Malware Alert: Kong RAT Targets Chinese Developers via Fake Software Downloads


A newly uncovered malware campaign is targeting Chinese-speaking developers and IT professionals. The attackers stand up fake download pages for widely used administration tools, including FinalShell and Xshell, and use them to distribute a remote access trojan tracked as Kong RAT. The operation is a reminder that the act of downloading a trusted tool is itself an attack surface, and that developers and IT staff need to treat it that way.

The campaign, which appears to have been active from at least May 2025 through March 2026, relies on SEO poisoning: the attackers manipulate search rankings so that their malicious sites land near the top of results for the tool's name, where a high position lends them a false sense of legitimacy. The lure set was not limited to FinalShell and Xshell; fake sites for QuickQ VPN and Clash were built as part of a broader ecosystem designed to capture as many victims as possible.

Victims searching for the legitimate software were steered to convincing imitation domains such as finalshell-ssh.com and xshell-cn.com. These sites carried Chinese-language branding and screenshots that mirrored the real tools, increasing the likelihood of a successful infection. Tellingly, the download buttons for the Windows and Mac versions sometimes pointed at the same installer, which shows that the goal was infection rather than a faithful imitation of the product.

Once executed, the first-stage payload turns out to be a .NET 10 NativeAOT build. NativeAOT compiles the program ahead of time to native machine code rather than to the usual .NET intermediate language (IL), so there is no IL for decompilers such as ILSpy or dnSpy to recover C# from; analysts have to treat the sample as an ordinary native binary, which makes reverse-engineering considerably slower.

Kong RAT itself is a full-featured implant. It supports keylogging, remote command execution, file download and execution, plugin loading, session recovery, and command-and-control (C2) migration, all over a custom TCP protocol that uses an MPK1 header and LZ4 compression. The malware checks for installed security products and profiles messaging apps including WeChat, QQ, WeCom, Telegram, and WhatsApp. It also queries a legitimate LeTV CDN endpoint to learn the victim's public IP address and geographical location, a lookup that looks like ordinary CDN traffic and will not appear on any indicator blocklist.
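The one network-level detail the report gives is that the C2 protocol opens each message with an MPK1 header. The following is an added example, not code from the article or from eSentire's research: it reassembles captured TCP segments per flow and flags client-to-server streams that begin with the ASCII bytes MPK1. It assumes those four bytes lead each message (the frame layout beyond them is not described, so nothing past the magic is parsed), and the sample segments are constructed for illustration.

```python
# Added example: flag TCP flows whose reassembled stream starts with the
# "MPK1" magic. ASSUMPTION: the magic is the first thing on the wire for each
# message; frame fields after it are unknown and deliberately not parsed.
from collections import defaultdict

MAGIC = b"MPK1"


def reassemble(segments):
    """Group TCP segments by (src, sport, dst, dport) and join payloads in
    sequence-number order, so out-of-order capture does not hide the magic."""
    flows = defaultdict(list)
    for s in segments:
        key = (s["src"], s["sport"], s["dst"], s["dport"])
        flows[key].append((s["seq"], s["payload"]))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in flows.items()}


def mpk1_hits(streams):
    """Return {flow: [offsets]} for streams that START with the magic.
    Offsets of every later occurrence are kept too: several hits in one
    stream suggest a sequence of framed messages rather than chance bytes."""
    hits = {}
    for key, data in streams.items():
        if data.startswith(MAGIC):
            offsets, i = [], 0
            while (i := data.find(MAGIC, i)) != -1:
                offsets.append(i)
                i += len(MAGIC)
            hits[key] = offsets
    return hits


def scan(segments):
    return mpk1_hits(reassemble(segments))


# Constructed sample traffic (not real telemetry): one flow carrying two MPK1
# frames split across out-of-order segments, one plain HTTP request, and one
# TLS-looking flow where "MPK1" only appears mid-stream (not flagged, to keep
# the check conservative).
SAMPLE_SEGMENTS = [
    {"src": "10.0.0.5", "sport": 50123, "dst": "203.0.113.10", "dport": 8080,
     "seq": 1004, "payload": b"\x00\x10" + bytes(16) + MAGIC + b"\x00\x08" + bytes(8)},
    {"src": "10.0.0.5", "sport": 50123, "dst": "203.0.113.10", "dport": 8080,
     "seq": 1000, "payload": MAGIC},
    {"src": "10.0.0.5", "sport": 50124, "dst": "198.51.100.7", "dport": 80,
     "seq": 1, "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"src": "10.0.0.6", "sport": 50200, "dst": "198.51.100.9", "dport": 443,
     "seq": 1, "payload": b"\x16\x03\x01MPK1junk"},
]

if __name__ == "__main__":
    for flow, offsets in scan(SAMPLE_SEGMENTS).items():
        print("MPK1 stream", flow, "frame offsets", offsets)
```

Feed it the client-to-server direction only; the server side may answer with a different framing, and flagging on the first four bytes of the stream rather than anywhere in it keeps the rule from matching the string inside unrelated file transfers.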

Research by eSentire found that primary communications were routed through Alibaba Cloud in Hong Kong, with the C2 server also located in the region. This matches the campaign's regional focus and is consistent with a single, organized operator behind the infrastructure.

The significance of this campaign lies in what it targets: the ordinary, everyday act of a developer or IT worker downloading a trusted administration tool. It is a stark reminder that a high search engine ranking says nothing about safety, especially when attackers are willing to invest in polished fake sites, signed binaries, and malware concealed inside media or XML files.

Indicators of Compromise

Indicator            Type     Description
finalshell-ssh.com   Domain   Fake FinalShell download site
xshell-cn.com        Domain   Fake Xshell download site
quickq-cn.com        Domain   Fake QuickQ VPN download site
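The three domains above are the only indicators the page gives, so the natural first check is a retrospective hunt through DNS and proxy logs. The script below is an added example, not part of the article: it matches the apex domains and any subdomain of them (but not look-alike names that merely contain the string) against DNS query lines and web-proxy lines. The BIND-style and Squid-style log layouts it parses, and the sample lines themselves, are constructed for illustration and may differ from a given resolver's or proxy's exact format.

```python
# Added example: hunt DNS and proxy logs for the Kong RAT lure domains.
# Log formats (BIND query log, Squid access log) are ASSUMED layouts and the
# sample lines are constructed, not real telemetry.
import re
from urllib.parse import urlsplit

IOC_DOMAINS = {
    "finalshell-ssh.com": "Fake FinalShell download site",
    "xshell-cn.com": "Fake Xshell download site",
    "quickq-cn.com": "Fake QuickQ VPN download site",
}


def matches_ioc(host):
    """Return the matching indicator for host, or None. Whole-label matching:
    'dl.xshell-cn.com' is a hit, 'notxshell-cn.com' is not."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# BIND-style: "client 10.0.0.5#53211 (name): query: name IN A + (10.0.0.2)"
DNS_QUERY = re.compile(r"client (?P<ip>[\d.]+)#\d+.*?: query: (?P<qname>\S+) IN")
# Squid-style: "time elapsed client code/status bytes method url ..."
PROXY_LINE = re.compile(
    r"^\S+\s+\d+\s+(?P<ip>[\d.]+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def extract_host(line):
    """Pull (client_ip, hostname) out of a DNS query line or a proxy line."""
    m = DNS_QUERY.search(line)
    if m:
        return m.group("ip"), m.group("qname")
    m = PROXY_LINE.match(line)
    if m:
        url = m.group("url")
        # CONNECT lines carry "host:port" with no scheme; urlsplit needs "//".
        host = urlsplit(url if "://" in url else "//" + url).hostname
        if host:
            return m.group("ip"), host
    return None


def hunt(lines):
    """Return (client_ip, host, indicator, description) for every hit."""
    hits = []
    for line in lines:
        found = extract_host(line)
        if not found:
            continue
        ip, host = found
        ioc = matches_ioc(host)
        if ioc:
            hits.append((ip, host, ioc, IOC_DOMAINS[ioc]))
    return hits


# Constructed sample log lines.
SAMPLE_LOGS = [
    "12-Mar-2026 09:14:02.113 client 10.0.0.5#53211 (finalshell-ssh.com): query: finalshell-ssh.com IN A + (10.0.0.2)",
    "12-Mar-2026 09:14:05.870 client 10.0.0.5#53212 (dl.xshell-cn.com): query: dl.xshell-cn.com IN A + (10.0.0.2)",
    "12-Mar-2026 09:14:07.002 client 10.0.0.9#53300 (notxshell-cn.com): query: notxshell-cn.com IN A + (10.0.0.2)",
    "1773306845.123    412 10.0.0.5 TCP_MISS/200 4096 GET https://quickq-cn.com/download/setup.exe - HIER_DIRECT/203.0.113.10 application/octet-stream",
    "1773306850.001     88 10.0.0.7 TCP_MISS/200 512 CONNECT downloads.example.com:443 - HIER_DIRECT/198.51.100.4 -",
]

if __name__ == "__main__":
    for ip, host, ioc, desc in hunt(SAMPLE_LOGS):
        print(f"{ip} contacted {host} ({desc})")
```

A hit on the proxy line for a .exe is worth more than a bare DNS resolution, since it shows the installer was actually fetched; triage those hosts first and pull the downloaded file's hash for the endpoint side of the investigation.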

What Undercode Says:

This campaign fits a growing pattern of attacks on the software-acquisition step itself: not a compromised vendor, but trojanized downloads served from look-alike sites for commonly trusted tools, which sidesteps the caution IT professionals normally apply to unknown software. SEO poisoning is particularly insidious because it exploits the natural trust placed in search results, so even careful users are exposed.

Kong RAT's feature set indicates that the attackers are after prolonged, stealthy access rather than a one-off foothold. Its profiling of several messaging apps suggests a goal of harvesting both personal and professional communications, which could give the operators deep insight into corporate networks and private interactions. The malware is less a single weapon than a general-purpose intelligence-gathering platform.

The choice of .NET 10 NativeAOT for the first stage is deliberate. Compiling to native machine code removes the IL that .NET decompilers depend on, which raises the bar for static analysis and slows down the production of signatures; it does not by itself defeat behavioural detection, but it buys the operators time. Combined with signed binaries and realistic web pages, the campaign shows how attackers blend social engineering with technical tradecraft for maximum effect.

The Hong Kong Alibaba Cloud infrastructure lines up with the regional targeting and suggests the operators placed their servers close to their victims, whether to keep latency low or simply to blend in with local traffic. On its own this does not settle whether the motive is political or financial.

Developers downloading tools from the internet must remain vigilant, particularly with administration software that, once installed, has broad access to systems and credentials. The campaign also highlights the need for organisations to enforce concrete controls: verify the download source against the vendor's own domain and published hashes, deploy endpoint protection, and educate staff about phishing and fake software pages.
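As an added example of what "verifying download sources" can look like in practice (this is not code from the article or from any vendor), the gate below applies three checks that the fake sites described above would fail: the URL host must belong to the vendor's official domain, the file's SHA-256 must match the value the vendor publishes, and a download offered as the Mac build must not be a Windows PE. The official-domain allowlist uses placeholder names and is an assumption, not the vendors' real domains; the "published" hash is computed here from constructed sample bytes and stands in for the value you would copy from the vendor's site. Note that a valid code signature alone is not sufficient, since the campaign used signed binaries.

```python
# Added example: a pre-install gate for downloaded admin tooling.
# ASSUMPTIONS: OFFICIAL_DOMAINS are placeholders, and GOOD_HASH stands in for
# the hash the vendor publishes; both are constructed for this example.
import hashlib
from urllib.parse import urlsplit

OFFICIAL_DOMAINS = {
    "FinalShell": {"finalshell.example"},   # placeholder, not the real domain
    "Xshell": {"xshell.example"},           # placeholder, not the real domain
}


def host_is_official(product, url):
    """True if the URL's host is the vendor's domain or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d)
               for d in OFFICIAL_DOMAINS.get(product, ()))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data):
    """Windows executables start with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def verify_download(product, platform, url, data, published_sha256):
    """Return (ok, reasons). Every check must pass for ok to be True."""
    reasons = []
    if not host_is_official(product, url):
        reasons.append(f"host {urlsplit(url).hostname!r} is not an official {product} domain")
    actual = sha256_hex(data)
    if actual != published_sha256.lower():
        reasons.append(f"sha256 mismatch: got {actual[:16]}..., expected {published_sha256[:16]}...")
    if platform == "mac" and looks_like_pe(data):
        reasons.append("file offered as the Mac build is a Windows PE")
    return (not reasons, reasons)


# Constructed sample inputs.
GOOD_INSTALLER = b"MZ" + b"\x00" * 62 + b"constructed-good-installer"
GOOD_HASH = sha256_hex(GOOD_INSTALLER)   # stands in for the vendor-published hash
TAMPERED = GOOD_INSTALLER + b"\x90"      # one extra byte: hash no longer matches

if __name__ == "__main__":
    for args in [
        ("FinalShell", "windows", "https://finalshell.example/dl/setup.exe", GOOD_INSTALLER, GOOD_HASH),
        ("FinalShell", "mac", "https://finalshell-ssh.com/dl/setup.exe", TAMPERED, GOOD_HASH),
    ]:
        ok, why = verify_download(*args)
        print("OK" if ok else "BLOCK", args[2], why)
```

Run the gate before the installer is executed, not after; the hash should come from the vendor's page fetched over a separate, known-good path, never from the same page that served the download, since a fake site will happily publish a matching hash for its own malware.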

Beyond the immediate threat, campaigns like this carry a strategic lesson. Organisations must assume attackers will exploit trust in legitimate software, so defences cannot rest on known signatures alone. A layered posture that combines network monitoring, behavioural analysis, and threat intelligence is needed to catch threats like Kong RAT.

Finally, the cluster of fake software sites shows the attackers were willing to invest in extensive infrastructure for a long-running operation rather than a one-off attack. Malware campaigns of this kind are run as sustained operations with several parallel lures, not as isolated incidents.

Fact Checker Results:

Campaign duration: May 2025 to March 2026, per the eSentire research cited above.

Malware type: Remote Access Trojan (Kong RAT) with advanced capabilities.

Targeted audience: Chinese-speaking developers and IT professionals seeking legitimate software.

Prediction:

Given the sophistication and regional targeting observed in this campaign, similar operations are likely to expand globally, targeting developers of other popular software in different languages. SEO poisoning will remain a common vector, and attackers may increasingly use multi-stage payloads compiled with advanced frameworks like .NET NativeAOT. Organizations that do not adopt proactive threat intelligence and verification processes risk repeated breaches, making early detection and layered defenses critical to preventing the spread of malware like Kong RAT.


References:

Reported By: cyberpress.org