PureRAT Escalates Cyber Threat with Modular Infostealer Tactics

09 Oct 2025

Huntress Labs has uncovered a sophisticated cyber threat, PureRAT, which evolves from a Python-based infostealer to a fully capable remote access trojan. This threat targets users with a chain of payloads that leverage phishing and process hollowing to gain control of the host system.

In-depth threat analysis

The attack begins with a phishing email concealing a malicious ZIP file, which contains a compromised PDF reader and a version.dll executable used for DLL hijacking. The decoded components, including a renamed Python interpreter called svchost.exe, are stored under C:\Users\Public\Windows.

Further phases employ Python scripts employing Base64 and Base85 encoding, escalating through hybrid cryptography with RSA, AES, RC4, and XOR. Persistence is maintained using a Run key labeled "Windows Update Service".

The infostealer phase targets browser credentials and exfiltrates data through the Telegram Bot API.

Key facts

  • Huntress Labs discovered PureRAT chaining ten payloads in 2025.
  • The attack starts with a Python infostealer exploiting phishing techniques.
  • PureRAT uses .NET assembly for process hollowing and fileless execution.
  • The command and control utilizes IP 157.66.26.209 with ports 56001–56003.
  • The threat is linked to the PXA Stealer family and uses the Telegram handle @LoneNone.

Impact / What’s next

PureRAT leverages commercially available malware, increasing its operational capabilities. It advanced from using interpreted scripts to filingless, memory-resident codes, escalating threat levels significantly.

According to Huntress Labs, detecting this threat requires layered defenses against cryptographic techniques, abuse of system tools like certutil, and tampering with AMSI and ETW. With indications linking the threat to Vietnam, infrastructure suggests a shared use of malware components by actors like "PureCoder".

Security teams should be vigilant of PureRAT's sophisticated tradecraft involving dynamic loading of operator-specified plugins like HVNC and keylogging.

Update: 09 Oct 2025

Top charts for Desktop Windows

uTorrent

uTorrent

Latest update uTorrent download for free for Windows PC or Android mobile

5
1032 reviews
7508736
downloads
Zona

Zona

Latest update Zona download for free for Windows PC or Android mobile

4
614 reviews
1736197
downloads
WinRAR

WinRAR

Streamline file management with fast compression, secure your documents, and save space.

5
735 reviews
746911
downloads
Minecraft

Minecraft

Shape environments, explore vast worlds, and survive against monsters with endless creativity.

5
750 reviews
498383
downloads

Comments (0)

Создание новых комментариев временно недоступно.

No comments yet. Be the first to comment!