PureRAT: A Multi-Stage, Fileless RAT Utilizing Image Steganography and Process Hollowing

Khushal

Apr 4, 2024
Trellix researchers describe PureRAT as a multi-stage, fileless RAT hiding PE payloads in PNGs, using LNK-PowerShell-VBS with UAC bypass and process hollowing, persisting via scheduled tasks and Run keys.

The Trellix write-up describes a fairly typical modern intrusion chain, but with a few notable techniques combined in one campaign.

What stands out

  • A multi-stage delivery flow instead of a single executable
  • Fileless-style execution, meaning more activity happens through scripts and memory rather than obvious dropped binaries
  • Use of steganography, where PE payloads are hidden inside PNG files
  • A chain involving LNK -> PowerShell -> VBS
  • Post-execution techniques such as UAC bypass, process hollowing, and common persistence methods

Why the PNG detail matters

Hiding payload data inside PNG files can help attackers reduce suspicion, because image files often look harmless at first glance.

That does not make the technique unique by itself, but it is effective when combined with script-based staging. Static file checks may miss the real payload if the malicious code is extracted only later in memory.

Why this is called “fileless” with some caution

“Fileless” is often used broadly. In practice, many so-called fileless threats still rely on some files at some stage, such as LNKs, scripts, scheduled tasks, or registry-based persistence.

So the more precise point is that the campaign appears to minimize obvious traditional malware binaries on disk and shifts more of the malicious activity into scripts, LOLBins, and memory-resident execution.

Techniques mentioned

  • LNK abuse: Often used as an initial launcher because shortcut files can disguise malicious execution.
  • PowerShell and VBS: Common for staging, downloading, decoding, and launching later payloads.
  • UAC bypass: Used to gain elevated execution without a normal consent prompt in some conditions.
  • Process hollowing: A legitimate process is started and its memory is replaced with malicious code, helping evasion.
  • Scheduled tasks and Run keys: Very common persistence choices because they are simple and reliable.

Defensive takeaway

For defenders, the main lesson is that detection should not rely only on scanning dropped EXEs.

More useful visibility includes:

  • Suspicious shortcut file behavior
  • PowerShell child processes and encoded commands
  • Script interpreter chains
  • Unexpected image files being read and decoded by scripts
  • Registry Run key creation
  • New scheduled tasks
  • Memory injection or hollowing behavior

Behavioral monitoring, EDR telemetry, and script logging are usually more valuable here than simple signature-based checks alone.

One caution

I cannot independently verify every technical claim in the Trellix report from the quote alone, so it is best treated as vendor research unless corroborated by additional analysis. But the technique set described is plausible and consistent with methods seen in real-world RAT campaigns.

Bottom line

If Trellix’s analysis is accurate, PureRAT is not notable because it uses one brand-new trick, but because it chains together several effective evasion and persistence methods: steganography, script-based staging, privilege escalation, and in-memory execution. That combination is what makes this kind of threat more difficult to spot with basic defenses.
 
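One way to turn the visibility list in the post into a concrete check, as an added example that is not from the Trellix report or from anyone in this thread: a small Python detector run over constructed process-creation events (Sysmon Event ID 1 style fields: pid, parent pid, image, command line) that flags the script host chain, encoded PowerShell, image files referenced from scripts, and Run key or scheduled task persistence. Process names, paths and the task name are constructed sample values, not indicators from the report.

```python
import base64
import re
from collections import namedtuple
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")  # Sysmon Event ID 1 style fields
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def decode_encoded_command(cmdline):
    # -EncodedCommand (-enc/-ec/-e) carries base64 of a UTF-16LE script; None if absent or malformed
    m = re.search(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:
        return None

def analyze(events):
    # Returns (finding, detail) pairs for the LNK -> PowerShell -> VBS chain described in the post
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        img, cmd = e.image.lower(), e.cmdline.lower()
        # Script interpreter chain: one script host spawning another (e.g. PowerShell -> wscript)
        if parent and img in SCRIPT_HOSTS and parent.image.lower() in SCRIPT_HOSTS:
            findings.append(("script_chain", f"{parent.image} -> {e.image}"))
        # Encoded PowerShell: record the decoded script and inspect it like the command line
        decoded = decode_encoded_command(e.cmdline) if img in {"powershell.exe", "pwsh.exe"} else None
        if decoded is not None:
            findings.append(("encoded_powershell", decoded))
            cmd += " " + decoded.lower()
        # Image file referenced by a script host: the steganographic loader reading its PNG
        if img in SCRIPT_HOSTS and re.search(r"\.(png|jpe?g|gif)\b", cmd):
            findings.append(("image_in_script_cmdline", e.image))
        # Persistence: Run key writes and scheduled task creation
        if "currentversion\\run" in cmd:
            findings.append(("run_key_persistence", e.cmdline))
        if img == "schtasks.exe" and "/create" in cmd:
            findings.append(("scheduled_task", e.cmdline))
    return findings

def encode_command(script):  # builds an -EncodedCommand argument as PowerShell expects it (sample only)
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample events; the names and paths are made up, not indicators from the report
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "powershell.exe", "powershell.exe -w hidden -enc " + encode_command("Get-Content C:\\Users\\Public\\report.png")),
    ProcEvent(300, 200, "wscript.exe", "wscript.exe C:\\Users\\Public\\stage2.vbs"),
    ProcEvent(400, 300, "reg.exe", "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\Public\\stage2.vbs"),
    ProcEvent(500, 300, "schtasks.exe", "schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\stage2.vbs"),
]
```

Running `analyze(SAMPLE_EVENTS)` returns one finding per stage of the constructed chain; in a real deployment the same checks would be applied to EDR or Sysmon process-creation telemetry rather than a hard-coded list.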
Cases like PureRAT highlight how fragile trust in the digital environment can be. The fact that seemingly harmless files are used to hide complex payloads suggests that the weakest link continues to be our familiarity with the everyday. In this landscape, prevention remains the only real barrier. 🔑🏠
 