Cisco Talos has identified a new RAT family named "MoonPeak," a variant of the open-source XenoRAT malware. This RAT is currently being developed by the North Korean state-sponsored threat actor group UAT-5394.
UAT-5394 moved from relying on cloud services to setting up their own infrastructure.
Servers identified in this campaign include 95.164.86.148, which served as a MoonPeak C2 on port 9999, and 167.88.173.173, a server initially thought to be linked to the Gamaredon APT but later found to be under UAT-5394's control. This server was used to compile MoonPeak v2 malware and to connect to other C2s over ports 9966 and 8936.
Talos also uncovered multiple test VMs, including 45.87.153.79 and 45.95.11.52, used to validate MoonPeak infections.

MoonPeak RAT modifies the original XenoRAT source code by changing the client namespace from "xeno rat client" to "cmdline." This change prevents MoonPeak from connecting to out-of-the-box XenoRAT C2 servers and ensures that any unauthorized or rogue implants cannot connect to their custom MoonPeak servers.
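As an added example (not Talos code), the script below turns the infrastructure listed above into a small detection pass over outbound-connection log lines. The IP addresses and ports are the ones named in the report; the log line format, the sample records and the severity labels are assumptions chosen for the example. An exact IP:port match to a known C2 or build server scores "high", while any connection to one of the listed hosts (including the test VMs, for which no port is given) scores "medium".

```python
"""Match outbound-connection log records against the MoonPeak/UAT-5394
infrastructure listed in the Talos report. Example detection code, not Talos'
own tooling; log format and sample data are constructed for this example."""
from dataclasses import dataclass
import re

# Indicators taken from the report: (destination IP, destination port) -> label.
MOONPEAK_C2_ENDPOINTS = {
    ("95.164.86.148", 9999): "MoonPeak C2 (port 9999)",
    ("167.88.173.173", 9966): "UAT-5394 build server / C2 (port 9966)",
    ("167.88.173.173", 8936): "UAT-5394 build server / C2 (port 8936)",
}

# Hosts named in the report; the test VMs have no port associated with them,
# so any connection to them is worth a look even without a port match.
MOONPEAK_HOSTS = {
    "95.164.86.148": "MoonPeak C2",
    "167.88.173.173": "UAT-5394 build server / C2",
    "45.87.153.79": "UAT-5394 test VM",
    "45.95.11.52": "UAT-5394 test VM",
}

# Hypothetical log line format assumed for this example:
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s*$"
)


@dataclass
class Hit:
    line_no: int
    timestamp: str
    src: str
    dst: str
    dport: int
    severity: str  # "high" for IP:port match, "medium" for host-only match
    reason: str


def parse_line(line):
    """Return (ts, src, dst, dport) for a well-formed line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("dst"), int(m.group("dport"))


def classify(dst, dport):
    """Return (severity, reason) for a destination, or None if not an indicator."""
    label = MOONPEAK_C2_ENDPOINTS.get((dst, dport))
    if label is not None:
        return "high", label
    label = MOONPEAK_HOSTS.get(dst)
    if label is not None:
        return "medium", f"{label}, port {dport} not listed in report"
    return None


def scan_log(lines):
    """Scan an iterable of log lines; malformed lines are skipped, not fatal."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        verdict = classify(dst, dport)
        if verdict is not None:
            severity, reason = verdict
            hits.append(Hit(line_no, ts, src, dst, dport, severity, reason))
    return hits


# Constructed sample log: one C2 beacon, one benign connection (TEST-NET address),
# one connection to the build server, one to a test VM, and one malformed line.
SAMPLE_LOG = """\
2024-08-20T10:00:01Z 10.0.0.5:51234 -> 95.164.86.148:9999 tcp
2024-08-20T10:00:02Z 10.0.0.5:51235 -> 192.0.2.10:443 tcp
2024-08-20T10:00:03Z 10.0.0.7:51236 -> 167.88.173.173:8936 tcp
2024-08-20T10:00:04Z 10.0.0.9:51237 -> 45.95.11.52:443 tcp
this line is not a connection record
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {hit.line_no}: {hit.severity.upper()} {hit.src} -> "
              f"{hit.dst}:{hit.dport} ({hit.reason})")
```

The host-only tier matters because the report ties specific ports to only two of the four addresses; treating a connection to a test VM on an unlisted port as a lower-confidence hit avoids both dropping it and over-alerting on it.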