PureRAT Malware: What Lies Behind Sophisticated Phishing Attacks

What Is PureRAT and Why Is It Making Headlines?

PureRAT is a remote access Trojan (RAT) that has gained attention for being at the center of a sharp rise in phishing attacks targeting Russian organizations. Attacks using it have been observed since early 2023, but their volume only rose sharply in early 2025, which is what brought the malware to wider attention.

While the perpetrators' identities remain unknown, the method of attack is all too familiar: a phishing email arrives containing either a RAR archive or a link to one, disguised to look like a harmless Microsoft Word or PDF document. The archive names use double extensions (e.g., .pdf.rar) so that the victim sees a document type and opens the file without suspicion. Windows hides the last extension of a known file type by default, so once an archiver has registered .rar, a name such as report.pdf.rar is displayed simply as report.pdf.
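A mail gateway or attachment filter can flag this lure pattern before a user ever sees it. The following is an added example, not code from the article or from any vendor product; the two extension lists are this example's own assumptions and are deliberately short, and the sample attachment names are constructed, not names used in the campaign.

```python
# Added example: flag attachment names that disguise an archive or executable
# as a document by means of a double extension such as "report.pdf.rar".
# The extension sets below are assumptions for illustration, not a complete
# catalogue; extend them to match your own policy.

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}
CONTAINER_EXTS = {"rar", "zip", "7z", "exe", "scr", "js", "vbs", "lnk", "iso", "img"}


def is_double_extension_lure(filename: str) -> bool:
    """Return True when the real (last) extension is an archive or executable
    type but a document extension sits directly in front of it.

    Matching is case-insensitive, so "Report.PDF.RAR" is treated like
    "report.pdf.rar". A genuine multi-part name such as "backup.tar.gz" is
    not flagged because "tar" is not a document type, and "invoice.pdf" is
    not flagged because it has only one extension.
    """
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False  # one extension or none: nothing is being disguised
    _, inner, outer = parts
    return outer in CONTAINER_EXTS and inner in DOCUMENT_EXTS


def flag_attachments(names):
    """Return the subset of attachment names that look like double-extension lures."""
    return [n for n in names if is_double_extension_lure(n)]


if __name__ == "__main__":
    # Constructed sample attachment names for demonstration only.
    sample = [
        "Contract_2025.pdf.rar",
        "Report.PDF.RAR",
        "invoice.pdf",
        "backup.tar.gz",
        "setup.exe",
    ]
    print(flag_attachments(sample))
```

The check looks only at the last two extensions, so a name with several dots ("q3.results.pdf.rar") is still caught; names that hide the true type with other tricks, such as a right-to-left override character, need a separate rule.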

How the Attack Unfolds: A Layered Delivery Method

Once opened, the archive contains an executable file. When the victim runs it, the malware quietly installs itself on the Windows system, copying itself to the AppData folder under the name "task.exe." It then drops a Visual Basic Script into the user's Startup folder so that it is launched again at every logon.

This initial payload unpacks yet another file named "ckcfb.exe," which launches InstallUtil.exe, a legitimate .NET Framework utility, and uses it as the host process into which the next stage is injected. At this point, a key file called "Spydgozoi.dll" is decrypted and run inside that process, unleashing the main PureRAT backdoor.

Capabilities Beyond Simple Surveillance

PureRAT isn't just a backdoor. It's a multi-functional espionage tool. It immediately establishes an SSL/TLS-encrypted connection with its command-and-control (C2) server and sends system details back to the attacker, such as the antivirus software in use, the computer name, and the system uptime. Once the connection is active, the malware can download and activate various modules to extend its functionality.

These modules include:

  • PluginPcOption: Allows the malware to delete itself, restart its operations, or force a shutdown/reboot of the system.
  • PluginWindowNotify: Watches the titles of open windows for keywords like "password" or "bank" and reports matches to the operator, so the attacker knows when the victim is doing something worth watching in real time.
  • PluginClipper: Acts as a clipboard hijacker, replacing any copied cryptocurrency wallet address with one controlled by the attacker.
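To make the clipper module concrete, here is an added simulation of what such a component does on every clipboard change, together with the paste-time check that defeats it. This is not the malware's code or anything from the article; the address patterns are deliberately loose (a clipper only needs a match that is "good enough" to swap), and the attacker wallet strings are constructed placeholders, not real addresses.

```python
import re

# Added example: simulation of clipboard-hijacking ("clipper") logic and the
# defensive check against it. The regexes are illustrative assumptions:
# Bitcoin legacy (1.../3...), Bitcoin bech32 (bc1...) and Ethereum
# (0x + 40 hex digits). They do not validate checksums, and neither does a
# typical clipper; it just needs to recognise an address.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def classify(text: str):
    """Return the coin type whose pattern matches the whole string, or None."""
    candidate = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return coin
    return None


def clipper_substitute(clipboard_text: str, attacker_wallets: dict) -> str:
    """What the clipper does on every clipboard change.

    If the copied text is a wallet address of a type the attacker holds a
    wallet for, it is silently replaced; anything else is left untouched so
    the victim sees nothing unusual until the funds are gone."""
    coin = classify(clipboard_text)
    if coin is None or coin not in attacker_wallets:
        return clipboard_text
    return attacker_wallets[coin]


def paste_matches_copy(copied: str, pasted: str) -> bool:
    """Defensive check: the address about to be sent must be exactly the one
    the user copied. Any difference, even a single character, means the
    clipboard was tampered with."""
    return copied.strip() == pasted.strip()


if __name__ == "__main__":
    # Constructed values: the victim address is the bech32 example address
    # from the BIP173 test vectors; the attacker wallets are placeholders.
    victim_address = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
    attacker_wallets = {
        "btc": "bc1qattacker00000000000000000000000000000",
        "eth": "0x" + "ee" * 20,
    }
    pasted = clipper_substitute(victim_address, attacker_wallets)
    print("copied :", victim_address)
    print("pasted :", pasted)
    print("intact :", paste_matches_copy(victim_address, pasted))
```

The defensive function is trivial on purpose: the whole protection against a clipper is comparing the pasted address, character by character, with the one you intended to send. An endpoint agent can do the same by recording the clipboard contents on copy and alerting when they change without user action.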

More Than Just a RAT: Enter PureCrypter and PureLogs

The complexity doesn't end with PureRAT. The initial executable also deploys another component named "StilKrip.exe." This isn't malware developed from scratch but a commercially sold downloader called PureCrypter, active since 2022 and often used in criminal campaigns to drop additional threats.

PureCrypter fetches and executes a file named "Bghwwhmlr.wav" (a payload carrying an audio extension, not a real sound file), which continues the chain by launching InstallUtil.exe again. Eventually, this leads to the execution of a file named "Ttcxxewxtly.exe," which extracts a final payload: the PureLogs stealer.

PureLogs is a comprehensive information-harvesting tool that scans browsers and email clients, VPN apps, password managers, and cryptocurrency wallets. It can even collect credentials from FTP clients like FileZilla and WinSCP.

Implications for Organizations and Cyber Defenses

What sets PureRAT apart is its modular structure and quiet persistence. It's not just an infection; it's a platform that gives attackers nearly full control of a compromised system. From logging keystrokes and controlling webcams to silently exfiltrating data, the malware enables a broad range of cyber espionage activities.

For businesses, especially those in sectors handling sensitive data, this means increased risk not only of data theft but also of potential operational disruptions. A compromised system might remain under the radar for weeks or months, allowing attackers to steadily siphon off valuable information.

Defending Against the Invisible Invader

The primary entry point for PureRAT remains phishing email. This underlines the critical need for robust email security controls, user training, and endpoint protection. Organizations should focus on monitoring for unusual activity, enforcing multi-factor authentication, and keeping systems and software up to date.

Security teams also recommend sandboxing email attachments and implementing behavioral detection that can catch malware even when it hosts its code inside a legitimate, signed system tool such as InstallUtil.exe, a living-off-the-land technique that file-based signatures on the tool itself will never flag.
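The infection chain described earlier (task.exe written to AppData, a script dropped in the Startup folder, InstallUtil.exe started by a loader) is exactly the behaviour such detection should key on. The following is an added example of three hunting rules run over constructed Sysmon-style events; it is not code from the article or from any vendor product. The event schema (one dict per event with "type", "image", "parent_image" and "target"), the path lists and the sample paths, including the location of ckcfb.exe and the script name run.vbs, are this example's assumptions, and the field names must be mapped to your own telemetry.

```python
import ntpath

# Added example: behavioural hunting rules for the infection chain discussed
# in this article, evaluated over constructed Sysmon-style events. The event
# field names and the path fragments below are assumptions for illustration.

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case- and slash-insensitive."""
    return path.lower().replace("/", "\\")


def rule_installutil_from_user_path(ev):
    """InstallUtil.exe is a .NET SDK tool. Being started by a parent that
    lives in a user-writable directory is the pattern of a loader using it
    as an injection target, not of an administrator installing a service."""
    if ev.get("type") != "process_create":
        return None
    image, parent = _norm(ev["image"]), _norm(ev.get("parent_image", ""))
    if ntpath.basename(image) != "installutil.exe":
        return None
    if any(d in parent for d in USER_WRITABLE):
        return f"InstallUtil.exe launched by {ev['parent_image']}"
    return None


def rule_vbs_in_startup(ev):
    """A .vbs file created in a Startup folder runs at every logon."""
    if ev.get("type") != "file_create":
        return None
    target = _norm(ev["target"])
    if STARTUP_DIR in target and target.endswith(".vbs"):
        return f"script dropped in Startup folder: {ev['target']}"
    return None


def rule_exe_in_appdata_root(ev):
    """An executable written directly into %AppData%\\Roaming rather than a
    vendor subfolder matches the task.exe stage."""
    if ev.get("type") != "file_create":
        return None
    target = _norm(ev["target"])
    if not target.endswith(".exe"):
        return None
    head, _ = ntpath.split(target)
    if head.endswith("\\appdata\\roaming"):
        return f"executable written to AppData root: {ev['target']}"
    return None


RULES = (rule_installutil_from_user_path, rule_vbs_in_startup, rule_exe_in_appdata_root)


def hunt(events):
    """Return (rule name, detail) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, detail))
    return hits


# Constructed sample telemetry: three events mirroring the chain and two
# benign look-alikes that the rules must leave alone. Paths are invented.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": "C:\\Users\\alice\\Downloads\\Contract.exe",
     "target": "C:\\Users\\alice\\AppData\\Roaming\\task.exe"},
    {"type": "file_create", "image": "C:\\Users\\alice\\AppData\\Roaming\\task.exe",
     "target": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.vbs"},
    {"type": "process_create",
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe",
     "parent_image": "C:\\Users\\alice\\AppData\\Roaming\\ckcfb.exe"},
    # benign: a developer installing a service from Visual Studio
    {"type": "process_create",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe",
     "parent_image": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe"},
    # benign: an updater writing into its own vendor subfolder
    {"type": "file_create", "image": "C:\\Program Files\\Vendor\\update.exe",
     "target": "C:\\Users\\alice\\AppData\\Roaming\\Vendor\\helper.exe"},
]

if __name__ == "__main__":
    for name, detail in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Each rule on its own will fire occasionally on legitimate activity; what makes the chain stand out is the same host producing all three within minutes, so correlate the hits by host and time window before paging anyone.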

A Wake-Up Call, Not a Cause for Panic

The rise of PureRAT and its associated components like PureCrypter and PureLogs signals an evolution in malware tactics—one that blends social engineering, legitimate tools, and off-the-shelf components into a potent threat. However, with awareness, preparation, and the right security posture, organizations can effectively guard against these complex threats. The goal is not to create fear but to encourage vigilance and informed action in the face of increasingly sophisticated cyber campaigns.

May 22, 2025
FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.