APT43 Abuses GitHub and Google Drive to Distribute KimJongRAT: A Deep Dive into the Evolving Threat Landscape + Video

Listen to this Post

Featured Image

Introduction

In May 2026, cybersecurity researchers uncovered a sophisticated attack campaign orchestrated by APT43 (also known as Kimsuky or Earth Kumiho), leveraging legitimate cloud services to distribute the infamous KimJongRAT malware. This campaign represents a significant evolution in the group’s tactics, demonstrating an increased reliance on Living Off Trusted Sites (LOTS) techniques, where attackers host malicious components on reputable platforms like GitHub Releases and Google Drive to evade detection and bypass network security controls. The multi-stage infection chain, which adapts its behavior based on the presence of Windows Defender, highlights the growing sophistication of nation-state threat actors and underscores the critical need for advanced threat hunting and detection capabilities in modern enterprise environments.

Learning Objectives

  • Understand the complete infection chain of the May 2026 KimJongRAT campaign, including the abuse of GitHub and Google Drive.
  • Analyze the malware’s adaptive execution logic based on Windows Defender status and its dynamic C2 retrieval mechanism.
  • Learn practical threat hunting techniques, including indicators of compromise (IoCs) and detection strategies for LOTS-based attacks.
  • Explore mitigation strategies, including cloud security hardening and endpoint detection configurations.

You Should Know

1. The KimJongRAT Infection Chain: A Multi-Stage Attack

The May 2026 campaign employs a complex, multi-stage infection chain designed to maximize stealth and success rates. The attack begins with a phishing email containing a shortened URL. Upon clicking, the victim is redirected to a ZIP file hosted on GitHub Releases. The ZIP file, named `tax_edoc.zip` (SHA256: e4ccb2328c06710a7f0254cb6315e1b106396b0ff525f9cf3eada6e85d285c1c), contains a malicious LNK (shortcut) file. When the victim extracts and opens the LNK file, it abuses the legitimate Windows binary `mshta.exe` to download and execute an HTA file from GitHub. This HTA file contains obfuscated VBScript that serves as the next-stage downloader.

The VBScript then connects to attacker-controlled Google Drive accounts to download additional components. Interestingly, the script first checks whether Windows Defender is running using the command sc query WinDefend. This environmental awareness determines the subsequent execution path:

  • If Windows Defender is not running: The script downloads encrypted files (user.txt and sys.log), decrypts them using AES, and executes the DLL payload via rundll32, leading to the DLL version of KimJongRAT.
  • If Windows Defender is running: The script downloads an encrypted ZIP file (pipe.log), decrypts it, extracts a PowerShell script, and executes the PowerShell version of KimJongRAT.

This adaptive behavior demonstrates the attackers’ deep understanding of common security configurations and their ability to tailor the attack accordingly. The use of legitimate services like GitHub and Google Drive for hosting malicious files allows the attackers to bypass traditional blocklisting and reputation-based security measures.

  1. Dynamic C2 Retrieval: A Game-Changer for Malware Resilience

One of the most significant evolutions in the May 2026 KimJongRAT samples is the move away from hardcoded C2 addresses. Previously, both the DLL and PowerShell versions of the malware contained static C2 server addresses within their code. In the new samples, the malware downloads an encrypted configuration file from Google Drive at runtime, decrypts it, and dynamically obtains the C2 address. This approach offers several advantages to the attacker:

  • Operational Flexibility: The attacker can change the C2 server without rebuilding and redeploying the malware, reducing operational overhead.
  • Increased Resilience: Even if a C2 server is taken down or its DDNS address becomes invalid, the same payload can continue to function by simply updating the configuration file on Google Drive.
  • Evasion of Static Detection: Security solutions that rely on static C2 address signatures become ineffective against this dynamic retrieval mechanism.

The C2 addresses observed in this campaign include `hxxps://pxqtkc.corpsecs[.]com` and `89.116.192[.]38:443` for the DLL version, and `hxxps://lutkdd.corpsecs[.]com` for the PowerShell version. This dynamic approach represents a paradigm shift in malware design, making takedown efforts significantly more challenging.

3. MeshAgent: The Backup Access Mechanism

The May 2026 campaign also introduced a novel feature: the installation of MeshAgent, a legitimate Remote Monitoring and Management (RMM) tool related to MeshCentral. The executable and configuration files for MeshAgent are stored on Google Drive in RC4-encrypted form. This functionality is believed to serve as a backup access mechanism, ensuring the attacker maintains persistent access to the compromised host even if the primary malware is quarantined by antivirus software. However, as of June 2026, the MeshCentral server (wss://googleoba.servequake[.]com:8443/agent.ashx and 104.200.67[.]46:8443) was reportedly unreachable, suggesting this may have been an experimental feature or a contingency plan that was not fully operational at the time.

