Fake FinalShell and Xshell Sites Distribute Kong RAT Malware

Cybersecurity Alert: New Malware Campaign Exploits Fake Download Sites to Spread Kong RAT

In a significant cybersecurity development, attackers have been found using counterfeit download sites for widely used software tools such as FinalShell and Xshell to distribute a new remote access trojan (RAT) dubbed Kong RAT. This carefully orchestrated campaign has reportedly been active from May 2025 until at least March 2026, primarily targeting Chinese-speaking developers and IT administrators.

The attackers employed a strategy known as search engine poisoning, artificially manipulating search results to direct users searching for legitimate software—such as FinalShell, Xshell, QuickQ VPN, Clash proxy, and various LeTV-related VPNs—towards fraudulent websites that host malicious installers. The deceptive domains cleverly imitate authentic Chinese software portals, luring unwary developers into believing they are downloading safe and reputable server management and VPN tools. Instead, these downloads activate a multi-stage infection process that culminates in the deployment of the Kong RAT on Windows systems.

The operation utilizes a network of spoofed domains, including xshell-cn[.]com and finalshell-ssh[.]com, all registered with providers based in Hong Kong. These domains are interconnected through a shared analytics certificate ID, 51LA-3JTC2JD0CXBQHRSX, which further suggests a deliberate and coordinated effort by the threat actors.

In March 2026, eSentire’s Threat Response Unit uncovered this advanced malware campaign while scrutinizing the methods employed to ensnare its victims. For instance, the counterfeit FinalShell page at finalshell-ssh[.]com is presented entirely in Simplified Chinese, displaying what appear to be authentic screenshots of FinalShell version 4.2.4. However, deceptive download buttons for both "Windows" and "Mac" versions actually link to a single Windows-only malware installer named finalshell-SetupX64.exe.

In addition to FinalShell, other counterfeit sites targeting users of QuickQ VPN and Clash also leverage the same infrastructure and the shared analytics certificate. Some notable domains include quickq-cn[.]com and clash-cn[.]com, which follow identical techniques to distribute trojanized installers.

Upon downloading from these fraudulent platforms, victims unwittingly receive a Setup.exe dropper. This dropper is compiled with .NET 10.0 NativeAOT, a deliberate choice intended to thwart traditional .NET reverse-engineering tools like dnSpy and ILSpy by emitting native machine code rather than Microsoft Intermediate Language (MSIL). Intriguingly, the embedded Program Database (PDB) path contains the name “52pojie,” a reference to a well-known Chinese cracking forum, hinting at a Chinese-speaking developer—or possibly a planted clue intended to mislead investigators.

Once executed, the dropper checks whether it has administrator rights. If it does not, it relaunches itself with a new command line to request elevation, which triggers a User Account Control (UAC) prompt, before fetching the next payload. This payload is disguised as a file named zj.mp4 and is downloaded from Alibaba Cloud’s Object Storage service in the Hong Kong region.

Despite the file’s .mp4 extension, zj.mp4 is, in reality, a 64-bit Windows Dynamic Link Library (DLL) that’s secretly loaded into memory. Its exported function orchestrates subsequent stages of the attack. This includes the generation of additional download URLs from a domain tied to Alibaba Cloud, using misleading extensions like .1×1, .d11, and .bin. The malware then stores files in the user’s LOCALAPPDATA directory, obscuring them with both HIDDEN and SYSTEM attributes to evade casual detection.

In terms of operational tactics, the malware uses dynamic link library (DLL) sideloading: it places a malicious rcdll.dll next to a legitimate, Microsoft-signed binary (Setupexe.exe), so that the Windows DLL search order loads the attacker’s DLL from the application directory when the trusted binary starts. Running under the cover of a signed executable helps the threat actor stay undetected, and the same lure-and-sideload pattern is applied across the campaign’s fake sites for popular Chinese development and networking tools such as FinalShell, Xshell, QuickQ, Clash, and LeTV.

The rcdll.dll file delays its execution using the QueueUserAPC mechanism. When it needs to elevate privileges covertly, the malware uses process environment block (PEB) masquerading to make itself appear to be a legitimate Windows process (explorer.exe). It then uses a COM-based method to bypass the visible UAC prompt, further improving its stealth.

Furthermore, the shellcode is retrieved from a configuration file disguised as oob.xml. In reality, this file contains x64 shellcode followed by an embedded Portable Executable (PE), a layout chosen to evade common detection methods used by endpoint detection and response (EDR) products.

As a final stage of the attack, the malware creates a Windows Scheduled Task named "SimpleActivityScheduleTimer{GUID}" using direct remote procedure calls (RPC) rather than the conventional Task Scheduler interfaces. The task provides persistence, and its consistent name pattern is itself a useful indicator for defenders.

The primary payload, Kong RAT, enforces single-instance execution via a mutex, prevents the system from sleeping through a PowerSetRequest call, and starts a configurable keylogger unless overridden by environment variables. Command-and-control (C2) communication takes place over TCP port 5947, using a custom protocol for remote shell commands, file operations, and more, all tailored primarily to Chinese-speaking environments.

Defenders are advised to monitor traffic directed towards the identified malicious domains and server. They should also remain vigilant for unusual file downloads with misleading extensions from Alibaba Cloud storage and check for scheduled tasks whose names start with “SimpleActivityScheduleTimer,” which are linked to possible Kong RAT activity. The presence of the installer Setup.exe and the rcdll.dll file in user profiles, alongside traffic carrying the custom MPK1 headers, may strongly indicate an ongoing compromise linked to Kong RAT.
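The host-side checks above, as an added PowerShell hunting script that is not part of the original article or of eSentire’s report. It assumes an elevated session on the endpoint under review and uses only the file names, task-name prefix and port reported in the text; the inspected directory is limited to the current user’s LOCALAPPDATA.

```powershell
# Added example (not from the article or eSentire): hunt for the Kong RAT host
# indicators the report names. Read-only; it reports findings, nothing is removed.
$findings = @()

# 1. Scheduled task following the reported "SimpleActivityScheduleTimer{GUID}" pattern.
Get-ScheduledTask -TaskName 'SimpleActivityScheduleTimer*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = 'ScheduledTask'
            Detail    = "$($_.TaskPath)$($_.TaskName) -> $($_.Actions.Execute) $($_.Actions.Arguments)"
        }
    }

# 2. Dropper, sideloading pair and staged payloads under LOCALAPPDATA, which the
#    report says are given HIDDEN and SYSTEM attributes. -Force includes hidden files.
$names = 'Setup.exe', 'Setupexe.exe', 'rcdll.dll', 'zj.mp4', 'oob.xml'
Get-ChildItem -Path $env:LOCALAPPDATA -Recurse -Force -File -Include $names -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hiddenSystem = ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                        ($_.Attributes -band [IO.FileAttributes]::System)
        # A signed Microsoft binary sitting next to rcdll.dll is the sideloading tell.
        $sibling = Join-Path $_.DirectoryName 'rcdll.dll'
        $sideload = ($_.Name -ieq 'Setupexe.exe') -and (Test-Path $sibling)
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $findings += [pscustomobject]@{
            Indicator = if ($sideload) { 'SideloadPair' }
                        elseif ($hiddenSystem) { 'HiddenSystemFile' }
                        else { 'SuspiciousFileName' }
            Detail    = "$($_.FullName) sig=$($sig.Status) attrs=$($_.Attributes)"
        }
    }

# 3. Live C2 session on the reported port, mapped back to the owning process.
Get-NetTCPConnection -RemotePort 5947 -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Indicator = 'C2Port5947'
            Detail    = "$($_.RemoteAddress):$($_.RemotePort) pid=$($_.OwningProcess) ($($proc.ProcessName))"
        }
    }

if ($findings) { $findings | Format-Table -AutoSize } else { 'No Kong RAT host indicators found.' }
```

To cover every profile on a shared machine, run the file check once per directory under C:\Users\*\AppData\Local instead of $env:LOCALAPPDATA; the MPK1 protocol header mentioned in the text must be checked in network captures, not from the host.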

As the cybersecurity landscape continues to evolve, the emergence of such sophisticated tactics highlights the importance of constant vigilance and updated defense mechanisms to protect against potential threats.
