Kedi is a remote access trojan (RAT) discovered by security researchers at Sophos. The RAT is used to steal data, run additional malicious payloads, download and upload file backdoors, grab screenshots, log keystrokes, extract usernames, computer names, and domains, and contains anti-virtual machine and sandbox capabilities. The most unique feature, however, is the communication with its C2 server via Gmail. This communication technique allows it to evade security scanners as the traffic will appear benign. Kedi was first observed spreading via a targeted spearphishing campaign in early September 2017. The payload installed on the targets device as %Appdata% within an Adobe folder, masquerading as an Adobe file. The payload is accompanied by a .lck lock file and a folder where it saves screenshots. To their risk from this threat, users should refrain from clicking on links or opening files received via email from unknown sources.

Technical Details

  • Sophos provides technical analysis of the Kedi RAT, here.
Trojan VariantsNJCCICKedi