

Ethical Hacking News

PureRAT Malware Spikes 4x in 2025, Deploying PureLogs to Target Russian Firms



Cybersecurity experts have warned that use of the PureRAT malware has quadrupled in 2025, with a significant focus on Russian firms. The malware is designed to steal sensitive information and confidential organizational data from infected systems. Organizations must take immediate action to protect themselves against such attacks. Follow us for more updates and expert insights on cybersecurity threats.

  • The PureRAT malware has seen a significant spike in usage in 2025, targeting Russian firms.
  • The attack chain involves multiple stages, starting with a phishing email and leading to the deployment of the PureLogs malware.
  • PureLogs is an off-the-shelf information stealer that can harvest data from various programs and services.
  • Organizations are advised to implement robust cybersecurity measures and be vigilant about phishing attempts to reduce the risk of falling prey to these cyberattacks.






    In a recent report released by Kaspersky, it has been revealed that the PureRAT malware has experienced a significant spike in its usage in 2025, specifically targeting Russian firms. According to the cybersecurity vendor, the number of attacks peaked in the first third of 2025, quadrupling compared to the same period in 2024.

    The attack chain initiated by the phishing email is quite complex and involves multiple stages. The email contains a RAR file attachment or a link to an archive that masquerades as a Microsoft Word or PDF document. Upon opening the archive, the executable copies itself to the "%AppData%" location of the compromised Windows machine under the name "task.exe" and creates a Visual Basic Script called "Task.vbs" in the Startup VBS folder.

    The next stage involves unpacking another executable "ckcfb.exe", running the system utility "InstallUtil.exe," and injecting into it the decrypted module. The "Ckcfb.exe," for its part, extracts and decrypts a DLL file "Spydgozoi.dll" that incorporates the main payload of the PureRAT malware.

    The PureRAT malware establishes SSL connections with a command-and-control (C2) server and transmits system information, including details about the installed antivirus products, the computer name, and the time elapsed since system startup. In response, the C2 server sends auxiliary modules that perform various malicious actions:

  • self-deletion, restarting the executable file, and shutting down or rebooting the computer;
  • executing commands for unauthorized fund transfers;
  • checking the name of the active window for keywords like "password", "bank" and "WhatsApp", and performing appropriate follow-up actions;
  • functioning as clipper malware by substituting cryptocurrency wallet addresses copied to the system clipboard with an attacker-controlled one.

    The Trojan includes modules for downloading and running arbitrary files that provide full access to the file system, registry, processes, camera and microphone, implement keylogger functionality, and give attackers the ability to secretly control the computer using the remote desktop principle.

    Furthermore, the original executable that launches "ckcfb.exe" simultaneously extracts a second binary, referred to as "StilKrip.exe", which is a commercially available downloader dubbed PureCrypter that has been used to deliver various payloads in the past. It has been active since 2022.

    The latest malware variant launched by StilKrip.exe, referred to as "Ttcxxewxtly.exe" or "PureLogs" ("Bftvbho.dll"), is an off-the-shelf information stealer that can harvest data from web browsers, email clients, VPN services, messaging apps, wallet browser extensions, password managers, cryptocurrency wallet apps, and other programs like FileZilla and WinSCP.
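The stages above give a defender three host-level behaviours to look for: a copy named "task.exe" running from "%AppData%", a ".vbs" file written to the Startup folder, and "InstallUtil.exe" being started by a process that lives in the user's AppData tree. The script below is an added example (not code from Kaspersky or from this article) that runs those checks over constructed Sysmon-style process-creation and file-creation events; the event field names and the sample paths are assumptions, and the file names it flags are only the ones reported on this page.

```python
"""Detection checks for the PureRAT delivery chain described on this page.

The events below are constructed samples in a Sysmon-like shape
(event_id 1 = process creation, event_id 11 = file creation); they are
not real telemetry, and the field names are assumptions modelled on Sysmon.
"""
from dataclasses import dataclass
import ntpath

# File names reported for this chain. Names are weak indicators on their
# own (the operator can rename them at will), so they are reported
# separately from the behavioural checks below.
REPORTED_NAMES = {
    "task.exe", "task.vbs", "ckcfb.exe", "spydgozoi.dll",
    "stilkrip.exe", "ttcxxewxtly.exe", "bftvbho.dll",
}

# Per-user Startup folder; anything written here runs at logon.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"


@dataclass
class Event:
    event_id: int
    image: str = ""            # process path (event_id 1)
    parent_image: str = ""     # parent process path (event_id 1)
    target_filename: str = ""  # created file (event_id 11)


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def _base(path: str) -> str:
    return ntpath.basename(_norm(path))


def in_appdata(path: str) -> bool:
    """True for paths under the user's AppData tree. %AppData% resolves to
    Roaming, but Local is included because droppers use either."""
    p = _norm(path)
    return "\\appdata\\roaming\\" in p or "\\appdata\\local\\" in p


def check_event(ev: Event) -> list[str]:
    """Return the names of the detections that fire for one event."""
    hits = []
    if ev.event_id == 1:
        name = _base(ev.image)
        if name in REPORTED_NAMES:
            hits.append("reported-filename")
        # Stage 1: the dropped copy runs from %AppData%.
        if name == "task.exe" and in_appdata(ev.image):
            hits.append("task.exe-from-appdata")
        # Stage 2: InstallUtil.exe started by an AppData-resident parent is
        # the injection host described above; a vendor installer launching
        # it from Program Files does not match.
        if name == "installutil.exe" and in_appdata(ev.parent_image):
            hits.append("installutil-appdata-parent")
    elif ev.event_id == 11:
        tf = _norm(ev.target_filename)
        # Persistence: a .vbs written to the Startup folder.
        if STARTUP_MARKER in tf and tf.endswith(".vbs"):
            hits.append("vbs-in-startup")
    return hits


def scan(events: list[Event]) -> list[tuple[int, str]]:
    """Run every check over a list of events; returns (index, detection)."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]


# Constructed sample events: two benign, three matching the reported chain.
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          parent_image=r"C:\Windows\explorer.exe"),
    Event(1, image=r"C:\Users\alice\AppData\Roaming\task.exe",
          parent_image=r"C:\Program Files\WinRAR\WinRAR.exe"),
    Event(11, image=r"C:\Users\alice\AppData\Roaming\task.exe",
          target_filename=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                          r"\Start Menu\Programs\Startup\Task.vbs"),
    # The unpacked ckcfb.exe location is an assumption; the page does not give it.
    Event(1, image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
          parent_image=r"C:\Users\alice\AppData\Roaming\ckcfb.exe"),
    Event(1, image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
          parent_image=r"C:\Program Files\Vendor\setup.exe"),
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit}")
```

The behavioural checks are the ones worth keeping in a detection rule; the "reported-filename" check is included only to show how name-based indicators from a report can be layered on top, and the last sample event shows why the InstallUtil rule keys on the parent's location rather than on InstallUtil itself.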

    According to Kaspersky, "The PureRAT backdoor and PureLogs stealer have broad functionality that allows attackers to gain unlimited access to infected systems and confidential organization data." The main vector of attacks on businesses has been and remains emails with malicious attachments or links.

    It is worth noting that the attack sequence follows a specific pattern, starting with an email containing a RAR file attachment or a link to an archive. This leads to the launch of "ckcfb.exe" and, in parallel, "StilKrip.exe" (the PureCrypter downloader), which eventually delivers the PureLogs malware. These attacks indicate a sophisticated level of planning and execution by the attackers.

    In conclusion, it is imperative that organizations take immediate action to protect themselves against such attacks. Implementing robust cybersecurity measures and being vigilant about phishing attempts can significantly reduce the risk of falling prey to these types of cyberattacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/PureRAT-Malware-Spikes-4x-in-2025-Deploying-PureLogs-to-Target-Russian-Firms-ehn.shtml
  • https://thehackernews.com/2025/05/purerat-malware-spikes-4x-in-2025.html
  • https://cloudindustryreview.com/surge-in-purerat-malware-400-increase-in-2025-targeting-russian-companies-with-purelogs/


  • Published: Wed May 21 10:16:20 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.