EXECUTIVE SUMMARY:
This report describes a multi-stage malware campaign that leverages advanced evasion techniques to infiltrate Windows systems while minimizing detection. The campaign begins with a hidden batch file persisted through a per-user Run registry key, designed to execute without requiring elevated privileges. This batch file extracts and executes an embedded PowerShell loader, which in turn decrypts Donut-generated shellcode that is injected into legitimate system processes. The malware is modular, featuring both a full-fledged stealer and a remote access framework implemented in .NET. It exhibits advanced anti-analysis mechanisms, including anti-VM, anti-debugging, and process injection detection, which allow it to evade traditional antivirus and behavioral monitoring systems. Stolen data, including credentials and system information, is exfiltrated using popular communication platforms such as Discord and Telegram. Overall, the introduction emphasizes the growing sophistication of Windows malware, the increasing use of in-memory loaders, and the campaign’s focus on stealth, resilience, and long-term persistence in compromised systems, setting the stage for a detailed technical analysis.
The technical breakdown examines each of the malware’s stages in depth, starting with the obfuscated batch file. This file ensures persistence by creating hidden directories in the user profile and registering itself in the Run key, then executes a temporary PowerShell script that self-cleans after execution. The PowerShell stage decodes an embedded Base64 payload, which is XOR-processed and loaded directly into memory using Shellcode-Donut. The loader establishes a Win32 interop layer to perform process injection via CreateRemoteThread, allocating executable memory in a target process such as explorer.exe. The malware implements a watchdog mechanism that monitors injected processes and re-injects the shellcode if a process terminates, maintaining long-term persistence. This stage also facilitates process migration, selecting stable system processes such as svchost.exe to host malicious payloads and evade detection. Advanced features include credential harvesting, system surveillance, and modular extensions, showcasing a high level of sophistication and highlighting the challenges of detecting in-memory, modular .NET malware.
The investigation concludes that the malware campaign represents a modern, high-evasion threat capable of large-scale data theft and long-term system compromise. Its modular architecture, stealthy in-memory execution, and persistent watchdog mechanisms exemplify contemporary malware trends targeting Windows environments. The campaign’s use of legitimate processes, anti-analysis techniques, and encrypted communication channels underscores the increasing difficulty of defending against such operations. By leveraging living-off-the-land tactics and process migration, the malware achieves sustained access while minimizing forensic traces. The analysis highlights the growing importance of behavioral monitoring, memory analysis, and advanced threat hunting to detect such campaigns. Ultimately, the study emphasizes that organizations must adopt proactive, multi-layered defenses to counteract sophisticated malware campaigns that combine RAT functionalities, information theft, and resilient execution techniques, reflecting the evolving landscape of targeted cyber threats.
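As an added illustration of the behavioral monitoring the conclusion calls for (example code written for this summary, not part of the referenced reports), the following Python triages constructed Sysmon-style events for the three stages described above: the per-user Run key pointing at a batch file under the user profile, cmd.exe spawning PowerShell with an encoded payload, and a CreateRemoteThread from PowerShell into explorer.exe or svchost.exe. The event shape (Sysmon IDs 1 process create, 8 CreateRemoteThread, 13 registry value set), host names, paths and value names are assumptions for illustration only.

```python
"""Triage of Sysmon-style events for the chain described above: a per-user Run key
launching a batch file from the user profile, batch-spawned PowerShell carrying an
encoded payload, and CreateRemoteThread injection into explorer.exe or svchost.exe."""
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events; hosts, paths and value names are illustrative, not IoCs.
SAMPLE_EVENTS = [
    {"host": "WS01", "id": 13, "details": r"C:\Users\alice\AppData\Roaming\.sys\upd.bat",
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\SysUpd"},
    {"host": "WS01", "id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c C:\Users\alice\AppData\Roaming\.sys\upd.bat"},
    {"host": "WS01", "id": 1, "image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc SQBFAFgA"},
    {"host": "WS01", "id": 8, "source": PS, "target": r"C:\Windows\explorer.exe"},
    {"host": "WS02", "id": 1, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-Process"},  # benign: interactive use, no encoding
]

ENCODED = re.compile(r"(?i)-e(nc|ncodedcommand)?\s|FromBase64String|-bxor")
INJECT_TARGETS = ("explorer.exe", "svchost.exe")

def base(path):
    return path.rsplit("\\", 1)[-1].lower()  # lower-cased file name of a Windows path

def match_rules(ev):
    """Names of the detection rules a single event satisfies."""
    hits = []
    if ev["id"] == 13 and "\\currentversion\\run\\" in ev["target"].lower() \
            and ev["details"].lower().endswith(".bat") and "\\users\\" in ev["details"].lower():
        hits.append("run_key_user_batch")
    if ev["id"] == 1 and base(ev["image"]) == "powershell.exe" \
            and base(ev["parent"]) == "cmd.exe" and ENCODED.search(ev["cmdline"]):
        hits.append("cmd_spawns_encoded_powershell")
    if ev["id"] == 8 and base(ev["source"]) == "powershell.exe" \
            and base(ev["target"]) in INJECT_TARGETS:
        hits.append("powershell_remote_thread_into_system_process")
    return hits

def triage(events):
    """Map each host to the set of rule names fired across its events."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_rules(ev))
    return dict(per_host)

def chain_hosts(events, required=3):
    """Hosts on which at least `required` distinct stages of the chain fired."""
    return sorted(h for h, rules in triage(events).items() if len(rules) >= required)
```

Each rule alone is noisy on a busy estate; the value is in correlating all three stages on one host, which is what `chain_hosts` reports.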
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027 | Obfuscated Files or Information | - |
| Defense Evasion | T1055 | Process Injection | - |
| Defense Evasion | T1218 | System Binary Proxy Execution | - |
| Credential Access | T1555 | Credentials from Password Stores | - |
| Credential Access | T1003 | OS Credential Dumping | - |
| Discovery | T1082 | System Information Discovery | - |
| Discovery | T1057 | Process Discovery | - |
| Collection | T1005 | Data from Local System | - |
| Command and Control | T1071 | Application Layer Protocol | - |
| Command and Control | T1105 | Ingress Tool Transfer | - |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Anti-Behavioral Analysis | B0009 | Virtual Machine Detection |
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Collection | F0002 | Keylogging |
| Collection | E1113 | Screen Capture |
| Command and Control | B0030 | C2 Communication |
| Execution | B0011 | Remote Commands |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/pulsar-rat-attacking-windows-systems/
https://www.pointwild.com/threat-intelligence/when-malware-talks-back