Netskope Threat Labs has uncovered a stealthy malware campaign delivering the PureHVNC Remote Access Trojan (RAT), using a multi-layer infection chain designed to evade modern security tools.
Active throughout 2024, the campaign targets job seekers in the beauty and fashion industries by impersonating global brands like Bershka, Fragrance Du Bois, John Hardy, and Dear Klairs. Victims are lured with fake job offers for high-profile marketing roles.
Social Engineering Meets Technical Evasion
The attack starts with a malicious LNK file disguised as a PDF—often named with a double extension like “.pdf.lnk”—to trick users into opening it. Once launched, the infection chain gives attackers full system access, allowing them to drop additional malware and tools undetected.
This blend of social engineering and technical evasion highlights the growing sophistication of modern malware threats and the need for advanced detection beyond traditional defenses.
When opened, the LNK file runs a PowerShell command that decodes a base64 script, kicking off a multi-stage process using PowerShell, JavaScript, AutoIt, and obfuscated payloads.
The chain downloads a fake MP4 file containing hidden JavaScript in HTML tags, which decodes more scripts to deliver and execute a PE file named “phom.exe.”
Technical Evasion Tactics Behind the PureHVNC RAT
To keep the attack believable, a fake PDF job offer is shown to the user while malicious activity runs in the background. An AutoIt-compiled binary quietly executes scripts, sets up persistence by placing an internet shortcut in the Windows Startup folder, and uses process hollowing to inject a .NET payload into trusted processes like jsc.exe or AppLaunch.exe.
This payload—encrypted with AES-256 and protected with .NET Reactor—ultimately loads the PureHVNC RAT. Its configuration files reveal multiple campaign IDs and connections to command-and-control (C2) servers like 85.192.48.3 and 139.99.188.124.
The campaign is heavily obfuscated at every stage. It uses tools like CypherIT to hide AutoIt scripts and embeds junk data to evade detection. Anti-analysis checks are also built in, stopping execution if tools like AvastUI.exe or known antivirus emulator names are detected.
Persistence is reinforced by dropping files into a folder named “WordGenius Technologies” under %LocalAppData%, using random file names to stay under the radar.
The attack shows high technical skill—from string replacements in scripts to using built-in Windows tools like mshta.exe to run remote files—making it hard to detect with standard defenses.
While the initial infection method isn’t confirmed, evidence points to email delivery, especially through job offers and fake copyright warnings.
As PureHVNC evolves, including new delivery methods using Python scripts and AI-generated phishing sites seen in 2024, defending against these threats will require modern detection tools and constant vigilance. This campaign poses a serious risk by giving attackers full remote access for further exploitation.
IOCs
- Distribution addresses
45.151.62.2
semrush-alternative.com
sadgfua54a.xyz
- C2 addresses
139.99.188.124
85.192.48.3
- LNK files (MD5)
f26493ea92987113679edbcaec7234ff
b758944bbda18e8802e9d80a2cf1cf75
9060fd189774be18610dc2ff4be0745e
c656c140ab0f2b6596bf6805e15df13b
7ad407e2d94adc16470f418bf0fc708f
e1ca0780e64a73659405a87e95e0b2e7
bfb2fdddd4326cf708ba847decb0fe87
1469217ca9103001ddf88fac5d8f8bcc
72c8cbb9f13846df470766f19668363c
- Fake MP4 files (MD5)
f39b82129259ef4a3fcd1a50e995957d
5d51e0196f459617b142670958d8b54a
b58b0bd6cbdc14fe0f07a4453ed77e76
d086283e23d91ecc1a7a8f5bc6c658c5
- Compiled AutoIt files (MD5)
7cf7b05416a7cc98a2abb61f6ac97650
351d6757503b98fc56b0d3415f674b75
f3166a49810a3cbf658c794793c5ba8d
a46469cf5fb8c5682bed2322bb6b5029
8c6350413ea2a890f04d4b3e8e3ecb6f
d131cf27b565c942cc5d0064e8ac9a3a
0814745e941281e3eae66425f58cbe7e
- Obfuscated AutoIt script files (MD5)
00e01b6a41b5527785eed1cf01351b1
4e366dbfaa07314e38ee148cb5b19cde
91ceeaf5e81a83041009c9770da29ef4
d395d4455200ec7814dd306f2ce4144c
12b8e858fdaf1469e0d7a0fb0a5f8475
460160210500b3180d0d4da2e73bf651
e7e605f842b04f5981dbcdea92f09e39
![Nifty[.]com Infrastructure Exploited in Phishing Attack](https://firsthackersnews.com/wp-content/uploads/2023/10/Phishing-Attacks_-Recognize-and-Avoid-Email-Phishing-1-500x383.jpg)
Leave A Comment