[.]com—which are linked by a shared analytics certificate ID (51LA-3JTC2JD0CXBQHRSX). This commonality allows the actors to maintain a unified delivery ecosystem across disparate software categories.

Technical Analysis of the Infection Chain

The infection begins when a victim downloads a seemingly benign installer, such as finalshell-SetupX64.exe. Unlike traditional malware, this dropper is compiled using .NET 10.0 NativeAOT. This is a strategic choice: by emitting native machine code rather than standard Microsoft Intermediate Language (MSIL), the attackers effectively neutralize common reverse-engineering tools like dnSpy and ILSpy, significantly increasing the cost of analysis for security researchers.

Upon execution, the dropper performs several stealth maneuvers:

  • Privilege Escalation: The malware checks for administrative rights. If absent, it utilizes the runas verb to trigger a User Account Control (UAC) prompt, attempting to gain the elevated permissions necessary for deeper system access.
  • Payload Masquerading: It fetches a secondary payload disguised as a video file, zj.mp4, hosted on Alibaba Cloud Object Storage in the Hong Kong region. Despite the extension, this file is actually a 64-bit Windows DLL.
  • Reflective Loading: The zj.mp4 DLL is reflectively loaded into memory. Its exported run function then orchestrates the next stage, downloading further components using misleading extensions like .1×1, .d11, and .bin.
Fake xshell-cn.com and quickq-cn.com lookalike sites mimicking legitimate Chinese developer tools to deliver trojanized installers via SEO poisoning (Source : eSentire).
Fake xshell-cn.com and quickq-cn.com lookalike sites mimicking legitimate Chinese developer tools to deliver trojanized installers via SEO poisoning (Source: eSentire).

Evasion, Sideloading, and Persistence

To bypass endpoint detection and response (EDR) systems, the malware employs DLL Sideloading. It places a malicious rcdll.dll in the same directory as a legitimate, Microsoft-signed binary (rc.exe, renamed to Setupexe.exe). When the system attempts to resolve dependencies for the signed binary, it inadvertently loads the attacker’s DLL.

Inside rcdll.dll, the malware utilizes QueueUserAPC to defer execution, making the initial activity appear less suspicious. For stealthy privilege escalation, it combines PEB (Process Environment Block) masquerading—to make the process appear as explorer.exe—with a CMSTPLUA COM UAC bypass, allowing it to escalate privileges without triggering visible prompts.

Persistence is achieved through a highly technical method. Rather than using standard COM interfaces that are easily monitored, the malware makes direct RPC (Remote Procedure Call) requests via NdrClientCall3 to create a Windows Scheduled Task. These tasks follow a non-deterministic but patterned naming convention: SimpleActivityScheduleTimer{GUID}.

Windows Scheduled Task using direct RPC calls via NdrClientCall3 (Source : eSentire).
Windows Scheduled Task created via direct RPC calls (NdrClientCall3) to evade standard monitoring (Source: eSentire).

Kong RAT: Command, Control, and Capabilities

The final payload is Kong RAT, a 64-bit Windows-based Trojan. It is designed for high availability and stealth, using a mutex to ensure only one instance runs and PowerSetRequest to prevent the system from entering sleep mode, ensuring a continuous connection to the attacker.

Key Technical Specifications:

  • C2 Communication: It communicates with domains formatted as x.x-x[.]icu over TCP port 5947.
  • Custom Protocol: It utilizes a proprietary “MPK1” binary protocol featuring LZ4 compression and a 4-byte length prefix. This protocol supports complex operations, including remote shell access, file manipulation, self-destruction, and the dynamic loading of additional DLL modules.
  • Targeted Reconnaissance: The RAT specifically scans for Chinese messaging applications (WeChat, WeCom, QQ) and international platforms (Telegram, WhatsApp). It also abuses the LeTV CDN endpoint to resolve the victim’s geographic location and public IP.
Shared 51LA-3JTC2JD0CXBQHRSX analytics certificate linking domains to the same threat actor infrastructure (Source : eSentire).
Shared 51LA-3JTC2JD0CXBQHRSX analytics certificate linking multiple domains to the same threat actor infrastructure (Source: eSentire).

Defensive Recommendations

To defend against this campaign, security operations centers (SOC) should implement the following monitoring strategies:

  1. Network Monitoring: Inspect outbound traffic for unusual communication on TCP port 5947 and monitor for connections to kkwinapp.oss-cn-hongkong.aliyuncs.com. Watch for anomalous file downloads with extensions such as .1×1, .d11, or .bin originating from Alibaba Cloud.
  2. Endpoint Detection: Monitor for the creation of scheduled tasks matching the pattern SimpleActivityScheduleTimer*.
  3. File Integrity: Hunt for the presence of Setupexe.exe and rcdll.dll within user-writable directories (e.g., %LOCALAPPDATA%).
  4. Behavioral Analysis: Flag processes attempting to use NdrClientCall3 for task creation or processes exhibiting PEB masquerading to mimic explorer.exe.

Related Articles

Back to top button