Huntress has published a detailed investigation into a recent intrusion campaign that began as a Python-based infostealer but escalated into the deployment of PureRAT, a commercially available remote access trojan (RAT). The findings highlight how attackers are combining custom-built loaders with off-the-shelf malware to achieve stealth, persistence, and full remote control over compromised systems.
The attack chain starts with a familiar lure. As Huntress notes, “The attack begins with a conventional phishing email containing a ZIP archive disguised as a copyright infringement notice. The archive contains a legitimate, signed PDF reader executable and a malicious version.dll.”
This DLL sideloading trick forces the legitimate program to load the attacker’s code. From there, the malware abuses certutil.exe and a bundled copy of WinRAR to unpack a hidden Python interpreter and script, which execute entirely in memory to avoid detection.
Each stage of the campaign builds on the previous one. Huntress explains, “The threat actor chained together ten distinct payloads/stages, progressively increasing in complexity to hide their ultimate objective.”

For persistence, the Python script leverages Windows registry keys: “The payload 4 script uses Python’s built-in winreg library to modify the system registry keys, adding a run key designed to look like a legitimate Windows component: Windows Update Service.”
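As an added example (not part of Huntress's report or of this post), the script below audits Run-key entries for the persistence pattern described above: a value name that mimics a Windows component ("Windows Update Service") but launches a Python interpreter from a user-writable directory. The sample entries are constructed; on a Windows host it can also read the live HKCU Run key via the standard winreg module.

```python
import re

# Constructed Run-key entries in (value_name, command) form; on a live Windows
# host these come from read_live_run_entries() below instead.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Windows Update Service", r"C:\Users\alice\AppData\Local\Temp\py\pythonw.exe C:\Users\alice\AppData\Local\Temp\py\u.py"),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

# Heuristics: a real Windows component is not registered as a per-user Run value
# that starts a script interpreter out of AppData/Temp.
LOOKALIKE_NAMES = re.compile(r"^(windows|microsoft)\b.*(service|update|defender|security)", re.I)
SCRIPT_HOSTS = re.compile(r"\b(python|pythonw|wscript|cscript|mshta|powershell|rundll32)(\.exe)?\b", re.I)
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|temp)\\", re.I)

def assess_run_entry(name: str, command: str) -> list[str]:
    """Return the reasons an autorun entry looks suspicious (empty list if none)."""
    reasons = []
    if LOOKALIKE_NAMES.search(name):
        reasons.append("name mimics a Windows component")
    if SCRIPT_HOSTS.search(command):
        reasons.append("command launches a script host/interpreter")
    if USER_WRITABLE.search(command):
        reasons.append("executable lives in a user-writable directory")
    return reasons

def audit_run_entries(entries, min_findings=2):
    """Map name -> reasons for entries with at least min_findings indicators.
    A single weak signal (e.g. OneDrive living in AppData) is not reported alone."""
    findings = {}
    for name, cmd in entries:
        reasons = assess_run_entry(name, cmd)
        if len(reasons) >= min_findings:
            findings[name] = reasons
    return findings

def read_live_run_entries():
    """Enumerate HKCU ...\CurrentVersion\Run; returns [] off Windows (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return []
    entries, i = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            entries.append((name, str(value)))
            i += 1
    return entries

if __name__ == "__main__":
    for name, reasons in audit_run_entries(read_live_run_entries() or SAMPLE_RUN_ENTRIES).items():
        print(f"[!] {name}: {'; '.join(reasons)}")
```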
Later stages pull fresh payloads from shortened URLs and Telegram bots, giving the attackers a flexible way to refresh their toolset.
Just when the operation looks like a straightforward infostealer campaign, the attackers escalate. Stage 3 transitions to .NET-based loaders using process hollowing of RegAsm.exe and advanced defense evasion, including AMSI patching and ETW unhooking.
The final stage delivers PureRAT, which Huntress identifies as the campaign’s ultimate payload. “After eight payloads/stages of loaders, stealers, and obfuscation, we finally arrive at the last payload… PureRAT, a modular, professionally developed backdoor that gives the attacker complete control over a compromised host.”
PureRAT features include:
- Encrypted TLS-pinned C2 communications.
- Host fingerprinting (OS, privileges, AV software, cryptowallets).
- Dynamic plugin loading for keylogging, webcam/microphone spying, hidden desktop access, and more.
A crucial clue was hidden in the stolen data archive metadata. Huntress observed, “A contact field pointing to the Telegram handle @LoneNone… has been publicly associated with the PXA Stealer malware family, giving us a strong attribution link.”
The infrastructure further ties the campaign to Vietnam, where C2 servers were located. Huntress concludes, “The recurring Telegram infrastructure, metadata linking to @LoneNone, and C2 servers traced to Vietnam strongly suggest this was carried out by the people behind PXA Stealer.”
PureRAT is part of a suite of tools marketed by the malware developer “PureCoder,” alongside PureCrypter, BlueLoader, and PureClipper. Huntress explains, “The pivot from a custom-coded stealer to a commercial RAT like PureRAT is significant. It lowers the barrier to entry for the attacker, giving them access to a stable, feature-rich, and ‘professionally’ maintained toolkit.”
This modularity makes the threat more dangerous, enabling attackers to extend capabilities on demand and persist in victim environments long term.