Executive Summary
In October 2025, Huntress Labs analyzed a sophisticated attack campaign leveraging the PureRAT remote access trojan. The intrusion began with a targeted phishing email containing a ZIP archive that employed DLL sideloading to launch a cascade of in-memory loaders written in Python. Progressing through multi-layered obfuscation, hybrid encryption, and system persistence via Windows registry modifications, the attackers ultimately deployed PureRAT, granting full remote control over victim endpoints. Notably, the operation combined custom-developed loaders with commercial malware, demonstrating advanced evasion and command and control techniques, including encrypted communications and dynamic payload delivery.
This incident highlights the growing complexity and modularity of post-phishing attack chains. Organizations must remain vigilant as threat actors increasingly blend bespoke scripts with off-the-shelf RATs, drastically lowering the barrier for stealthy, persistent intrusions targeting credential theft and long-term access.
Why This Matters Now
The PureRAT campaign exemplifies a rise in multi-stage, stealthy attacks that exploit Python-based loaders and fileless techniques to evade detection. With the convergence of custom and commercial malware, security teams face heightened urgency to deploy advanced threat detection, granular segmentation, and zero trust controls to counter evolving, persistent threats.
Attack Path Analysis
The attack began with a targeted phishing email leveraging DLL sideloading to deploy a chain of in-memory loaders via obfuscated payloads, ultimately leading to the execution of a Python-based infostealer and later PureRAT. The malware established persistent access by setting registry run keys. Lateral movement within the environment is possible using encrypted channels and loader updates. The final remote access trojan establishes an encrypted command-and-control channel and enables exfiltration of sensitive data through covert channels. The attack culminates with full remote access, allowing the adversary to manipulate or disrupt business operations.
Kill Chain Progression
Initial Compromise
Description
A phishing email with a malicious ZIP archive uses DLL sideloading to execute a chained payload, exploiting the trusted application vector for initial code execution.
Related CVEs
CVE-2025-54309
CVSS 9.8
An unprotected alternate channel vulnerability in CrushFTP allows remote attackers to bypass authentication and gain unauthorized access.
Affected Products:
CrushFTP – < 10.5.0
Exploit Status:
exploited in the wild
CVE-2025-6558
CVSS 8.8
Improper input validation in Google Chromium's ANGLE and GPU components allows remote attackers to execute arbitrary code via crafted HTML pages.
Affected Products:
Google Chromium – < 92.0.4515.159
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
Hijack Execution Flow: DLL Side-Loading
Command and Scripting Interpreter: Python
Signed Binary Proxy Execution: Rundll32
Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
Obfuscated Files or Information
Ingress Tool Transfer
Proxy: External Proxy
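The kill chain above (archive extracted to a user directory, DLL sideloading via rundll32, Python loaders, Run-key persistence) maps directly onto a few host-telemetry rules. The following is an added illustration, not code from Huntress or from the original report; it runs over constructed Sysmon-style event dicts (process creation and registry value set) and flags the two behaviours a defender would key on first.

```python
"""Detection sketch for the PureRAT chain: flags Run-key persistence that
points at a Python interpreter or rundll32, and rundll32/python launches
whose parent or arguments live in user-writable directories.
Events are constructed Sysmon-style dicts (EventID 1 / 13), not real telemetry."""
import re

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
LOADER_IMAGES = ("python.exe", "pythonw.exe", "rundll32.exe")
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Temp|ProgramData)\\",
    re.IGNORECASE)


def detect(events):
    """Return a list of (rule_name, detail) alerts for the given events."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]):
            # Persistence: Run key whose data launches a loader or lives in a user dir
            data = ev["Details"]
            if any(img in data.lower() for img in LOADER_IMAGES) or USER_WRITABLE.search(data):
                alerts.append(("run_key_persistence", ev["TargetObject"]))
        elif ev["EventID"] == 1:
            # Execution: rundll32/python started from, or pointed at, a user-writable path
            image = ev["Image"].rsplit("\\", 1)[-1].lower()
            suspicious_path = USER_WRITABLE.search(ev["ParentImage"]) or USER_WRITABLE.search(ev["CommandLine"])
            if image in LOADER_IMAGES and suspicious_path:
                alerts.append(("loader_from_user_dir", ev["CommandLine"]))
    return alerts


# Constructed sample events: one sideloaded DLL launch, one benign rundll32,
# one Python Run-key entry, one benign vendor Run-key entry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice\viewer.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\invoice\helper.dll,Start"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\pyenv\pythonw.exe C:\Users\alice\AppData\Roaming\pyenv\run.py"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The path and key patterns are starting points; tune USER_WRITABLE and LOADER_IMAGES to the interpreters and staging directories legitimately present in your estate.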
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Software Prevention Mechanisms
Control ID: 5.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Verify Identity and Access Control
Control ID: Identity Pillar: Authenticate and Authorize
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Art. 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
PureRAT's credential theft capabilities and encrypted C2 channels pose severe risks to financial data, requiring enhanced east-west traffic security and zero trust segmentation.
Health Care / Life Sciences
Remote access trojans targeting healthcare violate HIPAA compliance requirements, necessitating threat detection systems and secure hybrid connectivity for patient data protection.
Information Technology/IT
Multi-stage RAT deployment through DLL sideloading affects IT infrastructure management, demanding multicloud visibility controls and inline IPS protection for client environments.
Government Administration
Sophisticated phishing campaigns delivering commercial RATs threaten government operations, requiring cloud native security fabric and egress policy enforcement against data exfiltration.
Sources
- From infostealer to full RAT: dissecting the PureRAT attack chain. https://www.bleepingcomputer.com/news/security/from-infostealer-to-full-rat-dissecting-the-purerat-attack-chain/ (Verified)
- Hackers Hijack US Accounting Firm Using "Ghost Crypt" to Deploy PureRAT Malware. https://undercodenews.com/hackers-hijack-us-accounting-firm-using-ghost-crypt-to-deploy-purerat-malware/ (Verified)
- Cybercriminals Use Zoho WorkDrive Folders To Spread Obfuscated PureRAT Malware. https://cybernoz.com/cybercriminals-use-zoho-workdrive-folders-to-spread-obfuscated-purerat-malware/ (Verified)
- CISA Adds Four Known Exploited Vulnerabilities to Catalog. https://www.cisa.gov/news-events/alerts/2025/07/22/cisa-adds-four-known-exploited-vulnerabilities-catalog (Verified)
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic security, inline threat detection, and robust egress controls would have collectively reduced the PureRAT kill chain’s effectiveness by limiting access paths, detecting unauthorized execution, and blocking encrypted C2 and exfiltration channels.
Control: Threat Detection & Anomaly Response
Mitigation: Rapid detection and alerting of anomalous executable and DLL behaviors.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Distributed enforcement flags persistence techniques and prevents unauthorized privilege elevation.
Control: Zero Trust Segmentation
Mitigation: Lateral movement is contained by granular identity-based microsegmentation.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound C2 channels are blocked or inspected, disrupting adversary control.
Control: Encrypted Traffic (HPE) & Egress Security & Policy Enforcement
Mitigation: Encrypted exfiltration attempts are detected and prevented through inspection and policy.
Active threats are identified and responses automated to halt ongoing malicious activity.
Impact at a Glance
Affected Business Functions
- Accounting
- Client Management
- Financial Reporting
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive client financial data, including tax records and personal identification information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and contain any endpoint compromise.
- Enforce strong egress security policies and block unauthorized outbound C2 and data exfiltration channels.
- Deploy inline threat detection and anomaly response to rapidly surface and respond to suspicious process, registry, and loader activity.
- Enhance east-west traffic inspection and microsegmentation across hybrid and multi-cloud environments to detect and halt propagation of malware loaders and RATs.
- Ensure continuous visibility with centralized policy controls and real-time logging for rapid incident detection and response.