
Naikon RAT

Malware Dissection Playbook

Naikon RAT is a long-running espionage tool linked to the Naikon APT group, active since at least 2010 and widely tied to Chinese state interests. It has primarily targeted Southeast Asian governments, militaries, and diplomatic entities, focusing on intelligence collection and long-term persistence.


Typically delivered via spear-phishing with trojanized documents or fake utilities, Naikon RAT provides operators with file control, command execution, credential theft, and system reconnaissance. Its stealth tactics — custom loaders, fake update services, and infrastructure disguised as government or VPN domains — have enabled years-long footholds across the Philippines, Myanmar, Vietnam, and beyond.

 

In short, Naikon RAT is a strategic espionage platform built for sustained surveillance and exfiltration in one of the world’s most sensitive regions.

Analysis

Execution Chain

  1. Loader (intelup.exe) masquerades as an Intel updater.

  2. Loads the malicious RAT DLL (intelup.dll).

  3. RAT establishes persistence and beaconing.

  4. Supports command execution and file exfiltration.

Persistence

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IntelUpdate

Service install; HKLM\SYSTEM\CurrentControlSet\Services\naikonsvc

Evasion

  • Basic string obfuscation

  • Execution delays to evade sandbox analysis

  • Anti-debug checks (timing mismatches)

Networking

  • Government- and VPN-themed C2 domains (hxxp://secure-gov[.]org, hxxp://vpn-service[.]net)

  • Standard HTTP POST requests

  • Occasional direct-to-IP communication with no domain involved

IOCs and Artifacts

This collection highlights key artifacts and IOCs we consider most relevant for analysts developing detection rules or conducting research. For YARA rules, please refer to the community repository.

 

Note: We do not publish or accept file hashes unless they are used to illustrate a specific malware technique or reference research (either our own analysis or external sources). Our focus is on dynamic detection logic and deeper research, rather than relying solely on static indicators.

File Artifacts 

%APPDATA%\Intel\intelup.exe (Loader; %APPDATA% already expands to ...\AppData\Roaming, so the on-disk path is C:\Users\<user>\AppData\Roaming\Intel\intelup.exe)

%APPDATA%\Intel\intelup.dll (RAT DLL, same directory)

 

Registry Persistence

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IntelUpdate

Service install: HKLM\SYSTEM\CurrentControlSet\Services\naikonsvc

 

Domains 

hxxp://secure-gov[.]org

hxxp://vpn-service[.]net

 

IPs

hxxp://202.60.22[.]5

hxxp://182.163.89[.]102
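As an added example (not code from this playbook or from any of the vendors it cites), the Python below turns the artifacts from the Execution Chain, Persistence and Networking sections and the file, registry, domain and IP lists above into detection rules and runs them over a handful of constructed Sysmon-style events. The event field names, the rule names, the sample events and the benign noise records are assumptions made for illustration; the indicators themselves are the ones on this page. Two of the rules are behavioural rather than static: the loader-pulls-DLL-from-AppData check and the HTTP POST to a bare public IP, which is the "IP-only comms" pattern.

```python
# Added example, not code from the playbook or any vendor: Naikon RAT artifact
# detection over constructed Sysmon-style events. Field names, rule names and
# sample events are assumptions; the indicators are the ones listed on the page.
import ipaddress
import re
from typing import Dict, Iterable, List

# Indicators from the playbook (defanged in the text, refanged here).
C2_DOMAINS = {"secure-gov.org", "vpn-service.net"}
C2_IPS = {"202.60.22.5", "182.163.89.102"}
DROP_DIR_SUFFIX = r"\appdata\roaming\intel"      # expanded %APPDATA%\Intel
DROP_FILES = {"intelup.exe", "intelup.dll"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run\intelupdate"
SERVICE_KEY = r"hklm\system\currentcontrolset\services\naikonsvc"
SERVICE_NAME = "naikonsvc"

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _norm(path: str) -> str:
    """Case-fold and use backslashes so comparisons do not depend on sensor formatting."""
    return path.lower().replace("/", "\\")


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule a single event matches (possibly none)."""
    hits: List[str] = []
    kind = event.get("type")

    if kind == "file_create":
        directory, _, name = _norm(event["path"]).rpartition("\\")
        # Static path IOC: loader/DLL pair dropped under the user's roaming AppData.
        if directory.endswith(DROP_DIR_SUFFIX) and name in DROP_FILES:
            hits.append("naikon_loader_dropped")

    elif kind == "image_load":
        # Behavioural: intelup.exe loading intelup.dll (the loader -> RAT DLL step
        # of the execution chain) from a user-writable directory.
        image, loaded = _norm(event["image"]), _norm(event["image_loaded"])
        if (image.endswith(r"\intelup.exe") and loaded.endswith(r"\intelup.dll")
                and DROP_DIR_SUFFIX in loaded):
            hits.append("naikon_rat_dll_loaded")

    elif kind == "registry_set":
        key = _norm(event["key"])
        if key == RUN_KEY:
            hits.append("naikon_run_key")
        elif key == SERVICE_KEY or key.startswith(SERVICE_KEY + "\\"):
            hits.append("naikon_service_install")

    elif kind == "service_install":  # e.g. a System log 7045-style record
        if event.get("service_name", "").lower() == SERVICE_NAME:
            hits.append("naikon_service_install")

    elif kind == "network":
        host = event.get("host", "").lower()  # DNS name / Host header, "" if none
        dst = event.get("dst_ip", "")
        if host in C2_DOMAINS or dst in C2_IPS:
            hits.append("naikon_known_c2")
        # Behavioural: HTTP POST to a bare public IP ("IP-only comms").
        # Private/loopback targets are ignored because they are normal on most networks.
        target = host or dst
        if event.get("method") == "POST" and IPV4.match(target):
            try:
                if ipaddress.ip_address(target).is_global:
                    hits.append("http_post_to_bare_ip")
            except ValueError:
                pass
    return hits


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every event through the rules; one alert per (event, rule) pair."""
    alerts = []
    for ev in events:
        for rule in evaluate(ev):
            alerts.append({"rule": rule, "computer": ev.get("computer", "?"),
                           "event": ev.get("id", "?")})
    return alerts


def verdict(alerts: List[Dict[str, str]]) -> str:
    """Loader + persistence + beaconing together is the full chain from the playbook."""
    rules = {a["rule"] for a in alerts}
    loader = {"naikon_loader_dropped", "naikon_rat_dll_loaded"} & rules
    persistence = {"naikon_run_key", "naikon_service_install"} & rules
    beacon = {"naikon_known_c2", "http_post_to_bare_ip"} & rules
    if loader and persistence and beacon:
        return "confirmed"
    return "suspicious" if rules else "clean"


# Constructed sample telemetry: WS01 shows the full chain, WS02 is benign noise.
U = r"C:\Users\alice\AppData\Roaming\Intel"
SAMPLE_EVENTS = [
    {"id": "1", "type": "file_create", "computer": "WS01", "path": U + r"\intelup.exe"},
    {"id": "2", "type": "file_create", "computer": "WS01", "path": U + r"\intelup.dll"},
    {"id": "3", "type": "image_load", "computer": "WS01",
     "image": U + r"\intelup.exe", "image_loaded": U + r"\intelup.dll"},
    {"id": "4", "type": "registry_set", "computer": "WS01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IntelUpdate"},
    {"id": "5", "type": "service_install", "computer": "WS01", "service_name": "NaikonSvc"},
    {"id": "6", "type": "network", "computer": "WS01", "method": "POST",
     "host": "secure-gov.org", "dst_ip": "203.0.113.10"},
    {"id": "7", "type": "network", "computer": "WS01", "method": "POST",
     "host": "", "dst_ip": "182.163.89.102"},
    {"id": "8", "type": "file_create", "computer": "WS02",
     "path": r"C:\Program Files\Intel\intelup.exe"},   # same name, not the drop dir
    {"id": "9", "type": "network", "computer": "WS02", "method": "POST",
     "host": "", "dst_ip": "10.0.0.5"},                # internal POST, ignored
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("verdict:", verdict(found))
```

The domain and IP sets are the static part and should be expected to go stale as infrastructure rotates; the image-load and bare-IP POST rules, plus the Run key and service name, are the ones worth keeping in a detection pipeline once the listed infrastructure has been abandoned.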

 

References:

  • ESET WeLiveSecurity – Naikon returns: Stealthy espionage campaigns in SEA (2020).

  • NCC Group / Fox-IT – Comparisons between Naikon RAT and PlugX/ShadowPad infrastructure.

  • MITRE ATT&CK – Group profile for Naikon (APT30 overlap noted).

  • ASEAN-CERT – Espionage operations tied to Naikon in PH, MY, VN (2019–2021 advisories).

  • Check Point Research – Reports on Aria-body / AriaNg loaders, sometimes attributed to Naikon toolsets.

  • Bitdefender – Coverage of Naikon overlap with PlugX and other RATs in regional espionage.

  • Kaspersky Securelist – Naikon APT: Backdoors for Southeast Asian Espionage (2015 deep dive, links to RAT evolution).

  • ThreatConnect – Naikon APT Targeting Southeast Asian Nations (diplomatic and military focus).
 
