Modern malware continues to evolve in complexity, and PureRAT stands as a strong example of how attackers are leveraging stealth, modularity, and advanced evasion techniques to bypass traditional defenses. This remote access trojan (RAT) employs a highly layered infection chain, combining fileless execution, steganography, and process injection to remain undetected while maintaining full control over compromised systems.
This article breaks down the full attack lifecycle of PureRAT, from initial infection to post-exploitation behavior.
Infection Chain Overview
The attack begins with a seemingly harmless .LNK (shortcut) file, a commonly abused vector in modern phishing campaigns. When executed, the shortcut silently launches a hidden PowerShell command using execution policy bypass techniques. This command downloads a heavily obfuscated VBScript loader, initiating the next stage of the attack.
The VBScript acts as the central orchestrator. It copies itself into a public directory under a randomized filename and establishes persistence through Windows Task Scheduler, with a task that re-runs it every minute. It also launches its child processes through WMI (Windows Management Instrumentation) rather than directly: the child runs without a visible window, and its parent process is the WMI provider host (WmiPrvSE.exe) instead of the script host, which breaks the parent/child relationship that many detections key on.

Stage 2: Obfuscation and Fileless Execution
A notable aspect of PureRAT is its heavy use of obfuscation. The VBScript contains large volumes of junk data designed to mislead analysts. However, hidden within this noise is a PowerShell script that drives the next phase.
This PowerShell loader retrieves what appears to be a normal PNG image from a remote server. In reality, the image contains a base64-encoded malicious payload embedded using steganography. The script extracts the encoded data, reconstructs it, and loads it directly into memory using .NET reflection.
This keeps the stage fileless: no executable is written to disk, so file-based antivirus scanning has nothing to inspect. The decoded assembly is still present in PowerShell's memory, however, which is where memory scanning and AMSI (which inspects assemblies loaded from byte arrays on .NET Framework 4.8 and later) can still catch it.
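To see what the loader's extraction step amounts to from the analyst's side, here is an added Python helper (example code written for this article, not PureRAT's PowerShell loader and not a tool from the original report) that walks the PNG chunk structure and pulls out a Base64 blob that decodes to a PE image. The page does not say where in the image the data sits, so the helper assumes the two places that need no pixel decoding: an ancillary text chunk (tEXt/zTXt) or a trailer appended after IEND; true pixel-level (LSB) steganography would need an image decoder and is out of scope. The PNG and the MZ-prefixed payload are constructed inside the script; neither is a real sample.

```python
import base64
import binascii
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks(data):
    """Walk the chunk list; return ([(type, payload), ...], bytes_after_IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        payload = data[pos + 8:pos + 8 + length]
        pos += 12 + length                      # length + type + payload + CRC
        chunks.append((ctype, payload))
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def try_base64(blob):
    """Strict decode; tolerates whitespace and missing '=' padding, returns None otherwise."""
    cleaned = b"".join(blob.split())
    cleaned += b"=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def extract_payload(png_bytes):
    """Return (location, decoded_bytes) for the first hidden blob that decodes to a PE, else None.

    Assumption (the page does not say): the loader's Base64 text sits in an
    ancillary text chunk (tEXt / zTXt) or is appended after IEND.
    """
    chunks, trailer = png_chunks(png_bytes)
    candidates = []
    for ctype, payload in chunks:
        if ctype == b"tEXt":
            _keyword, _, text = payload.partition(b"\x00")
            candidates.append(("tEXt", text))
        elif ctype == b"zTXt":
            _keyword, _, rest = payload.partition(b"\x00")
            try:                                # rest[0] is the compression-method byte
                candidates.append(("zTXt", zlib.decompress(rest[1:])))
            except zlib.error:
                pass
    if trailer:
        candidates.append(("trailer", trailer))
    for where, blob in candidates:
        decoded = try_base64(blob)
        if decoded and decoded.startswith(b"MZ"):
            return where, decoded
    return None


# --- constructed sample inputs (not real samples) ----------------------------
def build_png(extra_chunks=()):
    """Minimal valid 1x1 RGB PNG, optionally with extra chunks before IEND."""
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + one red pixel
    body = chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat)
    for ctype, payload in extra_chunks:
        body += chunk(ctype, payload)
    return PNG_SIG + body + chunk(b"IEND", b"")


# Not an executable: an MZ header plus filler, enough to exercise the PE check.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed stand-in for the .NET stage"
B64 = base64.b64encode(FAKE_PAYLOAD)

SAMPLE_TRAILER_PNG = build_png() + B64                           # appended after IEND
SAMPLE_TEXT_PNG = build_png([(b"tEXt", b"Comment\x00" + B64)])   # hidden in a tEXt chunk
SAMPLE_CLEAN_PNG = build_png()

if __name__ == "__main__":
    for name, png in [("trailer", SAMPLE_TRAILER_PNG), ("tEXt", SAMPLE_TEXT_PNG), ("clean", SAMPLE_CLEAN_PNG)]:
        print(name, extract_payload(png))
```

Run it on a captured image to confirm whether the file is only a carrier; if extract_payload returns None, the data is probably in the pixels and you will have to reproduce the loader's own decoding routine from the PowerShell stage.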

Stage 3: Advanced Evasion Techniques
PureRAT employs several sophisticated evasion mechanisms:
- UAC Bypass via cmstp.exe
cmstp.exe is a Microsoft-signed, auto-elevating Windows binary that installs Connection Manager profiles. Fed a crafted .INF file, it runs attacker-chosen commands at high integrity, so the malware gains elevated privileges without a UAC prompt.
- Process Hollowing (RunPE Injection)
The malware starts a legitimate process, specifically Msbuild.exe, replaces its in-memory image with malicious code, and resumes it. The file on disk is untouched, so the payload runs under the name of a trusted, signed process.
- Anti-VM Checks
The malware detects virtual environments such as VMware and QEMU by inspecting MAC address prefixes and other system artifacts, and refuses to run when it decides it is inside an analysis sandbox.
Stage 4: Persistence and System Control
Persistence is achieved through multiple redundant mechanisms:
- Scheduled tasks running every minute or five minutes
- Registry modifications under autorun keys
- Hidden execution using conhost.exe --headless, which starts a console program without creating a visible console window
These techniques ensure that even if one persistence method is removed, others remain active.

Stage 5: Payload Execution and Decryption
The embedded payload is a .NET executable protected with .NET Reactor, a commercial obfuscator that makes reverse engineering more laborious. The loader decrypts it with TripleDES and executes it entirely in memory; no decrypted copy is written to disk.
This stage highlights PureRAT’s reliance on in-memory execution, avoiding disk artifacts and making forensic analysis significantly more challenging.
Final Payload: PureRAT Capabilities
Once fully deployed, PureRAT begins its primary operations:
1. Host Fingerprinting
The malware gathers extensive system information, including:
- Installed security software
- Hardware identifiers (CPU, disk, memory)
- User privileges and domain details
- Operating system version
- Presence of webcams and devices
2. Cryptocurrency Wallet Discovery
It scans for browser extensions, registry keys, and file paths associated with crypto wallets, indicating potential financial targeting.
3. Idle Tracking
It polls Windows APIs for the time since the last keyboard or mouse input, so the operator can tell when the user has stepped away and time interactive actions for those windows.
4. Command-and-Control (C2) Communication
PureRAT keeps a persistent connection to its C2 server and waits for incoming commands. Messages are serialized with Protocol Buffers, GZip-compressed and Base64-encoded, which keeps them compact and leaves no obvious plaintext strings for network signatures to match.
| C2 indicator (domain or IP) | Coverage |
| --- | --- |
| hxxps://crixup[.]com | Malicious Sites-High Risk |
| hxxp://instantservices1[.]ddnsguru[.]com | PUPs (potentially unwanted programs) |
| 178[.]16[.]52[.]58 | Malicious Sites-High Risk |
5. Modular Architecture
One of its most dangerous features is its modular design. Instead of deploying all capabilities at once, attackers can dynamically load plugins for:
- Keylogging
- Remote desktop access
- Microphone and webcam surveillance
This flexibility allows attackers to adapt their strategy based on the target environment.
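As an added illustration of the C2 message layering described under item 4 (example code for this article, not PureRAT's own client or protocol definition), the following Python decodes a message by peeling the three layers in order: Base64, then GZip, then the Protocol Buffers wire format. The protobuf decoder is schema-less, since the page gives no .proto, so it reports field numbers, wire types and raw values and leaves the interpretation to the analyst. The field numbers and values in the constructed sample message are hypothetical.

```python
import base64
import gzip
import struct


def _read_varint(buf, pos):
    """Read a base-128 varint starting at buf[pos]; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def decode_protobuf(buf):
    """Schema-less decode of the protobuf wire format.

    Returns [(field_number, wire_type, value), ...]; length-delimited values
    are returned as raw bytes so the caller decides whether they are strings
    or nested messages. Raises ValueError on anything that is not well formed.
    """
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        field_no, wire_type = key >> 3, key & 7
        if wire_type == 0:                                  # varint
            value, pos = _read_varint(buf, pos)
        elif wire_type == 1:                                # fixed64
            if pos + 8 > len(buf):
                raise ValueError("truncated fixed64")
            value = struct.unpack_from("<Q", buf, pos)[0]
            pos += 8
        elif wire_type == 2:                                # length-delimited
            length, pos = _read_varint(buf, pos)
            value = buf[pos:pos + length]
            if len(value) != length:
                raise ValueError("truncated length-delimited field")
            pos += length
        elif wire_type == 5:                                # fixed32
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            value = struct.unpack_from("<I", buf, pos)[0]
            pos += 4
        else:                                               # deprecated groups: treat as corrupt
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_no, wire_type, value))
    return fields


def unwrap_c2_message(text):
    """Peel the layers in the order the report lists: Base64 -> GZip -> protobuf."""
    raw = base64.b64decode(text, validate=True)
    if raw[:2] != b"\x1f\x8b":
        raise ValueError("Base64 payload is not a gzip stream")
    return decode_protobuf(gzip.decompress(raw))


# --- encoder side, used only to construct the sample below --------------------
def _varint(n):
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def _field(field_no, wire_type, body):
    return _varint((field_no << 3) | wire_type) + body


def wrap_c2_message(fields):
    """Inverse of unwrap_c2_message for (field_no, wire_type, value) tuples (wire types 0 and 2)."""
    body = b""
    for field_no, wire_type, value in fields:
        if wire_type == 0:
            body += _field(field_no, 0, _varint(value))
        elif wire_type == 2:
            body += _field(field_no, 2, _varint(len(value)) + value)
        else:
            raise ValueError("sample encoder only handles varint and bytes")
    return base64.b64encode(gzip.compress(body, mtime=0)).decode()


# Constructed sample; field meanings are hypothetical, PureRAT's real schema is not on the page.
INNER = _field(1, 0, _varint(1)) + _field(2, 2, _varint(5) + b"admin")   # nested "privilege" message
SAMPLE_C2_MESSAGE = wrap_c2_message([
    (1, 0, 2),                    # command id
    (2, 2, b"WIN-ANALYST01"),     # hostname
    (3, 2, INNER),                # nested message
])

if __name__ == "__main__":
    for field_no, wire_type, value in unwrap_c2_message(SAMPLE_C2_MESSAGE):
        if wire_type == 2:
            try:
                print(field_no, "nested", decode_protobuf(value))
                continue
            except ValueError:
                pass                                         # not a message: print raw bytes
        print(field_no, wire_type, value)
```

A length-delimited field that happens to decode cleanly as a message is not proof that it is one; when a short string such as a hostname parses as fields with implausible numbers, trust the string reading.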
| Tactic | ATT&CK Technique (Technique ID) |
| --- | --- |
| Execution | T1059.001 – Command and Scripting Interpreter: PowerShell; T1106 – Native API; T1047 – Windows Management Instrumentation; T1053.005 – Scheduled Task/Job: Scheduled Task |
| Persistence | T1053.005 – Scheduled Task/Job: Scheduled Task; T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege escalation | T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control; T1055.002 – Process Injection: Portable Executable Injection; T1055.012 – Process Injection: Process Hollowing |
| Defense evasion | T1620 – Reflective Code Loading; T1218.003 – System Binary Proxy Execution: CMSTP; T1027 – Obfuscated Files or Information; T1027.003 – Obfuscated Files or Information: Steganography; T1027.009 – Obfuscated Files or Information: Embedded Payloads; T1140 – Deobfuscate/Decode Files or Information; T1112 – Modify Registry; T1202 – Indirect Command Execution; T1055.012 – Process Injection: Process Hollowing; T1497.001 – Virtualization/Sandbox Evasion: System Checks |
| Discovery | T1033 – System Owner/User Discovery; T1087.001 – Account Discovery: Local Account; T1083 – File and Directory Discovery; T1082 – System Information Discovery; T1518.001 – Software Discovery: Security Software Discovery |
| Lateral movement | T1021.006 – Remote Services: Windows Remote Management; T1021.002 – Remote Services: SMB/Windows Admin Shares |
| Command and control | T1105 – Ingress Tool Transfer; T1071 – Application Layer Protocol; T1104 – Multi-Stage Channels; T1132.001 – Data Encoding: Standard Encoding |
Defensive Recommendations
To mitigate threats like PureRAT:
- Restrict PowerShell and script hosts with controls a command-line switch cannot undo: application control (WDAC/AppLocker) for wscript.exe and cscript.exe, PowerShell Constrained Language Mode, and script block logging. The execution policy itself is not a security boundary, which is why this chain simply bypasses it on the command line.
- Monitor usage of legitimate binaries like cmstp.exe and Msbuild.exe, in particular cmstp.exe launched with an .INF from a user-writable path and Msbuild.exe started by a script host rather than a build tool
- Detect abnormal scheduled task creation patterns, such as tasks with a one-minute trigger that run a script from a public directory
- Monitor registry autorun keys
- Block known malicious domains and unusual outbound connections
- Apply least privilege principles across systems
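As a worked form of the monitoring recommendations above (added example, not a detection from the original report or any vendor rule), the Python below runs a handful of behavioural rules over constructed process-creation records in a Sysmon-like JSON shape; the field names, rule names and every log line are assumptions made for this example. The rules encode the chain this article describes: PowerShell started with the execution policy bypassed and its window hidden, a scheduled task with a one-to-five-minute trigger, cmstp.exe handed an .INF by a script host, Msbuild.exe spawned by a script host or by the WMI provider host, and conhost.exe --headless. Treat them as a starting point; cmd.exe and WmiPrvSE.exe as parents will need tuning against build and management traffic in a real environment.

```python
import json
import ntpath
import re
from dataclasses import dataclass

# Parents that should not normally be launching these binaries. WmiPrvSE.exe is
# included because processes created through WMI (Win32_Process.Create) are
# parented by the provider host, not by the script that requested them.
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe", "wmiprvse.exe"}


@dataclass
class ProcEvent:
    pid: int
    image: str      # basename, lower-cased
    parent: str     # basename, lower-cased
    cmd: str        # full command line, lower-cased


def parse_event(line):
    """Parse one constructed JSON process-creation record (Sysmon Event ID 1 style field names)."""
    rec = json.loads(line)
    return ProcEvent(
        pid=int(rec["ProcessId"]),
        image=ntpath.basename(rec["Image"]).lower(),
        parent=ntpath.basename(rec["ParentImage"]).lower(),
        cmd=rec["CommandLine"].lower(),
    )


_EP_BYPASS = re.compile(r"-(ep|ex|exec|executionpolicy)\s+bypass")
_HIDDEN = re.compile(r"-(w|win|windowstyle)\s+hidden")
_SC_MINUTE = re.compile(r"/sc\s+minute")
_MO = re.compile(r"/mo\s+(\d+)")


def rule_powershell_hidden_bypass(ev):
    return ev.image == "powershell.exe" and bool(_EP_BYPASS.search(ev.cmd)) and bool(_HIDDEN.search(ev.cmd))


def rule_schtasks_short_interval(ev):
    if ev.image != "schtasks.exe" or "/create" not in ev.cmd or not _SC_MINUTE.search(ev.cmd):
        return False
    m = _MO.search(ev.cmd)
    interval = int(m.group(1)) if m else 1      # schtasks defaults /mo to 1
    return interval <= 5


def rule_cmstp_inf_from_script_host(ev):
    # Legitimate cmstp.exe use comes from admin tooling; a script host handing it an .INF is the bypass pattern.
    return ev.image == "cmstp.exe" and ".inf" in ev.cmd and ev.parent in SUSPICIOUS_PARENTS


def rule_msbuild_from_script_host(ev):
    # MSBuild parented by a build tool or IDE is normal; parented by a script host or WMI it is the hollowing target.
    return ev.image == "msbuild.exe" and ev.parent in SUSPICIOUS_PARENTS


def rule_conhost_headless(ev):
    return ev.image == "conhost.exe" and "--headless" in ev.cmd


RULES = [
    ("powershell_hidden_ep_bypass", rule_powershell_hidden_bypass),
    ("schtasks_short_interval", rule_schtasks_short_interval),
    ("cmstp_inf_from_script_host", rule_cmstp_inf_from_script_host),
    ("msbuild_from_script_host", rule_msbuild_from_script_host),
    ("conhost_headless", rule_conhost_headless),
]


def analyze(lines):
    """Return [(rule_name, pid), ...] for every record that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        hits.extend((name, ev.pid) for name, rule in RULES if rule(ev))
    return hits


# Constructed records: paths, PIDs and command lines are made up for this example.
SAMPLE_LOG = [
    r'''{"ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -ep bypass -w hidden -nop -c iex(...)"}''',
    r'''{"ProcessId": 4188, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "wscript.exe //B C:\\Users\\Public\\kq3x9.vbs"}''',
    r'''{"ProcessId": 4200, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "schtasks.exe /create /f /sc minute /mo 1 /tn SystemUpdate /tr wscript.exe C:\\Users\\Public\\kq3x9.vbs"}''',
    r'''{"ProcessId": 4260, "Image": "C:\\Windows\\System32\\cmstp.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "cmstp.exe /ni /s C:\\Users\\Public\\p7z.inf"}''',
    r'''{"ProcessId": 4300, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "MSBuild.exe"}''',
    r'''{"ProcessId": 4344, "Image": "C:\\Windows\\System32\\conhost.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "conhost.exe --headless cmd.exe /c C:\\Users\\Public\\r.cmd"}''',
    r'''{"ProcessId": 5120, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\Common7\\IDE\\devenv.exe", "CommandLine": "msbuild.exe MyApp.csproj /t:Build"}''',
    r'''{"ProcessId": 5200, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "schtasks.exe /create /sc daily /tn NightlyBackup /tr backup.cmd"}''',
]

if __name__ == "__main__":
    for name, pid in analyze(SAMPLE_LOG):
        print(f"{name:32} pid={pid}")
```

The two benign records at the end (MSBuild under Visual Studio, a daily backup task) are there to show the rules keying on parent and trigger interval rather than on the binary name alone.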
Our Opinion on the PureRAT Case
PureRAT represents a clear shift in attacker strategy—from noisy, easily detectable malware to stealth-first, modular cyber weapons. What stands out most is not just the technical sophistication, but the deliberate layering of techniques designed to defeat both automated defenses and human analysts.
The use of steganography combined with fileless execution is particularly concerning. It highlights how attackers are exploiting trust boundaries—turning harmless-looking files like images into delivery mechanisms. This significantly raises the bar for detection, especially in environments still reliant on signature-based security.
Equally notable is the abuse of legitimate Windows tools. By leveraging binaries like cmstp.exe and Msbuild.exe, attackers blend into normal system activity, making behavioral detection far more challenging. This reinforces the idea that “living off the land” tactics are becoming the norm rather than the exception.
From a defensive standpoint, this case emphasizes the need for behavior-based detection, threat hunting, and strong endpoint visibility. Organizations can no longer depend solely on traditional antivirus solutions.
In conclusion, PureRAT is not just a malware sample—it’s a blueprint for modern cyberattacks. It demonstrates how adaptability, stealth, and modularity define the next generation of threats.
