Open-Source XenoRAT Variant Distributed by North Korean Threat Actors

Published on August 22, 2024
Written by:
Lore Apostol
Cybersecurity & Streaming Writer

A variant of XenoRAT, an open-source remote access trojan (RAT), is being actively developed by a cluster of threat actors tracked as UAT-5394, which Cisco Talos security researchers believe to be a state-sponsored North Korean group. Talos named the variant “MoonPeak.”

The MoonPeak samples show that XenoRAT continued to evolve after the threat actors forked it. The variant includes obfuscation, persistence, monitoring and detection-evasion capabilities, and can even uninstall itself.

This cluster of activity, which evolved rapidly throughout 2024, overlaps in tactics, techniques and procedures (TTPs) and in infrastructure patterns with the North Korean state-sponsored group Kimsuky.

Security researchers believe UAT-5394 may actually be Kimsuky (or a sub-group of it) using MoonPeak in place of its older QuasarRAT implants, or another North Korean APT that has borrowed Kimsuky’s TTPs and infrastructure patterns.

[Figure: Cisco Talos diagram of MoonPeak propagation. Image source: Cisco Talos]

The analysis indicates that the threat actors set up new infrastructure and modified existing servers, operating both command and control (C2) servers and staging servers, and used virtual machines to test their implants.

Researchers discovered several instances of two virtual machines, hosted on public IP addresses, that reached out to various MoonPeak C2 servers over the ports configured in the malware.

In several cases, the attackers accessed existing servers to update their payloads and to retrieve logs and information that MoonPeak had collected. The threat actors also used VPN nodes to access their infrastructure.

An early variant of XenoRAT was observed by AhnLab in a spear-phishing campaign in June, which shows that the open-source RAT family remains in active use among threat actors. After that report, UAT-5394 hosted its malicious payloads on attacker-controlled systems and servers instead of on legitimate cloud storage providers.
