Huntress Labs has uncovered a sophisticated cyber threat, PureRAT, which evolves from a Python-based infostealer to a fully capable remote access trojan. This threat targets users with a chain of payloads that leverage phishing and process hollowing to gain control of the host system.
In-depth threat analysis
The attack begins with a phishing email concealing a malicious ZIP file, which contains a compromised PDF reader and a version.dll executable used for DLL hijacking. The decoded components, including a renamed Python interpreter called svchost.exe, are stored under C:\Users\Public\Windows.
Further phases employ Python scripts employing Base64 and Base85 encoding, escalating through hybrid cryptography with RSA, AES, RC4, and XOR. Persistence is maintained using a Run key labeled "Windows Update Service".
The infostealer phase targets browser credentials and exfiltrates data through the Telegram Bot API.
Key facts
- Huntress Labs discovered PureRAT chaining ten payloads in 2025.
- The attack starts with a Python infostealer exploiting phishing techniques.
- PureRAT uses .NET assembly for process hollowing and fileless execution.
- The command and control utilizes IP 157.66.26.209 with ports 56001–56003.
- The threat is linked to the PXA Stealer family and uses the Telegram handle @LoneNone.
Impact / What’s next
PureRAT leverages commercially available malware, increasing its operational capabilities. It advanced from using interpreted scripts to filingless, memory-resident codes, escalating threat levels significantly.
According to Huntress Labs, detecting this threat requires layered defenses against cryptographic techniques, abuse of system tools like certutil, and tampering with AMSI and ETW. With indications linking the threat to Vietnam, infrastructure suggests a shared use of malware components by actors like "PureCoder".
Security teams should be vigilant of PureRAT's sophisticated tradecraft involving dynamic loading of operator-specified plugins like HVNC and keylogging.
