Cisco Talos has uncovered a new remote access trojan (RAT) family we are calling “MoonPeak.” This a XenoRAT-based malware, which is under active development by a North Korean nexus cluster we are calling “UAT-5394.” Our analysis of infrastructure used in the campaign reveals additional links to the UAT-5394 infrastructure and new tactics, techniques and procedures (TTPs) of the threat actor.
In a recent report, AhnLab disclosed a spear-phishing campaign employing the use of an early variant of XenoRAT, an open-source RAT family, which evolved into what we track as “MoonPeak.”
This cluster of activity has some overlaps in TTPs and infrastructure patterns with the North Korean state-sponsored group “Kimsuky,” however, we do not have substantial technical evidence to link this campaign with the APT.
Since Kimsuky has been rapidly evolving and upgrading their infrastructure and tooling since 2024, the development and usage of a new RAT in this specific campaign raises two possibilities we must consider:
Either UAT-5394 is actually Kimsu ..Support the originator by clicking the read the rest link below.