MALWARE FAMILY

Kaolin RAT

Internal ID: win.kaolin_rat
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

Kaolin RAT is a complex modular RAT, with Release_TMain_x64.dll as its internal DLL name.

The malware provides standard backdoor functionality: listing and manipulating files and processes, exchanging its configuration, collecting the victim's system information, opening a TCP connection, and executing local commands and collecting their output.

It is also designed to execute additional DLL payloads in memory by calling specific exported functions:

- _DoMyFunc
- _DoMyFunc2
- _DoMyThread
- _DoMyCommandWork

Functionally, Kaolin RAT relies on an accompanying trojanized curl library to handle network and exfiltration operations, importing functions such as:

- SendDataFromURL
- ZipFolder
- UnzipStr
- curl wrappers

For C&C communication, it employs AES encryption and attempts to evade network detection by randomly selecting words from a hardcoded custom dictionary to populate POST request parameters. The malware's name is derived from one of these dictionary words ("kaolin").

Kaolin RAT has been observed in Lazarus campaigns as a late-stage payload, typically delivered after loaders such as RollFling, RollSling, and RollMid. It also serves as the delivery vector for the FudModule rootkit, which was deployed together with a 0-day exploit.

Threat Analysis

Kaolin RAT is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

Quick Facts

Type: Malware Family
Aliases: 1

Also Known As

win.kaolin_rat

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.