Multi-Stage SEO Poisoning Campaign Targets Chinese-Speaking Developers with Kong RAT

Kong RAT is a multi-stage remote access trojan campaign that used SEO poisoning to lure Chinese-speaking developers to trojanized installers hosted on Alibaba Cloud OSS, then progressed through a NativeAOT dropper, in-memory DLLs, DLL sideloading of a Microsoft-signed binary, shellcode execution, and a modular TCP C2 framework. The malware implements sophisticated evasion and persistence techniques (PEB masquerading + CMSTPLUA UAC bypass, EnumWindows callback shellcode, scheduled task RPC creation) and harvests telemetry including victim geolocation via the LeTV CDN. #KongRAT #FinalShell

Keypoints

Initial access via SEO poisoning: lookalike Chinese-language download sites (FinalShell, Xshell, QuickQ, Clash) redirect victims to trojanized installers served from Alibaba Cloud OSS (oss-cn-hongkong.aliyuncs.com).
The initial dropper (Setup.exe) is compiled with .NET 10.0 NativeAOT to hinder standard .NET analysis and contains a PDB path referencing username “52pojie”.
The campaign uses a six-stage chain: SEO poisoning → NativeAOT dropper → in-memory DLL orchestrator → DLL sideloading into a Microsoft-signed binary → shellcode loader → Kong RAT embedded EXE.
Privilege escalation and evasion techniques include a UAC elevation prompt via ShellExecute(“runas”), a silent COM UAC bypass using the CMSTPLUA elevation moniker with PEB masquerading as explorer.exe, and execution via EnumWindows callback to avoid CreateThread detection.
Persistence is achieved through scheduled tasks created via direct RPC (NdrClientCall3) with a consistent name prefix SimpleActivityScheduleTimer_{GUID}; configuration and session state are stored under HKCUSoftwareKongClient keys.
Kong RAT implements a GetAsyncKeyState-based keylogger (writes to C:ProgramDataKongKeylogger), modular remote plugin loading via a custom MPK1 TCP protocol over port 5947 with LZ4 compression, and remote commands for plugin management, remote execution, and migration of C2.
Operational telemetry includes security product enumeration via WMI and victim geolocation harvested by impersonating a LeTV media client to query g3.letv.com/r?format=1.

MITRE Techniques

[T1189 ] Drive-by Compromise – SEO poisoning was used to position malicious lookalike sites above legitimate results and deliver trojanized installers (‘targeting Chinese-speaking developers and IT professionals through Search engine optimization (SEO) poisoning’).
[T1204 ] User Execution – Victim action to download and run installer is required for initial access (‘Initial access is achieved when victims download trojanized software installers from seemingly legitimate websites’).
[T1548 ] Abuse Elevation Control Mechanism – Silent UAC bypass using the CMSTPLUA COM elevation moniker combined with PEB masquerading to obtain elevated privileges (‘silent UAC bypass using the CMSTPLUA COM elevation moniker ({3E5FC7F9-9A51-4367-9063-A120244FBEC7}) combined with PEB masquerading as explorer.exe – requiring no user interaction’).
[T1053.005 ] Scheduled Task/Job – Persistence via creation of scheduled tasks using direct RPC calls bypassing Task Scheduler COM interfaces (‘Persistence is achieved via Windows Scheduled Task created through direct RPC (NdrClientCall3) bypassing standard Task Scheduler COM interfaces’).
[T1574.001 ] DLL Side-Loading – The campaign places a malicious rcdll.dll alongside a legitimate signed Microsoft binary (rc.exe) to force loading of the malicious DLL (‘DLL sideloading via legitimate signed Microsoft binary’).
[T1055 ] Process Injection – Reflective PE loading and in-memory execution plus use of EnumWindows callback to run shellcode, avoiding typical thread creation APIs (‘Reflective PE loader’ and ‘Shellcode execution is performed via EnumWindows callback, avoiding CreateThread/CreateRemoteThread calls commonly monitored by security products’).
[T1027 ] Obfuscated Files or Information – Use of .NET 10.0 NativeAOT compilation and stack string obfuscation to evade analysis and deobfuscate API names at runtime (‘compiled using .NET 10.0 NativeAOT, a deliberate choice to defeat standard .NET reverse engineering tools …’ and ‘stack string obfuscation’).
[T1056.001 ] Input Capture: Keylogging – Local keystroke capture via GetAsyncKeyState and storage to persistent logs (‘Kong RAT implements a GetAsyncKeyState-based keylogger, logging keystrokes to C:ProgramDataKongKeylogger’).
[T1047 ] Windows Management Instrumentation – Use of WMI queries to enumerate installed security products for victim profiling (‘Security product enumeration is performed via WMI (SELECT displayName FROM AntiVirusProduct against ROOTSecurityCenter2)’).
[T1071 ] Application Layer Protocol – Custom TCP-based C2 with a bespoke MPK1 packet header and LZ4 compression over TCP port 5947 (‘Primary C2 communication uses TCP to x.x-x[.]icu:5947 … custom binary protocol using “MPK1” … LZ4 block compression’).
[T1112 ] Modify Registry – Malware stores persistent configuration, plugin cache and C2 session data under HKCU keys (e.g., LoginPermanent, ClientPlugins) (‘persisting the new server address to HKCUSoftwareKongClientLoginPermanent’ and ‘HKCUSoftwareKongClientPlugins’).

Indicators of Compromise

[Domain ] SEO-poisoned fake download and campaign infrastructure – finalshell-ssh.com, xshell-cn.com (and other lookalike domains such as quickq-cn.com, clash-cn.com).
[Cloud OSS URL ] Payload hosting and C2 telemetry endpoints – kkwinapp.oss-cn-hongkong.aliyuncs.com/dow/zj.mp4, kkwinapp.oss-cn-hongkong.aliyuncs.com/dow/upload?log= (Alibaba Cloud OSS Hong Kong region).
[IP Address ] C2 infrastructure – 45.192.208.126 (resolves to Antbox Networks Limited, Hong Kong) used for x.x-x[.]icu:5947 C2 connectivity.
[File Hashes ] Notable sample hashes for detection/context – Setup.exe SHA256 D6620D753E746E63B59E1E47943BE5093F24FD3F82E994115CADEEA3720F1AEA, rcdll.dll SHA256 2B7D31A83FF817BE7BDD6E9CF92DEA438CA97DC93EA84CBF048F8656F7DD57DD (and 4 more hashes including zj.mp4, oob.xml, embedded EXE).
[File Names ] Dropped and on-disk filenames observed – Setupexe.exe (legitimate rc.exe binary used for sideloading), rcdll.dll, oob.xml (zj.bin saved as oob.xml).
[Registry Keys ] C2/config/session storage locations – HKCUSoftwareKongClientLoginPermanent, HKCUSoftwareKongClientPlugins (used for persistent C2 config and plugin cache).
[Scheduled Task ] Persistence task naming pattern – SimpleActivityScheduleTimer_{GUID} (tasks created via RPC to persist execution).
[File Paths ] Installation and log locations – %LOCALAPPDATA%ProgramsBvasted (installation directory), C:ProgramDataKongKeylogger.txt (keylogger logs).
[Network Port ] C2 communication port – TCP port 5947 (used by Kong RAT MPK1 protocol to x.x-x[.]icu).