New EndClient RAT Attacking Users By Leveraging Stolen Code-Signing...
A sophisticated Remote Access Trojan labelled EndClient RAT has emerged as a significant threat to North Korean human rights activists, marking another escalation in the malware operations attributed to the Kimsuky threat group.
The malware is delivered under a stolen but still valid code-signing certificate, which lowers antivirus suspicion and suppresses the Windows SmartScreen warning that an unsigned or unknown installer would normally trigger. A valid signature only proves which key signed the file; it says nothing about whether the installer is safe.
The threat was first identified when a prominent North Korean human rights activist reported suspicious activity on her compromised account, which triggered a broader investigation that uncovered the campaign's scope and technical capabilities.
The attack chain combines careful social engineering with a delivery mechanism that looks legitimate at every step.
The malware arrives as a Microsoft Installer package named "StressClear.msi", code-signed with a stolen certificate belonging to Chengdu Huifenghe Science and Technology Co Ltd, a Chinese mineral excavation company that has no plausible reason to be publishing software for this audience.
The threat actors held direct, methodical conversations with targeted individuals and walked them through downloading and running the MSI file.
The approach proved effective: at least 40 targets across the human rights community have been confirmed, and the full scope of the campaign remains unknown, in part because antivirus detection of the installer is minimal.
Security researchers at 0x0v1 noted that the installer mixes genuine software components with the malicious payload, a deception that complicates both detection and analysis.
On execution, the MSI package installs Delfino, a legitimate South Korean banking authentication module from WIZVERA VeraPort, most likely as a decoy that gives the installation an air of legitimacy.
At the same time, the installer drops a heavily obfuscated AutoIt script and the genuine AutoIt3.exe interpreter to run it. Because the malicious logic lives in the script rather than in a compiled binary, it executes in memory under a legitimate process and gives file-based security tools little to scan.
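Two of the points above translate directly into triage checks: a "Valid" Authenticode result on the MSI is not a reason to trust it when the signer is an unrelated company, and a genuine AutoIt3.exe becomes suspicious when Windows Installer launches it from a user-writable directory with a script beside it. The following is an added example written for this page; it is not code from the article, from the researchers it cites, or from any EDR product. The process events are constructed EDR-style records with invented paths and field names, the Authenticode record is hand-built in the shape that `Get-AuthenticodeSignature` reports, and the publisher allowlist stands in for whatever an organisation actually deploys.

```python
"""Triage heuristics for the signed-installer-plus-AutoIt delivery chain.

Added example, not code from the article or any vendor. Assumptions (not from
the article): event field names, file paths, the sample signature record and
the publisher allowlist are all constructed for illustration.
"""
import ntpath
import re

# Constructed allowlist of signers we expect on software we roll out ourselves.
EXPECTED_PUBLISHERS = {"Microsoft Corporation", "Example Corp"}

AUTOIT_IMAGES = {"autoit3.exe", "autoit3_x64.exe"}
SCRIPT_EXTENSIONS = (".a3x", ".au3")
# Directories a standard user can write to; tune per estate in a real rule.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")


def subject_org(subject):
    """Pull the O= attribute out of an X.500 subject string.
    Simplified: assumes attribute values contain no escaped commas."""
    match = re.search(r"(?:^|,\s*)O=([^,]+)", subject)
    return match.group(1).strip() if match else None


def assess_signature(sig, expected=EXPECTED_PUBLISHERS):
    """A 'Valid' status proves the file was signed with a key that chains to a
    trusted root; it does not say that this signer should be installing
    software here. Returns a list of findings (empty means nothing odd)."""
    if sig["status"] != "Valid":
        return [f"signature status is {sig['status']}"]
    org = subject_org(sig["subject"])
    if org not in expected:
        return [f"valid signature, but signer '{org}' is not an expected publisher"]
    return []


def assess_process(ev):
    """Flag the interpreter-plus-script pattern. A genuine AutoIt3.exe is
    benign on its own; the context (parent, location, script path) is not."""
    image = ntpath.basename(ev["image"]).lower()
    parent = ntpath.basename(ev["parent_image"]).lower()
    cmdline = ev["command_line"].lower()
    findings = []
    if image not in AUTOIT_IMAGES:
        return findings
    if parent == "msiexec.exe":
        findings.append("AutoIt interpreter spawned by Windows Installer")
    if any(d in ev["image"].lower() for d in USER_WRITABLE):
        findings.append("AutoIt interpreter running from a user-writable path")
    if any(ext in cmdline for ext in SCRIPT_EXTENSIONS) and \
            any(d in cmdline for d in USER_WRITABLE):
        findings.append("AutoIt script loaded from a user-writable path")
    return findings


def triage(events, sig):
    """Run both checks; return the signature verdict and only the events
    that produced findings, as (index, findings) pairs."""
    hits = []
    for i, ev in enumerate(events):
        findings = assess_process(ev)
        if findings:
            hits.append((i, findings))
    return {"signature": assess_signature(sig), "processes": hits}


# Constructed sample data: one suspicious chain and one developer running
# AutoIt legitimately from its default install location.
SAMPLE_SIGNATURE = {
    "status": "Valid",
    "subject": "CN=Chengdu Huifenghe Science and Technology Co Ltd, "
               "O=Chengdu Huifenghe Science and Technology Co Ltd, C=CN",
}
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'msiexec.exe /i "C:\Users\alice\Downloads\StressClear.msi"'},
    {"image": r"C:\Users\alice\AppData\Local\StressClear\AutoIt3.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'"C:\Users\alice\AppData\Local\StressClear\AutoIt3.exe" '
                     r'"C:\Users\alice\AppData\Local\StressClear\config.a3x"'},
    {"image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" "C:\src\build.au3"'},
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS, SAMPLE_SIGNATURE), indent=2))
```

On the sample data only the second event fires (all three process findings), the developer's AutoIt run stays quiet, and the MSI's signature is reported as valid but from an unexpected publisher. The publisher check is the part worth keeping even after the indicators change: it turns "is the signature valid?" into "is this a signer we would ever expect to see here?", which is the question SmartScreen does not ask.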
Source: Cybersecurity News