{
	"id": "3718e75b-d495-49cf-bd41-d2f5c7c33c56",
	"created_at": "2026-04-06T00:19:30.792669Z",
	"updated_at": "2026-04-10T13:12:21.7363Z",
	"deleted_at": null,
	"sha1_hash": "5e727b4d17e22102c3b642861142269f55db154c",
	"title": "Pupy RAT hiding under WerFault’s cover",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 359157,
	"plain_text": "Pupy RAT hiding under WerFault’s cover\r\nPublished: 2023-01-04 · Archived: 2026-04-05 18:15:07 UTC\r\nWe at K7 Labs recently identified an interesting technique used by threat actors to execute a Remote Admin Tool.\r\nWe all know that WerFault.exe is used for the Windows Error Reporting. This blog describes how threat actors\r\nuse the legitimate WerFault.exe to execute Pupy RAT on the victims’ machine. \r\nFigure 1: Execution flow\r\nAnalysis of Binary \r\nStage 1 – WerFault Execution\r\nRecently we came across an ISO image, recent inventory \u0026 our specialties.iso from a twitter feed. The ISO\r\ncontains four files, a legitimate WerFault.exe,a malicious DLL named faultrep.dll, a shortcut file named recent\r\ninventory \u0026 our specialties.lnk and a XLS file named File.xls. The shortcut file has the same name as the ISO\r\nimage. When the victim opens that shortcut file, it uses scriptrunner.exe LOLBin via cmd to execute WerFault.exe\r\nfrom the ISO. \r\nhttps://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/\r\nPage 1 of 6\n\nFigure 2: ISO \u0026 shortcut file\r\nStage 2 – Pupy RAT loader\r\nOriginally, Faultrep.dll is the name of DLL used by WerFault.exe is, which is present in the default windows\r\nfolder. When WerFault.exe starts executing, it uses DLL Side-Loading technique to load the Faultrep.dll from the\r\nISO and it has a dummy export function WerpInitiateCrashReporting similar to the original DLL.This\r\nmalicious Faultrep.dll is compiled in C.\r\nThe DLL has a custom API resolving function with two arguments, DLL hash and Function hash. \r\nFigure 3: API Resolving\r\nWe noticed that this loader uses the same API resolving function as Guloader. The DLLs resolved were kernel32\r\nand advapi32. \r\nAfter resolving the APIs, it starts to serve its purpose. Using the resolved function CreateThread, it creates two\r\nthreads. The first thread opens a lure excel sheet named file.xls from the ISO. 
\r\nFigure 4: First thread opening Excel sheet\r\nWhile manually resolving the functions, we found that one of the functions resolved was SystemFunction032 from advapi32.dll. This function is undocumented in MSDN; on further searching we found documentation on the Wine API pages, which show that the function performs RC4 encryption and accepts two arguments, the key and the data. On further analysis we found the RC4 decryption routine, which passes the data together with a hard-coded string as the key.\r\nFigure 5: Second thread doing RC4 decryption\r\nThe data pointer points at the DLL’s overlay, the bytes appended after the last section of the file. So we dumped the encrypted overlay data and decrypted it with that key. After decrypting the data, we confirmed from the magic bytes that it is a PE file. Because RC4 is symmetric, the loader’s own key and routine reproduce the plaintext offline without executing the sample.\r\nFigure 6: RC4 Decryption\r\nWe dumped the decrypted output to a PE file. It was compiled with C \u0026 Python, and we found that it is Pupy RAT. This RAT is loaded into memory and executed while WerFault.exe is running in the foreground.\r\nFigure 7: Decrypted PE file\r\nStage 3 – Pupy RAT\r\nPupy RAT is an open-source, cross-platform Remote Admin Tool available on GitHub. According to public sources, since 2013 it has possibly been used by the Iranian groups APT33 and APT35 for cyber-espionage operations, such as the one discovered in 2020 that targeted a major European energy organisation.\r\nFigure 8: Pupy RAT Github\r\nIt was executed from memory and, based on the analysis of its ReflectiveLoader function, is capable of executing any PE file in memory, remotely. It tries to make a C2 connection in the background while the victim believes WerFault is running.
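Reproducing the Stage 2 overlay decryption described above offline, as an added example that is not the post’s own code: a textbook RC4 (the cipher behind SystemFunction032), an overlay locator that walks the section table to find where the appended data starts, and the MZ check that confirms the plaintext is a PE. The hard-coded key, the carrier DLL and the payload are constructed placeholders; the post does not print the real key, and build_carrier fabricates a minimal PE32 so the snippet runs without the sample.

```python
import struct

# Added example (not from the K7 Labs post): reproducing the Stage 2 overlay
# decryption offline. KEY is a placeholder; the real key is the hard-coded
# string recovered from the decryption routine, which the post does not print.


def rc4(key, data):
    # Textbook RC4 (KSA then PRGA). SystemFunction032 is the same stream cipher,
    # so encrypting and decrypting are the same operation with the same key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def overlay_offset(pe):
    # The overlay is whatever follows the last byte claimed by the headers or any section.
    if pe[:2] != b'MZ':
        raise ValueError('not a PE file')
    nt = struct.unpack_from('<I', pe, 0x3C)[0]                     # e_lfanew
    if pe[nt:nt + 2] != b'PE' or pe[nt + 2:nt + 4] != bytes(2):
        raise ValueError('bad NT signature')
    num_sections = struct.unpack_from('<H', pe, nt + 6)[0]
    opt_size = struct.unpack_from('<H', pe, nt + 20)[0]
    end = struct.unpack_from('<I', pe, nt + 24 + 60)[0]           # SizeOfHeaders (same offset in PE32 and PE32+)
    first_section = nt + 24 + opt_size
    for k in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from('<II', pe, first_section + 40 * k + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def extract_payload(carrier, key):
    # Dump the overlay, RC4-decrypt it and accept the result only if it is a PE.
    blob = carrier[overlay_offset(carrier):]
    if not blob:
        return None
    plain = rc4(key, blob)
    return plain if plain[:2] == b'MZ' else None


def build_carrier(payload, key):
    # Constructed stand-in for the malicious faultrep.dll: a minimal PE32 skeleton
    # with one section, followed by the RC4-encrypted payload as its overlay.
    hdr = bytearray(0x200)
    hdr[0:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3C, 0x80)               # e_lfanew
    hdr[0x80:0x82] = b'PE'                                 # signature; the two zero bytes are already there
    struct.pack_into('<H', hdr, 0x80 + 6, 1)               # NumberOfSections
    struct.pack_into('<H', hdr, 0x80 + 20, 0xE0)           # SizeOfOptionalHeader (PE32)
    struct.pack_into('<I', hdr, 0x80 + 24 + 60, 0x200)     # SizeOfHeaders
    sect = 0x80 + 24 + 0xE0                                # first section header
    hdr[sect:sect + 5] = b'.text'
    struct.pack_into('<II', hdr, sect + 16, 0x200, 0x200)  # SizeOfRawData, PointerToRawData
    return bytes(hdr) + bytes(0x200) + rc4(key, payload)


# Placeholder key and payload; the real decrypted stage is a complete Pupy RAT PE.
KEY = b'placeholder-hardcoded-key'
PAYLOAD = b'MZ' + bytes(62) + b'constructed stand-in for the decrypted Pupy RAT PE'

if __name__ == '__main__':
    carrier = build_carrier(PAYLOAD, KEY)
    print('overlay starts at', hex(overlay_offset(carrier)))
    print('recovered PE:', extract_payload(carrier, KEY) == PAYLOAD)
```

Against the real sample, feed the bytes of faultrep.dll to extract_payload in place of build_carrier and use the string recovered from the decryption routine as KEY; a wrong key simply fails the MZ check rather than producing a misleading dump.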
Since the C2 was down at the time of analysis, the RAT was unable to establish a connection to carry out any further malicious activity. As the XLS sheet is in Chinese, we believe that the victim is from China.\r\nFigure 9: Pupy RAT C2 connection\r\nWe at K7 Labs provide detection against the latest threats and also for this newer variant of the loader. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date so as to safeguard their devices.\r\nIoCs\r\nStage | Filename | Hash (MD5) | K7 Detection Name\r\nStage 1 – WerFault Execution | recent inventory \u0026 our specialties.iso | D069812AA63B631897498621DE353519 | Trojan ( 0059ce2b1 )\r\nStage 2 – Pupy RAT loader | faultrep.dll | 42A5798608F196CE7376CE196F4452FE | Trojan ( 0059ce2b1 )\r\nStage 3 – Pupy RAT | Decrypted PupyRAT | F365A8BDFD9B39C4F8B9D99613818207 | Trojan ( 0001140e1 )\r\nC2: hxxp://103[.]79[.]76[.]40/\r\nReferences\r\nhttps://twitter.com/SBousseaden/status/1603425101528956935\r\nSource: https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/"
	],
	"report_names": [
		"pupy-rat-hiding-under-werfaults-cover"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434770,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e727b4d17e22102c3b642861142269f55db154c.pdf",
		"text": "https://archive.orkl.eu/5e727b4d17e22102c3b642861142269f55db154c.txt",
		"img": "https://archive.orkl.eu/5e727b4d17e22102c3b642861142269f55db154c.jpg"
	}
}