Publication of Pure RAT source code

For informational purposes only

PureRAT is a remote access tool written in .NET, used for system control, data theft, and command execution. In 2025, activity linked to PureRAT surged fourfold, with Russian companies hit particularly hard.

Key RAT capabilities include: • full system control and command execution; • data theft (often bundled with the PureLogs module for collecting cookies and browser passwords); • analysis evasion (the file is protected with the .NET Reactor obfuscator).

The tool has been observed in several phishing campaigns. In the latest wave, compromised email accounts sent messages containing fake links that redirected users to a ClickFix page with a bogus reCAPTCHA, allegedly to verify a secure connection.

When users follow the URL, they are sent to a web page containing JavaScript code with an asynchronous function that, after a short delay, checks whether the page is displayed inside an iframe. The goal is to redirect the user to the same URL but over HTTP.

As a result, the victim copies and runs a malicious PowerShell command that gathers system information and downloads a ZIP archive containing a binary. That binary establishes persistence on the system and delivers PureRAT via DLL side loading.

More about PureRAT: • PureRAT Malware Spikes 4x in 2025, Deploying PureLogs to Target Russian Firms • Phishing Campaign Evolves into PureRAT Deployment - Infosecurity Magazine • Large-Scale ClickFix Phishing Attacks Target Hotel Systems with PureRAT Malware

💬 Discuss