The PureHVNC remote administration tool (RAT) has emerged as a sophisticated component of the Pure malware family, gaining prominence in mid-2025 amid an uptick in targeted intrusion campaigns.
Originating from underground forums and Telegram channels, PureHVNC is marketed by its author, known as PureCoder, alongside companion tools such as PureCrypter, PureLogs, and PureMiner.
Its adoption by cybercriminal customers reflects a growing demand for modular malware suites capable of stealthy full system control and data exfiltration.
Initial deployments have leveraged the ClickFix phishing technique, luring victims with counterfeit job offers to execute malicious scripts, setting the stage for multi-stage intrusions.
In one notable incident, attackers deployed a Rust Loader, followed by PureHVNC RAT and the Sliver command-and-control framework over an eight-day window.
Check Point analysts noted that during this campaign, PureHVNC communicated with its control server to retrieve three GitHub URLs hosting supporting modules, directly implicating the developer’s own GitHub accounts in the malware’s operational infrastructure.
These GitHub repositories contained browser driver executables and plugin files essential for TwitchBot and YouTubeBot functionalities, illustrating an unusual developer-sourced supply chain for malware support files.
Beyond its initial infiltration tactics, PureHVNC demonstrates advanced capabilities for persistence and privilege escalation.
Upon execution, the RAT registers itself via scheduled tasks named to mimic legitimate Google Updater services, ensuring resilience across reboots.
If running without administrative privileges, it prompts a UAC elevation loop using PowerShell (paths defanged as in the report):

```powershell
while ($true) {
    # Relaunch regsvr32 with the malicious DLL through an elevated cmd.exe; the UAC prompt
    # reappears on every iteration until the user accepts it, at which point the loop exits
    Start-Process -FilePath cmd[.]exe -Verb runas -ArgumentList 'regsvr32[.]exe MALWARE[.]dll --typerenderer'
    exit
}
```
Once elevated, the loader establishes a mutex (MistyRoseNavy) to prevent duplicate execution and creates a scheduled task with a one-minute repetition interval.
This approach, combined with AMSI bypass via an LdrLoadDll hook, allows PureHVNC to remain undetected by real-time defenses while maintaining control of the endpoint.
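The persistence traits above (a Google-Updater-lookalike task name, a regsvr32 action against a DLL in a user-writable path, and a one-minute repetition interval) can be checked against Task Scheduler XML exports. This is an added detection example, not code from the report or from Check Point; the task names and the two sample exports are constructed, and MALWARE.dll is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Living-off-the-land binaries a genuine Google Updater task never launches
LOLBINS = {"regsvr32.exe", "rundll32.exe", "cmd.exe", "powershell.exe", "mshta.exe"}


def assess_task(task_name: str, xml_text: str) -> list:
    """Return the reasons a Task Scheduler XML export looks like the persistence
    described in the report: Google-Updater-lookalike name, an action that runs a
    LOLBin (regsvr32.exe) against a DLL in a user-writable path, and a PT1M repeat."""
    root = ET.fromstring(xml_text)
    lookalike = "google" in task_name.lower() and "updat" in task_name.lower()
    findings = []
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        command = (exe.findtext("t:Command", default="", namespaces=NS) or "").strip('" ')
        args = exe.findtext("t:Arguments", default="", namespaces=NS) or ""
        binary = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if lookalike and binary in LOLBINS:
            findings.append(f"lookalike task runs LOLBin: {binary} {args}".rstrip())
        if lookalike and binary == "googleupdate.exe" and "\\google\\update\\" not in command.lower():
            findings.append(f"GoogleUpdate.exe launched from unexpected path: {command}")
        if ".dll" in args.lower() and "\\appdata\\" in args.lower():
            findings.append("action loads a DLL from a user-writable AppData path")
    for interval in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        if (interval.text or "").strip().upper() == "PT1M":
            findings.append("trigger repeats every minute (PT1M)")
    return findings


# Constructed sample exports (not from the report); MALWARE.dll is a placeholder name.
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Repetition><Interval>PT1M</Interval></Repetition></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\regsvr32.exe</Command>
    <Arguments>C:\Users\victim\AppData\Roaming\MALWARE.dll --typerenderer</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Repetition><Interval>PT1H</Interval></Repetition></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command>
    <Arguments>/c</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in [("GoogleUpdaterTaskSystem", SUSPICIOUS_TASK),
                           ("GoogleUpdateTaskMachineCore", BENIGN_TASK)]:
        print(name, "->", assess_task(name, xml_text) or ["no findings"])
```

On a live host the same function can be fed the output of `schtasks /Query /XML` or `Export-ScheduledTask`, one task at a time.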
Infection Mechanism
PureHVNC’s initial loader is a .NET assembly delivered by the Rust Loader shellcode. The loader decrypts its payload using ChaCha20-Poly1305, validates payload size against a 1 KB threshold, and allocates executable memory to host the decrypted .NET assembly.
The embedded assembly is then loaded and executed, initializing the RAT’s main loop. Communication is established over SSL streams, where the bot sends Gzip-compressed system information—including OS version, installed antivirus products, and metadata like campaign ID—to the C2 server.
Incoming commands are received as compressed buffers, decompressed, deserialized, and dispatched to plugin threads for execution.
By segmenting payload delivery and employing encryption and compression, PureHVNC evades static signature detection and complicates network-based discovery, underscoring its stealthy infection mechanism.