
Kaspersky Reports Rising PureRAT Malware Attacks on Russian Businesses


StratosAlly


A recent report from cybersecurity firm Kaspersky has revealed that Russian businesses are being increasingly targeted by a phishing campaign spreading a remote access trojan known as PureRAT. According to Kaspersky, the malicious campaign initially surfaced in March 2023.

However, the volume of attacks has risen dramatically in early 2025, with incidents reported to be four times higher than during the same period in 2024. The phishing scheme typically begins with an email that includes a RAR archive as an attachment or a link. These archive files are disguised as legitimate Microsoft Word or PDF documents by using misleading double file extensions, such as “doc_054_[redacted].pdf.rar”, to trick recipients. The archive contains an executable file. If someone runs it, the file installs itself in the Windows %AppData% directory and creates a shortcut named Task.vbs in the startup folder, so the malware runs automatically every time the computer is restarted.
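The double-extension lure described above is easy to check for at the mail gateway or in an attachment-scanning pipeline. The following is an added example, not code from Kaspersky or from this article: it flags archive names that end in an archive extension but carry a document extension just before it (the “.pdf.rar” pattern), and it flags archives whose listed members are executables or are themselves disguised as documents. The archive names and member lists at the bottom are constructed sample input for the example, not indicators from the report.

```python
from pathlib import PureWindowsPath

# Extensions a lure shows first so the recipient believes it is a document.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx"}
# Archive containers commonly used to wrap the real payload.
ARCHIVE_EXTS = {".rar", ".zip", ".7z"}
# File types that should never arrive inside a "document" sent by email.
EXECUTABLE_EXTS = {".exe", ".scr", ".vbs", ".js", ".bat", ".cmd", ".dll"}


def suffixes(name: str) -> list[str]:
    """All extensions of a Windows file name, lower-cased, in order.
    'doc_054_x.pdf.rar' -> ['.pdf', '.rar']"""
    return [s.lower() for s in PureWindowsPath(name).suffixes]


def is_double_extension_lure(name: str) -> bool:
    """True when the last extension is an archive type and the one before it
    is a document type, i.e. the archive is dressed up as a document."""
    s = suffixes(name)
    return len(s) >= 2 and s[-1] in ARCHIVE_EXTS and s[-2] in DOCUMENT_EXTS


def triage_archive(name: str, members: list[str]) -> dict:
    """Return a verdict for one attachment given its name and, for archives,
    the file names it contains. 'members' is empty for non-archive files."""
    findings = []
    if is_double_extension_lure(name):
        findings.append("archive name disguised as a document (double extension)")
    for member in members:
        ms = suffixes(member)
        if ms and ms[-1] in EXECUTABLE_EXTS:
            findings.append(f"executable inside archive: {member}")
            # An executable that also carries a document extension is the same
            # trick applied one level down ('invoice.pdf.exe').
            if len(ms) >= 2 and ms[-2] in DOCUMENT_EXTS:
                findings.append(f"member disguised as a document: {member}")
    return {"name": name, "verdict": "block" if findings else "allow", "findings": findings}


# Constructed sample attachments (not real campaign file names).
SAMPLE_ATTACHMENTS = {
    "doc_054_example.pdf.rar": ["doc_054_example.exe"],
    "quarterly_report.pdf": [],
    "photos.zip": ["a.jpg", "b.jpg"],
    "invoice.rar": ["invoice.pdf.exe"],
}


def triage_all(attachments: dict[str, list[str]]) -> list[dict]:
    return [triage_archive(n, m) for n, m in attachments.items()]


if __name__ == "__main__":
    for result in triage_all(SAMPLE_ATTACHMENTS):
        print(result["verdict"].upper(), result["name"], result["findings"])
```

The member listing can be produced without extracting anything (for RAR, `unrar l` or a library that reads the central directory), so the check runs before any file reaches a user. The name-based rule is deliberately narrow: a plain `report.zip` containing an `.exe` is caught by the member rule, not by the double-extension rule, and legitimate archives of documents and images pass.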

After initial execution, the malware drops an additional file named “ckcfb.exe”, which plays a crucial role in the next stage of infection. It then runs the system tool “InstallUtil.exe” and injects a decrypted module into it to advance the attack. 

The dropped executable, ckcfb.exe, proceeds to extract and decrypt a dynamic link library (DLL) file named “spydgozoi.dll”, which contains the core payload of the RAT malware. Once it’s active, PureRAT connects to a remote server through a secure (SSL) connection. 

It sends the server details about the infected computer, such as the computer’s name, how long it has been on, and what antivirus software is installed. The remote server then sends back extra tools called plugins to help the malware do more damage. These include: 

  • PluginPcOption: lets the malware delete itself, restart, or even shut down or reset the whole computer. 
  • PluginWindowsNotify: watches what windows or apps are open. If it sees words like “password”, “bank”, or “WhatsApp”, it may take further harmful actions, like stealing login details or trying to move money. 
  • PluginClipper: looks at anything copied to the clipboard, like a cryptocurrency wallet address, and swaps it with the attacker’s address. 

This means that if someone tries to send crypto, it could end up going to the attacker instead. This shows how dangerous and advanced PureRAT is: it can spy on systems, steal information, and even take control of infected devices. PureRAT includes several features that give hackers a lot of power over any computer it infects. Once it’s in, they can run and download files, change system settings and the registry, check which programs are open, and even turn on the webcam or microphone without anyone knowing.

It can also track everything typed on the keyboard and lets attackers take control of the machine as if they were sitting right in front of it. Alongside the ckcfb.exe file, the original malware also drops another file called “StilKrip.exe”. 

This file is actually PureCrypter, a tool that’s been sold and used since 2022 to help attackers deliver different types of malware. PureCrypter is known for helping spread harmful software by hiding or protecting it during delivery. StilKrip.exe is used to download another file called Bghwwhmlr.wav. This downloaded file goes through a series of steps to run InstallUtil.exe, which then launches another program called Ttcxxewxtly.exe. This program unpacks and runs a harmful file named Bftvbho.dll, which is known as PureLogs.

PureLogs is a type of malware that steals information. It can collect data from web browsers, email apps, password managers, and programs like FileZilla and WinSCP. According to Kaspersky, PureRAT and PureLogs give hackers full control of infected computers and access to private company data. The main way these attacks happen is through emails with dangerous attachments or links.
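Both infection chains in this article route through the legitimate .NET tool InstallUtil.exe: ckcfb.exe injects a decrypted module into it, and the PureCrypter chain uses it to launch Ttcxxewxtly.exe. The persistence step uses a Task.vbs entry in the startup folder. The following is an added detection example written for this article, not Kaspersky's or StratosAlly's code. It runs three rules over process-creation events of the kind a Sysmon or EDR sensor records: InstallUtil.exe started by a parent living in a user-writable location such as %AppData%, InstallUtil.exe itself starting a child from such a location, and a script host (wscript.exe or cscript.exe) running a script from the Startup folder. The event records and file paths are constructed sample data that reuse the file names given in the article; the field names (`image`, `parent_image`, `command_line`) are an assumption about the log schema.

```python
import ntpath

# Locations where a normal user can drop files; a parent or child of
# InstallUtil.exe living here is rare in legitimate software installs.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
# Per-user Startup folder path fragment (assumed standard Windows layout).
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event matches (empty if none)."""
    hits = []
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmdline = event.get("command_line", "").lower()

    # Rule 1: InstallUtil.exe launched by something in %AppData%, %TEMP%, etc.
    if image == "installutil.exe" and in_user_writable(event["parent_image"]):
        hits.append("installutil_from_user_writable_parent")
    # Rule 2: InstallUtil.exe spawning a child that lives in a user-writable path.
    if parent == "installutil.exe" and in_user_writable(event["image"]):
        hits.append("installutil_spawns_user_writable_child")
    # Rule 3: a script host executing a script placed in the Startup folder.
    if image in SCRIPT_HOSTS and STARTUP_MARKER in cmdline:
        hits.append("script_host_runs_startup_folder_script")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and rule hits for every event that matched at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := evaluate(ev))]


# Constructed sample process-creation events (not real telemetry).
NET_DIR = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\"
SAMPLE_EVENTS = [
    {   # ckcfb.exe (dropped to %AppData%) starting InstallUtil.exe
        "image": NET_DIR + "InstallUtil.exe",
        "parent_image": "C:\\Users\\alice\\AppData\\Roaming\\ckcfb.exe",
        "command_line": "InstallUtil.exe",
    },
    {   # InstallUtil.exe launching Ttcxxewxtly.exe from %AppData%
        "image": "C:\\Users\\alice\\AppData\\Roaming\\Ttcxxewxtly.exe",
        "parent_image": NET_DIR + "InstallUtil.exe",
        "command_line": "Ttcxxewxtly.exe",
    },
    {   # logon: wscript.exe running Task.vbs from the Startup folder
        "image": "C:\\Windows\\System32\\wscript.exe",
        "parent_image": "C:\\Windows\\explorer.exe",
        "command_line": 'wscript.exe "C:\\Users\\alice\\AppData\\Roaming\\Microsoft'
                        '\\Windows\\Start Menu\\Programs\\Startup\\Task.vbs"',
    },
    {   # benign: a vendor installer under Program Files using InstallUtil.exe
        "image": NET_DIR + "InstallUtil.exe",
        "parent_image": "C:\\Program Files\\Vendor\\setup.exe",
        "command_line": "InstallUtil.exe service.dll",
    },
    {   # benign: ordinary user activity
        "image": "C:\\Windows\\System32\\notepad.exe",
        "parent_image": "C:\\Windows\\explorer.exe",
        "command_line": "notepad.exe notes.txt",
    },
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["image"], hits)
```

Rules 1 and 2 are the ones worth alerting on with little tuning, because InstallUtil.exe is normally driven by installers under Program Files or by build tooling, not by binaries in a profile directory. Rule 3 will also fire on legitimate per-user logon scripts, so it is better used to enrich the first two (same host, same user, short time window) than as a stand-alone alert.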
