PureHVNC
PureHVNC is a modular .NET remote access trojan from the “Pure” malware family, commonly described as a hidden VNC/hidden remote desktop tool used for covert control of infected Windows systems. Across the provided reporting, it is repeatedly observed in malspam and phishing campaigns, including Italian business-themed malspam using lures such as orders, invoices, requests, bank transfers, payments, offers, documents, purchases, reservations, quotations, notices, and miscellaneous business subjects; Google Forms and LinkedIn-based fake job interview, project brief, and financial-document lures; fake Booking.com verification/CAPTCHA pages using ClickFix-style social engineering; and fake booking portal activity that tricks users into executing PowerShell. Reported delivery chains include ZIP archives, script-based loaders, DLL hijacking or side-loading, Donut-packed shellcode, Python loaders, AutoIt-based persistence chains, and in-memory injection into legitimate processes including explorer.exe, SearchUI.exe, notepad.exe, and RegAsm.exe.
High-confidence capabilities directly described in the content include hidden VNC/real-time remote desktop control, screen capture, command execution, credential theft from browsers and email clients, theft of browser data, cryptocurrency wallet data, Telegram and Foxmail data, collection of hardware and software information, plugin support, and persistent access. Multiple reports explicitly characterize it as both a RAT and a password-stealing threat. The malware is associated with the broader PureCoder/Pure malware ecosystem and is repeatedly mentioned alongside related tooling such as PureCrypter, PureLogs, PureRAT, and other PureCoder tools sharing infrastructure.
PureHVNC appears in several clustered campaigns and toolchains. It was deployed in the SERPENTINE#CLOUD campaign, where Securonix and other researchers documented repeated delivery through batch stagers, Python loaders, Donut shellcode, and .NET payload handoff, with anti-forensic cleanup, AMSI/WLDP bypasses, Cloudflare Tunnel staging, and anti-idle scripts used to sustain hidden remote access. Breakglass Intelligence and Huntress also tied PureHVNC to Cloudflare Tunnel/WebDAV-based multi-stage campaigns delivering multiple RAT families in parallel, with shared C2 infrastructure converging on AT&T-hosted IPs including 12.202.180.133 and 12.202.180.105; PureHVNC specifically was reported on port 6757 and in one case via bsmaopm.duckdns.org:6757. Additional infrastructure and configuration directly mentioned in the content include C2 IP 207.148.66.14 on ports 56001, 56002, and 56003; mutexes including Rluukgz and 3ddc38f1ccff; a reported 86-message ProtoBuf protocol design; TLS certificate CN Zwfweayg; and nhvncpure.* domains including nhvncpure.duckdns.org, nhvncpure.click, nhvncpure.shop, nhvncpure.sbs, nhvncpureybs.duckdns.org, nhvncpurekfl.duckdns.org, nhvncpure.twilightparadox.com, nhvncpure1.strangled.net, and nhvncpure2.mooo.com.
Specific indicators and artifacts directly cited in the content include the Ygfumkl packer and reflective loading of Lhjknyy.dll in one campaign; DLL hijacking via malicious msimg32.dll with XOR string decryption key "4B"; persistence via CurrentVersion\Run\Miroupdate and scheduled tasks; a fake-debugger message reading "This software has expired or debugger detected"; and campaign IOCs from a ClickFix-to-PureHVNC intrusion including URLs https://58gold.com/h0v6wg63gK4DY2Sbkpy7eOnbTqgRSpzYDTgpjubd3qg7 and https://clubcampestrededurango.com/clubcampestrededurango.zip, IP 94.26.90.216, and SHA-256 hashes ca1dbbbd75b898b5df5ff2a63b592ecdcd2777b0d370eb3848d9604e02627e64, 526cd0ca695d223e6c244c7a557f9d115fe2f68fbe2684fe403a04de908c70d3, and 354daf11614e9c0097798f213e0867aa68c8d736b26e54ef67c0ba9c3da415a1. The reporting consistently places PureHVNC in financially motivated cybercrime activity targeting businesses and professionals, with notable targeting of Italian organizations, German-speaking businesses, UK organizations, and hospitality-sector victims.
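As an added defender-side example (not part of the reporting summarized above), the following Python hunt matches constructed telemetry records against the infrastructure and persistence indicators cited in the two preceding paragraphs; the event field names (type, host, dst, dport, key) and the sample hosts are assumptions.

```python
import re

# Indicators as cited in the reporting summarized above; nothing here is derived from live data.
C2_DOMAIN_RE = re.compile(r"(^|\.)nhvncpure[a-z0-9]*\.", re.IGNORECASE)  # nhvncpure.*, nhvncpureXXX.duckdns.org
C2_HOST_PORTS = {
    "207.148.66.14": {56001, 56002, 56003},
    "12.202.180.133": {6757},
    "12.202.180.105": {6757},
    "bsmaopm.duckdns.org": {6757},
}
RUN_VALUE_SUFFIX = r"\currentversion\run\miroupdate"  # CurrentVersion\Run\Miroupdate persistence

def match_network(event):
    """Return a reason string if a connection event touches cited C2 infrastructure, else None."""
    dst, port = event.get("dst", ""), event.get("dport")
    if C2_DOMAIN_RE.search(dst):
        return f"nhvncpure C2 domain pattern: {dst}"
    if dst in C2_HOST_PORTS:
        if port in C2_HOST_PORTS[dst]:
            return f"known PureHVNC C2 endpoint: {dst}:{port}"
        # Still a hit: the host is cited as C2 even if this port was not reported.
        return f"known PureHVNC C2 host on uncited port: {dst}:{port}"
    return None

def match_registry(event):
    """Return a reason string if a registry event writes the cited Run-key value name, else None."""
    key = event.get("key", "")
    if key.lower().endswith(RUN_VALUE_SUFFIX):
        return f"PureHVNC Run-key persistence name: {key}"
    return None

def hunt(events):
    """Apply the matchers to a mixed event stream; returns (host, reason) pairs in input order."""
    hits = []
    for ev in events:
        reason = match_network(ev) if ev["type"] == "net" else match_registry(ev)
        if reason:
            hits.append((ev["host"], reason))
    return hits

# Constructed sample telemetry (assumed field names: type, host, dst, dport, key); not real logs.
SAMPLE_EVENTS = [
    {"type": "net", "host": "ws01", "dst": "nhvncpureybs.duckdns.org", "dport": 443},
    {"type": "net", "host": "ws02", "dst": "207.148.66.14", "dport": 56002},
    {"type": "net", "host": "ws03", "dst": "207.148.66.14", "dport": 443},
    {"type": "net", "host": "ws04", "dst": "bsmaopm.duckdns.org", "dport": 6757},
    {"type": "net", "host": "ws05", "dst": "update.example.test", "dport": 6757},  # port alone is not an indicator
    {"type": "reg", "host": "ws06", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Miroupdate"},
    {"type": "reg", "host": "ws07", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]
```

Running hunt(SAMPLE_EVENTS) flags ws01 through ws04 and ws06 and leaves the port-only and unrelated Run-key records alone.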
Groups observed using it
1 distinct threat actor attributed by public researchers.
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
The Italian-language campaigns analyzed by TG Soft C.R.A.M. were grouped into macro categories derived from the subject of the email message used for malware distribution (malspam).
The top-ranking samples this week are Script files accounting for 74.47%. MSIL files follow in second place with 14.89%. As for third place, we find WIN32 files with 10.64%.
[Phishing Email] → German invoice / scan / Telekom lure link or attachment
Execution
8 techniques
Organizations should prioritize behavioral detection strategies focused on suspicious PowerShell execution...
The batch stagers are the initial execution layer. 29 .bat files recovered across six evidence directories deduplicate to 13 unique templates in four categories.
Each stager also downloads Shoopify.bat, PWS.vbs, and pws1.vbs into the Startup folder... Anti-idle scripts: deployed by all download stagers to the Startup folder
The ZIP contains a Python runtime and one or more loader scripts. Each loader decrypts embedded shellcode, and that shellcode bootstraps the .NET Common Language Runtime (CLR) to load the actual payload.
allocate RWX memory, write shellcode via WriteProcessMemory ... ctypes.windll.kernel32.VirtualProtect(... 0x40, # PAGE_EXECUTE_READWRITE ... )
Below we see the subjects used in the various campaigns divided by day and type of malware.
The top-ranking samples this week are Script files accounting for 36.36%. Office documents (Word, Excel, PowerPoint) follow in second place with 27.27%. As for third place, we find MSIL files with 25%.
Persistence
1 technique
Privilege Escalation
4 techniques
By combining user-assisted PowerShell execution, staged payload delivery, DLL side-loading, persistence mechanisms, and in-memory process injection...
Injection technique: create a suspended notepad.exe, allocate RWX memory, write shellcode via WriteProcessMemory, queue an APC, resume the thread... Instead of notepad.exe, the loaders now create a suspended explorer.exe and use Early Bird APC injection
Process Injection: Process Hollowing | T1055.012 | PureHVNC via VirtualAlloc / WriteProcessMemory
Stealth
13 techniques
Wave 4/5 introduces the deepest nesting observed in the campaign. The Nov19 Donut instances deliver native x64 PE wrappers instead of .NET assemblies directly... Layer 2: Kramer decode (hex -> unicode shift -> rotation -> RC4 -> base64)
Obfuscated Files: Software Packing | T1027.002 | Donut shellcode packer
Defense Evasion | Obfuscated Files: Encrypted Payload | T1027.013 | 1–6 | Multi-layer encryption (XOR, AES, Donut/Chaskey)
Defense Evasion | Masquerading: Match Legitimate Name | T1036.005 | msedge_elf.dll, libpsl-5.dll
The campaign also highlights increasing abuse of legitimate Windows utilities and trusted binaries to evade conventional security controls.
Checks for AvastUI.exe and AVGUI.exe via tasklist. If detected, downloads abb11.zip (OBKS-only, Avast-safe profile). If not, downloads quz11.zip (full WBKS + BKSNO deployment).
UKM032.bat ... Hides payload folders with attrib +h
After patching, Donut loads mscoree.dll, calls CLRCreateInstance to start the .NET CLR (v4.0.30319), and invokes ExecuteInDefaultAppDomain with the target class and method names stored in the instance.
Donut is the bridge between the Python shellcode and .NET. Every wave uses it. The framework packages .NET assemblies as position-independent shellcode that bootstraps the CLR from scratch.
Discovery
2 techniques
Lateral Movement
1 technique
Remote Services: VNC | T1021.005 | PureHVNC hidden VNC
Collection
1 technique
Collection | Screen Capture | T1113 | PureHVNC remote desktop capture
Command and Control
4 techniques
Command and Control | Fallback Channels | T1008 | 22 C2 IPs, 8 domains, 10+ port options
Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | 1–6 | WebDAV over HTTPS for staging
Command and Control | Non-Standard Port | T1571 | Ports 56001, 4782, 1337, 7777, 9090
IOCs tracked for this family
147 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
30 sources tracked across advisories, community write-ups, and news.
A remote access trojan delivered via a ClickFix-style, multi-stage infection chain using user-assisted PowerShell execution, staged payload delivery, DLL side-loading, persistence mechanisms, and in-memory process injection to achieve stealthy access and evade detection.
PureHVNC is one of the malware families observed in the week's Italian malspam campaigns, delivered with bank-transfer themed lures.
Malware family observed in malspam campaigns targeting Italy during the reporting week; the report groups it among dominant password stealer families.
A malware family heavily featured in the week’s Italian malspam campaigns, distributed via themes such as Orders, Invoices, and Documents.