Protect What Matters
Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Khalesi Malware
Published: 12/16/2025
What is Khalesi Malware?
Khalesi is an information stealer (infostealer), more widely known as KPOT or KPOT Stealer, sold as a malware-as-a-service offering. It harvests credentials and sensitive data from web browsers, email clients, instant messengers, VPN and RDP clients, FTP software, cryptocurrency wallets, and gaming platforms, then exfiltrates that data to a command-and-control server. It has a high threat level due to its breadth of credential theft combined with sandbox/VM-evasion techniques.
When was Khalesi first discovered?
Khalesi was first identified in 2021 by independent cybersecurity researchers analyzing new trojan variants in the wild. Its discovery highlighted evolving hacker strategies.
Who created Khalesi?
The identities and number of individuals behind Khalesi remain unknown. However, its complexity suggests involvement by a highly skilled threat actor or group.
What does Khalesi target?
Khalesi primarily targets Windows-based systems across industries such as finance, healthcare, and government. Its geographic reach has been global, raising concerns among organizations worldwide.
Khalesi distribution method
Khalesi malware often spreads through phishing emails embedded with malicious attachments or links. Additional methods include drive-by downloads and exploit kits delivered via compromised websites.
Technical analysis of Khalesi malware
Once executed, Khalesi begins by establishing persistence through registry edits and scheduled tasks. It employs encryption to evade detection and communicates with command-and-control servers to exfiltrate data. Advanced obfuscation techniques allow it to remain hidden while extracting valuable files.
Tactics, Techniques & Procedures (TTPs)
MITRE ATT&CK Techniques:
T1071 (Application Layer Protocol)
T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
T1566.001 (Phishing: Spearphishing Attachment)
T1204.002 (User Execution: Malicious File)
T1203 (Exploitation for Client Execution) — retained; documented via weaponized Office documents (Equation Editor exploit) and exploit-kit delivery
T1189 (Drive-by Compromise) — for the malvertising / exploit-kit (RIG, Fallout) vector
Indicators of Compromise (IoCs)
Khalesi/KPOT infrastructure and sample hashes rotate frequently, so current indicators are best sourced from continuously maintained feeds.
Malware Guide
Our malware guide shows you how to shut down those infiltration paths before they ever become a crisis.
How to know if you’re infected with Khalesi?
If your system experiences unexplained slowdowns, unusual outbound network activity, or you detect unfamiliar processes in task management, you may be infected. Infosec teams should monitor critical systems for signs of unauthorized access.
Khalesi removal instructions
Manual removal requires disconnecting the affected device, identifying malicious processes, and deleting registry edits. However, using advanced tools like Huntress EDR provides safer and more effective remediation options by restoring your system and preventing further damage.
Is Khalesi still active?
Khalesi remains an active threat, with variants frequently appearing in threat intelligence reports. Staying protected requires continuous monitoring and updated defenses.
Mitigation & prevention strategies
To prevent Khalesi infections, apply email filtering, enable MFA, and prioritize user security awareness training.
Related educational articles & videos
Frequently Asked Questions about Khalesi
Khalesi is a trojan malware designed for data theft and persistence. It spreads via phishing and uses obfuscation and encryption to evade detection while exfiltrating data.
Khalesi infects systems through phishing emails with malicious file attachments, drive-by downloads, or exploit kits found on compromised websites.
Yes, Khalesi is still a significant threat, with new variants continuing to emerge. Regular updates to defenses and constant vigilance are key to avoiding infections.
Organizations can protect themselves by implementing strong email monitoring, using endpoint detection and response (EDR) tools, training employees on phishing awareness, and maintaining proper patch management.
