Cybersecurity experts have uncovered a new malware campaign using a loader called PureCrypter to distribute the DarkVision remote access trojan (RAT). First detected by a researcher in July 2024, this multi-phase attack deploys the RAT through an elaborate process designed to compromise systems.
DarkVision RAT uses a custom protocol to communicate with its command-and-control (C2) server, offering attackers a variety of tools such as keylogging, remote access, password theft, audio recording, and screen capture. This RAT is a potent threat, packed with numerous features that make it highly attractive to cybercriminals.
PureCrypter, originally revealed in 2022, is a subscription-based malware loader designed to deliver various types of malicious software, including RATs, ransomware, and information stealers. The exact method by which PureCrypter initially gains access to systems remains unclear.
However, once it does, it triggers a multi-stage sequence that ultimately delivers the DarkVision RAT, including unpacking and decrypting the open-source Donut loader. From there, persistence is ensured by creating scheduled tasks and adding Microsoft Defender Antivirus exclusions.
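As an added detection example (not from the article or the research it summarizes), the following Python script scans exported Windows event-log records for the two persistence actions described above: a Microsoft Defender exclusion being added (Defender Operational log event 5007, which records the changed registry value) and a scheduled task being created (Security log event 4698). The sample records, the task name and the paths are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample records in an "EventID<TAB>Message" export form.
# The 5007 text is modelled on Defender's configuration-change event, which
# names the changed registry value under ...\Windows Defender\Exclusions\.
SAMPLE_EVENTS = [
    "5007\tMicrosoft Defender Antivirus Configuration has changed. Old value: "
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths"
    "\\C:\\Users\\Public\\Libraries = 0x0",
    "5007\tMicrosoft Defender Antivirus Configuration has changed. Old value: "
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\DisableArchiveScanning = 0x0",
    "4698\tA scheduled task was created. Task Name: \\UpdaterTask Task Content: "
    "<Command>C:\\Users\\Public\\Libraries\\svc.exe</Command>",
    "1116\tMicrosoft Defender Antivirus has detected malware or other potentially unwanted software.",
]

EXCLUSION_RE = re.compile(r"Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\(.+?) = 0x0")
TASK_NAME_RE = re.compile(r"Task Name:\s*(\S+)")
TASK_CMD_RE = re.compile(r"<Command>(.*?)</Command>")


def find_persistence_events(events: List[str]) -> List[Dict[str, str]]:
    """Return one finding per event that adds a Defender exclusion or creates a scheduled task."""
    findings = []
    for rec in events:
        event_id, _, message = rec.partition("\t")
        if event_id == "5007":
            m = EXCLUSION_RE.search(message)
            if m:  # other 5007 config changes are ignored here
                findings.append({"type": "defender_exclusion_added",
                                 "kind": m.group(1), "value": m.group(2)})
        elif event_id == "4698":
            name = TASK_NAME_RE.search(message)
            cmd = TASK_CMD_RE.search(message)
            findings.append({"type": "scheduled_task_created",
                             "name": name.group(1) if name else "?",
                             "command": cmd.group(1) if cmd else "?"})
    return findings


def excluded_path_used_by_task(findings: List[Dict[str, str]]) -> List[str]:
    """Names of tasks whose command runs from a path that was just excluded from Defender scanning."""
    excluded = [f["value"].lower() for f in findings
                if f["type"] == "defender_exclusion_added" and f["kind"] == "Paths"]
    return [f["name"] for f in findings
            if f["type"] == "scheduled_task_created"
            and any(f["command"].lower().startswith(p) for p in excluded)]
```

A single exclusion or a single new task is common in legitimate administration; the combination of a new exclusion followed by a task executing from inside it is the higher-confidence signal to alert on.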
The DarkVision RAT, introduced in 2020, has since become popular due to its affordability—priced at just $60 for a one-time payment—and its powerful capabilities.
Written in C++ and assembly for enhanced performance, it allows attackers to carry out several malicious activities, including process injection, remote shell access, clipboard manipulation, and cookie theft. In addition to these functionalities, it can also download additional plugins from the C2 server, granting attackers full control over infected systems.
DarkVision’s low cost, combined with its availability on hacker forums, has made it increasingly attractive to both experienced attackers and novice cybercriminals seeking to execute their own attacks. Its versatility and ease of use continue to make it a prominent tool in malware campaigns.
In a related finding, another new malware loader, dubbed Pronsis Loader, has emerged in campaigns delivering other threats such as Lumma Stealer and Latrodectus. A report reveals that this loader bears similarities to another malware, D3F@ck Loader, though they differ in their installation methods.
To prevent such malware attacks, organizations and individuals must prioritize robust cybersecurity practices. Regularly updating software, using strong antivirus solutions, and avoiding suspicious downloads are critical. Proactive monitoring and timely patch management are also essential to ensure system defenses remain strong against evolving threats.