PureRAT
PureRAT is a .NET-based remote access trojan and modular malware-as-a-service backdoor used across multiple financially motivated and phishing-driven campaigns. Reported delivery vectors include malicious LNK files, phishing emails with ZIP/XLL attachments disguised as Excel documents, ClickFix redirection chains, malicious ISO/software-installer lures, and archives delivered directly or via GitHub or Dropbox links. Several campaigns used multi-stage, largely fileless execution: PowerShell and obfuscated VBScript loaders, in-memory .NET assembly loading, DLL side-loading via AddInProcess32.exe, and steganographic concealment of PE payloads inside PNG images.
Observed defense-evasion and execution techniques include anti-VM checks for VMware and QEMU, UAC bypass via cmstp.exe, process hollowing into msbuild.exe, .NET Reactor/Themida protection, forged timestamps, hidden PowerShell execution, and certificate pinning on the C2 channel; persistence is established via scheduled tasks, Run registry keys, Startup-folder LNK files, and other registry modifications. PureRAT has been described as supporting extensive remote control and command execution, host fingerprinting and system-information gathering, file transfer, PowerShell execution, screenshots, and modular plugins for keylogging, on-demand credential theft, remote desktop access, microphone/webcam monitoring, and active-window monitoring. One reported newer version included a PluginRemoteDesktop module that enables desktop control, screen transmission, keyboard/mouse emulation, and message sending to application windows.
PureRAT has been associated in reporting with campaigns targeting Russian organizations, including educational institutions, energy, finance, government, diplomatic entities, and Russian companies in construction, consulting, engineering, retail, e-commerce, and industry. It has also been identified as the core malware in hospitality-focused phishing campaigns abusing Booking.com workflows and targeting hotels and hotel customers via ClickFix. Other reporting links PureRAT to fake software-installer and cryptomining campaigns tracked as REF1695, as well as broader malware ecosystems involving PureMiner, PureLogs, PureCrypter, Lumma stealer, CNB Bot, SilentCryptoMiner, ResolverRAT, and PureHVNC. Threat actors and clusters explicitly mentioned alongside PureRAT include Fluffy Wolf, REF1695, and an as-yet unidentified group targeting Russian organizations that previously used RedLine, PureRAT, Cobalt Strike, and later Ravage.
High-confidence infrastructure and indicators directly mentioned in the content (defanged consistently here) include crixup[.]com, instantservices1[.]ddnsguru[.]com, 178[.]16[.]52[.]58, windirautoupdates[.]top, winautordr[.]itemdb[.]com, winautordr[.]ydns[.]eu, winautordr[.]kozow[.]com, system-update-cloud[.]store, 64[.]20[.]56[.]185, 45[.]14[.]245[.]145, and TCP port 4782, identified as a default PureRAT port. Additional URLs and artifacts referenced in delivery chains include tryinggim.vbs and PNG-hosted payload stages such as 0xptimized_MSI.png and GeneratedPay.png.
Groups observed using it
3 distinct threat actors attributed by public researchers.
Researchers also discovered a new version of PureRAT with the PluginRemoteDesktop plugin, which had not previously been used in attacks on Russian organizations.
However, instead of the promised software, a series of loaders installs a malicious toolkit including CNB Bot, PureRAT, and SilentCryptoMiner.
Credential Theft and Remote Access Surge as AllaKore, PureRAT, and Hijack Loader Proliferate
Techniques & procedures
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
For initial access, the attackers send phishing emails to corporate addresses. The attachments are disguised as Microsoft Excel documents: product lists, forms to fill in, and other work files.
In 2026, the attacks began with a phishing email carrying a ZIP archive that contained an XLL file. The file was disguised as a legitimate Microsoft Excel add-in.
...while in other cases the victim was given a link to a GitHub repository from which a RAR archive was downloaded. According to the researchers, Fluffy Wolf actively uses GitHub because such links look legitimate and help bypass email filters...
Execution
9 techniques
Following this, the VBScript utilizes Windows Management Instrumentation (WMI) to launch a new process configured to run invisibly.
before copying itself and establishing a Task Scheduler job for persistence
Once deployed through the ClickFix redirection mechanism, PureRAT executes PowerShell commands that gather system information and download additional payload files.
downloads a heavily obfuscated VBS file to circumvent detection
When the archive is launched, all files are unpacked into a temporary directory. A batch file is then executed that prepares the interpreter and the script, after which it launches the script. The 1.5 MB AutoIt script contains the malicious payload...
The function begins by declaring the necessary APIs for the RunPE operation. The mere presence of these specific APIs is highly indicative of RunPE or other process-injection methods.
When users land on ClickFix pages, they encounter Booking.com brand elements alongside a reCAPTCHA interface prompting them to copy commands.
Double-clicking it launched the Excel application, which loaded an executable DLL into its process, resulting in execution of the malicious code.
Persistence
3 techniques
before copying itself and establishing a Task Scheduler job for persistence
The installation process creates Run registry keys under CurrentVersion\Run that execute PowerShell commands loading the extracted binary. Additionally, shortcut files (.lnk) are placed in the Windows Startup directory to trigger execution during boot sequences.
Privilege Escalation
4 techniques
before copying itself and establishing a Task Scheduler job for persistence
The script decrypts the file, launches the RegAsm.exe process, and injects the malicious payload into that process.
The installation process creates Run registry keys under CurrentVersion\Run that execute PowerShell commands loading the extracted binary. Additionally, shortcut files (.lnk) are placed in the Windows Startup directory to trigger execution during boot sequences.
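The persistence mechanisms quoted above (Run keys that launch PowerShell loaders, LNK drops into the Startup folder) and the execution tradecraft summarized at the top of the page (payload injection into RegAsm.exe, DLL side-loading through AddInProcess32.exe, hollowing of msbuild.exe, cmstp.exe for UAC bypass, and WMI-launched hidden processes) all leave process, file and registry telemetry. The Python below is an added detection example written for this page, not code from any of the cited reports or from the malware; it runs four rules over a handful of constructed Sysmon-style events (no real telemetry), and the field names, the parent-process allowlist and the suspicious-flag patterns are assumptions to be tuned against a real baseline.

```python
import ntpath
import re

# Constructed Sysmon-style events (not telemetry from any real host). Field names follow
# Sysmon EventID 1 (ProcessCreate), 11 (FileCreate) and 13 (RegistryEvent: value set).
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell.exe -nop -w hidden -ep bypass -c [Reflection.Assembly]::Load([IO.File]::ReadAllBytes('C:\Users\u\AppData\Roaming\svc.bin'))"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\7z\AutoIt3.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "ParentImage": r"C:\Users\u\Downloads\setup.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# Flags and calls typical of an in-memory .NET loader launched from a Run value (assumed list).
PS_LOADER = re.compile(r"(-w|-windowstyle)\s+hidden|-nop\b|-enc\w*|-e\s|-ep\s+bypass|Reflection\.Assembly|FromBase64String", re.I)
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# .NET/Windows binaries the page reports as injection or side-loading hosts.
DOTNET_HOSTS = {"regasm.exe", "addinprocess32.exe", "msbuild.exe", "cmstp.exe"}
# Parents under which those hosts are expected on a developer box; assumed, extend per environment.
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "msiexec.exe", "vbcscompiler.exe", "services.exe"}
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|programdata|users\\public)\\", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _base(path):
    # ntpath handles Windows separators regardless of the analysis host's OS.
    return ntpath.basename(path).lower()


def check_event(ev):
    """Return the names of every rule the event satisfies (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        details = ev.get("Details", "")
        if re.search(r"powershell|pwsh", details, re.I) and PS_LOADER.search(details):
            hits.append("run_key_powershell_loader")
    elif eid == 11:
        target = ev.get("TargetFilename", "").lower()
        # Explorer writes Startup shortcuts on a user's behalf; script hosts and droppers do not.
        if target.endswith(".lnk") and STARTUP_DIR in target and _base(ev.get("Image", "")) != "explorer.exe":
            hits.append("startup_lnk_from_non_shell")
    elif eid == 1:
        image, parent_path = _base(ev.get("Image", "")), ev.get("ParentImage", "")
        parent = _base(parent_path)
        if image in DOTNET_HOSTS and (parent not in EXPECTED_PARENTS or USER_WRITABLE.search(parent_path)):
            hits.append("dotnet_host_unusual_parent")
        # A Win32_Process.Create call surfaces with WmiPrvSE.exe as the parent of the new process.
        if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
            hits.append("wmi_spawned_script_host")
    return hits


def evaluate(events):
    """Apply every rule to every event; returns (event index, rule name) pairs in order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"[{rule}] event {idx}: {SAMPLE_EVENTS[idx]}")
```

Run it as a script to print the five matches from the constructed set; the benign OneDrive Run value, the Explorer-written shortcut and RegAsm.exe under devenv.exe stay quiet. The allowlist of expected parents for the .NET host binaries is deliberately short, so build servers and developer workstations will need additions before the third rule is usable at scale.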
Stealth
6 techniques
The script decrypts the file, launches the RegAsm.exe process, and injects the malicious payload into that process.
fetch a PNG file with a base64-encoded PE payload and another PNG file, whose decoded assembly is directly loaded into memory
The .exe binary triggers DLL side-loading using AddInProcess32.exe, a legitimate Windows component designed to host COM add-ins.
Multiple VMware and QEMU virtual machine environment checks are then conducted
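The two PNG stages described above (one carrying a base64-encoded PE, one whose decoded assembly is loaded straight into memory) can be triaged without executing anything: a PNG decoder ignores bytes after IEND and the contents of ancillary chunks, which makes both natural hiding places for a carried payload. The Python below is an added example for this page, not code from the reports or from the malware; it walks the chunk list, collects the post-IEND trailer and every non-structural chunk, looks for long base64 runs, and keeps those that decode to something with valid MZ and PE signatures. The sample carrier it builds is constructed, and both placements (trailer and tEXt chunk) are assumptions, since the page does not say where in the image the real samples store the payload.

```python
import base64
import binascii
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STRUCTURAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}   # chunks a decoder actually needs
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")   # long runs of base64 alphabet


def parse_png(data):
    """Walk the chunk list; return (chunks, offset of the first byte after IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    chunks, off = [], len(PNG_SIG)
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        chunks.append((ctype, data[off + 8:off + 8 + length]))
        off += 12 + length  # length field + type + payload + CRC
        if ctype == b"IEND":
            break
    return chunks, off


def pe_machine(blob):
    """Return the PE Machine field if blob carries a valid MZ/PE header pair, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", blob, e_lfanew + 4)[0]


def carve_pe_payloads(png):
    """Scan ancillary chunks and the post-IEND trailer for base64 text that decodes to a PE."""
    chunks, end = parse_png(png)
    regions = [("trailer", png[end:])]
    regions += [(ctype.decode("latin-1"), body) for ctype, body in chunks if ctype not in STRUCTURAL]
    hits = []
    for where, blob in regions:
        for m in B64_RUN.finditer(blob):
            text = m.group(0)
            if b"=" not in text:
                text = text[:len(text) - len(text) % 4]  # drop a partial trailing quantum
            try:
                decoded = base64.b64decode(text, validate=True)
            except binascii.Error:
                continue
            machine = pe_machine(decoded)
            if machine is not None:
                hits.append({"location": where, "offset": m.start(), "size": len(decoded),
                             "machine": machine, "image": decoded})
    return hits


# --- constructed sample carrier; the layout is assumed, not taken from the real samples ---
def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_fake_pe(machine=0x14C):
    """Header-only stand-in for a PE image: valid MZ and PE signatures, no code."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)   # e_lfanew -> PE header at 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x84, machine)
    return bytes(img)


def make_carrier_png(payload, where="trailer"):
    """1x1 RGB PNG with base64(payload) appended after IEND or stored in a tEXt chunk."""
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = _chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))  # filter byte + one RGB pixel
    enc = base64.b64encode(payload)
    if where == "trailer":
        return PNG_SIG + ihdr + idat + _chunk(b"IEND", b"") + enc
    return PNG_SIG + ihdr + _chunk(b"tEXt", b"Comment\0" + enc) + idat + _chunk(b"IEND", b"")


if __name__ == "__main__":
    for hit in carve_pe_payloads(make_carrier_png(make_fake_pe())):
        print(f"{hit['location']} @ {hit['offset']}: {hit['size']} bytes, machine=0x{hit['machine']:x}")
```

Point carve_pe_payloads at real files by reading them in binary mode; a hit returns the decoded image under "image", which can be hashed or handed to a .NET metadata parser to confirm it is a managed assembly. Payloads that are encrypted rather than base64-encoded will not trip the PE check, so an unexplained large trailer or oversized ancillary chunk is still worth flagging on size alone.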
Credential Access
3 techniques
Additional plugins have also allowed keylogging, on-demand credential theft
This module allows the attackers to fully control the victim's desktop: transmit the screen image, track active windows, emulate keyboard and mouse input...
Discovery
3 techniques
This specific method is tasked with harvesting the current domain and username from the infected host.
The loader gathers comprehensive system information including machine name, current user, Windows version, and installed antivirus products before downloading a ZIP archive containing executable and dynamic link library files.
Lateral Movement
1 technique
ATT&CK mapping: Lateral Movement, T1021.002 - Remote Services: SMB/Windows Admin Shares
Collection
3 techniques
This module allows the attackers to fully control the victim's desktop: transmit the screen image, track active windows, emulate keyboard and mouse input...
The file Putty.exe is a self-extracting CAB archive... inside which are an AutoIt interpreter and its script, split across several files, along with a batch file.
Command and Control
7 techniques
ATT&CK mapping: Command and Control, T1008 Fallback Channels (22 C2 IPs, 8 domains, 10+ port options)
The infrastructure commonly supports ransomware command and control (C2) servers, malware distribution, phishing campaigns, botnet management, and data exfiltration staging.
ATT&CK mapping: Command and Control, T1071.001 Application Layer Protocol (HTTPS C2 with certificate pinning)
Once fully deployed, PureRAT exhibits modular capabilities... It then establishes a persistent connection to a command-and-control (C2) server, operating as a dynamic listener for incoming taskings.
The infection chain then downloads additional components from a compromised website. One of them is a binder for delivering known backdoors and stealers, including PureRAT. The other runs a PowerShell script that ultimately downloads Ravage.
Researchers also discovered a new version of PureRAT with the PluginRemoteDesktop plugin... This module allows the attackers to fully control the victim's desktop: transmit the screen image, track active windows, emulate keyboard and mouse input...
ATT&CK mapping: Command and Control, T1571 Non-Standard Port (ports 56001, 4782, 1337, 7777, 9090)
IOCs tracked for this family
93 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains and DNS infrastructure linked to this family; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
43 sources tracked across advisories, community write-ups, and news.
Known backdoor/RAT delivered by one of the downloaded components in the infection chain; also noted as a tool previously used by the attackers.
Backdoor payload delivered via an AutoIt-based chain. The script decrypts an embedded executable, launches RegAsm.exe, and injects the PureRAT payload into that process.
A remote access trojan whose new version includes a PluginRemoteDesktop module for full control of the victim's desktop: screen-image transmission, active-window tracking, and emulation of keyboard and mouse input.
A .NET-based remote access trojan delivered through a multi-stage chain involving a malicious LNK, PowerShell, obfuscated VBS, and PNG files carrying encoded payloads. It performs host fingerprinting and extensive device information gathering, with plugins enabling keylogging, on-demand credential theft, and remote desktop access.