All news with #purerat tag

ClickFix Phishing Campaign Targets Hotels, Delivers PureRAT

🔒 Sekoia warns of a large-scale phishing campaign targeting hotel staff that uses ClickFix-style pages to harvest credentials and deliver PureRAT. Attackers impersonate Booking.com in spear-phishing emails, redirect victims through a scripted chain to a fake reCAPTCHA page, and coerce them into running a PowerShell command that downloads a ZIP containing a DLL-side‑loaded backdoor. The modular RAT supports remote access, keylogging, webcam capture and data exfiltration and persists via a Run registry key.

Phishing Campaign Targets Booking.com Partners and Guests

🔒 A large-scale phishing operation targeted Booking.com partner accounts and hotel staff, using impersonated emails and compromised hotel accounts to lure victims into running malicious commands. Attackers relied on redirection chains and the ClickFix social engineering tactic to execute PowerShell that delivered PureRAT. The remote access trojan enabled credential theft, screenshots and exfiltration, with stolen access sold or used to perpetrate payment fraud against guests.

From Infostealer to PureRAT: Dissecting an Escalating Attack

🔍 Huntress Labs analyzed a multi-stage intrusion that began with a phishing ZIP and DLL sideloading and escalated to deployment of the commercial PureRAT backdoor. The operator combined bespoke Python loaders and a Python-based infostealer with compiled .NET loaders, process hollowing, AMSI/ETW tampering, and reflective DLL injection to evade detection. Final-stage configuration revealed a Vietnam-hosted C2 (157.66.26.209) and Telegram infrastructure linked to PXA Stealer, underscoring a shift from custom theft to a professional RAT.

Researchers Expose SVG and PureRAT Phishing Threats

📧 Fortinet FortiGuard Labs and other researchers detailed phishing campaigns that weaponize malicious SVG attachments to initiate downloads of password-protected ZIP archives and Compiled HTML Help (CHM) files. Those CHM files activate loader chains that deliver CountLoader as a distribution stage for Amatera Stealer and the stealthy .NET miner PureMiner, both run filelessly via .NET AOT and memory-loading techniques. Separately, Huntress attributes a Vietnamese-speaking operator using copyright-themed lures that escalate from PXA Stealer to the modular backdoor PureRAT.

Phishing-to-PureRAT: Vietnamese Actor Upgrades Stealer

🛡️ Huntress researchers uncovered a multi-stage phishing operation that began with a Python-based infostealer and culminated in the deployment of PureRAT. The campaign used a ZIP lure containing a signed PDF reader and a malicious version.dll to achieve DLL sideloading, then progressed through ten staged loaders that shifted from obfuscated Python to compiled .NET binaries. Attackers used process hollowing against RegAsm.exe, patched Windows defenses (AMSI and ETW), and ultimately unpacked PureRAT, which communicates over encrypted C2 channels and can load additional modules. Metadata linking the activity to the handle @LoneNone and to the PXA Stealer family, plus a C2 server traced to Vietnam, supports attribution to Vietnamese threat actors.

PXA Stealer Upgrades to Multi-Layer Chain Deploying PureRAT

🔒 A Vietnamese threat group has evolved its custom PXA Stealer campaign into a multi-layered delivery chain that ultimately deploys PureRAT, a feature-rich remote access trojan. Huntress analysts describe a ten-stage sequence beginning with a phishing copyright lure and proceeding through obfuscated Python loaders, layered encoding (Base84, AES, RC4, XOR), and .NET reflective loading. The chain includes AMSI and ETW patching, TLS certificate pinning, registry persistence, and hallowing techniques to evade detection. Huntress linked the activity to the Telegram handle @LoneNone and Vietnamese C2 infrastructure and remediated an intrusion before full module deployment.