PureRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading
This research uncovers a social engineering campaign deploying PureRAT through trojanized job application documents. The attackers rename legitimate Foxit PDF Reader binaries to load malicious DLLs, establishing persistent access through the PureRAT backdoor. The infection chain uses Python-based shellcode loaders to evade static analysis, with multi-stage payloads that check for analysis environments before proceeding. The campaign specifically targets job seekers, leveraging urgency and trust in PDF documents to achieve initial compromise. Includes detailed loader analysis, C2 protocol breakdown, and YARA rules for detection.
Related Research
AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution
Uncovered AI-generated fake GitHub repositories distributing SmartLoader and LummaStealer through convincing but malicious code projects.
Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users
Identified an active campaign spreading self-propagating malware via WhatsApp ZIP attachments, targeting Brazilian users with persistence and account hijacking.
Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client with 100M+ Weekly Downloads
Investigated a supply chain attack in which an attacker hijacked the lead Axios npm maintainer's account and published two malicious versions containing a phantom dependency that deployed a cross-platform RAT on macOS, Windows, and Linux while erasing forensic evidence by replacing itself with clean decoy files.
New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises
Discovered Charon ransomware using APT-grade techniques: DLL side-loading via Edge.exe and hybrid Curve25519/ChaCha20 encryption.