Under the Pure Curtain: From RAT to Builder to Coder

Severity: Medium
Published: Tue Sep 16 2025 (09/16/2025, 21:37:35 UTC)
Source: AlienVault OTX General

Description

Check Point Research conducted a forensic analysis of a ClickFix campaign that deployed multiple tools, including a Rust Loader, PureHVNC RAT, and the Sliver command-and-control framework. The analysis provided comprehensive insights into PureHVNC RAT, including its commands and plugins. The investigation revealed connections to GitHub accounts linked to the developer of Pure malware families, PureCoder. Analysis of these accounts indicated a timezone of operation (UTC+0300) and potential countries of residence. The research also uncovered a PureRAT builder, offering insights into the RAT's capabilities and features related to PureCrypter, another tool by PureCoder. This investigation enhances understanding of the Pure malware ecosystem and provides actionable intelligence for cybersecurity professionals.

AI-Powered Analysis

Last updated: 09/17/2025, 11:25:15 UTC

Technical Analysis

The analyzed threat revolves around a sophisticated malware campaign dubbed 'ClickFix,' which employs a multi-tool ecosystem developed by an adversary group or individual known as PureCoder. The campaign utilizes several components, including a Rust-based loader, the PureHVNC Remote Access Trojan (RAT), and the Sliver command-and-control (C2) framework. The forensic analysis by Check Point Research reveals that PureHVNC RAT is a modular and feature-rich malware capable of executing a wide range of commands and plugins, enabling attackers to perform reconnaissance, persistence, credential theft, lateral movement, and data exfiltration. The investigation also uncovered a PureRAT builder tool, which facilitates the creation of customized RAT payloads, and a PureCrypter tool designed to obfuscate payloads and evade detection. The malware ecosystem is linked to GitHub accounts associated with PureCoder, providing insights into the developer’s operational timezone (UTC+0300) and suggesting potential geographic origins. The campaign’s use of Rust for the loader indicates an emphasis on stealth and performance, while the integration with the Sliver C2 framework highlights the attackers’ capability to maintain robust command and control infrastructure. The malware employs numerous tactics, techniques, and procedures (TTPs) mapped to MITRE ATT&CK, including credential dumping, process injection, persistence mechanisms, and command obfuscation, reflecting a mature and adaptable threat actor. Although no known exploits in the wild have been reported, the comprehensive capabilities and modularity of the Pure malware family pose a significant risk to targeted environments.

Potential Impact

For European organizations, the Pure malware ecosystem represents a medium-severity threat with potential to disrupt operations, compromise sensitive data, and facilitate espionage or financial theft. The RAT’s extensive command set and plugins enable attackers to gain persistent access, move laterally within networks, and exfiltrate confidential information. Organizations in sectors such as finance, government, critical infrastructure, and technology are particularly at risk due to the potential value of the data targeted and the strategic importance of these sectors. The use of a Rust loader and advanced obfuscation techniques complicates detection and incident response efforts, increasing dwell time and potential damage. Additionally, the malware’s modular builder tools lower the barrier for customization and deployment, potentially expanding the threat’s reach. While no active exploits have been reported, the presence of detailed intelligence and tooling in public repositories suggests a risk of future campaigns leveraging these capabilities. European entities must be vigilant against targeted phishing or spear-phishing campaigns, as the malware’s initial infection vector is associated with the ClickFix campaign, which likely involves social engineering.

Mitigation Recommendations

To mitigate the threat posed by the Pure malware ecosystem, European organizations should implement targeted and advanced defensive measures beyond standard best practices. These include:

1) Deploying endpoint detection and response (EDR) solutions capable of identifying Rust-based loaders and unusual process injection behaviors.
2) Monitoring network traffic for anomalies consistent with Sliver C2 communications, including uncommon protocols or encrypted outbound connections to suspicious domains.
3) Implementing strict application whitelisting and code signing policies to prevent unauthorized execution of builder-generated payloads.
4) Conducting regular threat hunting exercises focused on MITRE ATT&CK techniques associated with Pure malware, such as credential dumping (T1003), persistence (T1547), and process injection (T1055).
5) Enhancing phishing awareness training tailored to the ClickFix campaign’s social engineering tactics.
6) Restricting administrative privileges and employing multi-factor authentication to limit lateral movement and credential abuse.
7) Using threat intelligence feeds to keep detection rules updated with indicators of compromise (IOCs) related to PureCoder’s tools and infrastructure.
8) Monitoring GitHub and other developer platforms for leaks of, or updates to, PureCoder’s tooling.
9) Establishing incident response playbooks specific to RAT infections and C2 framework intrusions to reduce response times and impact.

Technical Details

Author: AlienVault
TLP: white
References: https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder
Adversary: PureCoder
Pulse Id: 68c9d89fdb056290ee763876
Threat Score: null

Indicators of Compromise

Hash


Domain

dndhub.xyz
dsgnfwd.xyz
mktblend.monster
stategiq.quest
stathub.quest

Threat ID: 68ca9a856f90669b55758ca4

Added to database: 9/17/2025, 11:24:53 AM

Last enriched: 9/17/2025, 11:25:15 AM

Last updated: 9/19/2025, 3:22:48 AM
