Mallory
Malware, used by 1 actor

EndRAT

EndRAT, also referred to as EndClient RAT, is a remote access trojan that the cited reporting associates with the North Korean Konni APT. It was observed in Konni’s "Operation Poseidon" spear-phishing campaign, which used malicious links disguised as Google and Naver advertising URLs, ad-click redirection through domains such as ad.doubleclick[.]net, and compromised WordPress sites for malware distribution and command-and-control. The lures impersonated North Korean human rights organizations and South Korean financial institutions, including financial notices such as transaction confirmations and wire transfer requests, to induce victims to download ZIP archives. Those archives contained an LNK file that executed an AutoIt script disguised as a PDF, which in turn loaded EndRAT. The stated objective of the infection chain was exfiltration of sensitive information. The reporting ties the malware to South Korea-focused targeting and, more broadly, to Konni activity. A developer build-path artifact was reportedly found in the malware, D:\3_Attack Weapon\Autoit\Build_Poseidon – Attack\client3.3.14.a3x, which researchers used as a clue when naming the campaign. High-confidence indicators and artifacts stated directly in the reporting include the alias "EndClient RAT", delivery via an AutoIt script masquerading as a PDF, ZIP/LNK-based delivery, use of compromised WordPress infrastructure, and ad-redirection abuse involving ad.doubleclick[.]net.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Kimsuky

After the spear-phishing attack succeeded, the victim executed a malicious LNK file, resulting in infection with remote access malware.

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1584.006 Web Services (evidence: 1)

"Poorly secured WordPress websites were abused as malware distribution points and C2 infrastructure"

Initial Access

1 technique
T1566.001 Spearphishing Attachment (evidence: 1)

"victim still receives a RAR archive as an attachment"; "phishing emails ... luring victims into downloading a malicious archive"; "A spear phishing campaign disguised as advertising URLs"; "targeting Afghan government employees"

Execution

1 technique
T1059.010 AutoHotKey & AutoIT (evidence: 1)

"The EndRAT malware was loaded through the execution of an AutoIt script masquerading as a PDF file"

Stealth

1 technique
T1036 Masquerading (evidence: 1)

"AutoIt script masquerading as a PDF file"; "malicious browser extension called NexShield that impersonates ... uBlock Origin Lite"; "fake Electron applications disguised as legitimate tools"
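As an added defensive example (not code from this page, from Mallory, or from the cited researchers), the Python below applies two signals the page states, an AutoIt interpreter executing a script whose name masquerades as a PDF and the reported Build_Poseidon build-path string, to constructed Sysmon-style process events and a constructed byte blob. The double-extension check is an assumption about how the PDF disguise shows up on disk; the event field names and sample paths are also constructed.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\victim\AppData\Local\Temp\AutoIt3.exe",
     "CommandLine": r'AutoIt3.exe "C:\Users\victim\Downloads\transfer_confirmation.pdf.a3x"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\AutoIt3\AutoIt3.exe",
     "CommandLine": r'"C:\Program Files\AutoIt3\AutoIt3.exe" C:\build\tool.au3'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "CommandLine": r"Acrobat.exe C:\Users\victim\Downloads\invoice.pdf"},
]

# Compiled (.a3x) and source (.au3) AutoIt script extensions.
AUTOIT_SCRIPT_EXT = (".a3x", ".au3")
# Substring of the build path quoted in the reporting; the full path is not
# needed to match, and the en-dash in the original is avoided on purpose.
BUILD_PATH_ARTIFACT = b"Build_Poseidon"


def _split_args(command_line):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', command_line)]


def is_pdf_masquerading_autoit(event):
    """True when the AutoIt interpreter runs a script whose name claims to be a PDF.

    Assumption: the disguise appears as a double extension such as
    'name.pdf.a3x'; an icon-only disguise would need a different check.
    """
    if not event["Image"].lower().endswith("autoit3.exe"):
        return False
    for arg in _split_args(event["CommandLine"]):
        path = arg.lower()
        if path.endswith(AUTOIT_SCRIPT_EXT) and ".pdf" in path:
            return True
    return False


def triage(events):
    """Return the command lines of events matching the masquerade check."""
    return [e["CommandLine"] for e in events if is_pdf_masquerading_autoit(e)]


def has_build_path_artifact(blob):
    """Check a sample's raw bytes for the reported developer build-path string."""
    return BUILD_PATH_ARTIFACT in blob
```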

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (4)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.