
Developers of the PureHVNC RAT (Remote Access Trojan) exploit GitHub to publicly share their malicious source code.

PureHVNC, a Remote Access Trojan (RAT) in the Pure malware family sold by the developer known as PureCoder, provides stealthy remote control and data exfiltration and has been delivered through ClickFix phishing lures.

Hackers Behind PureHVNC Malware Utilize GitHub to Store Malicious Software Code


A new entrant in the threat landscape gained prominence in mid-2025: the PureHVNC Remote Administration Tool (RAT). This component of the Pure malware family has drawn attention for its stealth and versatility.

PureHVNC is the work of the developer known as PureCoder, who also produces the rest of the Pure malware family. The tool has been delivered through phishing campaigns that use ClickFix social-engineering lures, and related source code and components were hosted and distributed via GitHub repositories. The specific Telegram channels or underground forums used to market it are not named in the available sources.

PureHVNC was first offered on underground forums and Telegram channels. Once a host is compromised, Rust loader shellcode delivers the initial loader, a .NET assembly. This loader validates the payload size against a 1 KB threshold, creates a mutex so that a second instance will not run, and registers a scheduled task that repeats at a one-minute interval.
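The one-minute scheduled task described above is a persistence pattern a defender can hunt for in exported task definitions. The following is an added example, not code from the article or from the malware: it parses Task Scheduler XML (the format produced by `schtasks /query /xml` and `Export-ScheduledTask`), flags repetition intervals at or below one minute, and flags actions that launch from user-writable paths. Both task definitions, the paths and the file names are constructed for the example.

```python
"""Triage exported Windows scheduled tasks for the pattern the article
describes: a trigger that repeats every minute, launching a binary from a
user-writable directory.

Added example, not code from the article or from PureHVNC.  The task XML
is constructed to mimic that pattern; element names follow the Task
Scheduler schema emitted by `schtasks /query /xml` and Export-ScheduledTask.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample resembling the persistence the article describes.
# The path and file name are placeholders, not indicators from the article.
SAMPLE_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\victim\AppData\Roaming\updater\svc.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: hourly repetition from System32.
BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\cleanmgr.exe</Command></Exec>
  </Actions>
</Task>"""

# Locations an unprivileged user can write to; tune this for your environment.
USER_WRITABLE = re.compile(
    r"^(?:%(?:APPDATA|LOCALAPPDATA|TEMP|TMP)%"
    r"|C:\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop)"
    r"|C:\\ProgramData|C:\\Windows\\Temp)",
    re.IGNORECASE,
)


def iso8601_minutes(interval):
    """Convert the PnDTnHnMnS durations Task Scheduler uses into minutes (None if malformed)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", interval)
    if not m:
        return None
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def analyze_task(xml_text, max_minutes=1.0):
    """Return repetition intervals, commands and findings; suspicious when both fire."""
    root = ET.fromstring(xml_text)
    intervals = [(e.text or "").strip() for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    commands = [(e.text or "").strip() for e in root.iterfind(".//t:Exec/t:Command", NS)]
    findings = []
    for iv in intervals:
        minutes = iso8601_minutes(iv)
        if minutes is not None and minutes <= max_minutes:
            findings.append("repeats every %s (<= %g min)" % (iv, max_minutes))
    for cmd in commands:
        if USER_WRITABLE.match(cmd.strip('"')):
            findings.append("runs from user-writable path: " + cmd)
    return {"intervals": intervals, "commands": commands,
            "findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for label, xml_text in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, analyze_task(xml_text))
```

Requiring both findings before marking a task suspicious keeps legitimate high-frequency tasks (updaters in Program Files, telemetry in System32) out of the result set; in a real hunt, feed every exported task through `analyze_task` and review the ones it returns.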

The embedded assembly is then loaded and executed, initialising the RAT's main loop. Communication between the bot and the Command and Control (C2) server runs over SSL streams. The bot sends Gzip-compressed system information, including the OS version, installed malware protection products, and metadata such as a campaign ID, to the C2 server.

Incoming commands are received as compressed buffers, decompressed, deserialized, and dispatched to plugin threads for execution. This modular design allows PureHVNC to adapt to various tasks, reflecting a growing demand for such malware suites capable of stealthy full system control and data exfiltration.
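Because the article describes both directions of C2 traffic as Gzip-compressed buffers inside an SSL stream, an analyst who has the plaintext (from TLS inspection or a memory capture) first needs to locate and inflate each compressed member. The following is an added example, not code from the article or from PureHVNC: it carves gzip members out of a byte stream by their magic bytes and decompresses each one. The sample stream, its length-prefix framing and the record contents are constructed; the real protocol's framing and serialisation format are not given in the article.

```python
"""Carve gzip members out of a captured byte stream and inflate each one.

Added example, not code from the article or from PureHVNC.  The stream
built by build_sample_stream() is constructed: the 4-byte length prefix
and the JSON-like record bodies are assumptions made for the demo.
"""
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2, CM = deflate


def carve_gzip_members(stream):
    """Return every valid gzip member in `stream` with its offset, sizes and payload."""
    members = []
    pos = 0
    while True:
        start = stream.find(GZIP_MAGIC, pos)
        if start == -1:
            break
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ selects gzip framing
        try:
            payload = d.decompress(stream[start:])
            if not d.eof:                              # truncated member
                raise zlib.error("truncated member")
        except zlib.error:
            pos = start + 1                            # false positive: keep scanning
            continue
        consumed = len(stream) - start - len(d.unused_data)
        members.append({"offset": start, "compressed_len": consumed,
                        "decompressed_len": len(payload), "payload": payload})
        pos = start + consumed
    return members


def build_sample_stream():
    """Constructed capture: two gzip records with big-endian length prefixes and filler."""
    sysinfo = b'{"os":"Windows 10 Pro","av":["Windows Defender"],"campaign":"demo-001"}'
    command = b'{"type":"command","id":7}'
    out = b""
    for record in (sysinfo, command):
        blob = gzip.compress(record, mtime=0)
        out += struct.pack(">I", len(blob)) + blob + b"\x00\x00"   # trailing filler
    return out


if __name__ == "__main__":
    for m in carve_gzip_members(build_sample_stream()):
        print(m["offset"], m["compressed_len"], "->", m["decompressed_len"], m["payload"][:40])
```

Scanning for the magic bytes rather than trusting any framing means the same routine works on a raw TLS-decrypted stream, a process memory dump or a carved file; `unused_data` tells you exactly where one member ends so the next search starts after it, and a header that fails to inflate is skipped instead of aborting the scan.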

In one notable incident, attackers deployed a Rust Loader, followed by PureHVNC RAT and the Sliver command-and-control framework over an eight-day window. This incident underscores the potential damage that PureHVNC can inflict.

To evade static signature detection and complicate network-based discovery, PureHVNC relies on encryption and compression: the loader decrypts its embedded payload with ChaCha20-Poly1305 before executing it.

Initial deployments of PureHVNC used the ClickFix phishing technique. These deployments contacted their control server to retrieve three GitHub URLs hosting supporting modules; the repositories contained browser driver executables and plugin files required for the TwitchBot and YouTubeBot functionality.

Beyond its initial infiltration tactics, PureHVNC has capabilities for persistence and privilege escalation. Once elevated, the loader evades real-time malware protection while maintaining control of the endpoint.

PureHVNC is marketed by its author alongside companion tools such as PureCrypter, PureLogs, and PureMiner. As the cyber threat landscape continues to evolve, it is crucial for organisations to stay vigilant and equipped with the necessary defences against such sophisticated threats.
