Mallory
Malware (used by 2 actors)

Pupy RAT

Pupy RAT is an open-source, Python-based remote access trojan/backdoor that gives attackers full control of infected systems. Public reporting describes it as a commodity RAT with capabilities including opening a backdoor, executing commands, stealing data, installing additional malware, moving laterally, downloading additional modules after execution, and using reflective DLL loading to evade detection. One cited campaign used phishing emails with ISO attachments containing a legitimate Microsoft-signed WerFault.exe, a malicious faultrep.dll, a decoy XLS file, and a shortcut that invoked scriptrunner.exe. Because WerFault.exe resolved faultrep.dll from its own directory (DLL sideloading), the legitimate, signed binary loaded the malicious DLL, which created one thread to load the Pupy RAT DLL payload dll_pupyx64.dll into memory and another to open the XLS decoy. Launching the chain through a signed Windows executable was intended to reduce security alerts. The campaign was not conclusively attributed, though researchers assessed the operators were likely based in China. The malware has also been used by state-backed espionage actors including APT33/Elfin and APT35. Reported targeting associated with APT33 included government and private-sector organizations across sectors such as chemical, engineering, research, finance, telecoms, healthcare, manufacturing, IT, and energy consultancy, with victims in Saudi Arabia, the United States, and other countries. Reporting also notes that Pupy RAT has used virtual machine fingerprinting techniques.
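The sideloading chain above has a simple telemetry signature a defender can hunt for: the signed WerFault.exe running from somewhere other than the Windows system directories, faultrep.dll being loaded from a non-system path, and scriptrunner.exe as the parent process. The following is an added example written for this page, not code from Mallory or from any cited report; it runs detection logic over constructed DLL image-load records (Sysmon Event ID 7 style fields, with field names and the D: mounted-ISO paths assumed for the demo).

```python
"""Added example: flag the WerFault.exe / faultrep.dll side-loading pattern
in DLL image-load telemetry. Event records, field names and paths below are
constructed for the demonstration, not taken from any real incident."""
from dataclasses import dataclass
import ntpath

# Directories where WerFault.exe and faultrep.dll legitimately live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class ImageLoad:
    event_id: str        # constructed identifier for the sample record
    process_path: str    # full path of the process that loaded the DLL
    parent_path: str     # full path of its parent process
    image_path: str      # full path of the DLL that was loaded


def _dir_of(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.dirname(path).lower().rstrip("\\")


def _name_of(path: str) -> str:
    return ntpath.basename(path).lower()


def assess(ev: ImageLoad) -> list[str]:
    """Return the findings for one image-load event (empty list if benign)."""
    findings: list[str] = []
    if _name_of(ev.process_path) != "werfault.exe":
        return findings                      # only WerFault.exe is in scope here
    if _dir_of(ev.process_path) not in SYSTEM_DIRS:
        # A copy of the signed binary executing from a removable/mounted path.
        findings.append("werfault_outside_system_dir")
    if _name_of(ev.image_path) == "faultrep.dll" and _dir_of(ev.image_path) not in SYSTEM_DIRS:
        # faultrep.dll resolved from the binary's own directory: side-loading.
        findings.append("faultrep_sideload")
    if _name_of(ev.parent_path) == "scriptrunner.exe":
        # The cited chain launched WerFault.exe via a shortcut invoking scriptrunner.exe.
        findings.append("scriptrunner_parent")
    return findings


def detect(events) -> dict[str, list[str]]:
    """Map event_id -> findings, keeping only events that produced at least one."""
    return {ev.event_id: f for ev in events if (f := assess(ev))}


# Constructed sample telemetry: one benign crash-reporter load, two suspicious ones.
SAMPLE_EVENTS = [
    ImageLoad("evt-1", r"C:\Windows\System32\WerFault.exe",
              r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\faultrep.dll"),
    ImageLoad("evt-2", r"D:\WerFault.exe",            # D: = mounted ISO (assumed)
              r"C:\Windows\System32\scriptrunner.exe",
              r"D:\faultrep.dll"),
    ImageLoad("evt-3", r"D:\WerFault.exe",
              r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\kernel32.dll"),
]

if __name__ == "__main__":
    for eid, found in detect(SAMPLE_EVENTS).items():
        print(eid, ", ".join(found))
```

Each finding on its own is a useful hunt (WerFault.exe outside the system directories is rare in normal operation); all three together on one record match the cited chain closely enough to page on.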

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

APT33

Pupy RAT (Backdoor.Patpoopy): Commodity RAT that can open a backdoor on an infected computer.

via Symantec Enterprise Blogs (symantec-enterprise-blogs.security.com)
Magic Hound

When the DLL is loaded in this attack, it will create two threads, one that loads Pupy Remote Access Trojan's DLL ('dll_pupyx64.dll') into memory and one that opens the included XLS spreadsheet to serve as a decoy.

via BleepingComputer (bleepingcomputer.com)
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 Spearphishing Attachment (evidence: 1)

The malware campaign starts with the arrival of an email with an ISO attachment.

Execution

2 techniques
T1059 Command and Scripting Interpreter (evidence: 1)
Tactic: Execution

The victim starts the infection chain by clicking on the shortcut file, which uses 'scriptrunner.exe' to execute WerFault.exe.

T1204.002 Malicious File (evidence: 1)
Tactic: Execution

When double-clicked, the ISO will mount itself as a new drive letter... The victim starts the infection chain by clicking on the shortcut file...

Persistence

1 technique
T1547.009 Shortcut Modification (evidence: 1)

The victim starts the infection chain by clicking on the shortcut file, which uses 'scriptrunner.exe' to execute WerFault.exe.

Stealth

3 techniques
T1036 Masquerading (evidence: 1)
Tactic: Stealth

The use of this Windows executable is to stealthily infect devices without raising any alarms on the breached system by launching the malware through a legitimate Windows executable.

T1497.001 System Checks (evidence: 1)

"Virtual Machine Fingerprinting... used by the Pupy RAT" / "Windows Sandbox with Sensitive Configuration"

T1620 Reflective Code Loading (evidence: 1)
Tactic: Stealth

Pupy RAT is an open-source and publicly available malware written in Python that supports reflective DLL loading to evade detection...

Discovery

1 technique
T1497.001 System Checks (evidence: 1)

"Virtual Machine Fingerprinting... used by the Pupy RAT" / "Windows Sandbox with Sensitive Configuration"

Lateral Movement

1 technique
T1570 Lateral Tool Transfer (evidence: 1)

The malware allows threat actors to gain full access to the infected devices, enabling them to execute commands, steal data, install further malware, or spread laterally through a network.

Command and Control

2 techniques
T1105 Ingress Tool Transfer (evidence: 1)

Pupy RAT is an open-source and publicly available malware written in Python that supports reflective DLL loading to evade detection, and additional modules are downloaded later.

T1219 Remote Access Tools (evidence: 1)

In addition to its custom malware, Elfin has also used a number of commodity malware tools... Remcos... DarkComet... Quasar RAT... Pupy RAT... NanoCore... NetWeird...

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (10)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.