From infostealer to full RAT: dissecting the PureRAT attack chain
An investigation into what appeared at first glance to be a “standard” Python-based infostealer campaign took an interesting turn when it was discovered to culminate in the deployment of a full-featured, commercially available remote access trojan (RAT) known as PureRAT.
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.bleepingcomputer.com/news/security/from-infostealer-to-full-rat-dissecting-the-purerat-attack-chain/
- Adversary: null
- Pulse Id: 68e96e29b73e5334019b8810
- Threat Score: null
Indicators of Compromise
IP
| Value | Description |
|---|---|
| 157.66.26.209 | CC=JP ASN=ASNone |
Hash
| Value | Description |
|---|---|
| 8697103bed75b09df59d9bb3a86eca32 | MD5 of f6ed084aaa8ecf1b1e20dfa859e8f34c4c18b7ad7ac14dc189bc1fc4be1bd709 |
| ffd6f164c9f9248604e819b7b584c9d2907c967d | SHA1 of f6ed084aaa8ecf1b1e20dfa859e8f34c4c18b7ad7ac14dc189bc1fc4be1bd709 |
| 06fc70aa08756a752546198ceb9770068a2776c5b898e5ff24af9ed4a823fd9d | — |
| f5e9e24886ec4c60f45690a0e34bae71d8a38d1c35eb04d02148cdb650dd2601 | — |
| f6ed084aaa8ecf1b1e20dfa859e8f34c4c18b7ad7ac14dc189bc1fc4be1bd709 | — |
Threat ID: 68e96e4d4338e1ae7d84ca8e
Added to database: 10/10/2025, 8:36:29 PM
Last updated: 11/25/2025, 1:02:33 AM