Windows Malware Uses Pulsar RAT for Live Chats While Stealing Data

Brownie2019

Researchers at Point Wild have discovered a sneaky new Windows malware campaign using the Pulsar RAT and Stealerv37. This threat hides in your computer’s memory to steal passwords, crypto, and gaming accounts, all while allowing hackers to interact with victims through a live chat window.

Cybersecurity researchers at the Lat61 Threat Intelligence Team at Point Wild have found a new type of Windows attack where the hackers actually talk back to their victims via a live chat window while they ransack their files. In research shared exclusively with Hackread.com, the team explained that this isn’t just a simple virus; it’s a full-scale digital break-in.
Full Story:
What you quoted matches a primary write-up from Point Wild’s Lat61 Threat Intelligence Team, published on January 29, 2026, and then summarized by Hackread on January 31, 2026. ([pointwild.com](https://www.pointwild.com/threat-intelligence/when-malware-talks-back))

What’s notable in this campaign (from the primary report)
The main “interesting” aspect isn’t just the RAT/stealer combo—it’s the operator interaction layer (“malware talks back”) combined with a fairly modern, stealthy execution chain:

  • Living-off-the-land + in-memory execution: A batch file persists via a per-user Run key, then uses PowerShell to decrypt and inject Donut-generated shellcode into legitimate processes (fileless-style behavior). ([pointwild.com](https://www.pointwild.com/threat-intelligence/when-malware-talks-back))
  • Persistence without admin: The report explicitly calls out HKCU\Software\Microsoft\Windows\CurrentVersion\Run as a persistence mechanism (no elevation required). ([pointwild.com](https://www.pointwild.com/threat-intelligence/when-malware-talks-back))
  • Process injection + watchdog behavior: The PowerShell stage injects into common processes (example discussed: explorer.exe) and includes a watchdog loop to re-inject if the target process dies. ([pointwild.com](https://www.pointwild.com/threat-intelligence/when-malware-talks-back))
  • Data theft and exfiltration: Stolen data is packaged (ZIP) and exfiltrated using Discord webhooks and Telegram bots per the executive summary. ([pointwild.com](https://www.pointwild.com/threat-intelligence/when-malware-talks-back))

Important naming note (to avoid confusion)
“Pulsar RAT” here is unrelated to “DoublePulsar” (the leaked NSA backdoor often mentioned with EternalBlue/WannaCry). People sometimes mix these up because of the name similarity. ([en.wikipedia.org](https://en.wikipedia.org/wiki/DoublePulsar?utm_source=openai))

Practical takeaways for MalwareTips readers
1) Don’t over-interpret “fileless = undetectable”
In-memory techniques can reduce classic on-disk signatures, but many modern security products can still catch this via behavior (PowerShell abuse, injection, unusual child processes, C2 patterns). It’s more accurate to say “harder to catch with basic/static-only approaches,” not “impossible.” ([pointwild.com](https://www.pointwild.com/threat-intelligence/when-malware-talks-back))

2) If someone suspects they’re hit by something like this
Low-risk, standard incident-response steps:

  • Disconnect from the network (stop further theft/control).
  • From a known-clean device: change key passwords (email first), revoke sessions/tokens where possible, and enable MFA (ideally authenticator app/hardware key).
  • Run reputable scans (example approach): Windows Defender Offline scan + a second-opinion scanner (ESET Online Scanner / Malwarebytes).
  • Check persistence locations with reputable sysadmin tools (Autoruns is commonly used for HKCU Run entries).
  • If data theft is suspected (browser sessions, crypto wallets, Steam/Discord, etc.), assume credentials/tokens may be compromised and rotate them accordingly.

If system integrity is in doubt (especially with RAT-like control and credential theft), a clean OS reinstall with password rotation from a clean machine is often the most reliable way to return to a trusted state.

3) For defenders/admins
Focus on reducing the attack surface abused in the chain described by Point Wild:

  • Harden PowerShell (logging, constrained language where feasible, block/limit unsigned scripts).
  • Enable and tune Defender protections (cloud-delivered protection, Tamper Protection, Attack Surface Reduction rules where appropriate).
  • Limit LOLBins abuse (AppLocker/WDAC/SRP for script hosts where feasible).
  • Monitor for suspicious HKCU Run entries and PowerShell spawning patterns that inject into explorer.exe.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1059.001 (Command and Scripting Interpreter)
Usage of PowerShell and Batch scripts (0a1a98b5f9fc7c62.bat).

T1055 (Process Injection)
Uses Donut to generate shellcode and inject payloads into explorer.exe to run purely in memory.

T1562.001 (Impair Defenses)
Disables Task Manager and UAC prompts to prevent user termination.

T1056.001 (Keylogging) & T1125 (Video Capture)
Pulsar RAT capabilities include webcam/mic surveillance and keystroke logging.

T1611 (Escape to Host)
While not a VM escape, the "Live Chat" feature represents a breaking of the "fourth wall" between attacker and victim.

CVE Profile

Pending NVD Analysis

As a zero-day campaign leveraging open-source toolkits (Pulsar/Quasar forks), specific CVEs for the delivery method are TBD.

Active Exploitation
Confirmed active in the wild (CISA KEV criteria met for "Active Exploitation" definition, though specific CVE assignment is pending).

Forensic Indicators (IOCs)

File Path
%APPDATA%\Microsoft\0a1a98b5f9fc7c62.bat (Batch file dropper).

Behavior
Unexpected explorer.exe network connections; system fan spin-up due to high CPU usage from in-memory .NET assemblies.

Network
Exfiltration traffic to Discord and Telegram API endpoints.

Tools
Presence of Donut shellcode artifacts or Stealerv37 signatures.

Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Identification & Containment

Isolate

Immediately VLAN-isolate any endpoint exhibiting unauthorized "Live Chat" windows or flagging 0a1a98b5f9fc7c62.bat.

Hunt
Query SIEM for PowerShell execution strings referencing %APPDATA%\Microsoft and unexpected traffic to discord.com/api or api.telegram.org from non-user subnets.

Process Block
Use EDR to suspend (not just kill) explorer.exe instances with unbacked memory regions (floating code) indicative of Donut injection.

Eradication

Memory Analysis

The malware resides in memory. A simple reboot may clear the active injection, but persistence mechanisms (Registry Run Keys/Scheduled Tasks) will reinfect.

Purge
Remove the specific batch file 0a1a98b5f9fc7c62.bat and audit Task Scheduler for tasks created within the infection window.

Reset
Force a global password reset for all users on the infected machine due to the Stealerv37 component.

Recovery

Reimage

Due to the RAT's deep system integration (UAC disablement, Task Manager tampering), reimaging is the only safe option for enterprise assets.

Patch
Ensure ASR (Attack Surface Reduction) rules block obfuscated scripts and child process creation from Office/PDF apps.

Lessons Learned
Update threat intelligence feeds to track "Pulsar RAT" variants.

Conduct user training on the "Live Chat" tactic; users should be trained to disconnect power immediately rather than engage with attackers.

Remediation - THE HOME USER TRACK

Priority 1: Safety (The "Disconnect" Protocol)

If a chat window pops up or your mouse moves on its own, physically disconnect the computer from the internet immediately (unplug the Ethernet cable or disable Wi-Fi via hardware switch). Do NOT engage with the chat.

Cold Boot
Shut down the computer completely. Wait 30 seconds. Turn it back on without reconnecting to the internet.

Priority 2: Persistence Removal
Boot into Safe Mode (Hold Shift while clicking Restart -> Troubleshoot -> Advanced Options -> Startup Settings -> Restart -> Press 4).

Check specifically for the file 0a1a98b5f9fc7c62.bat in your AppData folder (Type %APPDATA% in the file explorer bar) and delete it if found.

Run a full offline scan using Microsoft Defender or a reputable second-opinion scanner (e.g., Malwarebytes) transferred via USB from a clean machine.

Priority 3: Identity Triage
Assume Compromise: The "Stealerv37" component targets Chrome/Edge passwords and cookies.

Using a different, clean device (like your phone on cellular data), change passwords for:

Email accounts (Primary target).

Banking/Crypto wallets.

Gaming accounts (Steam/Roblox).

Enable 2FA (Two-Factor Authentication) everywhere immediately.

Hardening & References

Baseline

Enable "Controlled Folder Access" in Windows Security to prevent unauthorized changes to system folders.

Framework
NIST SP 800-61r2 (Incident Handling) - Phase 2 (Detection & Analysis).

Tactical
Visual guide recommended for Home Users trying to enter Safe Mode.

System Note
This malware uses psychological pressure (Live Chat). Do not let panic dictate your response. Disconnect, Isolate, and Clean.

Source

Point Wild (Lat61 Threat Intelligence Team)

Hackread

Technical References (Contextual)

Attack Vector
"Living-off-the-land" via PowerShell

Injection Tool
Donut (Shellcode Generator)

Targeted Platforms

Discord & Telegram (Exfiltration channels)

Steam & Roblox (Gaming accounts)

NordVPN & Crypto Wallets
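As an added example (not the poster's code, and not from the Point Wild or Hackread write-ups), here are the hunt rules from the Technical Analysis post above and the earlier advice to monitor HKCU Run entries and PowerShell spawning patterns, applied in Python to constructed endpoint telemetry. The event shapes, the stage.ps1 name and the EXPECTED_TALKERS list are assumptions made for this example.

```python
import re

# Sample endpoint telemetry, constructed for this example (not from the Point Wild report):
# HKCU Run values, process creations and outbound connections, with benign ones mixed in.
EVENTS = [
    {"type": "run_key", "name": "OneDrive",
     "value": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "run_key", "name": "Update",
     "value": r"C:\Users\u\AppData\Roaming\Microsoft\0a1a98b5f9fc7c62.bat"},
    {"type": "process", "image": "cmd.exe", "parent": "explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Roaming\Microsoft\0a1a98b5f9fc7c62.bat"'},
    {"type": "process", "image": "powershell.exe", "parent": "cmd.exe",  # stage.ps1 is a made-up name
     "cmdline": r"powershell.exe -w hidden -f C:\Users\u\AppData\Roaming\Microsoft\stage.ps1"},
    {"type": "process", "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"type": "network", "image": "explorer.exe", "dest": "discord.com", "port": 443},
    {"type": "network", "image": "explorer.exe", "dest": "www.msftconnecttest.com", "port": 80},
    {"type": "network", "image": "powershell.exe", "dest": "api.telegram.org", "port": 443},
    {"type": "network", "image": "chrome.exe", "dest": "discord.com", "port": 443},
]

SCRIPT_EXT = re.compile(r"\.(bat|cmd|vbs|js|ps1)\b", re.IGNORECASE)
# %APPDATA%\Microsoft is the directory the report names for the batch dropper.
APPDATA_MS = re.compile(r"AppData\\Roaming\\Microsoft\\", re.IGNORECASE)
# Script hosts: the binaries that H_C-style firewall rules keep off the network.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
EXFIL_DOMAINS = {"discord.com", "api.telegram.org"}
# Processes from which traffic to those domains is ordinary user activity (assumed list).
EXPECTED_TALKERS = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe", "telegram.exe"}


def hunt(events):
    """Return one finding per rule hit; a single event may trigger several rules."""
    findings = []

    def hit(rule, why, ev):
        findings.append({"rule": rule, "why": why, "event": ev})

    for ev in events:
        if ev["type"] == "run_key":
            if SCRIPT_EXT.search(ev["value"]):
                hit("RUN-SCRIPT", "Run key launches a script file", ev)
            if APPDATA_MS.search(ev["value"]):
                hit("RUN-APPDATA", "Run key points into %APPDATA%\\Microsoft", ev)
        elif ev["type"] == "process":
            if ev["image"] in SCRIPT_HOSTS and APPDATA_MS.search(ev["cmdline"]):
                hit("HOST-APPDATA", "script host given a path under %APPDATA%\\Microsoft", ev)
        elif ev["type"] == "network":
            if ev["dest"] in EXFIL_DOMAINS and ev["image"] not in EXPECTED_TALKERS:
                hit("NET-EXFIL", "Discord/Telegram API reached from an unexpected process", ev)
            if ev["image"] in SCRIPT_HOSTS:
                hit("NET-LOLBIN", "script host making an outbound connection", ev)
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['rule']:12} {f['why']:58} {f['event']}")
```

On the sample data the OneDrive Run entry, the interactive Get-Process call and Chrome's Discord traffic produce no findings, while every stage of the chain described in the thread produces at least one.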
 
Concerning case of Pulsar RAT with its “live chat” while stealing data… almost feels like customer support, but in thief mode 🙃.

From what I understand, these threats leverage PowerShell and run in memory, with persistence in HKEY_CURRENT_USER and exfiltration via Discord/Telegram.

@Andy Ful, do you think the hardening applied by Hard_Configurator (especially the PowerShell restrictions and the strengthened Windows Firewall) could make it harder for this kind of RAT to execute or communicate?

I mention this because, while Comodo’s sandbox helps to contain the browser (thanks @ErzCrz for showing me how to run browsers this way), I’m not sure if that would be effective in this case. My impression is that Hard_Configurator could add another interesting defensive layer. Do you see it as a viable brake, or would this malware still have room to maneuver?🤔🔐
 
While I'm certainly not Andy I can address this. Based on the technical details of the Pulsar RAT campaign found in the provided reports, the hardening measures applied by Hard_Configurator (H_C) would likely completely neutralize this attack chain before the RAT could establish a connection or launch the "Live Chat."

Kill Step 1
By default, H_C configures Windows to block the execution of all scripts (.bat, .cmd, .vbs, .ps1) and executables located in user-writable directories like %APPDATA% and %TEMP%.

The Windows OS would refuse to run the 0a1a98b5f9fc7c62.bat file immediately upon double-click or system trigger, displaying a "This program is blocked by group policy" message. The attack fails at step zero.

Kill Step 2
The malware "hijacks the computer’s own trusted tools, like PowerShell, to run its code entirely in the system’s memory." H_C typically enforces Constrained Language Mode (CLM) for PowerShell or blocks powershell.exe execution entirely for standard users. Even if the batch file somehow executed, the subsequent call to PowerShell would fail. In Constrained Language Mode, the complex .NET reflection required to load the "Donut" shellcode generator and perform memory injection is strictly prohibited.

Kill Step 3
The malware needs to communicate with discord.com/api and api.telegram.org to receive commands and exfiltrate data (passwords, cookies, crypto wallets). The "Strengthened Windows Firewall" (often using the Recommended H_C Firewall Rules) creates block rules for "LOLBins" (Living Off The Land Binaries). This explicitly blocks powershell.exe, wscript.exe, and cscript.exe from making any outbound network connections. Even if the PowerShell script ran (bypassing SRP), it would be unable to download the secondary payload (Stealerv37) or send the initial "check-in" beacon to the attacker's Discord webhook.

The malware attempts to inject code into explorer.exe. explorer.exe is a trusted Windows process and is almost always allowed through firewalls to let the user browse the web. If the malware successfully injects into explorer.exe, the firewall might allow the traffic because it appears to come from a trusted process. This highlights why the SRP (Batch file block) and PowerShell restrictions are the most critical layers. They prevent the injection from ever happening. Relying on the firewall alone might be risky if the injection succeeds, but the full H_C suite stops the injection at the source.
 
Thank you for such a clear explanation 🙌. Every contribution I receive in these threads feels like a gift, because it always helps me broaden my understanding and learn nuances I might otherwise miss. I truly value your input and welcome it with gratitude, as it enriches the exchange and strengthens the community. 🔐✨
 
@Andy Ful, do you think the hardening applied by Hard_Configurator (especially the PowerShell restrictions and the strengthened Windows Firewall) could make it harder for this kind of RAT to execute or communicate?

Yes:
  1. The initial batch file will be blocked.
  2. If not, the dropped PowerShell script will be blocked.
  3. If not, the payload will not be decoded due to PowerShell Constrained Language Mode.
  4. If not, the shellcode will not be injected into Explorer due to PowerShell Constrained Language Mode.

I mention this because, while Comodo’s sandbox helps to contain the browser (thanks @ErzCrz for showing me how to run browsers this way), I’m not sure if that would be effective in this case. My impression is that Hard_Configurator could add another interesting defensive layer. Do you see it as a viable brake, or would this malware still have room to maneuver?🤔🔐

Comodo can block the attack if properly configured (via the Script Analysis feature). The batch and PowerShell scripts will be contained.
 
Thank you very much, @Andy Ful 🙏. Your explanation gives me a very clear view of how Hard_Configurator acts step by step against this type of threat. For me, it is extremely valuable to have the direct perspective of the tool’s developer (without diminishing @Divergent’s detailed contribution), because it turns theory into something practical and trustworthy. I truly appreciate you sharing this knowledge with the community, as it helps us better understand the defenses and feel more confident when applying them. 🔐✨
 
It doesn't say in what circumstances you would end up chatting to these people; does it hijack other chat modules?? It does seem you have to be the bluntest knife in the drawer to get into this situation??
Says it starts with a file in the AppData folder; it doesn't explain how it got there in the first place.

 
What edjit would engage in any live chat if such appeared? Don't engage, image back, format, switch router off, whatever, surely?? It's our thinking ability that needs hardening here, it seems?
Storm in a tea cup??
 
The story is missing some parts.

The simplest missing part:
Chat, Forum discussions, Phishing, etc. ---> download ZIP archive with embedded shortcut (PDF icon) + hidden .bat + .pdf

The user can see only something that looks like a PDF document. After opening, the shortcut runs the .bat file, which opens a benign .pdf, copies itself to %AppData%\Microsoft, adds persistence via the registry Run key, and infects the system.
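An added example, not part of Andy Ful's post or any of the cited reports: a Python triage of the archive layout he describes (a shortcut carrying a document icon, a hidden .bat, a decoy .pdf). The archive is rebuilt in memory with inert placeholder bytes, the hidden flag is read from the DOS attribute byte of each ZIP entry, and the member names and extension lists are assumptions for the example.

```python
import io
import zipfile

# DOS attribute bits live in the low byte of ZipInfo.external_attr (hidden = 0x02).
DOS_HIDDEN = 0x02
SHORTCUT_EXT = (".lnk",)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")
DOCUMENT_EXT = (".pdf", ".docx", ".xlsx", ".txt")


def build_archive(entries):
    """Pack (name, data, hidden) tuples into an in-memory ZIP and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, hidden in entries:
            info = zipfile.ZipInfo(name)
            info.external_attr = DOS_HIDDEN if hidden else 0
            zf.writestr(info, data)
    return buf.getvalue()


# The lure layout from the post, rebuilt as a constructed sample with placeholder
# bytes: no real shortcut or batch content is included.
SAMPLE_LURE = build_archive([
    ("Invoice.pdf.lnk", b"placeholder shortcut", False),
    ("0a1a98b5f9fc7c62.bat", b"placeholder batch", True),
    ("Invoice.pdf", b"%PDF-1.4 placeholder", False),
])


def triage_archive(data):
    """Return a verdict and the suspicious traits of a ZIP attachment.
    'lure' when a shortcut is packed together with a script, 'review' when only
    one of the two is present, 'clean' otherwise."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
    names = [m.filename.lower() for m in members]
    shortcuts = [n for n in names if n.endswith(SHORTCUT_EXT)]
    scripts = [n for n in names if n.endswith(SCRIPT_EXT)]
    docs = [n for n in names if n.endswith(DOCUMENT_EXT)]
    traits = []
    if shortcuts:
        traits.append("shortcut file in archive")
    if any(n.endswith(tuple(e + ".lnk" for e in DOCUMENT_EXT)) for n in shortcuts):
        traits.append("shortcut named with a double extension")
    if scripts:
        traits.append("script file in archive")
    if any(m.filename.lower().endswith(SCRIPT_EXT) and m.external_attr & DOS_HIDDEN
           for m in members):
        traits.append("script marked hidden")
    if docs and shortcuts:
        traits.append("decoy document alongside shortcut")
    verdict = "lure" if shortcuts and scripts else ("review" if shortcuts or scripts else "clean")
    return {"verdict": verdict, "traits": traits}


if __name__ == "__main__":
    print(triage_archive(SAMPLE_LURE))
```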
 
The "Live Chat" Feature
You asked if the "Live Chat" implies a hijack of your own tools. It does not; it is a built-in feature of the RAT itself used for direct interaction by the attacker.

Source
Point Wild & ThreatMon

Evidence
Technical reports on Pulsar RAT (and its predecessor Quasar RAT) confirm it includes a "Remote Control with Live Chat" module. This is a custom window the attacker opens on your desktop to communicate with you (often for extortion), rather than a hijack of your WhatsApp or Slack.

Link: Point Wild: When Malware Talks Back

Hijacking Discord & Telegram (Token Stealing)
You asked if it hijacks other modules. Yes, it specifically targets session "tokens" to bypass passwords.

Source
VirusTotal & ThreatMon

Evidence
Analysis of the "Stealerv37" payload (often used with Pulsar) shows it targeting discord.com/api and api.telegram.org. It uses the "Kematian Stealer" module to extract authentication tokens from these apps, allowing attackers to log in as you without needing your password or 2FA.

Link: ThreatMon: Understanding Pulsar RAT

The "Bluntest Knife" (Social Engineering)
You questioned whether one needs to be "stupid" to get infected. Recent campaigns prove this false by targeting technical experts.

Source
SC Media & The Hacker News

Evidence
A recent campaign found Pulsar RAT hidden inside complex, obfuscated npm and PyPI packages (coding libraries). Developers who simply typed npm install [package-name] to do their job were instantly infected. This proves that infection often comes from "trusted" technical workflows, not just "clicking dumb links."

Link: SC Media: Complex npm attack uses 7-plus layers of obfuscation to spread Pulsar RAT