Pulsar RAT Using Memory-Only Execution & HVNC to Gain Invisible Remote Access


Pulsar RAT has emerged as a sophisticated derivative of the open-source Quasar RAT, introducing dangerous enhancements that enable attackers to maintain invisible remote access through advanced evasion techniques.

This modular, Windows-focused remote administration tool represents a significant evolution in threat sophistication, combining memory-only execution with hidden virtual network computing (HVNC) capabilities that circumvent traditional detection methods.

Technical Architecture and Capabilities

Pulsar operates using a client-server model, with TLS-encrypted communication and the MessagePack binary protocol for efficient command transmission.

The malware establishes persistence via UAC bypass mechanisms and by creating scheduled tasks at system logon with elevated privileges.

What distinguishes Pulsar from predecessors is its comprehensive feature set:


Feature               Description
Keylogging            Records keystrokes to capture sensitive user input.
Clipboard Hijacking   Replaces cryptocurrency wallet addresses in the clipboard.
Credential Theft      Steals credentials using the integrated Kematian Grabber module.
File Management       Allows attackers to browse, upload, and download files.
Remote Shell          Enables execution of commands on infected systems.
Data Exfiltration     Collects and sends stolen data to attacker-controlled servers.

The malware retrieves its command-and-control configuration from public pastebin sites. It decrypts payloads using embedded cryptographic keys to obtain C2 server addresses.

This approach adds operational flexibility while reducing direct infrastructure exposure. Pulsar’s sophistication lies in its multi-layered anti-analysis arsenal.

Pulsar RAT attack chain in ANY.RUN’s Sandbox (source: any.run )

The malware includes anti-virtualization checks that inspect disk labels for indicators of virtual machines, including “QEMU HARDDISK” and common hypervisor signatures.

Upon detection, execution halts immediately, preventing sandbox analysis. Anti-debugging protections further obstruct security tool examination. Memory-only execution represents Pulsar’s most consequential innovation.

The malware loads payloads directly into memory via .NET reflection without writing files to disk, creating a fileless attack vector that bypasses disk-based security monitoring.

This approach eliminates forensic artifacts and dramatically reduces incident response visibility.

Code injection capabilities enable execution within legitimate processes, rendering detection based on process names ineffective.

Distribution and Attack Chains

Recent samples demonstrate distribution through supply chain compromises.

A notable 2025 npm package campaign used malicious libraries “soldiers” and “@mediawave/lib” employing seven-layer obfuscation, including Unicode variable encoding, hexadecimal conversion, Base64 encoding, and steganography embedded in PNG images.

Post-install scripts automatically delivered payloads to developers, achieving hundreds of weekly downloads before detection.
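The campaign above abused npm lifecycle hooks: a postinstall script runs automatically on `npm install`, and the obfuscation layers the article lists (Unicode escapes, hex, Base64, PNG steganography) leave recognisable traces in whatever that hook executes. The audit below is an added example written for this article, not code from the article or from any project it names. It reads a package manifest plus the local script a hook points at, and flags hooks whose command or script body carries those indicators. The manifests and the `setup.js` body are constructed for the test and are not real packages; the indicator regexes are a starting heuristic, not a complete signature set.

```python
"""Added example: audit npm lifecycle hooks (preinstall/install/postinstall/prepare)
for the obfuscation indicators described in the article. Operates on in-memory
strings so it can be unit-tested; scan_node_modules() wraps it for a real tree."""
import json
import re
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators; labels are our own names, not a vendor taxonomy.
SUSPICIOUS = {
    "base64_decode": re.compile(r"base64|atob\(", re.IGNORECASE),
    "unicode_escape_run": re.compile(r"(\\u[0-9a-fA-F]{4}){4,}"),
    "hex_escape_run": re.compile(r"(\\x[0-9a-fA-F]{2}){4,}"),
    "inline_eval": re.compile(r"\beval\(|new Function\("),
    "remote_fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.IGNORECASE),
    "image_payload": re.compile(r"\.png\b", re.IGNORECASE),
}

# Constructed sample inputs (not real packages): one hook that runs a local
# script carrying several indicators, and one clean manifest.
SAMPLE_MALICIOUS_MANIFEST = (
    '{"name": "example-pkg", "version": "1.0.0", '
    '"scripts": {"postinstall": "node setup.js", "test": "jest"}}'
)
SAMPLE_MALICIOUS_FILES = {
    "setup.js": r"""
const payload = fs.readFileSync('./assets/logo.png');   // data hidden in an image
const name = "\u0065\u0076\u0061\u006c";                 // unicode-escaped identifier
const decoded = Buffer.from(payload.toString(), 'base64');
eval(decoded.toString());
""",
}
SAMPLE_BENIGN_MANIFEST = '{"name": "clean-pkg", "scripts": {"test": "jest", "build": "tsc"}}'


def _indicators(text):
    """Return the labels of every SUSPICIOUS pattern that matches text."""
    return [label for label, rx in SUSPICIOUS.items() if rx.search(text)]


def audit_package(manifest_text, files=None, origin="package.json"):
    """Audit one package.json body. `files` maps relative path -> content for
    scripts the hooks may execute (e.g. 'setup.js' for 'node setup.js')."""
    files = files or {}
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return [{"package": origin, "hook": None, "command": None,
                 "reasons": [f"unparseable manifest: {exc}"], "risk": "review"}]
    name = manifest.get("name", origin)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = set(_indicators(cmd))
        # Follow "node <file>.js"-style hooks into the local script they run.
        for ref in re.findall(r"([\w./-]+\.c?m?js)\b", cmd):
            body = files.get(ref.lstrip("./"))
            if body is not None:
                reasons.update(_indicators(body))
        findings.append({"package": name, "hook": hook, "command": cmd,
                         "reasons": sorted(reasons),
                         "risk": "high" if reasons else "review"})
    return findings


def scan_node_modules(root):
    """Walk a directory tree on disk and audit every package.json found."""
    results = []
    for manifest in Path(root).rglob("package.json"):
        pkg_dir = manifest.parent
        files = {}
        for p in pkg_dir.rglob("*.js"):
            rel = p.relative_to(pkg_dir)
            if "node_modules" in rel.parts or p.stat().st_size > 1_000_000:
                continue
            files[str(rel).replace("\\", "/")] = p.read_text(errors="replace")
        results.extend(audit_package(manifest.read_text(errors="replace"),
                                     files, origin=str(manifest)))
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "node_modules"
    for f in scan_node_modules(target):
        print(f"[{f['risk']}] {f['package']} {f['hook']}: {f['command']} {f['reasons']}")
```

A hook with no indicators is still reported as "review" rather than silently passed: install-time code execution is the risk, and the indicator list only raises the priority. Running the scanner against a CI checkout before `npm ci` is one place this fits.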

ANY.RUN sandbox analysis reveals typical deployment sequences: malicious BAT files execute UAC bypass operations by clearing DelegateExecute registry values and injecting commands into ms-settings registry keys.

BAT file created at the start of the attack (source: any.run )

The mechanism launches computerdefaults.exe with elevated privileges, subsequently creating scheduled tasks configured for persistence at every user logon.
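The two steps above (the per-user ms-settings handler write with an empty DelegateExecute value, then computerdefaults.exe spawning an elevated scheduled-task creation at logon) are both visible in ordinary endpoint telemetry. The detection logic below is an added example written for this article, not ANY.RUN's or any vendor's rule. It runs over Sysmon-style event records (EventID 1 process create, 12/13 registry write) that are constructed here for illustration; the registry path assumed is the standard `HKU\<SID>\Software\Classes\ms-settings\Shell\Open\command` handler location that this bypass family writes to, and the process chain is reconstructed through ParentProcessId links.

```python
"""Added example: detect the ms-settings/DelegateExecute UAC-bypass write and the
ComputerDefaults.exe -> schtasks onlogon/highest persistence chain in
Sysmon-style events. Sample events are constructed, not captured."""
import re

# Per-user ms-settings handler abused by the ComputerDefaults.exe bypass.
MS_SETTINGS_CMD = re.compile(
    r"HKU\\[^\\]+\\Software\\Classes\\ms-settings\\Shell\\Open\\command",
    re.IGNORECASE,
)
# schtasks /create ... /sc onlogon ... /rl highest (article: persistence at every logon)
ONLOGON_HIGHEST = re.compile(r"/create\b.*/sc\s+onlogon\b.*/rl\s+highest\b", re.IGNORECASE)

# Constructed telemetry mirroring the article's sequence; paths and PIDs are invented.
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 4242, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute",
     "Details": ""},
    {"EventID": 13, "ProcessId": 4242, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\(Default)",
     "Details": r"C:\Users\dev\AppData\Local\Temp\stage.bat"},
    {"EventID": 1, "ProcessId": 4300, "ParentProcessId": 4242, "IntegrityLevel": "High",
     "Image": r"C:\Windows\System32\ComputerDefaults.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "ComputerDefaults.exe"},
    {"EventID": 1, "ProcessId": 4310, "ParentProcessId": 4300, "IntegrityLevel": "High",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\ComputerDefaults.exe",
     "CommandLine": 'schtasks /create /sc onlogon /rl highest /tn "Updater" '
                    r'/tr "C:\Users\dev\AppData\Local\Temp\stage.bat"'},
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 1000, "IntegrityLevel": "Medium",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]


def detect_ms_settings_hijack(events):
    """Registry writes under the per-user ms-settings open-command handler.
    Legitimate software has no reason to create this key for a user."""
    return [e for e in events
            if e["EventID"] in (12, 13) and MS_SETTINGS_CMD.search(e.get("TargetObject", ""))]


def _process_index(events):
    """Map ProcessId -> process-create event so parent chains can be walked."""
    return {e["ProcessId"]: e for e in events if e["EventID"] == 1}


def _has_ancestor(event, index, image_suffix, max_depth=5):
    """True if any ancestor (within max_depth hops) has an Image ending in image_suffix."""
    cur = event
    for _ in range(max_depth):
        parent = index.get(cur.get("ParentProcessId"))
        if parent is None:
            return False
        if parent["Image"].lower().endswith(image_suffix.lower()):
            return True
        cur = parent
    return False


def detect_elevated_task_chain(events):
    """schtasks creating an onlogon, highest-run-level task with ComputerDefaults.exe
    as an ancestor: the persistence step the article describes."""
    index = _process_index(events)
    hits = []
    for e in events:
        if e["EventID"] != 1 or not e["Image"].lower().endswith("schtasks.exe"):
            continue
        if not ONLOGON_HIGHEST.search(e.get("CommandLine", "")):
            continue
        if _has_ancestor(e, index, "computerdefaults.exe"):
            hits.append(e)
    return hits


def build_alerts(events):
    """Combine both detections into (rule, ProcessId) alert tuples."""
    alerts = [("ms_settings_handler_write", e["ProcessId"])
              for e in detect_ms_settings_hijack(events)]
    alerts += [("computerdefaults_schtasks_onlogon", e["ProcessId"])
               for e in detect_elevated_task_chain(events)]
    return alerts


if __name__ == "__main__":
    for rule, pid in build_alerts(SAMPLE_EVENTS):
        print(f"ALERT {rule} pid={pid}")
```

The registry rule fires on the write itself, before elevation happens, so it is the earlier and more actionable signal; the process-chain rule confirms that the bypass succeeded and that persistence was installed. Both also point at the dropped path in `Details` and `/tr`, which is the artifact to collect for cleanup.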

Pulsar primarily targets Windows users and organizations that lack advanced endpoint detection and response (EDR) solutions, with a particular focus on developers through supply-chain mechanisms.

Recent detections involved multi-RAT deployments dropping Pulsar alongside Quasar, NjRAT, and XWorm variants through open directories, suggesting both opportunistic and targeted infection campaigns.

Pulsar process succession (source: any.run )

Analysis tags from recent samples include evasion, crypto-regex patterns, donut loaders, rust-based components, and Python implementations, indicating evolving attack frameworks and continuous development.

The malware’s modular design permits seamless plugin additions for customization based on specific campaign objectives and target environments.

Organizations face substantial operational impact from Pulsar infections, with remediation requiring 200-500 person-hours and extending beyond technical compromise to intellectual property theft and regulatory violations.

The malware’s sophisticated anti-analysis techniques and fileless execution methods demand layered defense controls combining EDR platforms, network segmentation, and user security awareness training.

Pulsar detected by YARA rule (source: any.run )

Detection requires integrated threat intelligence combining indicator searches, sandbox analysis, and network infrastructure correlation.

Security teams investigating Pulsar should query threat intelligence platforms using indicators, including destination IP addresses, C2 infrastructure, and behavioral signatures associated with memory-only execution and HVNC operations.

Pulsar RAT’s combination of stealth capabilities, comprehensive functionality, and supply chain attack vectors positions it as an emerging critical threat requiring immediate organizational attention and defensive prioritization.
