PureHVNC
PureHVNC is a modular .NET remote access trojan (RAT) from the “Pure” malware family, commonly described as a hidden VNC/remote desktop malware. Across the provided reporting, it is repeatedly observed in malspam and phishing campaigns, often alongside other commodity RATs and stealers such as AgentTesla, FormBook, Remcos, AsyncRAT, DcRAT, XWorm, VenomRAT, Violet, PureLogs, PureCrypter, zgRAT, and Brute Ratel C4 wrappers. It has been associated with financially motivated cybercrime activity including the SERPENTINE#CLOUD campaign and other ClickFix/ClearFake-style delivery chains.
Documented capabilities include hidden or real-time remote desktop control, screen capture/control, command execution, persistent access, browser credential and data theft, theft from email clients, cryptocurrency wallet theft, collection of hardware and software information, and plugin-based extensibility. Reporting also states it can steal data from Telegram and Foxmail. In one campaign, the inner payload was described as zgRAT with PureHVNC functionality providing full remote desktop control, credential theft from browsers and email clients, and persistence.
Observed infection vectors include malspam campaigns targeting Italy with business-themed lures such as orders, requests, invoices, quotations, payments, bank transfers, documents, offers, notices, shipments, declarations, purchases, reservations, account statements, and miscellaneous business topics. Additional delivery methods include fake Booking.com verification/CAPTCHA pages targeting hospitality staff, Google Forms impersonating job interviews, project briefs, and financial documents, LinkedIn-distributed lures, and ClickFix-style social engineering that tricks users into executing PowerShell. Victims were also directed to malicious ZIP archives hosted on Dropbox, filedn.com, fshare.vn, WebDAV servers, and Cloudflare Tunnel infrastructure.
Execution and evasion behavior described in the content includes staged PowerShell loaders, DLL side-loading/hijacking, use of legitimate binaries such as psl.exe, trojanized libpsl-5.dll and msimg32.dll, hidden AppData or ProgramData extraction paths, persistence via Run keys, Startup-folder scripts, scheduled tasks, and in-memory process injection. Multiple reports describe Donut shellcode as the bridge into .NET payload execution, with AMSI/WLDP bypasses and injection into legitimate processes including explorer.exe, SearchUI.exe, and notepad.exe. Python-based loaders using AES-CBC, XOR, RC4, and Kramer-style obfuscation were repeatedly used in SERPENTINE#CLOUD-related activity. Anti-analysis behavior mentioned includes IsDebuggerPresent(), time64()-based checks, sandbox/debugger detection messages, self-deletion, abuse of trusted Windows utilities, and anti-idle scripts to keep remote sessions alive for PureHVNC.
Associated infrastructure and indicators directly mentioned in the content include C2 IP 207.148.66.14 on ports 56001, 56002, and 56003; C2 correlation to 12.202.180.133 on port 6757; and DuckDNS-based PureHVNC infrastructure including bsmaopm.duckdns.org:6757. One campaign IOC set included URLs https://58gold.com/h0v6wg63gK4DY2Sbkpy7eOnbTqgRSpzYDTgpjubd3qg7 and https://clubcampestrededurango.com/clubcampestrededurango.zip, IP 94.26.90.216, and SHA-256 hashes ca1dbbbd75b898b5df5ff2a63b592ecdcd2777b0d370eb3848d9604e02627e64, 526cd0ca695d223e6c244c7a557f9d115fe2f68fbe2684fe403a04de908c70d3, and 354daf11614e9c0097798f213e0867aa68c8d736b26e54ef67c0ba9c3da415a1. Additional host artifacts mentioned include the mutex Rluukgz. The content also notes delivery through a Ygfumkl packer and reflective loading of Lhjknyy.dll in one campaign.
Victimology in the provided material includes Italian organizations targeted via malspam, hospitality-sector victims including Italian-speaking Booking.com users and hotel staff, professionals in finance, logistics, technology, sustainability, and energy, German-speaking businesses, UK organizations, and SMB/accounting-related targets. Overall, the reporting consistently characterizes PureHVNC as a commodity but actively used remote access malware favored in financially motivated phishing and multi-stage loader campaigns.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (8 techniques)
Organizations should prioritize behavioral detection strategies focused on suspicious PowerShell execution...
The batch stagers are the initial execution layer. 29 .bat files recovered across six evidence directories deduplicate to 13 unique templates in four categories.
Each stager also downloads Shoopify.bat, PWS.vbs, and pws1.vbs into the Startup folder... Anti-idle scripts: deployed by all download stagers to the Startup folder.
The ZIP contains a Python runtime and one or more loader scripts. Each loader decrypts embedded shellcode, and that shellcode bootstraps the .NET Common Language Runtime (CLR) to load the actual payload.
allocate RWX memory, write shellcode via WriteProcessMemory ... ctypes.windll.kernel32.VirtualProtect(... 0x40, # PAGE_EXECUTE_READWRITE ... )
Below we see the subjects used in the various campaigns divided by day and type of malware.
Privilege Escalation (3 techniques)
By combining user-assisted PowerShell execution, staged payload delivery, DLL side-loading, persistence mechanisms, and in-memory process injection...
Injection technique: create a suspended notepad.exe, allocate RWX memory, write shellcode via WriteProcessMemory, queue an APC, resume the thread... Instead of notepad.exe, the loaders now create a suspended explorer.exe and use Early Bird APC injection.
Stealth (11 techniques)
Wave 4/5 introduces the deepest nesting observed in the campaign. The Nov19 Donut instances deliver native x64 PE wrappers instead of .NET assemblies directly... Layer 2: Kramer decode (hex -> unicode shift -> rotation -> RC4 -> base64)
MITRE ATT&CK mapping (excerpt): Obfuscated Files: Software Packing (T1027.002); implementation: Donut shellcode packer.
MITRE ATT&CK mapping (excerpt): Defense Evasion, Masquerading: Match Legitimate Name (T1036.005); implementation: msedge_elf.dll, libpsl-5.dll.
MITRE ATT&CK mapping (excerpt): Process Injection: Process Hollowing (T1055.012); implementation: PureHVNC via VirtualAlloc / WriteProcessMemory.
The campaign also highlights increasing abuse of legitimate Windows utilities and trusted binaries to evade conventional security controls.
Checks for AvastUI.exe and AVGUI.exe via tasklist. If detected, downloads abb11.zip (OBKS-only, Avast-safe profile). If not, downloads quz11.zip (full WBKS + BKSNO deployment).
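The behaviours collected above (connections to the listed C2 endpoints, stager scripts dropped into the Startup folder, Run-key persistence written by scripting hosts) lend themselves to a simple host-telemetry triage. The following Python is an added example, not code from this page or from any of the reports it summarizes; the Sysmon-style event schema, the set of process names treated as script hosts, and the sample events are assumptions.

```python
from pathlib import PureWindowsPath

# C2 endpoints and stager file names are taken from this page; everything else is an assumption.
C2_ENDPOINTS = {("207.148.66.14", 56001), ("207.148.66.14", 56002), ("207.148.66.14", 56003),
                ("12.202.180.133", 6757), ("bsmaopm.duckdns.org", 6757)}
STAGER_NAMES = {"shoopify.bat", "pws.vbs", "pws1.vbs"}
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js", ".ps1"}
STARTUP_MARKER = r"\microsoft\windows\start menu\programs\startup"
RUN_KEY_MARKER = r"\software\microsoft\windows\currentversion\run"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "python.exe"}

def triage(event: dict) -> list[str]:
    """Return PureHVNC-related findings for one Sysmon-style event (empty list = nothing flagged)."""
    findings = []
    image = PureWindowsPath(event.get("image", "")).name.lower()  # process that performed the action
    if event.get("type") == "network":
        if (event.get("dest", ""), int(event.get("port", 0))) in C2_ENDPOINTS:
            findings.append(f"known PureHVNC C2 {event['dest']}:{event['port']} from {image}")
    elif event.get("type") == "file_create":
        target = PureWindowsPath(event.get("target", ""))
        if STARTUP_MARKER in str(target.parent).lower():  # anything landing in the Startup folder
            if target.name.lower() in STAGER_NAMES:
                findings.append(f"known stager {target.name} dropped in Startup folder")
            elif target.suffix.lower() in SCRIPT_EXT and image in SCRIPT_HOSTS:
                findings.append(f"script {target.name} written to Startup by {image}")
    elif event.get("type") == "registry_set":
        if RUN_KEY_MARKER in event.get("key", "").lower() and image in SCRIPT_HOSTS:
            findings.append(f"Run key value {event.get('value', '')!r} set by {image}")
    return findings

def triage_all(events: list[dict]) -> list[str]:
    return [finding for event in events for finding in triage(event)]

# Constructed sample telemetry; none of it comes from a real incident.
STARTUP = r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "network", "image": r"C:\Windows\explorer.exe", "dest": "207.148.66.14", "port": 56002},
    {"type": "network", "image": r"C:\Windows\explorer.exe", "dest": "13.107.21.200", "port": 443},
    {"type": "file_create", "image": r"C:\Windows\System32\cmd.exe", "target": STARTUP + r"\PWS.vbs"},
    {"type": "file_create", "image": PS, "target": STARTUP + r"\keepalive.ps1"},
    {"type": "file_create", "image": r"C:\Windows\System32\notepad.exe", "target": r"C:\Users\u\notes.txt"},
    {"type": "registry_set", "image": PS,
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater"},
]

if __name__ == "__main__":
    print("\n".join(triage_all(SAMPLE_EVENTS)))
```

The endpoint match is exact, so a real deployment would normally widen it to the listed IPs on any port and resolve the DuckDNS name at evaluation time.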
Discovery (2 techniques)
Lateral Movement (1 technique)
Collection (1 technique)
IOCs tracked for this family
147 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
33 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Password stealer distributed via malspam campaigns targeting Italy during the week of 2026-06-15 to 2026-06-21.
A malware family distributed via malspam campaigns targeting Italy, observed in email themes such as orders and requests; the report groups it among the password stealer families active that week.
A remote access trojan delivered via a ClickFix-style, multi-stage infection chain using user-assisted PowerShell execution, staged payload delivery, DLL side-loading, persistence mechanisms, and in-memory process injection to achieve stealthy access and evade detection.
A password stealer family observed in malspam campaigns targeting Italy during the week of 2026-06-01 to 2026-06-07.