{
	"id": "3cedb904-39d3-4ae3-bcf3-bc82a2f6a0ce",
	"created_at": "2026-04-06T00:14:51.731558Z",
	"updated_at": "2026-04-10T03:20:18.44609Z",
	"deleted_at": null,
	"sha1_hash": "f91e16bec89f9bedff5aa0cd80390f0e2fd6919e",
	"title": "PureRAT = ResolverRAT = PureHVNC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 262128,
	"plain_text": "PureRAT = ResolverRAT = PureHVNC\r\nBy Erik Hjelmvik\r\nPublished: 2025-08-12 · Archived: 2026-04-05 22:46:10 UTC\r\nTuesday, 12 August 2025 15:43:00 (UTC/GMT)\r\nPureRAT is a Remote Access Trojan, which can be used by an attacker to remotely control someone else’s PC.\r\nPureRAT provides the following features to an attacker:\r\nSee the victim’s user interface\r\nInteract with the victim PC using mouse and keyboard\r\nView the webcam\r\nListen to the microphone\r\nRecord keystrokes\r\nUpload and download files\r\nProxy network traffic through victim\r\nWhat the PureRAT user interface looks like to the attacker\r\nPureRAT is the exact same malware as what Morphisec and others call ResolverRAT. PureHVNC, on the other hand, is the predecessor to PureRAT. These three malware names are all used by threat intel companies and researchers when referring to the same malware family. We will call this malware family “PureRAT” in this blog post.\r\nhttps://www.netresec.com/?page=Blog\u0026month=2025-08\u0026post=PureRAT-ResolverRAT-PureHVNC\r\nPage 1 of 3\n\nIndicators of PureRAT\r\nMalware analysts might recognize PureRAT through properties like these:\r\nLoader is a .NET executable obfuscated with Eazfuscator.NET\r\nPayload is AES-256 encrypted in CBC mode\r\nPayload is gzip compressed\r\nExtracted PureRAT payload is a DLL\r\nPureRAT DLL is packed with .NET Reactor\r\nA handler is registered for the ResourceResolve event to inject a malicious .NET assembly\r\nSee analysis by eSentire, Morphisec, Kaspersky, Fortinet and 0xlibris for more reverse engineering details on PureRAT and related software from the PureCoder developer(s).\r\nAnother way to identify the malware is to run it in a sandbox and inspect the network traffic. The following characteristics are typical indicators of PureRAT:\r\nC2 TCP port is often 56001, 56002 or 56003\r\nClient (bot) first sends 04 00 00 00 (in hex), followed by a TLS handshake\r\nClient and server run TLS 1.0\r\nX.509 cert is self signed\r\nX.509 cert expires 9999-12-31 23:59:59 UTC\r\nAs you can see in the flow transcript above, CapLoader currently identifies this traffic as “ResolverRAT”. This detection will most likely be changed to “PureRAT” in future versions of CapLoader.\n\nIOC List\r\nHere are some IP:port tuples for C2 servers used by recent samples of PureRAT:\r\n193.26.115.125:8883\r\npurebase.ddns[.]net:8883\r\n45.74.10.38:56001\r\n139.99.83.25:56001\r\nPosted by Erik Hjelmvik on Tuesday, 12 August 2025 15:43:00 (UTC/GMT)\r\nTags: #PureCoder\r\nShort URL: https://netresec.com/?b=2589522\r\nSource: https://www.netresec.com/?page=Blog\u0026month=2025-08\u0026post=PureRAT-ResolverRAT-PureHVNC",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.netresec.com/?page=Blog\u0026month=2025-08\u0026post=PureRAT-ResolverRAT-PureHVNC"
	],
	"report_names": [
		"?page=Blog\u0026month=2025-08\u0026post=PureRAT-ResolverRAT-PureHVNC"
	],
	"threat_actors": [],
	"ts_created_at": 1775434491,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f91e16bec89f9bedff5aa0cd80390f0e2fd6919e.pdf",
		"text": "https://archive.orkl.eu/f91e16bec89f9bedff5aa0cd80390f0e2fd6919e.txt",
		"img": "https://archive.orkl.eu/f91e16bec89f9bedff5aa0cd80390f0e2fd6919e.jpg"
	}
}