KEYMARBLE Remote Access Trojan

This application is a malicious 32-bit Windows executable file, which functions as a RAT. When executed, it de-obfuscates its application programming interfaces (APIs) and, using port 443, attempts to connect to the hard-coded IP addresses listed below. After connecting, the malware waits for further instructions.

During communication with the Command & Control server, the malware uses an XOR cryptographic algorithm to secure the channel over which it receives its instructions.

This Trojan is capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screenshots, and exfiltrating data.

It is distributed as a malicious 32-bit Windows executable file that acts as a RAT to infiltrate and access the target network.

The Trojan has been categorised alongside a whole family of malware attributed to North Korea by the US government under the Hidden Cobra name.

IP Addresses

100.43.153.60 – Domain Name: KRYPT.COM
104.194.160.59 – Domain Name: SERVPAC.COM
212.143.21.43 – IP located in Israel
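
As an added example (not part of the original post), the sketch below hunts firewall logs for hosts contacting the addresses above on port 443, counting denied attempts too, since a blocked connection still points to an infected machine. The log layout (time, source, destination, port, action), the internal addresses and the timestamps are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# C2 addresses and port as listed on this page.
C2_ADDRS = {ipaddress.ip_address(a) for a in
            ("100.43.153.60", "104.194.160.59", "212.143.21.43")}
C2_PORT = 443

# Constructed sample log; the "time src dst dport action" layout is an assumption.
SAMPLE_LOG = """\
2018-08-10T09:00:01Z 10.0.5.23 100.43.153.60 443 DENY
2018-08-10T09:00:04Z 10.0.5.23 104.194.160.59 443 DENY
2018-08-10T09:00:09Z 10.0.5.23 212.143.21.43 443 ALLOW
2018-08-10T09:01:00Z 10.0.7.40 203.0.113.10 443 ALLOW
2018-08-10T09:02:00Z 10.0.7.40 100.43.153.60 80 ALLOW
2018-08-10T09:03:00Z 10.0.9.11 ::ffff:104.194.160.59 443 ALLOW
truncated line
"""

def normalise(addr):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    return getattr(ip, "ipv4_mapped", None) or ip

def hunt(log_text):
    """Return {source host: summary} for connections to the listed C2 addresses."""
    hits = defaultdict(lambda: {"dests": set(), "count": 0, "allowed": 0,
                                "first": None, "last": None})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records rather than abort the hunt
        ts, src, dst, dport, action = fields
        try:
            dst_ip = normalise(dst)
        except ValueError:
            continue
        # Match only the behaviour the page describes: listed address, port 443.
        if dst_ip not in C2_ADDRS or dport != str(C2_PORT):
            continue
        h = hits[src]
        h["dests"].add(str(dst_ip))
        h["count"] += 1
        h["allowed"] += action == "ALLOW"  # denied attempts still mark the host
        h["first"] = min(h["first"] or ts, ts)  # ISO-8601 strings sort by time
        h["last"] = max(h["last"] or ts, ts)
    return dict(hits)

if __name__ == "__main__":
    for host, h in sorted(hunt(SAMPLE_LOG).items()):
        print(host, h["count"], h["allowed"], sorted(h["dests"]), h["first"], h["last"])
```

A host that cycles through several of the listed addresses, as 10.0.5.23 does in the sample, fits the connect-and-wait behaviour described above and is the first candidate for isolation and imaging.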



Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
