In a detailed breakdown by Huntress Labs for BleepingComputer, researchers dissect a multi-stage campaign in which attackers began with a classic info-stealer and escalated to deployment of the commercial remote access trojan PureRAT.
The write-up is more than technical forensic detail: it is a cautionary tale for business owners and IT decision-makers about how modern endpoint attacks evolve, and why purely detection-based protections are no longer enough.
The campaign opened with a familiar phishing lure: a ZIP archive masquerading as a copyright notice, containing a signed PDF-reader executable paired with a malicious version.dll. This leveraged DLL sideloading (the trusted EXE and the malicious DLL in the same folder, so the signed binary loads the attacker's library) to initiate the infection. From there:
A renamed Python interpreter and an obfuscated Python script were dropped; the script ran entirely in memory, activating a loader that used Base64, Base85, AES, RC4 and XOR decryption steps to unwrap further payloads.
Persistence was established via a Run key in the registry disguising itself as “Windows Update Service”.
The attack shifted from Python scripts to compiled .NET binaries, which used process hollowing (launching RegAsm.exe, unmapping its image and rewriting it in memory) and bypassed telemetry and antimalware interfaces by patching AMSI and unhooking ETW.
Finally, the PureRAT payload (DLL named Mhgljosy.dll) connected via a pinned-certificate TLS channel to a C2 server in Vietnam, began host fingerprinting (OS version, AV products, hardware IDs, webcam presence, crypto-wallet presence) and then entered a plugin-enabled loop allowing operators to load modules for webcam/mic access, keylogging, hidden desktop access, etc.
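As an added example (not code from the Huntress write-up or from BleepingComputer), the following Python script shows how the behaviours in the chain above translate into detection logic a defender can run over endpoint telemetry. The log lines are constructed Sysmon-style key=value records modelled on the stages described; the field names (event, host, image, parent, orig, loaded, key, value) and the rule names are assumptions of this example, not fields from the report.

```python
"""Behavioural triage for the attack chain described above.

Added example: the Sysmon-style log lines below are constructed for this
script, and the field names (event, host, image, parent, orig, loaded, key,
value) and rule names are assumptions, not fields from the Huntress report.
"""
import re

# Locations a non-admin user cannot normally write to; anything else is
# treated as user-writable and therefore untrusted.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed telemetry. ws01 mirrors the stages in the text; ws02 shows the
# same event types produced by benign activity. Values with spaces are quoted.
SAMPLE_LOG = r"""
event=1 host=ws01 image=C:\Users\bob\Downloads\copyright_notice\reader.exe parent=C:\Windows\explorer.exe orig=reader.exe
event=7 host=ws01 image=C:\Users\bob\Downloads\copyright_notice\reader.exe loaded=C:\Users\bob\Downloads\copyright_notice\version.dll
event=1 host=ws01 image=C:\Users\bob\AppData\Roaming\svc\pyw.exe parent=C:\Users\bob\Downloads\copyright_notice\reader.exe orig=python.exe
event=13 host=ws01 image=C:\Users\bob\AppData\Roaming\svc\pyw.exe key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update Service" value=C:\Users\bob\AppData\Roaming\svc\pyw.exe
event=1 host=ws01 image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe parent=C:\Users\bob\AppData\Roaming\svc\pyw.exe orig=RegAsm.exe
event=7 host=ws02 image=C:\Windows\System32\notepad.exe loaded=C:\Windows\System32\version.dll
event=13 host=ws02 image="C:\Program Files\Vendor\setup.exe" key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater" value="C:\Program Files\Vendor\updater.exe"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value line; quoted values may contain spaces."""
    return {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def indicators(ev):
    """Yield (rule, detail) pairs for one parsed event."""
    kind, image = ev.get("event"), ev.get("image", "")
    if kind == "1":  # process creation
        parent, orig = ev.get("parent", ""), ev.get("orig", "")
        # A binary whose original file name differs from its on-disk name
        # (a renamed interpreter, for instance) is a classic loader tell.
        if orig and basename(orig) != basename(image):
            yield ("renamed_binary", f"{basename(image)} is really {orig}")
        # RegAsm.exe is a known hollowing target; a parent outside system or
        # program directories is not how it is launched legitimately.
        if basename(image) == "regasm.exe" and not in_system_dir(parent):
            yield ("regasm_untrusted_parent", parent)
    elif kind == "7":  # image (DLL) load
        dll = ev.get("loaded", "")
        # A DLL carrying a well-known system library name loaded from a
        # user-writable folder next to a signed EXE: sideloading.
        if basename(dll) == "version.dll" and not in_system_dir(dll):
            yield ("dll_sideload", dll)
    elif kind == "13":  # registry value set
        key, value = ev.get("key", ""), ev.get("value", "")
        # Autorun entry whose target lives outside system/program directories.
        if "\\currentversion\\run\\" in key.lower() and not in_system_dir(value):
            yield ("autorun_user_path", f"{key} -> {value}")


def triage(log_text, isolate_at=2):
    """Correlate hits per host; distinct rules >= isolate_at means isolate."""
    hosts = {}
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        hosts.setdefault(ev["host"], []).extend(indicators(ev))
    report = {}
    for host, hits in hosts.items():
        rules = {rule for rule, _ in hits}
        action = "isolate" if len(rules) >= isolate_at else ("monitor" if hits else "none")
        report[host] = {"indicators": hits, "action": action}
    return report


if __name__ == "__main__":
    for host, r in triage(SAMPLE_LOG).items():
        print(f"{host}: {r['action']}")
        for rule, detail in r["indicators"]:
            print(f"  [{rule}] {detail}")
```

The point of correlating per host rather than alerting on each rule is the one the text makes about time-to-contain: a single renamed binary or odd Run key is worth a look, but two or more of these stages on the same host in sequence is the signal to isolate first and investigate afterwards.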
The conclusion: by the time the adversary reached the RAT stage, they had full control of the host, persistence on it, and covert monitoring of it. The defenders at Huntress isolated the host just in time, but only just.
This isn’t just a story for large enterprises or nation-state attacks. There are several takeaways that apply to every business owner and decision-maker:
Layered techniques + commercial toolkits
The attackers didn’t rely solely on amateur custom malware—they moved into a professionally-developed RAT with a GUI, modular feature-set and strong evasion techniques. This means adversaries no longer need to build everything from scratch—they buy or rent tools and combine them with custom loaders to stay one step ahead.
Detection is not enough
The campaign used in-memory loaders, obfuscation, unhooking of telemetry and encrypted C2 channels. Many traditional detection or endpoint detection & response (EDR) solutions struggle with these techniques until after damage is done. As the report states: “No single control could have stopped this entire chain.”
Time-to-contain is critical
Once the RAT is injected and onto your system, the clock starts ticking. Exfiltration, surveillance, lateral movement—all may already be underway. The goal is no longer simply “detect this malware” but rather “contain the damage early and isolate the host”.
The human factor remains front and center
It began with a phishing mail and a ZIP archive deliberately designed to trick a user. So while technology is vital, awareness and prevention of the initial vector remain important.
Traditionally many organizations have adopted a “detect and respond” model: deploy AV or EDR, monitor alerts, and respond when something is flagged. But the PureRAT campaign underscores how many attacks bypass detection and only show up when it’s too late.
What we need is a shift to isolation and containment: ensuring that if something malicious executes, it cannot do what it is designed to do (persist, move laterally, exfiltrate). Instead of waiting for an alert, the system proactively limits the damage.
That’s where endpoint solutions built around kernel-level controls, policy-based containment and zero-trust process isolation become game-changers.
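To make the shift from "Is this bad?" to "Can this process do things it should not?" concrete, here is an added Python example (not AppGuard's policy language or code, and not from the Huntress report) that evaluates the campaign's own actions under both models side by side. The process paths, hashes, action vocabulary and policy rules are constructed for the illustration.

```python
"""Detection versus containment, evaluated over the actions from the chain above.

Added example. The action vocabulary, trust rule and sample hashes are
constructed for illustration; they are not a real product's policy language.
"""
from dataclasses import dataclass

# Paths an unprivileged user can write to. A process started from one of
# these is "untrusted": it may run, but the policy limits what it may do.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# A hash blocklist. Constructed value: nothing the campaign dropped is on it,
# which is the usual state when a loader is freshly built or renamed.
KNOWN_BAD_SHA256 = {"0" * 64}

# Actions an untrusted process is never allowed to perform, regardless of
# whether its code has been seen before.
DENIED_FOR_UNTRUSTED = {"write_autorun", "inject_process", "write_system_dir", "load_kernel_driver"}


@dataclass(frozen=True)
class Action:
    process: str        # path of the process attempting the action
    sha256: str         # hash of that process image
    kind: str           # what it wants to do
    target: str = ""    # registry key, target process, DLL path, ...


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def detection_verdict(a):
    """'Is this bad?' Only a recognised image is stopped."""
    return "block" if a.sha256 in KNOWN_BAD_SHA256 else "allow"


def containment_verdict(a):
    """'May this process do this?' Decided by origin and action, not identity."""
    untrusted = is_user_writable(a.process)
    if a.kind == "load_dll" and is_user_writable(a.target):
        # Stops sideloading: no process gets to load a library from a
        # user-writable folder, signed host EXE or not.
        return "block"
    if untrusted and a.kind in DENIED_FOR_UNTRUSTED:
        return "block"
    return "allow"


def evaluate(actions):
    """Return [(kind, detection, containment)] for each action in order."""
    return [(a.kind, detection_verdict(a), containment_verdict(a)) for a in actions]


def first_blocked(actions, verdict_fn):
    """Index of the first action verdict_fn would stop, or None if it stops nothing."""
    for i, a in enumerate(actions):
        if verdict_fn(a) == "block":
            return i
    return None


DOWNLOADS = "C:\\Users\\bob\\Downloads\\copyright_notice\\"
STAGER = "C:\\Users\\bob\\AppData\\Roaming\\svc\\pyw.exe"  # the renamed interpreter
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"

# The chain from the text as a sequence of requested actions (constructed).
CAMPAIGN = [
    Action(DOWNLOADS + "reader.exe", "a1" * 32, "load_dll", DOWNLOADS + "version.dll"),
    Action(STAGER, "b2" * 32, "write_autorun", RUN_KEY + "Windows Update Service"),
    Action(STAGER, "b2" * 32, "inject_process", "RegAsm.exe"),
    Action(STAGER, "b2" * 32, "connect", "203.0.113.10:443"),
]

# Benign comparison: an installer in Program Files registering its updater.
BENIGN = [Action("C:\\Program Files\\Vendor\\setup.exe", "c3" * 32, "write_autorun", RUN_KEY + "VendorUpdater")]


if __name__ == "__main__":
    for kind, det, con in evaluate(CAMPAIGN):
        print(f"{kind:15s} detection={det:5s} containment={con}")
    print("benign installer:", evaluate(BENIGN))
```

Under the detection model every stage is allowed because none of the hashes is known; under the policy model the chain stops at the very first step, the DLL load from the Downloads folder, and the later persistence and hollowing requests are refused as well, while the installer in Program Files registering its updater is still permitted.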
For business owners looking for a proven protection layer, AppGuard stands out in several respects:
AppGuard was developed with collaboration from U.S. intelligence agencies and has a track record spanning over a decade.
Unlike traditional detection-based tools, AppGuard focuses on preventing malicious actions, not just recognizing malicious code. In other words, it doesn’t ask “Is this bad?” but “Can this process do things it should not?”
It uses kernel-level containment and is largely policy-based, with minimal need for signature updates, frequent patches or heavy human monitoring.
AppGuard’s agent is lightweight (under 1 MB footprint) and causes minimal performance impact while scaling to many endpoints.
For businesses looking to move away from the “detect and respond” mindset toward “isolate and contain”, AppGuard offers a true difference in philosophy and capability.
In short: adopting AppGuard empowers your security posture to stop threats before they escalate into full-blown RATs, persistent backdoors or long-term data exfiltration.
Revisit your endpoint protection strategy: Does it rely primarily on detection and response? If so, you may still be vulnerable.
Consider introducing containment-first tools (like AppGuard) that can block the malicious chain even if detection misses the payload.
Ensure your users are trained to recognise phishing lures, and deploy segmentation/isolation policies so that even if one host is compromised, the blast radius is limited.
Run a gap assessment: How quickly could a RAT get on one of your endpoints? How visible and isolated would that host be?
Talk to a trusted specialist to map how containment solutions integrate with your existing security stack.
The journey from an info-stealer to the deployment of a full RAT like PureRAT is a stark reminder: adversaries are advancing, detection alone is no longer sufficient, and containment must become first-class in your security strategy.
If you are a business owner or IT leader who wants to shift your organization away from chasing alerts toward proactively stopping damage, then we at CHIPS can help. Let’s talk about how AppGuard can become your endpoint shield, giving you a proven, lightweight, containment-first solution. Leave behind the legacy model of “detect and respond” and move to “isolate and contain” before an incident disrupts your operations.
Ready to talk? Reach out to CHIPS today for a no-obligation consultation and let’s make your endpoints truly resilient.