APT / THREAT GROUP

Kaolin RAT

3 aliases

Last seen: Mar 17, 2026

Intelligence Profile

Kaolin RAT is a complex modular RAT, with Release_TMain_x64.dll as its internal DLL name.

The malware provides standard backdoor functionality, including manipulation and listing of files and processes, exchanging the configuration, collecting the victim’s system info, opening a TCP connection, and executing local commands and collecting their outputs.

Also, it is designed to execute additional DLL payloads in memory via specific exported functions:

- _DoMyFunc
- _DoMyFunc2
- _DoMyThread
- _DoMyCommandWork

Functionally, Kaolin RAT relies on an accompanying trojanized curl library to handle network and exfiltration operations, by importing functions such as:

- SendDataFromURL
- ZipFolder
- UnzipStr
- curl wrappers

For C&C communication, it employs AES encryption and attempts to evade network detection by randomly selecting words from a hardcoded custom dictionary to populate POST request parameters. The malware's name is derived from one of these dictionary words ("kaolin").

The Kaolin RAT has been observed in Lazarus campaigns as a late-stage payload — typically following loaders like RollFling, RollSling, and RollMid — and serves also as a delivery vector for the FudModule rootkit with a 0-day exploit.
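The profile above names three kinds of artifact a defender can pivot on: the RAT's internal DLL name, the export names it resolves in plugin DLLs, and the non-curl helper exports of the trojanized curl library. The YARA rule below is an added example written for this page, not a rule published by CTIWATCH, Malpedia or the original Avast research; it assumes YARA with the `pe` module, and every name it matches is taken from the profile text. The rule name and the weighting in the condition are this author's choices.

```yara
import "pe"

rule Kaolin_RAT_components_from_profile
{
    meta:
        description = "Kaolin RAT core, plugin DLLs and trojanized curl helper (names from the CTIWATCH profile; added example rule)"
        family      = "Kaolin RAT"
        note        = "Triage rule: validate hits against samples before deploying to production detection"

    strings:
        // Internal DLL name of the RAT core (from the profile)
        $internal = "Release_TMain_x64.dll" ascii wide

        // Export names the RAT looks up in plugin DLLs it loads in memory.
        // In the RAT core these appear as plain strings (GetProcAddress-style lookups);
        // in a plugin DLL they appear in the export table, handled via pe.exports() below.
        $plugin1 = "_DoMyFunc" ascii fullword
        $plugin2 = "_DoMyFunc2" ascii fullword
        $plugin3 = "_DoMyThread" ascii fullword
        $plugin4 = "_DoMyCommandWork" ascii fullword

    condition:
        uint16(0) == 0x5A4D and
        (
            // RAT core: internal name, or at least two of the plugin export names as strings
            pe.dll_name == "Release_TMain_x64.dll" or
            $internal or
            2 of ($plugin*) or

            // Plugin DLL built for the RAT's in-memory loader: the names are real exports
            pe.exports("_DoMyFunc") or
            pe.exports("_DoMyFunc2") or
            pe.exports("_DoMyThread") or
            pe.exports("_DoMyCommandWork") or

            // Trojanized curl library: helper exports that a genuine libcurl does not have
            (
                pe.exports("SendDataFromURL") and
                pe.exports("ZipFolder") and
                pe.exports("UnzipStr")
            )
        )
}
```

The three branches are deliberately kept in one rule so a single scan of a suspect host flags the core, its plugins and its helper library together; split them into separate rules if you need per-component alerting. The weakest branch is the `2 of ($plugin*)` string match, since short identifiers like `_DoMyFunc` can occur in unrelated code, so treat that path as a triage signal rather than a conviction and confirm with the internal name, the export table, or the curl-helper branch.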

Threat Analysis

Kaolin RAT is a threat of undetermined national origin, engaged in cyber operations; its primary motivation and activity patterns are not characterized in this profile.

External References

Quick Facts

Type: APT / Threat Group
Aliases: 3

Also Known As

KaolinTeawin.kaolin_ratKaolin RAT

External Intelligence

Malpedia: win.kaolin_rat

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
Kaolin RAT — APT / Threat Group | Threat Intelligence | CTIWATCH.COM