Significant Surge in PureRAT Malware Incidents: Fourfold Increase in 2025, Utilizing PureLogs to Target Russian Enterprises


Russian organizations are currently facing a sophisticated phishing campaign aimed at distributing malware known as PureRAT, as reported by Kaspersky. This campaign, which commenced in March 2023, has escalated significantly, with the number of attacks quadrupling in the early months of 2025 compared to the same period in 2024.

The attack begins with a phishing email that either includes a RAR file attachment or a link to an archive disguised as a Microsoft Word or PDF document, often using a double file extension (e.g., “doc054[redacted].pdf.rar”). Inside the archive is an executable file. Once executed, it copies itself to the “%AppData%” directory on the compromised Windows machine under the name “task.exe” and also creates a Visual Basic Script named “Task.vbs” in the Startup folder.

The “task.exe” file then unpacks another executable named “ckcfb.exe,” which launches the system utility “InstallUtil.exe” and injects a decrypted module into it. “ckcfb.exe” is also responsible for extracting and decrypting a DLL file titled “Spydgozoi.dll,” which contains the core payload of the PureRAT malware.
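The delivery chain above leaves behaviour a defender can look for in endpoint telemetry: an archive whose name carries a document extension followed by a real archive extension, an executable named task.exe running from %AppData%, a .vbs script executed from the Startup folder, and InstallUtil.exe being launched by a parent that is not an installer or build tool. The following is an added example, not Kaspersky's code or any part of the malware analysis itself; it runs a few such heuristics over constructed process-creation events (field names loosely modelled on Sysmon Event ID 1) and the allowlist of expected InstallUtil parents is an assumption that would need tuning per environment.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (not real telemetry). The malicious
# names (task.exe, Task.vbs, ckcfb.exe, InstallUtil.exe, the .pdf.rar archive)
# come from the write-up; usernames, paths and the redacted archive name are
# placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "command_line": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\alice\Downloads\doc054_PLACEHOLDER.pdf.rar"'},
    {"image": r"C:\Users\alice\AppData\Roaming\task.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Users\alice\AppData\Roaming\task.exe"'},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\ckcfb.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'},
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task.vbs"'},
    # Benign control cases: InstallUtil launched by an installer, and Word opening a normal document.
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /i service.dll'},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"WINWORD.EXE" "C:\Users\alice\Documents\report.docx"'},
]

# Archive named like a document but carrying a second, real archive extension.
DOUBLE_EXT_RE = re.compile(r"[\w\-]+\.(?:doc|docx|pdf|xls|xlsx)\.(?:rar|zip|7z)\b", re.I)
# The dropped copy described in the write-up: %AppData%\task.exe.
APPDATA_TASK_RE = re.compile(r"\\AppData\\Roaming\\task\.exe$", re.I)
# Any .vbs run from the per-user Startup folder.
STARTUP_SCRIPT_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\\"]+\.vbs\b", re.I)
INSTALLUTIL_RE = re.compile(r"\\InstallUtil\.exe$", re.I)
# Parents living under user-writable locations are never expected to spawn InstallUtil.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Users\\[^\\]+\\(?:Downloads|Desktop|Documents))\\", re.I)
# Assumed allowlist of legitimate InstallUtil parents; tune to the estate.
EXPECTED_INSTALLUTIL_PARENTS = {"msiexec.exe", "devenv.exe", "msbuild.exe", "setup.exe"}


def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every heuristic that fires on one event."""
    hits: List[str] = []
    image = ev.get("image", "")
    parent = ev.get("parent_image", "")
    cmd = ev.get("command_line", "")

    if DOUBLE_EXT_RE.search(cmd):
        hits.append("double_extension_archive")
    if APPDATA_TASK_RE.search(image):
        hits.append("appdata_task_exe")
    if image.lower().endswith(("wscript.exe", "cscript.exe")) and STARTUP_SCRIPT_RE.search(cmd):
        hits.append("startup_vbs_execution")
    if INSTALLUTIL_RE.search(image):
        parent_name = parent.rsplit("\\", 1)[-1].lower()
        if parent_name not in EXPECTED_INSTALLUTIL_PARENTS or USER_WRITABLE_RE.search(parent):
            hits.append("installutil_unexpected_parent")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every heuristic over a list of events; returns (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify_event(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx]['image']}")
```

Each rule on its own is noisy (developers do run InstallUtil, users do receive .zip attachments); the value is in seeing several of them fire on one host within a short window, in the order the write-up describes. The two benign control events at the end produce no hits, which is the minimum a rule set like this should satisfy before it goes near production.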

Upon installation, PureRAT establishes SSL connections with a command-and-control (C2) server and transmits critical system information, including details about installed antivirus software, the computer’s name, and the system’s uptime. The C2 server, in turn, dispatches auxiliary modules capable of executing a range of malicious activities:

PluginPcOption: This module can execute commands for self-deletion, restart the executable file, and perform shutdown or reboot operations.
PluginWindowNotify: It monitors the active window names for specific keywords, such as “password” or “bank,” and can conduct unauthorized fund transfers based on its findings.
PluginClipper: This component acts as clipper malware, replacing cryptocurrency wallet addresses in the clipboard with those controlled by the attacker.

Kaspersky emphasizes that the Trojan incorporates modules designed to download and execute arbitrary files, granting attackers extensive control over the infected system, including access to the file system, registry, processes, camera, microphone, and keylogging capabilities. This essentially provides attackers with remote desktop-like control.

The initial executable that launches “ckcfb.exe” also extracts a secondary binary known as “StilKrip.exe.” This binary is a commercially available downloader, recognized as PureCrypter, which has been operational since 2022 and has previously been used to deliver a variety of malicious payloads.

“StilKrip.exe” then downloads a file called “Bghwwhmlr.wav.” This file follows the same routine as the earlier stages, running “InstallUtil.exe,” which in turn launches another executable named “Ttcxxewxtly.exe.” This executable unpacks and executes a DLL payload named PureLogs, an off-the-shelf information stealer capable of extracting data from web browsers, email clients, VPN services, messaging applications, wallet browser extensions and password managers, as well as applications such as FileZilla and WinSCP.

The combined capabilities of PureRAT and PureLogs afford attackers comprehensive access to compromised systems and confidential organizational data. Kaspersky underscores that the primary means of attack targeting businesses continues to be emails carrying malicious attachments or links.