PureRAT malware activity in a multi-stage intrusion chain
Malware Activity
Summary
The PureRAT backdoor was deployed as the final stage of a multi-stage intrusion chain, giving operators full remote control over compromised hosts for surveillance, persistence, and the loading of follow-on modules. The implant relied on encrypted C2 and in-memory loading to keep its footprint on disk minimal while the operator established a durable foothold. The delivery path combined phishing, intermediate loaders, and defense-evasion steps before the RAT itself was activated.
Related Happenings
RemotePE memory-only RAT activity by Lazarus Group targeting financial and cryptocurrency organizations
Malware Activity
First: 25.05.2026 12:32
Last: 25.05.2026 12:32
Sources 1
About this happening:
The **RemotePE** malware has been tied to **Lazarus Group** activity against **financial and cryptocurrency organizations**, raising the risk of stealthy long-term access and late...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Google Ads tax-search ScreenConnect malvertising campaign
Campaign
First: 24.03.2026 19:05
Last: 24.03.2026 19:05
Sources 1
About this happening:
A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...
Steaelite Windows RAT with FUD and multi-function capabilities
Malware Activity
First: 27.02.2026 12:06
Last: 27.02.2026 12:06
Sources 1
About this happening:
The **Steaelite** Windows RAT is being marketed as a **fully undetectable** tool for **Windows 10 and 11**, giving operators browser-based control over infected machines and enabl...
MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity
Malware Activity
First: 20.02.2026 13:55
Last: 20.02.2026 13:55
Sources 1
About this happening:
The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...
Timeline
09.10.2025 17:01 · 2 articles
PureRAT deployment in a multi-stage phishing intrusion chain
Technical Analysis Update: A multi-stage intrusion chain culminated in deployment of the commercial PureRAT backdoor. The early stages used a phishing-delivered ZIP archive, DLL sideloading, in-memory Python loaders, and exfiltration through the Telegram Bot API. The later stages shifted to .NET process hollowing into RegAsm.exe, registry persistence under a "Windows Update Service" Run key, defense evasion against AMSI and ETW, and encrypted C2 with TLS pinning tied to the final PureRAT configuration.
- From infostealer to full RAT: dissecting the PureRAT attack chain — www.bleepingcomputer.com — 09.10.2025 17:01
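Detection logic for three of the behaviours in the timeline entry above (a bare RegAsm.exe launch consistent with process hollowing, a Run-key value named like a Windows service but pointing into a user-writable directory, and Telegram Bot API contact from a non-browser process), as an added example that is not from the source article or from the PureRAT tooling. The Sysmon-style event shape, the field names, the allowlists of trusted parents and browsers, the "service lookalike" name pattern and the sample events themselves are constructed assumptions; tune them to your own telemetry before use.

```python
"""Triage constructed Sysmon-style events for PureRAT-chain behaviours.
Added example; event shape, field names, allowlists and data are assumptions."""
import re

# Constructed sample telemetry (not real captures). "id" loosely follows Sysmon
# event IDs: 1 = process create, 13 = registry value set, 3 = network connect.
SAMPLE_EVENTS = [
    # bare RegAsm.exe launched from a user-writable path: hollowing candidate
    {"id": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\setup\launcher.exe"},
    # legitimate COM registration by a vendor installer
    {"id": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "CommandLine": r"RegAsm.exe /codebase C:\Vendor\Vendor.Interop.dll",
     "ParentImage": r"C:\Vendor\setup.exe"},
    # Run-key value mimicking a Windows service, pointing into AppData
    {"id": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows"
                               r"\CurrentVersion\Run\Windows Update Service",
     "Details": r"C:\Users\alice\AppData\Roaming\WinUpdate\svc.exe"},
    # benign Run-key value
    {"id": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    # Telegram Bot API contact from the hollowed host process
    {"id": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    # same destination from a browser: not flagged on its own
    {"id": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
]

# Assumed allowlists and patterns; adjust to the environment.
TRUSTED_REGASM_PARENTS = {"msbuild.exe", "devenv.exe", "msiexec.exe", "setup.exe"}
TELEGRAM_CLIENTS = {"firefox.exe", "chrome.exe", "msedge.exe", "telegram.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)
ASSEMBLY_ARG = re.compile(r"\.(dll|exe)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\(?P<name>[^\\]+)$", re.I)
SERVICE_LOOKALIKE = re.compile(r"windows\s*(update|defender|security)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_regasm_hollowing(ev: dict):
    """Flag RegAsm.exe started with no assembly to register, or by an untrusted
    or user-writable parent. Heuristic: hollowing launches the host bare, while
    genuine use passes a .dll/.exe path on the command line."""
    if ev.get("id") != 1 or basename(ev["Image"]) != "regasm.exe":
        return None
    parts = ev["CommandLine"].strip().split(maxsplit=1)
    tail = parts[1] if len(parts) > 1 else ""
    bare = not ASSEMBLY_ARG.search(tail)
    parent = ev["ParentImage"]
    untrusted_parent = (basename(parent) not in TRUSTED_REGASM_PARENTS
                        or bool(USER_WRITABLE.search(parent)))
    if bare or untrusted_parent:
        return f"RegAsm.exe hollowing candidate (bare={bare}, parent={parent})"
    return None


def rule_run_key_persistence(ev: dict):
    """Flag Run/RunOnce values whose name mimics a Windows component or whose
    target lives in a user-writable directory."""
    if ev.get("id") != 13:
        return None
    m = RUN_KEY.search(ev["TargetObject"])
    if not m:
        return None
    name, data = m.group("name"), ev.get("Details", "")
    if SERVICE_LOOKALIKE.search(name) or USER_WRITABLE.search(data):
        return f"Run-key persistence: '{name}' -> {data}"
    return None


def rule_telegram_bot_api(ev: dict):
    """Flag api.telegram.org connections from anything that is not a browser
    or the Telegram client; the Bot API is a cheap exfil/C2 channel."""
    if ev.get("id") != 3 or ev.get("DestinationHostname", "").lower() != "api.telegram.org":
        return None
    proc = basename(ev["Image"])
    return None if proc in TELEGRAM_CLIENTS else f"Telegram Bot API contact from {proc}"


RULES = (rule_regasm_hollowing, rule_run_key_persistence, rule_telegram_bot_api)


def triage(events) -> list:
    """Run every rule over every event; return (rule name, finding) pairs."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((rule.__name__, hit))
    return findings
```

Each rule is a pure function over one event, so the same logic can be lifted into a SIEM query or an EDR custom rule. Expect false positives where installers legitimately drive RegAsm.exe from temporary directories or where Telegram bots are used for business notifications; correlating the three findings on the same host, as the chain above would produce, is a much stronger signal than any one of them alone.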