Hackers Attacking Organizations with Weaponized RAR Archive to Deliver Pure Malware

A sophisticated malware campaign targeting Russian businesses has intensified significantly in 2025, with attackers leveraging weaponized RAR archives to deliver the dangerous PureRAT backdoor and PureLogs stealer.

These attacks, first observed in March 2023, grew fourfold in the first four months of 2025 compared with the same period of 2024.

The attack vector relies primarily on spam emails containing malicious attachments in the form of RAR archives, or links to download such archives.


The archives carry names built from accounting terminology, including the keywords "doc," "akt," "sverka," "buh," and "oplata," and often use a double extension such as .pdf.rar so that the attachment looks like a PDF at a glance. The executable inside the archive is likewise disguised as a PDF, so a user who opens the archive and double-clicks the "document" runs the malware.

This social engineering approach specifically targets financial departments within organizations, where employees regularly handle documents with similar names.
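The naming pattern described above (accounting keywords, archive attachments, document-looking double extensions) is easy to turn into a mail-gateway triage rule. The following is an added example, not code from Securelist or from the campaign; the extension lists, the scoring weights and the threshold are assumptions to tune for your environment, and the sample attachment names are constructed, not real indicators.

```python
import re

# Lure vocabulary reported for this campaign (transliterated Russian accounting
# terms) and the extension classes involved. The scoring below is an added
# illustration of attachment-name triage, not a vendor's or the campaign's own
# logic; the weights and SUSPICIOUS_THRESHOLD are assumptions.
LURE_KEYWORDS = {"doc", "akt", "sverka", "buh", "oplata"}
ARCHIVE_EXT = {".rar", ".zip", ".7z"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".vbs", ".js", ".bat", ".cmd"}
SUSPICIOUS_THRESHOLD = 3


def extensions(filename):
    """Lower-cased suffixes in order, e.g. 'Akt.pdf.rar' -> ['.pdf', '.rar']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def score_attachment(filename):
    """Return (score, reasons) for one attachment name."""
    exts = extensions(filename)
    stem = filename.lower().split(".")[0]
    score, reasons = 0, []

    if exts and exts[-1] in ARCHIVE_EXT:
        score += 1
        reasons.append("archive attachment")

    # Double extension: a document suffix immediately before the real suffix.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT:
        if exts[-1] in ARCHIVE_EXT:
            score += 2
            reasons.append("document extension hides archive (%s)" % "".join(exts[-2:]))
        elif exts[-1] in EXECUTABLE_EXT:
            score += 3
            reasons.append("executable disguised as document (%s)" % "".join(exts[-2:]))

    # Whole-token keyword match so 'doc' does not fire on 'document'.
    tokens = set(re.findall(r"[a-z]+", stem))
    for kw in sorted(tokens & LURE_KEYWORDS):
        score += 2
        reasons.append("lure keyword '%s'" % kw)

    return score, reasons


def triage(filenames):
    """Map each name that reaches the threshold to the reasons it was flagged."""
    flagged = {}
    for name in filenames:
        score, reasons = score_attachment(name)
        if score >= SUSPICIOUS_THRESHOLD:
            flagged[name] = reasons
    return flagged


# Constructed sample attachment names (not real campaign indicators).
SAMPLE_ATTACHMENTS = [
    "doc_054_2025.pdf.rar",   # keyword + document-before-archive double extension
    "Akt_sverka_Q1.pdf.exe",  # the executable found inside such an archive
    "oplata_2025.rar",        # keyword + archive, no double extension
    "Invoice_Q1.rar",         # plain archive, stays below threshold
    "report.pdf",             # benign document
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_ATTACHMENTS).items():
        print(name, "->", "; ".join(why))
```

Run it over the attachment names from your gateway logs; anything at or above the threshold is worth detonating in a sandbox or quarantining for review rather than blocking outright, since legitimate accounting mail in Russian-speaking organizations uses the same vocabulary.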

Securelist researchers identified that upon execution, the malware employs a multi-stage infection process designed to evade detection while establishing persistence.

The RAR archive contains an executable disguised as a PDF document. When launched, it starts a chain of droppers that ends with both the PureRAT backdoor and the PureLogs stealer running on the host, giving the attackers full control over the infected system.

PureLogs Infection Scheme (Source – Securelist)

The PureRAT malware operates on a Malware-as-a-Service model, making it accessible to various threat actors who can purchase and deploy it according to their objectives.

This accessibility partially explains the dramatic increase in attacks, as more cybercriminals gain access to sophisticated attack tools without needing advanced technical skills.

Infection Mechanism

The infection begins when a user opens the disguised executable from the RAR archive.

Infection scheme (Source – Securelist)

The file first copies itself to %AppData% under the name Task.exe and writes an autorun VBS script (Task.vbs) to the Startup folder containing a single line (the user name is elided from the path in the published sample):

CreateObject("WScript.Shell").Run """C:\Users\\AppData\Roaming\Task.exe"""
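Because the persistence is a plain-text script in a well-known folder, it is a cheap hunting artifact: any Startup-folder .vbs that drives WScript.Shell to launch a binary out of a user-writable location deserves a look. The scanner below is an added example, not Securelist's or anyone's detection content; the list of suspect directories is an assumption, and the sample scripts are constructed (with a hypothetical user name "alice"), not recovered from the campaign.

```python
import os
import re
import tempfile

# .Run / .Exec on a WScript.Shell object with a quoted command. VBScript doubles
# quotes inside string literals, so """C:\x.exe""" is a quoted path; accept one
# to three quotes on either side of the command.
RUN_RE = re.compile(r'\.(Run|Exec)\s*\(?\s*"{1,3}([^"]+)"{1,3}', re.IGNORECASE)

# User-writable directories a Startup script has no business launching from.
# Assumed list for this example; extend it for your environment.
SUSPECT_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\downloads\\")


def startup_folder():
    """Per-user Startup folder, derived from %APPDATA% (meaningful on Windows only)."""
    appdata = os.environ.get("APPDATA", "")
    return os.path.join(appdata, "Microsoft", "Windows", "Start Menu", "Programs", "Startup")


def analyze_vbs(text):
    """One finding per Run/Exec call in a script that references WScript.Shell."""
    findings = []
    if "wscript.shell" not in text.lower():
        return findings
    for verb, command in RUN_RE.findall(text):
        norm = command.replace("/", "\\").lower()
        findings.append({
            "verb": verb,
            "command": command,
            "suspicious": any(d in norm for d in SUSPECT_DIRS),
        })
    return findings


def scan_startup(directory):
    """Analyze every .vbs in `directory`; returns {filename: findings}."""
    results = {}
    if not os.path.isdir(directory):
        return results
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".vbs"):
            continue
        with open(os.path.join(directory, name), "r", errors="replace") as fh:
            results[name] = analyze_vbs(fh.read())
    return results


# Constructed sample scripts: the first mirrors the autorun described above with a
# hypothetical user name; the second is a benign vendor launcher that should pass.
SAMPLE_VBS = {
    "Task.vbs": 'CreateObject("WScript.Shell").Run """C:\\Users\\alice\\AppData\\Roaming\\Task.exe"""',
    "VendorSync.vbs": 'Set sh = CreateObject("WScript.Shell")\nsh.Run "C:\\Program Files\\Vendor\\sync.exe", 0',
}


def demo():
    """Write the samples to a scratch directory, scan it, and return the flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_VBS.items():
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(body)
        results = scan_startup(tmp)
    return sorted(n for n, f in results.items() if any(x["suspicious"] for x in f))


if __name__ == "__main__":
    print("flagged in samples:", demo())
    if os.name == "nt":  # on a real Windows host, also scan the live Startup folder
        for name, findings in scan_startup(startup_folder()).items():
            for f in findings:
                print(name, f["verb"], f["command"], "SUSPICIOUS" if f["suspicious"] else "ok")
```

Pair a hit with a check that the referenced binary actually exists in %AppData% and is not signed; the script alone is the pointer, the copied executable is the evidence.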

The malware then extracts StilKrip.exe from its embedded resources and launches it, while at the same time extracting and decrypting Ckcfb.exe.

Ckcfb.exe is injected into the legitimate Windows InstallUtil.exe process so that its activity runs under a signed Microsoft binary. From there it extracts and decrypts the Spydgozoi.dll library, which holds the main PureRAT backdoor functionality.

Communication with the command and control servers runs over SSL/TLS connections; messages are serialized in protobuf format and compressed with gzip.

The initial messages carry comprehensive system information, including the infected device identifier, the installed antivirus product, the OS version, the user and computer names, and other environmental details.
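A gzip-compressed protobuf beacon can be read without the malware's .proto definitions, because the protobuf wire format is self-delimiting: each field is a varint key (field number and wire type) followed by a varint or a length-prefixed blob. The following is an added example, not code from Securelist or from PureRAT: it builds a constructed beacon with hypothetical field numbers and values, gzips it as a client would, and then decodes it schema-free the way an analyst would from a decrypted TLS capture. Nothing here reproduces the real protocol's field layout.

```python
import gzip

# --- minimal protobuf wire-format helpers (no schema, no library) ---

def encode_varint(value):
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(buf, pos):
    """Return (value, new_pos); raise ValueError on truncated or oversized input."""
    shift, result = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def take(buf, pos, n):
    """Slice n bytes or fail loudly: a captured beacon may be cut short."""
    if pos + n > len(buf):
        raise ValueError("truncated field")
    return buf[pos:pos + n], pos + n


def field_varint(number, value):
    return encode_varint((number << 3) | 0) + encode_varint(value)


def field_bytes(number, data):
    if isinstance(data, str):
        data = data.encode("utf-8")
    return encode_varint((number << 3) | 2) + encode_varint(len(data)) + data


def decode_message(buf):
    """Schema-less decode into a list of (field_number, wire_type, value)."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = decode_varint(buf, pos)
        number, wtype = key >> 3, key & 7
        if wtype == 0:                       # varint
            value, pos = decode_varint(buf, pos)
        elif wtype == 1:                     # fixed64
            value, pos = take(buf, pos, 8)
        elif wtype == 2:                     # length-delimited
            length, pos = decode_varint(buf, pos)
            value, pos = take(buf, pos, length)
            try:                             # show text when it is printable UTF-8
                text = value.decode("utf-8")
                if text.isprintable():
                    value = text
            except UnicodeDecodeError:
                pass
        elif wtype == 5:                     # fixed32
            value, pos = take(buf, pos, 4)
        else:
            raise ValueError("unsupported wire type %d" % wtype)
        fields.append((number, wtype, value))
    return fields


def build_beacon(info):
    """Encode the constructed beacon and gzip it, as a client would before sending."""
    body = b"".join(
        field_bytes(n, v) if isinstance(v, (str, bytes)) else field_varint(n, v)
        for n, v in sorted(info.items())
    )
    return gzip.compress(body)


def parse_beacon(blob):
    """Inverse: gunzip and decode without a schema; repeated fields would need a list."""
    return {n: v for n, _, v in decode_message(gzip.decompress(blob))}


# Constructed system-information beacon. Field numbers and values are hypothetical.
SAMPLE_INFO = {
    1: "A1B2C3D4-HYPOTHETICAL-HWID",  # device identifier
    2: "Windows Defender",            # installed antivirus product
    3: "Windows 10 Pro 19045",        # OS version
    4: "buh1",                        # user name
    5: "ACCT-PC-07",                  # computer name
    6: 1,                             # varint flag, e.g. 64-bit OS
}

if __name__ == "__main__":
    blob = build_beacon(SAMPLE_INFO)
    print("gzip magic:", blob[:2].hex(), "compressed size:", len(blob))
    for number, wtype, value in decode_message(gzip.decompress(blob)):
        print("field %d (wire type %d): %r" % (number, wtype, value))
```

In practice you would feed `parse_beacon` the decrypted application-layer bytes (from a TLS-intercepting proxy or a memory capture), and the field numbers you recover become the basis for a proper .proto definition and for a network signature on the gzip header plus the fixed key bytes.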

The malware’s sophisticated multi-layered approach allows it to maintain persistence while downloading additional modules based on the attacker’s objectives.

This modular architecture makes PureRAT particularly dangerous, as it can adapt its capabilities to the specific target environment and security posture.

The attackers behind this campaign continue to refine their techniques, so organizations need both email controls (blocking or detonating archive attachments that contain executables) and user awareness training to stop the initial infection. For hunting, the chain leaves concrete artifacts: Task.exe in %AppData%, Task.vbs in the Startup folder, and InstallUtil.exe hosting injected code.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.