PureRAT: A Multi-Stage, Fileless RAT Utilizing Image Steganography and Process Hollowing

    Date: 04/21/2026

    Severity: High

    Summary

    PureRAT is a sophisticated remote access trojan that uses a multi-stage, fileless infection chain initiated by a malicious LNK file and PowerShell commands. It employs steganography to hide payloads within PNG images, along with techniques like UAC bypass, process hollowing, and anti-VM checks to evade detection. Once deployed, it establishes persistence and communicates with a C2 server, enabling modular capabilities such as system reconnaissance, keylogging, and remote control.

    Indicators of Compromise (IOC) List

    Domains/URLs

    https://crixup.com

    http://instantservices1.ddnsguru.com

    IP Address

    178.16.52.58

    Hashes (SHA-256)

    7d22c61e8aafc9a2a812cafe7720922ab12d770e5af7d92527d9b0dbd6e10f30

    96b4713c6b9e5283f9d2f570a51edce66fc44ced2ae130b65dbe1326690a27eb

    40bd37eba7f9a56516c96092d5c6d50937fc4df00baf79155ada9d1673389830

    121ae6c664aaef9ed2e44ed04c66e1cabcb00295c48289afd9e23126fc6edadf

    96d4e77c0d433b14c2030be194ad12e159b5292f33da3a7d4d2749475845c253

    bb1075ca2ff0a9b5e407fb396f8f87705d8f512b42b3f4326586ef17fed8aabb

    e0c0418d8bad7b4731b7de35059c6a51c49825e6ec841193cd8842220957cff9

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://crixup.com" or url like "https://crixup.com" or siteurl like "https://crixup.com" or domainname like "http://instantservices1.ddnsguru.com" or url like "http://instantservices1.ddnsguru.com" or siteurl like "http://instantservices1.ddnsguru.com"

    Detection Query 2:

    dstipaddress IN ("178.16.52.58") or srcipaddress IN ("178.16.52.58")

    Detection Query 3:

    sha256hash IN ("7d22c61e8aafc9a2a812cafe7720922ab12d770e5af7d92527d9b0dbd6e10f30","121ae6c664aaef9ed2e44ed04c66e1cabcb00295c48289afd9e23126fc6edadf","40bd37eba7f9a56516c96092d5c6d50937fc4df00baf79155ada9d1673389830","bb1075ca2ff0a9b5e407fb396f8f87705d8f512b42b3f4326586ef17fed8aabb","96b4713c6b9e5283f9d2f570a51edce66fc44ced2ae130b65dbe1326690a27eb","e0c0418d8bad7b4731b7de35059c6a51c49825e6ec841193cd8842220957cff9","96d4e77c0d433b14c2030be194ad12e159b5292f33da3a7d4d2749475845c253")
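    The three queries above are plain IOC matches over the fields domainname, url, siteurl, dstipaddress, srcipaddress and sha256hash. The following Python is an added example, not Gurucul's query engine or any code from the Trellix write-up: it loads the page's IOCs and applies the same three checks to a handful of constructed log events (the event dicts and their field values are made up for the example). It goes one step beyond the literal queries in two places that matter in practice: the two URL IOCs are reduced to their hostnames so that a field holding only a bare domain (or a URL with a path) still matches, and hashes are compared case-insensitively.

```python
"""Apply the PureRAT IOC detection queries to constructed log events (added example)."""
from urllib.parse import urlparse

# IOCs exactly as listed on the advisory page.
IOC_URLS = {
    "https://crixup.com",
    "http://instantservices1.ddnsguru.com",
}
IOC_IPS = {"178.16.52.58"}
IOC_SHA256 = {
    "7d22c61e8aafc9a2a812cafe7720922ab12d770e5af7d92527d9b0dbd6e10f30",
    "96b4713c6b9e5283f9d2f570a51edce66fc44ced2ae130b65dbe1326690a27eb",
    "40bd37eba7f9a56516c96092d5c6d50937fc4df00baf79155ada9d1673389830",
    "121ae6c664aaef9ed2e44ed04c66e1cabcb00295c48289afd9e23126fc6edadf",
    "96d4e77c0d433b14c2030be194ad12e159b5292f33da3a7d4d2749475845c253",
    "bb1075ca2ff0a9b5e407fb396f8f87705d8f512b42b3f4326586ef17fed8aabb",
    "e0c0418d8bad7b4731b7de35059c6a51c49825e6ec841193cd8842220957cff9",
}


def host_of(value):
    """Return the lower-cased hostname of a URL or bare domain, or None.

    A bare domain has no scheme, so we prefix '//' to make urlparse treat
    it as a network location rather than a path.
    """
    if not value:
        return None
    candidate = value if "://" in value else "//" + value
    host = urlparse(candidate).hostname
    return host.lower() if host else None


# Hostnames derived from the URL IOCs (generalizes the page's "like" matches).
IOC_HOSTS = {host_of(u) for u in IOC_URLS}

DOMAIN_FIELDS = ("domainname", "url", "siteurl")
IP_FIELDS = ("dstipaddress", "srcipaddress")


def query1_domain(event):
    """Detection Query 1: any domain/URL field resolves to an IOC hostname."""
    return any(host_of(event.get(f)) in IOC_HOSTS for f in DOMAIN_FIELDS)


def query2_ip(event):
    """Detection Query 2: source or destination IP is the IOC address."""
    return any(event.get(f) in IOC_IPS for f in IP_FIELDS)


def query3_hash(event):
    """Detection Query 3: SHA-256 matches an IOC hash, ignoring letter case."""
    digest = event.get("sha256hash")
    return bool(digest) and digest.lower() in IOC_SHA256


QUERIES = (("Query 1", query1_domain), ("Query 2", query2_ip), ("Query 3", query3_hash))


def match_event(event):
    """Return the names of the detection queries that fire for one event."""
    return [name for name, check in QUERIES if check(event)]


# Constructed sample events (hypothetical; only the IOC values come from the page).
EVENTS = [
    {"id": 1, "url": "https://crixup.com/img/cat.png", "dstipaddress": "178.16.52.58"},
    {"id": 2, "domainname": "INSTANTSERVICES1.ddnsguru.com"},
    {"id": 3, "sha256hash": "7D22C61E8AAFC9A2A812CAFE7720922AB12D770E5AF7D92527D9B0DBD6E10F30"},
    {"id": 4, "url": "https://example.com/", "srcipaddress": "10.0.0.5", "sha256hash": "0" * 64},
]


def run(events=EVENTS):
    """Evaluate every event and return (event id, matched queries) pairs."""
    return [(e["id"], match_event(e)) for e in events]


if __name__ == "__main__":
    for event_id, hits in run():
        print(f"event {event_id}: {', '.join(hits) if hits else 'no match'}")
```

Event 2 is the case worth noting: a literal comparison of the field domainname against the string "https://crixup.com" or "http://instantservices1.ddnsguru.com" would never fire when the log only records the hostname, so whichever field your log source actually populates should be normalized the same way on both sides of the comparison.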

    Reference:

    https://www.trellix.com/blogs/research/purerat-fileless-utilizing-steganography-process-hollowing/

    Tags

    Malware, RAT, Trojan, LNK, Steganography, Keylogger
