IOC - Multi-Stage SEO Poisoning Campaign Targets Chinese-Speaking Developers with Kong RAT
TLP: WHITE | Author: celestre | Created: 2026-04-20 | Modified: 2026-05-20 | 42 IOCs (medium volume)
In March 2026, eSentire's Threat Response Unit (TRU) detected a sophisticated multi-stage malware campaign targeting Chinese-speaking developers and IT professionals through search engine optimization (SEO) poisoning. Victims searching for popular Chinese developer tools, including the FinalShell SSH client, Xshell, QuickQ VPN, and the Clash proxy, were redirected to convincing lookalike domains that delivered trojanized installers. TRU is tracking this threat as Kong RAT, named for its consistent use of the string "Kong" in the registry keys and file paths the malware creates. The campaign's infrastructure consists of a network of spoofed Chinese software domains hosted on shared infrastructure, active from May 2025 through March 2026. Initial payloads were delivered via Alibaba Cloud Object Storage (Hong Kong region), and every stage used oss-cn-hongkong.aliyuncs[.]com for payload hosting and C2 telemetry.
Indicators of Compromise (42)