Under the Pure Curtain: From RAT to Builder to Coder
Sept. 17, 2025, 11:56 a.m.
Description
Check Point Research conducted a forensic analysis of a ClickFix campaign that deployed multiple tools, including a Rust Loader, PureHVNC RAT, and the Sliver command-and-control framework. The analysis provided comprehensive insights into PureHVNC RAT, including its commands and plugins. The investigation revealed connections to GitHub accounts linked to the developer of Pure malware families, PureCoder. Analysis of these accounts indicated a timezone of operation (UTC+0300) and potential countries of residence. The research also uncovered a PureRAT builder, offering insights into the RAT's capabilities and features related to PureCrypter, another tool by PureCoder. This investigation enhances understanding of the Pure malware ecosystem and provides actionable intelligence for cybersecurity professionals.
Tags
Date
- Created: Sept. 16, 2025, 9:37 p.m.
- Published: Sept. 16, 2025, 9:37 p.m.
- Modified: Sept. 17, 2025, 11:56 a.m.
Additional Information
- Russian Federation