
Woodgnat, JINX-0164 & Kimsuky: Multi-Front RAT Offensive (Mistic, AUDIOFIX, KimJongRAT)

Security Arsenal Team
June 28, 2026
5 min read

Excerpt: OTX Pulse Analysis: Woodgnat, JINX-0164, and Kimsuky deploy Mistic, AUDIOFIX, and KimJongRAT via sideloading, supply chain, and GitHub abuse. Critical.

Threat Summary

Recent OTX pulses reveal a convergence of sophisticated access brokers and nation-state actors targeting varied verticals. Woodgnat is actively peddling access to ransomware affiliates using the new Mistic backdoor and ModeloRAT, utilizing sideloading to evade defenses. Simultaneously, JINX-0164 has emerged as a distinct threat to the cryptocurrency sector, employing LinkedIn social engineering to deliver the AUDIOFIX Python RAT and MINIRAT, specifically targeting software development infrastructure. In parallel, the North Korean APT Kimsuky continues to evolve KimJongRAT, leveraging GitHub (LOTS) to distribute payloads. Collectively, these campaigns highlight a shift toward abusing trusted developer platforms and communication tools for initial access.

Threat Actor / Malware Profile

Woodgnat (Ransomware Access Broker)

  • Malware: Backdoor.Mistic, ModeloRAT, MintsLoader.
  • Distribution: Sideloading technique (DLL side-loading); social engineering.
  • Behavior: Establishes persistence and exfiltrates credentials. Linked to Qilin, Black Basta.
  • C2: Uses diverse domain generation (e.g., authorized-logins.net).

JINX-0164

  • Malware: AUDIOFIX (Python Infostealer/RAT), MINIRAT (Go Backdoor).
  • Distribution: LinkedIn phishing posing as recruiters; Supply chain compromise (npm packages); Fake "driver-updater" domains.
  • Behavior: Targeted theft of cryptocurrency keys and developer secrets.
  • C2: Spoofed domains (teamicrosoft.com, driver-updater.net).

Kimsuky (APT37)

  • Malware: KimJongRAT, MeshAgent.
  • Distribution: Phishing emails with shortened URLs pointing to GitHub Releases (LOTS).
  • Behavior: Espionage; remote control via C2 infrastructure (servequake.com).

IOC Analysis

The indicators provided span multiple vectors:

  • Network IOCs: Domains like grande-luna.top and driver-updater.net serve as C2 or phishing landing pages. Hostnames spoofing Microsoft Teams (teams.live.us.org) indicate identity deception.
  • File Hashes: Several SHA256 hashes correspond to loaders and RAT payloads (Python scripts, Go binaries).
  • URLs: GitHub releases and raw script execution (install.sh) indicate a reliance on web-based delivery.
  • Operationalization: SOC teams should import these hashes into the EDR's custom indicator (block) list so matching files are quarantined on sight, and block the listed domains at the perimeter. The spoofed hostnames require immediate TLS inspection or DNS sinkholing.

Detection Engineering

Sigma Rules

YAML
title: Potential Sideloading via Signed Binary Execution
id: 62a7e8a0-9c1a-4521-9b8a-3c5e9f1a2b3d
status: experimental
description: Detects potential sideloading technique where a signed binary loads a DLL from the current directory or an unusual path, associated with Woodgnat Mistic/ModeloRAT campaigns.
author: Security Arsenal
date: 2026/06/28
tags:
    - attack.defense_evasion
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\\jusched.exe'
            - '\\gpedit.exe'
            - '\\mspaint.exe'
        ImageLoaded|contains:
            - '\\AppData\\Local\\'
            - '\\Downloads\\'
            - '\\Desktop\\'
    condition: selection
falsepositives:
    - Legitimate software installs
level: high
---
title: Suspicious PowerShell Download from GitHub
id: 71b8f9b1-0d2e-4632-a0c4-d5e6f0a3c4e5
status: experimental
description: Detects PowerShell downloading scripts or payloads from GitHub, a technique observed in Kimsuky campaigns leveraging LOTS.
author: Security Arsenal
date: 2026/06/28
tags:
    - attack.command_and_control
    - attack.t1102.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith:
            - '\\powershell.exe'
            - '\\pwsh.exe'
        DestinationHostname|contains: 'github.com'
    condition: selection
falsepositives:
    - Developers using PowerShell scripts from GitHub
level: medium
---
title: Connection to Typosquatting Microsoft/Crypto Services
id: 82c9a0c2-1e3f-5743-b1d5-e6f7a1b4d5f6
status: experimental
description: Detects network connections to domains typosquatting Microsoft Teams or driver updaters, associated with JINX-0164 phishing campaigns.
author: Security Arsenal
date: 2026/06/28
tags:
    - attack.initial_access
    - attack.t1566.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'teamicrosoft.com'
            - 'teams.live.us.org'
            - 'live.us.org'
            - 'driver-updater.net'
    condition: selection
falsepositives:
    - Unknown
level: critical
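
As an added example (not code from the Security Arsenal post), the following Python applies the selection logic of the three Sigma rules above to constructed Sysmon-style JSON event records, so the match semantics (suffix match on the host binary, substring match on paths and hostnames, case-insensitive as Sigma backends treat Windows fields) can be checked offline before the rules are deployed. Field names follow the Sysmon/Sigma conventions used in the rules; the sample events are constructed, not real telemetry.

```python
# Added example, not code from the Security Arsenal post: applies the selection
# logic of the three Sigma rules above to constructed Sysmon-style JSON events.
import json

SIDELOAD_HOSTS = ("\\jusched.exe", "\\gpedit.exe", "\\mspaint.exe")
USER_WRITABLE = ("\\appdata\\local\\", "\\downloads\\", "\\desktop\\")
TYPOSQUAT_DOMAINS = ("teamicrosoft.com", "teams.live.us.org", "live.us.org", "driver-updater.net")

def match_sideload(ev):
    """Rule 1: a known signed host binary loads a DLL from a user-writable path."""
    image, loaded = ev.get("Image", "").lower(), ev.get("ImageLoaded", "").lower()
    return image.endswith(SIDELOAD_HOSTS) and any(p in loaded for p in USER_WRITABLE)

def match_powershell_github(ev):
    """Rule 2: connection initiated by powershell.exe to github.com."""
    return (ev.get("Image", "").lower().endswith("\\powershell.exe")
            and "github.com" in ev.get("DestinationHostname", "").lower())

def match_typosquat(ev):
    """Rule 3: connection to any of the JINX-0164 spoofed hostnames."""
    host = ev.get("DestinationHostname", "").lower()
    return any(d in host for d in TYPOSQUAT_DOMAINS)

# (rule name, Sigma logsource category, selection function)
RULES = [("sideload", "image_load", match_sideload), ("ps_github", "network_connection", match_powershell_github),
         ("typosquat", "network_connection", match_typosquat)]

def evaluate(lines):
    """Return [(rule_name, event)] per triggered rule; the logsource category is checked first, as a backend would."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        for name, category, fn in RULES:
            if ev.get("category") == category and fn(ev):
                hits.append((name, ev))
    return hits

# Constructed sample events (not real telemetry); JSON doubles each path backslash.
SAMPLE_EVENTS = [
    '{"category":"image_load","Image":"C:\\\\Program Files\\\\Java\\\\jusched.exe","ImageLoaded":"C:\\\\Users\\\\bob\\\\Downloads\\\\version.dll"}',
    '{"category":"image_load","Image":"C:\\\\Windows\\\\System32\\\\mspaint.exe","ImageLoaded":"C:\\\\Windows\\\\System32\\\\gdi32.dll"}',
    '{"category":"network_connection","Image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","DestinationHostname":"github.com"}',
    '{"category":"network_connection","Image":"C:\\\\Program Files\\\\Teams\\\\Teams.exe","DestinationHostname":"teams.live.us.org"}',
    '{"category":"network_connection","Image":"C:\\\\Windows\\\\explorer.exe","DestinationHostname":"teams.microsoft.com"}',
]

if __name__ == "__main__":
    for name, ev in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {ev['Image']} -> {ev.get('DestinationHostname') or ev['ImageLoaded']}")
```

Only the first, third and fourth sample events fire; the benign mspaint.exe load from System32 and the legitimate teams.microsoft.com connection do not, which is the negative check worth keeping when the hostname list is extended.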

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for C2 connections and domain indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "authorized-logins.net", 
    "grande-luna.top", 
    "driver-updater.net", 
    "teamicrosoft.com", 
    "servequake.com",
    "corpsecs.com"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, ActionType
| order by Timestamp desc

// Hunt for File Hash IOCs (run as a separate query from the one above)
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in (
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17",
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470"
)
| project Timestamp, DeviceName, FolderPath, SHA256, InitiatingProcessAccountName

PowerShell Hunt Script

PowerShell
# IOC Hunter for Woodgnat, JINX-0164, and Kimsuky Campaigns
# Checks for specific file hashes and for established connections to the listed C2 addresses.
# Run elevated; a full-disk hash sweep is slow, so narrow -Path to user profiles where possible.

$TargetHashes = @(
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17",
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470"
)

# Interpreters the Python/npm-delivered payloads run under; a C2 connection owned by one is escalated
$SuspiciousProcesses = @("python", "node", "bash", "sh")

# Remote addresses treated as C2 infrastructure
$C2Addresses = @("104.200.67.46", "89.36.224.5")

Write-Host "Scanning for known malicious file hashes..."
# -File keeps directories out of Get-FileHash; size bounds skip empty files and large media
Get-ChildItem -Path "C:\" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0kb -and $_.Length -lt 10mb } |
    ForEach-Object {
        $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($hash -and $TargetHashes -contains $hash.Hash) {
            Write-Host "[ALERT] Malicious file found: $($_.FullName) | Hash: $($hash.Hash)" -ForegroundColor Red
        }
    }

Write-Host "`nChecking for processes connecting to C2 infrastructure..."
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $C2Addresses -contains $_.RemoteAddress } |
    Select-Object OwningProcess, RemoteAddress, RemotePort |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        # The owning process may have exited between the two queries
        $name = if ($proc) { $proc.ProcessName } else { "PID $($_.OwningProcess)" }
        $severity = if ($proc -and $SuspiciousProcesses -contains $proc.ProcessName) { "[CRITICAL]" } else { "[SUSPICIOUS]" }
        Write-Host "$severity Process $name connected to C2: $($_.RemoteAddress):$($_.RemotePort)" -ForegroundColor Yellow
    }

Response Priorities

  • Immediate:
    • Block all domains and hostnames listed in the IOCs at the firewall and proxy level.
    • Quarantine endpoints matching the provided file hashes.
  • 24h:
    • Audit active sessions for developers and finance staff (JINX-0164 targets).
    • Review GitHub repository logs for unauthorized access (Kimsuky LOTS).
    • Force password resets for accounts accessed from IPs associated with these campaigns.
  • 1 Week:
    • Implement strict allow-listing for software development tools (npm, pip) to prevent supply chain poisoning.
    • Conduct security awareness training focusing on LinkedIn recruitment scams and typosquatting.
