A phishing lure opened the door. At first glance it looked ordinary: a ZIP file, a signed PDF reader, a misplaced DLL. The DLL sideloaded itself into a trusted process and set the rest in motion.
According to Huntress, what followed was a deliberate climb from simple Python scripts to a polished, modular remote access trojan called PureRAT. The path matters, but the method matters more.
The chain used several steps, each of which removed friction for the attacker and increased resilience for the implant. No single control would have stopped it.
The Detail
The email held a ZIP and a copyright notice. Inside was a real PDF reader and a malicious version.dll. When the EXE ran, it loaded the DLL from the same folder: classic sideloading.
The DLL used certutil to decode a Base64 blob hidden in Document.pdf. That produced a second archive containing a renamed WinRAR, which dropped a renamed Python interpreter (svchost.exe) and an obfuscated script to C:\Users\Public\Windows.
Those Python pieces run only in memory. One decodes a huge Base85 blob and executes it. Another uses a mix of RSA, AES, RC4 and XOR to decrypt the next stage. The malware adds a Run key named “Windows Update Service” so the chain restarts at login.
The loaders fetch updates via Telegram bot descriptions and URL shorteners, letting the attacker swap payloads without touching the machine. Stage two is a Python infostealer that steals browser cookies, saved credentials, autofill data and cards, zips it up and sends it via the Telegram Bot API; the ZIP metadata contains a Telegram handle tied to PXA Stealer.
Next, a larger payload arrives: a .NET assembly plus shellcode. The attacker hollowed out a suspended RegAsm.exe, injected the .NET payload, then patched AmsiScanBuffer and unhooked EtwEventWrite to hide from telemetry. After multiple unpacking steps a protected DLL (Mhgljosy.dll) appears; it’s obfuscated with .NET Reactor.
Deobfuscated, a Base64 blob expands to GZip and then to protobuf. That revealed C2 IPs, ports and an X.509 certificate used for TLS pinning. Once the implant connects, it fingerprints the host (AVs, processor and disk IDs, memory identifiers, domain, webcams, privilege level, OS version, wallet files and browser extensions) then sits idle, ready to receive modular plugins from the operator.
The Capabilities
PureRAT is modular and feature-rich. It offers hidden desktop access, webcam and microphone control, real-time logging, remote command execution, file, process, and registry management, and the ability to push plugins to load additional features at will.
The RAT uses protobuf for messages, TLS with certificate pinning for C2, and dynamic in-memory module loading. It is a professional tool sold with a GUI and documentation.
Attribution Signals
Multiple telemetry points line up with PXA Stealer. The Telegram-based infrastructure, the @LoneNone handle in archive metadata, and C2 servers located in Vietnam are consistent with prior reporting.
SentinelLABS and Beazley Security have documented the early Python stages; this analysis extends that picture by detailing the PureRAT stage and its reflective .NET loading.
Why This Shift Matters
Moving from custom stealers to commodity RATs reduces effort for the attacker. Instead of building advanced persistence, remote control, and surveillance features themselves, they buy them. That reduces development time, increases operational tempo, and broadens the pool of potential operators. A novice with access to a commercial RAT gains capabilities near parity with more skilled actors.
For defenders, the change is subtle and dangerous. Commodity tools are maintained and improved. They receive feature updates and bug fixes and include built-in evasion. They are designed to be used by people who may not understand the full technical stack, but who can still cause real harm.
BOLO
According to Huntress, indicators and behaviors to hunt for are:
- Signed document reader executables launching DLLs from local directories.
- certutil decoding data from files that appear to be documents.
- Renamed legitimate binaries used to host Python interpreters.
- Large Base85 or Base64 blobs executed in memory.
- Run keys mimicking legitimate services, especially created by Python processes.
- Unexpected TLS certificates presented by clients; evidence of pinned certificates in binaries.
- AMSI patching or ETW unhooking behavior detected in memory.
- Telegram API traffic used for exfiltration or command conduits.
As always, train users. Block or flag certutil usage for document decoding patterns and monitor process creation chains, particularly signed binaries spawning unexpected children.
Detect process hollowing and reflective assembly loads, and validate TLS certificates presented by outbound clients. Harden logging so WMI queries and unusual registry writes raise alerts and use behavioral detections that do not rely solely on static signatures.
Read the full Huntress report here.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.