The EndClient RAT, a Remote Access Trojan, is targeting human rights defenders in South Korea and beyond, utilizing a stolen code-signing certificate to evade detection. First identified on 2025-11-06 through a collaboration with PSCORE, the malware mimics legitimate applications, bypassing Windows defenses.
Code-signing and Delivery
The RAT is delivered via a Microsoft Installer (MSI) named 'StressClear.msi', using a stolen certificate from Chengdu Huifenghe Science and Technology Co Ltd. The legitimate guise allows it to avoid SmartScreen alerts. Additionally, it bundles a genuine module from WIZVERA VeraPort's Delphino to mislead users.
Functionality and Evasion Tactics
Upon execution, the malware drops an AutoIt-based payload. It maintains persistence by registering a scheduled task on the user's system. The RAT uses a global mutex to prevent re-execution and initiates polymorphic changes if Avast antivirus is detected. It is designed to exchange data with a command-and-control server, offering functionality such as a remote shell and file management.
Defensive Recommendations
Given its stealth, cybersecurity experts suggest blocking known indicators of compromise (IOCs) and scrutinizing 'StressClear.msi' files, along with monitoring any related scheduled tasks and mutex usage. This incident stresses the importance of joint efforts between civic and tech communities for enhanced security measures against complex threats.
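A defender-side triage script for the recommendations above, added here as an example and not code from the original report. It assumes the certificate subject contains the signer name given in the text (the exact subject DN is not on the page), and the MSI path and the seven-day lookback are placeholders.

```powershell
# Added example (not from the original report): check an MSI's Authenticode
# signature and list recently registered scheduled tasks, per the recommendations above.
param(
    [string]$MsiPath = "C:\Users\Public\Downloads\StressClear.msi",  # placeholder path
    [int]$LookbackDays = 7                                           # placeholder window
)

# Signer named in the report; substring match because the full subject DN is unknown.
$SuspectSigner = "Chengdu Huifenghe"

# 1. Inspect the MSI signature. A 'Valid' status is not a clean bill of health:
#    a stolen certificate passes SmartScreen, so the signer subject is what matters.
if (Test-Path $MsiPath) {
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    $cert = $sig.SignerCertificate
    $subject = if ($cert) { $cert.Subject } else { "<unsigned>" }
    [PSCustomObject]@{
        File       = $MsiPath
        Status     = $sig.Status
        Signer     = $subject
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Suspect    = $subject -like "*$SuspectSigner*"
    } | Format-List
} else {
    Write-Warning "MSI not found: $MsiPath"
}

# 2. Enumerate scheduled tasks registered within the lookback window, since the RAT
#    persists through a scheduled task in the user's context. Review first any task
#    whose action executes from a user-writable directory.
$cutoff = (Get-Date).AddDays(-$LookbackDays)
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $xml = [xml](Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath)
    $created = $xml.Task.RegistrationInfo.Date   # may be absent for some tasks
    if ($created -and ([datetime]$created) -ge $cutoff) {
        [PSCustomObject]@{
            Task    = "$($task.TaskPath)$($task.TaskName)"
            Created = $created
            RunAs   = $task.Principal.UserId
            Action  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join "; "
        }
    }
} | Sort-Object Created -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that tasks registered under other users are visible; mutex checks need a handle-enumeration tool and are outside this script.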