Pulsar

Pulsar is described in the provided content as a popular, well-known open-source Remote Access Trojan (RAT) targeting Windows systems. It appears in two contexts: as a payload supported by the crypter-as-a-service platform epsteincrypter[.]su, which advertised FUD encryption for .NET malware including DarkComet, Pulsar, and Quasar RAT; and as the final payload in a malicious NPM supply-chain campaign involving the typosquatted package buildrunner-dev.

In the NPM campaign, installation of buildrunner-dev triggered a postinstall script (init.js) that downloaded an obfuscated batch loader from a Codeberg repository, established persistence via the Windows Startup folder and %AppData%\protect.bat, checked for administrative rights, and used a fodhelper.exe UAC bypass to elevate privileges. The malware then launched hidden PowerShell through conhost.exe, enumerated installed antivirus products, and downloaded steganographic PNG images from ImgBB (i.ibb[.]co). These images concealed an AMSI-bypass PowerShell script, a compressed .NET loader, and a third image acting as a live C2 channel. The .NET loader used process hollowing/RunPE, AMSI bypass techniques, encryption/decryption, and reflective loading to ultimately decrypt, decompress, and load the final Pulsar payload into a legitimate Windows process.

High-confidence indicators and artifacts directly mentioned in the content include packageloader.bat, %AppData%\protect.bat, JJYDJO.exe, and the steganographic PNGs 6b8owksyv28w.png, 0zt4quciwxs2.png, and hxxps://i.ibb[.]co/tpyTL2Zg/s9rugowxbq8i.png. The campaign specifically leveraged Codeberg-hosted staging content, ImgBB-hosted steganographic payload delivery, hidden PowerShell execution, process hollowing, and UAC bypass. No specific threat actor attribution for Pulsar itself is provided in the content.