4. Detection and Threat Hunting Strategies

Detecting LOTS-based attacks requires a shift in mindset from traditional signature-based approaches to behavior-based and anomaly detection. Here are some key threat hunting strategies:

  • Monitor Outbound Connections to Cloud Services: While blocking GitHub or Google Drive is impractical, organizations should monitor outbound connections to these services, especially from non-browser processes. Look for suspicious command-line arguments involving curl, powershell, or `mshta` that reference these platforms.
  • Analyze LNK File Execution: Monitor for the execution of LNK files that invoke `mshta.exe` with suspicious parameters. The command pattern `mshta.exe hxxps://github.com/…/file.hta` is a strong indicator of malicious activity.
  • Track Windows Defender Status Queries: The command `sc query WinDefend` is not commonly used in legitimate administrative tasks. Monitoring for this specific query, especially when followed by suspicious downloads, can provide early detection.
  • Decrypt and Analyze Google Drive Payloads: Security teams should be prepared to decrypt files downloaded from Google Drive using known keys. In this campaign, the AES key was `ftrgmjekglgawkxjynqrwxjvjsydxgjc` and the IV was rhmrpyihmziwkvln.
  • Implement Endpoint Detection and Response (EDR): EDR solutions can detect the behavioral patterns of this attack, such as the sequential execution of mshta, VBScript, curl, and `powershell` in a short time frame.

5. Incident Response and Mitigation

In the event of a suspected KimJongRAT infection, the following steps are recommended:

  • Isolate the Affected Host: Immediately disconnect the infected system from the network to prevent further communication with C2 servers and data exfiltration.
  • Collect Forensic Artifacts: Gather evidence, including the malicious LNK file, HTA script, downloaded payloads, and PowerShell logs. The SHA256 hashes of known malicious files are provided in the IIJ report.
  • Check for MeshAgent Installation: Look for the presence of `Taskmgr.exe` (the MeshAgent executable) in temporary folders.
  • Review Google Drive and GitHub Activity: If possible, review organizational access logs to Google Drive and GitHub to identify any unauthorized or suspicious access patterns.
  • Update Security Policies: Consider implementing application whitelisting to restrict the execution of mshta.exe, powershell.exe, and `rundll32.exe` to trusted processes only.

6. Cloud Security Hardening

Given the abuse of cloud services in this campaign, organizations should harden their cloud security posture:

  • Implement Conditional Access Policies: Restrict access to cloud services based on risk factors such as location, device compliance, and user behavior.
  • Enable Detailed Audit Logging: Ensure that audit logs for Google Drive and GitHub are enabled and monitored for suspicious activities, such as the sharing of files with external domains.
  • Use Cloud Access Security Brokers (CASBs): CASBs can provide visibility into shadow IT and enforce security policies for cloud applications.
  • Educate Users: Train employees to recognize phishing emails and avoid clicking on shortened or suspicious links, even if they appear to come from trusted sources.

What Undercode Say

  • The Evolution of LOTS: The KimJongRAT campaign is a prime example of how threat actors are increasingly leveraging legitimate services to evade detection. This trend is likely to continue, making it essential for security teams to focus on behavioral analytics and anomaly detection rather than relying solely on reputation-based blocking.
  • The Importance of Adaptive Defense: The malware’s ability to alter its execution path based on the presence of Windows Defender highlights the need for a multi-layered defense strategy. Organizations cannot rely on a single security control; they must implement a combination of endpoint, network, and cloud security measures.

The dynamic C2 retrieval mechanism is a significant advancement that complicates takedown efforts and underscores the need for proactive threat hunting. The use of MeshAgent as a backup access mechanism, even if experimental, indicates a growing trend of attackers using legitimate RMM tools for persistence. This campaign also demonstrates the resilience of APT43, as the group quickly re-established its infrastructure after the initial takedown of its GitHub repository. Organizations must remain vigilant and continuously update their defenses to counter these evolving threats. The attack also serves as a reminder that nation-state actors are investing heavily in operational security and are willing to adapt their techniques to maintain access and evade detection.

Prediction

  • -1 The increasing use of legitimate cloud services for malware delivery will make traditional security controls less effective, forcing organizations to invest in more advanced detection and response capabilities.
  • -1 The dynamic C2 retrieval mechanism will likely be adopted by other threat groups, making it more difficult for law enforcement and security researchers to disrupt malicious infrastructure.
  • +1 The disclosure of this campaign and its IoCs will enable security vendors to update their detection rules and help organizations better protect themselves against similar attacks.
  • -1 APT43’s rapid re-establishment of infrastructure after the takedown suggests that the group is highly motivated and well-resourced, indicating that this campaign is just one of many to come.
  • -1 The use of MeshAgent, even if experimental, signals a potential shift towards using legitimate RMM tools for persistence, which could be challenging to detect and mitigate.
  • +1 The detailed analysis provided by IIJ-SEC and other researchers will contribute to a better understanding of KimJongRAT and LOTS techniques, aiding in the development of more effective countermeasures.
  • -1 The sophistication of this campaign highlights the growing capabilities of nation-state threat actors and the increasing difficulty of defending against their attacks.
  • -1 The reliance on social engineering (phishing) as the initial attack vector indicates that user awareness training remains a critical, yet often overlooked, component of cybersecurity.
  • +1 The identification of specific IoCs, such as file hashes and C2 addresses, will enable organizations to proactively hunt for threats and improve their incident response capabilities.
  • -1 The use of shortened URLs in phishing emails makes it easier for attackers to obfuscate malicious links, increasing the likelihood of successful infections.

▶️ Related Video (74% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Flavioqueiroz Apt43 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky