PureRAT Malware
Cybersecurity researchers have uncovered a major phishing campaign targeting Russian organizations, delivering a backdoor malware known as PureRAT. Though the campaign began in March 2023, it saw a dramatic surge in early 2025, quadrupling the number of attacks seen during the same period in 2024. While no specific threat actor has been identified, the methods and malware used indicate a highly coordinated operation.
Deceptive Delivery: The Anatomy of the Attack
The attack begins with a phishing email that carries a .RAR archive as an attachment or a link to download one. The archive uses a misleading double extension (e.g., doc_054_[redacted].pdf.rar) so that it passes for a Microsoft Word or PDF document. When the victim extracts and opens the file inside, an executable is launched.
This executable performs several stealthy actions:
- Copies itself to %AppData% as task.exe
- Creates a Task.vbs script in the Startup folder for persistence
- Extracts and runs ckcfb.exe
In turn, ckcfb.exe uses InstallUtil.exe, a legitimate .NET Framework utility, to execute a decrypted module. It also decrypts and loads Spydgozoi.dll, which contains the primary PureRAT payload.
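The chain above leaves three process-creation artifacts that can be hunted for in endpoint telemetry: task.exe running out of %AppData%, the script host executing a .vbs from the Startup folder, and InstallUtil.exe being spawned by a binary in a user-writable directory. The following Python is an added example written for this page, not code from the original article or from the researchers; the event shape is a simplified Sysmon Event ID 1 record, the sample events are constructed, and the locations of the dropped files other than task.exe and Task.vbs (e.g., ckcfb.exe under %AppData%) are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, shaped loosely after Sysmon Event ID 1."""
    pid: int
    image: str          # full path of the newly created process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


# Paths a standard user can write to; a binary staged there becoming the
# parent of a trusted system tool is the red flag for rule 3.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
STARTUP_DIR = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent) -> list[str]:
    """Return the indicators from the dropper chain that this event matches."""
    findings = []
    image = basename(ev.image)

    # 1. The dropper copies itself to %AppData% as task.exe and runs from there.
    if image == "task.exe" and re.search(r"\\appdata\\roaming\\task\.exe$", ev.image, re.I):
        findings.append("task.exe executing from %AppData%")

    # 2. Task.vbs in the Startup folder is launched by the script host at logon.
    if image in SCRIPT_HOSTS and STARTUP_DIR.search(ev.cmdline) and ".vbs" in ev.cmdline.lower():
        findings.append("script host running a .vbs from the Startup folder")

    # 3. InstallUtil.exe (legitimate .NET tool) spawned by a binary living in a
    #    user-writable directory, as ckcfb.exe does to run the decrypted module.
    if image == "installutil.exe" and USER_WRITABLE.search(ev.parent_image):
        findings.append(
            f"InstallUtil.exe spawned by {basename(ev.parent_image)} from a user-writable path")
    return findings


def hunt(events) -> dict[int, list[str]]:
    """Map pid -> findings for every event that tripped at least one rule."""
    return {ev.pid: f for ev in events if (f := check_event(ev))}


# Constructed sample telemetry (not captured data). The downloaded file name
# and the ckcfb.exe location are assumptions for the example.
SAMPLE_EVENTS = [
    # Benign: a developer installing a service from Visual Studio.
    ProcEvent(410, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
              "InstallUtil.exe MyService.exe",
              r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"),
    # Dropper copy running from %AppData%.
    ProcEvent(520, r"C:\Users\alice\AppData\Roaming\task.exe", "task.exe",
              r"C:\Users\alice\Downloads\document.pdf.exe"),
    # Persistence script fired from the Startup folder at logon.
    ProcEvent(530, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task.vbs"',
              r"C:\Windows\explorer.exe"),
    # ckcfb.exe abusing InstallUtil.exe to run the decrypted module.
    ProcEvent(540, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              "InstallUtil.exe", r"C:\Users\alice\AppData\Roaming\ckcfb.exe"),
]

if __name__ == "__main__":
    for pid, findings in hunt(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(findings))
```

Rule 3 is the one worth tuning: InstallUtil.exe is routinely run by build tooling, so the check keys on the parent's location rather than on the utility itself, which is why the devenv.exe event above passes while the ckcfb.exe event is flagged.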
Remote Control: What PureRAT can Do
After gaining a foothold, PureRAT establishes an encrypted connection to a command-and-control (C2) server and sends it basic system information. It can then receive and run malicious plug-in modules, including:
PluginPcOption
- Executes self-deletion
- Restarts malware processes
- Shuts down or reboots the system
PluginWindowNotify
- Monitors active windows for sensitive keywords (e.g., password, bank)
- Can trigger follow-on actions such as unauthorized fund transfers
PluginClipper
- Replaces copied cryptocurrency wallet addresses with attacker-controlled ones
Additionally, PureRAT provides attackers with:
- Keylogging
- Remote desktop control
- Access to files, the registry, camera, microphone and running processes
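The PluginClipper behaviour described above has a simple tell: ordinary clipboard text is left alone, but a wallet address is replaced by a different address of the same type. The Python below is an added example for this page, not code from the original article or from the malware researchers; it checks what a user copied against what the clipboard holds afterwards and reports a swap. The address patterns are format checks only (no checksum validation), and the observations are constructed, using the well-known Bitcoin genesis-block address and placeholder Ethereum strings.

```python
import re
from typing import Optional

# Address shapes of the wallet types clippers most often target. Constructed
# for this example; a production check would also validate checksums.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),  # Base58 P2PKH / P2SH
    "btc_bech32": re.compile(r"^bc1[qp][ac-hj-np-z02-9]{38,58}$"),   # segwit / taproot
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the wallet type of `text`, or None if it is not an address."""
    text = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def clipboard_swapped(copied: str, current: str) -> Optional[dict]:
    """Compare what the user copied with what the clipboard holds now.

    A clipper rewrites only wallet addresses, so an address that comes back
    as a different address is the tell-tale sign; plain text and untouched
    addresses return None.
    """
    kind = classify(copied)
    if kind is None or copied.strip() == current.strip():
        return None
    return {"kind": kind, "expected": copied.strip(), "got": current.strip(),
            "got_kind": classify(current)}


def audit(observations: list) -> list:
    """Run the check over (copied, clipboard_afterwards) pairs."""
    return [hit for copied, now in observations if (hit := clipboard_swapped(copied, now))]


# Constructed observations, not real clipboard captures.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"   # Bitcoin genesis-block address
ETH_OK = "0x" + "ab" * 20                          # placeholder of the right shape
ETH_SWAPPED = "0x" + "cd" * 20                     # what a clipper might substitute
SAMPLE_OBSERVATIONS = [
    ("meeting notes for Tuesday", "meeting notes for Tuesday"),  # plain text, ignored
    (GENESIS, GENESIS),                                          # address left intact
    (ETH_OK, ETH_SWAPPED),                                        # clipper hit
]

if __name__ == "__main__":
    for hit in audit(SAMPLE_OBSERVATIONS):
        print(f"{hit['kind']} address replaced: {hit['expected']} -> {hit['got']}")
```

Because the check compares the address actually pasted with the one the user intended, it catches the swap regardless of how the attacker's address was chosen; the practical lesson is the same one the check encodes, which is to re-read the full address in the destination field before sending funds.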
Layered Infection: More than Just PureRAT
The initial executable also extracts StilKrip.exe, a commercial downloader known as PureCrypter that has been in circulation since 2022. This tool proceeds to download a secondary file, Bghwwhmlr.wav, which triggers a new execution chain. This sequence ultimately launches Ttcxxewxtly.exe, leading to the activation of Bftvbho.dll, the core component of a second malware strain known as PureLogs.
PureLogs functions as a powerful information stealer. Once active, it silently harvests a wide range of sensitive data, including credentials and user information from Web browsers, email clients, VPN services and messaging applications. It also targets password managers, cryptocurrency wallet applications, and widely used file transfer tools such as FileZilla and WinSCP, giving attackers deep access to both personal and organizational data.
Conclusion: Email Still the Weakest Link
The combination of PureRAT and PureLogs gives cybercriminals extensive capabilities to spy on, harvest data from and control compromised systems. Phishing emails carrying malicious attachments or links remain the primary entry point, which underscores the need for robust email filtering and user awareness training in organizational defenses.