PureRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading
This research uncovers a social engineering campaign deploying PureRAT through trojanized job application documents. The attackers rename legitimate Foxit PDF Reader binaries so that they load malicious DLLs (DLL side-loading), establishing persistent access through the PureRAT backdoor. The infection chain uses Python-based shellcode loaders to evade static analysis, with multi-stage payloads that check for analysis environments before proceeding. The campaign specifically targets job seekers, leveraging urgency and trust in PDF documents to achieve initial compromise. The report includes a detailed loader analysis, a C2 protocol breakdown, and YARA rules for detection.
Related Research
AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution
Uncovered AI-generated fake GitHub repositories distributing SmartLoader and LummaStealer through convincing but malicious code projects.
Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users
Identified an active campaign spreading self-propagating malware via WhatsApp ZIP attachments, targeting Brazilian users with persistence and account hijacking.
New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises
Discovered Charon ransomware using APT-grade techniques — DLL sideloading via Edge.exe, hybrid Curve25519/ChaCha20 encryption.
Nitrogen Ransomware: Fake Updates and Malicious Browser Extensions
Thread on the rapidly evolving Nitrogen ransomware group using social engineering via fake updates and malicious browser extensions for initial access.