22 August 2024

New MoonPeak RAT linked to North Korean cyber espionage group


A new remote access trojan (RAT) named MoonPeak has been used as part of a malicious campaign attributed to a North Korean state-sponsored threat group.

The cyber campaign, discovered and analyzed by Cisco Talos, is linked to a cluster of activity tracked under the codename UAT-5394. The group is suspected to have tactical similarities with the well-known North Korean cyber espionage group Kimsuky.

MoonPeak, which is still under active development, is a variant of the open-source XenoRAT malware. This RAT was previously utilized in phishing campaigns where payloads were retrieved from cloud services such as Dropbox, Google Drive, and Microsoft OneDrive. Cisco Talos’ investigation revealed that MoonPeak, while retaining many features of XenoRAT, has undergone modifications that suggest the threat actors are evolving the code independently from its original open-source version.

The campaign linked to UAT-5394 has shown overlaps in tactics, techniques, and procedures (TTPs) with Kimsuky. However, due to the lack of substantial technical evidence, the researchers said they are treating UAT-5394 as a distinct entity for now. This cluster of activity might represent a new sub-group within the broader North Korean Advanced Persistent Threat (APT) apparatus or possibly an entirely separate group operating within the same framework.

Cisco Talos’ report notes the shift in UAT-5394’s operational strategy following the public disclosure by cybersecurity firm AhnLab. Initially, UAT-5394 relied on legitimate cloud storage providers to host its malicious payloads.

However, after June 2024, the group shifted to using its own infrastructure, including remote access and command-and-control (C2) servers, payload-hosting sites, and test virtual machines for implant testing. This move was likely intended to reduce the risk of its operations being disrupted by the shutdown of cloud-based services, the Cisco Talos team said.
