When Malware Talks Back
A sophisticated multi-stage malware campaign employs living-off-the-land techniques and in-memory payload delivery to evade security controls. The infection chain begins with a hidden batch file that executes an embedded PowerShell loader, which then injects Donut-generated shellcode into legitimate Windows processes. The final payload is a heavily obfuscated .NET framework implementing advanced anti-analysis techniques, credential harvesting, surveillance capabilities, and remote system control. Data exfiltration occurs via Discord webhooks and Telegram bots. The malware, identified as Pulsar RAT, features live chat functionality and background payload deployment, demonstrating a modern, high-evasion Windows malware operation designed for long-term access and large-scale data theft.
AI Analysis
Technical Summary
The Pulsar RAT campaign is a modern, evasive Windows threat that combines several techniques to stay hidden and keep access. The infection chain starts with a concealed batch file that runs an embedded PowerShell loader. The loader injects shellcode produced with Donut into legitimate Windows processes. Donut wraps a .NET assembly (or a native PE) as position-independent shellcode that loads the CLR and runs the assembly in memory, so the RAT itself never has to be written to disk as a recognizable executable and file-based scanning sees only the batch file and the script. The final payload is a heavily obfuscated .NET framework built to resist reverse engineering and dynamic analysis. Functionally, Pulsar RAT harvests credentials, conducts surveillance of the infected system, and gives the operator remote control. It exfiltrates stolen data through Discord webhooks and Telegram bots, so the traffic is HTTPS to popular, widely allowed services and blends with legitimate activity. A live chat feature lets the operator interact with the victim in real time, and background payload deployment allows further tooling to be delivered during the operation. Reliance on living-off-the-land binaries and scripts (PowerShell in particular) complicates detection because these are signed system tools that are often allow-listed in enterprise environments. The page does not name an exploited vulnerability or the delivery vector for the batch file; the chain depends on the script being executed on the host. Taken together, the multi-stage chain and its evasion make this a medium-severity threat, particularly for organizations with Windows-based infrastructure and remote connectivity. The listed file hashes (MD5, SHA-1 and SHA-256) serve as indicators of compromise for detection and response.
Potential Impact
For European organizations, the Pulsar RAT campaign poses a substantial risk to the confidentiality, integrity, and availability of critical systems and data. Its credential harvesting can yield unauthorized access to sensitive systems and enable lateral movement and further compromise. Surveillance and remote-control features threaten operational integrity and can support espionage or sabotage. Exfiltration through Discord and Telegram travels over HTTPS to widely used services, so it may pass conventional network monitoring and allow a breach to go unnoticed. Organizations with remote workforces or a heavy reliance on Windows environments are particularly exposed, because the malware abuses legitimate tooling such as PowerShell and process injection to evade detection. Long-term persistence and the live chat function indicate that attackers can maintain ongoing access, increasing the potential scale and duration of impact, with consequences that include intellectual property theft, regulatory non-compliance (e.g., GDPR breach-notification obligations), financial loss, and reputational damage. The medium severity rating reflects the complexity and stealth of the malware, which may delay detection and remediation.
Mitigation Recommendations
1. Deploy endpoint detection and response (EDR) capable of alerting on living-off-the-land behaviour: PowerShell spawned from cmd.exe or a batch file, cross-process memory writes and remote thread creation (the injection step), and executable memory regions that are backed by no file on disk.
2. Enable PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and Module Logging, forward both to central logging, and keep an AMSI-integrated antivirus active so decoded script content is inspected before it runs.
3. Monitor proxy and DNS telemetry for connections to Discord webhook endpoints (discord.com/api/webhooks/) and the Telegram Bot API (api.telegram.org/bot<token>/), and restrict or block these services at the perimeter where the business does not need them; where it does, alert on hosts that reach them from something other than a browser.
4. Use application control (AppLocker or Windows Defender Application Control) to prevent batch files and scripts from running out of user-writable and temporary locations.
5. Audit credentials regularly and enforce multi-factor authentication (MFA) so that harvested passwords alone do not grant access; rotate credentials from any host found to be infected.
6. Apply behavioural analytics to the processes the loader injects into: a legitimate process that begins opening interactive windows, capturing input, or holding long-lived outbound sessions is the footprint of the RAT's live chat and remote-control features.
7. Keep threat intelligence feeds current and load the hashes below into EDR, antivirus and SIEM tooling for both retrospective and proactive matching.
8. Train users on phishing and social engineering, since infection chains of this kind usually rely on user interaction to run the first stage.
9. Patch and harden Windows systems to reduce attack surface; the campaign uses built-in tools rather than exploits, but hardening such as PowerShell Constrained Language Mode, where feasible, narrows what a script loader can do.
10. Prepare incident response procedures for in-memory and obfuscated malware: capture memory from suspected hosts before rebooting them, because the RAT lives only in process memory and a restart destroys the evidence.
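The following Python triage script is an added example and is not code from this page, from PointWild or from AlienVault. It turns items 1, 2, 3 and 7 of the list above into checks that run over constructed telemetry: PowerShell Script Block Logging text (Event ID 4104), proxy URLs, and file hashes. The loader regexes are an assumption about the primitives a PowerShell stage needs in order to run Donut-style shellcode in another process (decode a blob, obtain executable memory, write it, start a thread), not strings recovered from this campaign; the Discord and Telegram URL shapes are those of the public APIs; the sample events are constructed, and the three hashes are taken from the page's own indicator list. A host that shows both a loader-shaped script block and an exfil channel is the combination this advisory describes, and `correlate` returns exactly those hosts.

```python
"""Triage of PowerShell, proxy and file-hash telemetry (constructed example).

The loader regexes are an ASSUMPTION about what a PowerShell stage needs to
run Donut-style shellcode in another process; they are not strings taken
from this campaign. Sample events are made up; hashes are the page's IoCs.
"""
import re
from dataclasses import dataclass, field

# One IoC of each digest family from the advisory's indicator list.
IOC_HASHES = {
    "0020b06dc2018cc2b5bf98945a39cbd3",                                  # MD5
    "0596efc427aebb99a4ec7f8d6a06f4777992fb08",                          # SHA-1
    "6aec480d0a66f008233875e99f4299d04a02ce755f812198c8bfc7d6d8ddf9d8",  # SHA-256
}

# ASSUMED loader primitives, one class per key: Donut output is raw shellcode,
# so the script must decode it, get executable memory and start a thread.
LOADER_PATTERNS = {
    "decode":  re.compile(r"FromBase64String|-EncodedCommand|\s-e(?:c|nc)?\s", re.I),
    "alloc":   re.compile(r"VirtualAlloc(?:Ex)?|NtAllocateVirtualMemory", re.I),
    "write":   re.compile(r"WriteProcessMemory|Marshal\]::Copy", re.I),
    "thread":  re.compile(r"CreateRemoteThread|NtCreateThreadEx|QueueUserAPC", re.I),
    "pinvoke": re.compile(r"Add-Type\b.*?DllImport", re.I | re.S),
}
LOADER_THRESHOLD = 3  # distinct primitive classes needed before a block is flagged

# Exfil channels named in the advisory; both URL shapes are fixed by the APIs:
# Discord webhook = /api/webhooks/<id>/<token>, Telegram = /bot<id>:<token>/<method>.
DISCORD_WEBHOOK = re.compile(
    r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I)
TELEGRAM_BOT = re.compile(r"https?://api\.telegram\.org/bot\d+:[\w-]+/\w+", re.I)


@dataclass
class Finding:
    host: str
    kind: str                      # "loader", "exfil" or "ioc_hash"
    evidence: list = field(default_factory=list)


def classify_hash(value):
    """Digest family of an IoC string by hex length, or None if not a digest."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(v))


def scan_script_block(text):
    """Sorted loader primitive classes present in one 4104 ScriptBlockText."""
    return sorted(name for name, rx in LOADER_PATTERNS.items() if rx.search(text))


def scan_url(url):
    """Which exfil channel a URL belongs to, or None for ordinary traffic."""
    if DISCORD_WEBHOOK.search(url):
        return "discord_webhook"
    if TELEGRAM_BOT.search(url):
        return "telegram_bot"
    return None


def triage(events):
    """Run the three checks over event dicts and return one Finding per hit."""
    findings = []
    for ev in events:
        if ev["source"] == "ps_4104":
            hits = scan_script_block(ev["text"])
            if len(hits) >= LOADER_THRESHOLD:
                findings.append(Finding(ev["host"], "loader", hits))
        elif ev["source"] == "proxy":
            channel = scan_url(ev["url"])
            if channel:
                findings.append(Finding(ev["host"], "exfil", [channel]))
        elif ev["source"] == "file_hash":
            digest = ev["hash"].strip().lower()   # normalise before lookup
            if digest in IOC_HASHES:
                findings.append(Finding(ev["host"], "ioc_hash", [classify_hash(digest), digest]))
    return findings


def correlate(findings):
    """Hosts with both a loader-shaped script and an exfil channel: isolate these first."""
    kinds = {}
    for f in findings:
        kinds.setdefault(f.host, set()).add(f.kind)
    return sorted(h for h, k in kinds.items() if {"loader", "exfil"} <= k)


# Constructed telemetry: benign script, loader-shaped script, benign Discord
# request, two exfil requests, one file-hash match (upper-case on purpose).
SAMPLE_EVENTS = [
    {"source": "ps_4104", "host": "ws01",
     "text": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
    {"source": "ps_4104", "host": "ws02",
     "text": ("$b=[Convert]::FromBase64String($blob);"
              "Add-Type -TypeDefinition 'using System.Runtime.InteropServices;"
              "public class K{[DllImport(\"kernel32.dll\")]public static extern IntPtr"
              " VirtualAllocEx(IntPtr h,IntPtr a,uint s,uint t,uint p);}';"
              "$p=[K]::VirtualAllocEx($h,0,$b.Length,0x3000,0x40);"
              "[K]::WriteProcessMemory($h,$p,$b,$b.Length,[ref]0);"
              "[K]::CreateRemoteThread($h,0,0,$p,0,0,[ref]0)")},
    {"source": "proxy", "host": "ws01", "url": "https://discord.com/channels/@me"},
    {"source": "proxy", "host": "ws02",
     "url": "https://discord.com/api/webhooks/1234567890/AbCdEf-ghIJ_exampletoken"},
    {"source": "proxy", "host": "ws02",
     "url": "https://api.telegram.org/bot1234567890:AAexampleTokenXYZ/sendDocument"},
    {"source": "file_hash", "host": "ws02",
     "hash": "6AEC480D0A66F008233875E99F4299D04A02CE755F812198C8BFC7D6D8DDF9D8"},
]
```

Calling `triage(SAMPLE_EVENTS)` yields four findings, all on ws02 (loader, two exfil channels, one hash match), and `correlate` on that result returns `["ws02"]`. In production the event dicts would be built from a SIEM export; the threshold of three primitive classes keeps routine `Add-Type` usage from alerting on its own, and the benign `discord.com/channels/` request shows why the webhook path, not the domain, is the discriminator.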
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise (file hashes; the digest family is identified by hex length: 32 = MD5, 40 = SHA-1, 64 = SHA-256)
- hash (MD5): 0020b06dc2018cc2b5bf98945a39cbd3
- hash (MD5): 3abcad7678dd78832a164349aceeaa59
- hash (MD5): 648c0ba2bb1cde47fa8812f254821a72
- hash (MD5): 666493877fb7328c3e8c313fbcfdfd1e
- hash (MD5): 69392e0d2b877cb932ab709ebe758975
- hash (SHA-1): 0596efc427aebb99a4ec7f8d6a06f4777992fb08
- hash (SHA-1): dd5e51d3ea1d861d966d7e939d20befddd4620d3
- hash (SHA-256): 6aec480d0a66f008233875e99f4299d04a02ce755f812198c8bfc7d6d8ddf9d8
Technical Details
- Author: AlienVault
- TLP: WHITE
- References: https://www.pointwild.com/threat-intelligence/when-malware-talks-back
- Adversary: not attributed (null)
- Pulse ID: 697c7ba66b8f43dd7b4370c5
- Threat Score: not provided (null)
Threat ID: 697ced97ac063202226a8793
Added to database: 1/30/2026, 5:42:47 PM
Last enriched: 1/30/2026, 5:57:08 PM
Last updated: 3/17/2026, 12:43:43 PM