Introduction
A new wave of cyberattacks is targeting Russian organizations, leveraging a sophisticated malware campaign that deploys the PureRAT backdoor and the PureLogs information stealer. First identified by cybersecurity firm Kaspersky, this phishing campaign has seen a significant increase in activity, especially during early 2025, raising serious concerns about the security landscape for Russian businesses. This article explores the technical methodology behind the attacks, the malware components involved, and the broader implications for corporate cybersecurity.
Surge in Attacks: An Alarming Trend
Kaspersky reports that the phishing campaign against Russian organizations began in March 2023. However, the scale of the attacks has increased dramatically, with a fourfold rise in the number of incidents during the first third of 2025 compared to the same timeframe in 2024. While no specific threat actor has been publicly identified, the sophistication of the malware and the precision of the delivery method suggest a well-coordinated operation.
Initial Vector: Phishing Emails and Malicious Archives
The attack chain begins with a phishing email containing either a RAR archive or a link to a downloadable archive. These files are cleverly disguised using double extensions (e.g., "doc_054_[redacted].pdf.rar") to appear as Microsoft Word or PDF documents, thereby increasing the likelihood of the recipient opening them.
Inside the archive lies an executable file which, once launched, copies itself to the compromised system’s “%AppData%” directory under the name “task.exe.” It also creates a Visual Basic Script (VBS) file named “Task.vbs” in the Startup folder to ensure persistence upon system reboot.
Multi-Stage Payload Deployment
Following the initial execution, “task.exe” extracts and runs another executable named “ckcfb.exe.” This program, in turn, utilizes the Windows utility “InstallUtil.exe” to inject a decrypted module into memory. During this process, “ckcfb.exe” extracts a DLL file, “Spydgozoi.dll,” which contains the core functionality of the PureRAT malware.
PureRAT then establishes secure SSL communication with its command-and-control (C2) server and transmits key system data, including antivirus software status, device name, and uptime. Based on this data, the C2 server dispatches specialized modules designed for further malicious activity.
Malicious Modules and Capabilities
PureRAT comes equipped with multiple malicious plugins:
- PluginPcOption: Executes commands for self-deletion, restarts the executable, or shuts down/reboots the system.
- PluginWindowNotify: Monitors active window titles for keywords like “password,” “bank,” or “WhatsApp,” and initiates further actions such as unauthorized transactions.
- PluginClipper: Intercepts and modifies clipboard contents, particularly cryptocurrency wallet addresses, replacing them with those controlled by the attacker.
In addition, PureRAT includes capabilities for keylogging, remote desktop control, webcam and microphone access, registry manipulation, and full access to the file system and running processes.
Parallel Infection Path: PureCrypter and PureLogs
Alongside the execution of “ckcfb.exe,” the malware extracts a second binary—“StilKrip.exe”—which acts as a downloader tool known as PureCrypter. This commercial malware loader has been in circulation since 2022 and is used to fetch additional payloads.
“StilKrip.exe” downloads a file named “Bghwwhmlr.wav,” which follows a similar procedure to execute “InstallUtil.exe” and launch “Ttcxxewxtly.exe.” This executable, in turn, unpacks and runs the final DLL payload—“Bftvbho.dll”—which is identified as PureLogs.
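The infection chain described above (the double-extension archive lure, the “task.exe” copy and “Task.vbs” Startup entry, the “InstallUtil.exe” injection step, and the PureCrypter/PureLogs file names) can be turned into a small triage rule set. The following Python is an example added to this article, not Kaspersky's detection logic or tooling. The event records and their field names (`type`, `name`, `path`, `image`, `parent_image`) are a constructed schema standing in for whatever your EDR or mail gateway exports; the docx/zip/7z additions to the lure pattern and the "InstallUtil.exe launched by a parent in a user-writable profile path" heuristic are assumptions that generalize what the article reports.

```python
"""Triage constructed endpoint/mail telemetry against the indicators the
article reports for the PureRAT / PureLogs chain.

Example code added to this page; not Kaspersky's detection logic. The event
schema and the sample events below are constructed for illustration.
"""
import ntpath
import re
from typing import Iterable

# File names the article attributes to the chain (matched case-insensitively).
KNOWN_CHAIN_FILES = {
    "task.exe", "task.vbs", "ckcfb.exe", "spydgozoi.dll",
    "stilkrip.exe", "bghwwhmlr.wav", "ttcxxewxtly.exe", "bftvbho.dll",
}

# Lure pattern: a document extension immediately followed by an archive
# extension. The article cites ".pdf.rar" lures posing as Word/PDF files;
# docx, zip and 7z are an assumed generalisation of that pattern.
DOUBLE_EXT_RE = re.compile(r"\.(?:doc|docx|pdf)\.(?:rar|zip|7z)$", re.IGNORECASE)

# User-writable profile location (assumption used by the InstallUtil rule;
# the article says the loader copies itself to %AppData%).
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

# Per-user Startup folder, where the article says Task.vbs is dropped.
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host platform.
    return ntpath.basename(path).lower()


def triage(events: Iterable[dict]) -> list[dict]:
    """Return one finding per rule hit, as {"rule": <id>, "event": <event>}."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "attachment":
            if DOUBLE_EXT_RE.search(ev["name"]):
                findings.append({"rule": "double_extension_lure", "event": ev})
        elif kind == "file_create":
            path = ev["path"]
            name = _basename(path)
            if name in KNOWN_CHAIN_FILES:
                findings.append({"rule": "known_chain_filename", "event": ev})
            # Behavioural rule: any .vbs written to the Startup folder, not
            # just the name the article reports.
            if STARTUP_RE.search(path) and name.endswith(".vbs"):
                findings.append({"rule": "startup_vbs_persistence", "event": ev})
        elif kind == "process_create":
            image = _basename(ev["image"])
            parent = ev.get("parent_image", "")
            # Assumed heuristic: InstallUtil.exe spawned by a parent living in
            # a user profile directory rather than by an installer/build tool.
            if image == "installutil.exe" and USER_WRITABLE_RE.search(parent):
                findings.append({"rule": "installutil_from_user_profile", "event": ev})
    return findings


# Constructed sample telemetry: one benign attachment and one benign
# InstallUtil launch are included to show the rules do not fire on them.
SAMPLE_EVENTS = [
    {"type": "attachment", "name": "doc_054_[redacted].pdf.rar"},
    {"type": "attachment", "name": "invoice_Q1.pdf"},
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\task.exe"},
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task.vbs"},
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\ckcfb.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe"},
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['rule']:32} {hit['event']}")
```

Run against the constructed sample, the lure, both dropped files, the Startup script and the InstallUtil launch from ckcfb.exe produce findings, while the plain PDF attachment and the msiexec-parented InstallUtil launch do not. The name-based rule is the most brittle (the loader's file names are trivially changed), so the behavioural rules for Startup-folder scripts and InstallUtil parentage are the ones worth keeping in a production rule set.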
PureLogs is an advanced information stealer designed to extract sensitive data from various software applications, including web browsers, VPNs, email clients, messaging platforms, password managers, and FTP tools such as FileZilla and WinSCP.
Impact and Conclusion
The combined capabilities of PureRAT and PureLogs provide threat actors with comprehensive access to infected systems, allowing for the exfiltration of sensitive corporate data and unauthorized remote control. Kaspersky emphasizes that the primary attack vector remains phishing emails with malicious attachments or links—a tactic that continues to yield significant results for cybercriminals.
Given the increasing sophistication of these attacks, organizations must reinforce their email security, adopt robust endpoint detection systems, and educate employees on recognizing phishing attempts. The evolving threat landscape demands proactive defense strategies to prevent such intrusions and protect critical business operations.