PureHVNC RAT Spreads Through Fake Job Offers and Multi-Stage Obfuscation • Daily CyberSecurity

A new wave of attacks uncovered by Netskope Threat Labs reveals a sophisticated global malware campaign delivering the PureHVNC remote access trojan (RAT) through a deceptive chain of fake job offers and multi-stage payload obfuscation. The campaign demonstrates a high level of technical complexity, making detection and defense increasingly difficult for security teams.

The infection chain is initiated through LNK files disguised as PDFs, which lure victims with fake job offers from well-known brands such as Bershka, Fragrance Du Bois, John Hardy, and Dear Klairs.

“These lures suggest that the campaign is targeting people looking for high-profile marketing jobs worldwide, specifically in the beauty market,” the report warns.

Victims are enticed into opening these files, which execute PowerShell commands leading to a cascade of obfuscated payloads hidden in HTA, JavaScript, AutoIt, and .NET loaders.

The infection unfolds in the following stages:

Initial LNK Download: A dual-extension LNK file (e.g., .pdf.lnk) executes a PowerShell script.
Obfuscated PowerShell & mshta Loader: The script decodes another script, sets the clipboard, and uses mshta.exe to download a fake MP4 file that contains malicious JavaScript.
JavaScript Payloads: The MP4 file contains hidden JS scripts inside <script> tags that decode and execute additional scripts.
Fake Job Offer & Executable Drop: A legitimate-looking PDF and a malicious PE file (e.g., phom.exe) are downloaded and run.
AutoIt and CypherIT Obfuscation: An AutoIt binary downloads more components, writes a new PowerShell script, and executes a heavily obfuscated AutoIt script using CypherIT to evade detection.
Persistence via Startup Folder: A JS file named SwiftWrite.js is placed in a startup folder and executed via a shortcut named SwiftWrite.url.
Process Hollowing Technique: A payload is injected into either AppLaunch.exe or jsc.exe using Process Hollowing, with explorer.exe spoofed as the parent process.
.NET Loader and Decryption: The final payload is a .NET-based loader that decrypts and decompresses a DLL identified as the PureHVNC RAT.

“The injected payload is a .NET binary that acts like a loader and has the simple task of decrypting and executing an embedded payload,” the report explains.

Once deployed, PureHVNC gives the attacker full remote control of the compromised system, allowing lateral movement, tool deployment, and further malware infections.

The RAT’s configuration is base64-encoded and GZip-compressed. The report lists campaign IDs and associated command and control (C2) servers, including:

Campaign ID	C2 address
phom0	85.192.48.3
boom0	85.192.48.3
lu:	139.99.188.124
cuoi0	85.192.48.3
Spam Mail0	139.99.188.124
boom:	139.99.188.124
lu0	85.192.48.3

The malware checks for AV-related processes (e.g., Bitdefender, Kaspersky, Avast) and terminates if emulation environments are detected. Filenames and binaries are also adjusted based on whether AV software is running.

“The script is heavily obfuscated, containing junk functions, junk instructions, and with all of its relevant strings obfuscated.”

This campaign highlights how social engineering and advanced obfuscation tactics are converging to bypass modern defenses. The use of legitimate tools (e.g., PowerShell, AutoIt, mshta) and plausible lures makes this attack particularly stealthy and dangerous.

“The PureHVNC RAT is mainly used to give full system access to the attacker, allowing the upload of new malware, tools, and so on,” the report concludes.

Organizations should enhance detection of dual-extension files, monitor for PowerShell and mshta abuse, and educate employees about job scam phishing tactics.

Rate this post

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Related Posts:

Support Our Threat Intelligence

Related posts:

Leave a Reply Cancel reply