Pulsar RAT Malware Campaign Exploits Windows “Living off the Land” Techniques for Silent Long-Term Theft

Listen to this Post

Featured Image

Introduction: A Quiet Malware That Refuses to Leave Traces

A new malware campaign known as Pulsar RAT is quietly targeting Windows systems using stealth-first techniques designed to evade traditional security tools. Instead of dropping obvious malicious files, this threat abuses trusted Windows components already present on the system—a strategy widely known as living off the land. By hiding in memory, abusing registry persistence, and injecting itself into legitimate processes, Pulsar RAT represents a growing class of modular .NET malware that prioritizes invisibility over brute force.

Overview of the Pulsar RAT Campaign

Pulsar RAT is a multi-stage malware operation built to remain hidden while maintaining deep control over infected machines. It combines credential theft, remote access capabilities, and surveillance features such as webcam and microphone monitoring. What makes it particularly dangerous is its reliance on legitimate Windows binaries and public offensive tools, making detection far more difficult for signature-based antivirus solutions.

Living Off the Land: Why Pulsar RAT Is Hard to Detect

Instead of deploying large executable files, Pulsar RAT leverages tools already installed on Windows systems, such as cmd.exe, PowerShell, and trusted system processes like explorer.exe and svchost.exe. By doing so, the malware blends into normal system activity, dramatically reducing the chance of raising alarms during routine scans.

Stage One: Registry-Based Persistence Through a Hidden Batch File

The infection chain begins with a small batch file placed inside a randomly named directory under %APPDATA%\Microsoft. This file is registered for persistence using the Windows Run registry key:

HKCUSoftwareMicrosoftWindowsCurrentVersionRun

Every time the user logs in, the batch file executes silently via cmd.exe, ensuring the malware survives reboots without requiring elevated privileges.

Self-Decoding Malware Logic Inside the Batch File

Rather than fetching external scripts immediately, the batch file contains an embedded Base64-encoded payload hidden inside comments. At runtime, it decodes its own content and writes a temporary PowerShell script into the %TEMP% directory. Once executed with execution policy bypassed, the batch file deletes the temporary artifacts, leaving almost no forensic footprint behind.

Stage Two: PowerShell Loader and Memory Injection

The PowerShell script performs the most critical tasks in the attack chain. It XOR-decrypts shellcode generated by the open-source Donut loader, then deliberately pauses execution for approximately 80 seconds. This delay is designed to bypass sandbox environments and automated malware analysis tools that rely on short execution windows.

Process Injection Into Trusted Windows Services

After the delay, the PowerShell loader injects the decrypted shellcode into svchost.exe using Windows API calls such as VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. If the injected process is terminated, a watchdog loop reinjects the payload into explorer.exe, ensuring continued execution.

Stage Three: In-Memory .NET Payload Deployment

The injected Donut shellcode decrypts its final payload using the Chaskey cipher, resulting in a .NET executable known as Client.exe. This file never touches disk in its decrypted form. Instead, it loads additional components—Pulsar.Common.dll and Stealer37.dll—directly into memory.

Modular Design Enhances Stealth and Flexibility

This modular architecture allows attackers to update or swap components without rewriting the entire malware. It also makes reverse engineering significantly harder, as analysts must reconstruct multiple in-memory assemblies rather than analyze a single executable file.

Breakdown of the Infection Chain

Each stage of the Pulsar RAT campaign serves a specific purpose, from persistence to execution and data theft. The structured, layered approach reflects a professional-grade malware operation optimized for long-term access rather than quick exploitation.

Pulsar RAT Remote Access Capabilities

Once fully deployed, Pulsar RAT grants attackers extensive control over infected systems. Capabilities include remote shell access, disabling the task manager, manipulating UAC settings, and executing arbitrary commands—all without alerting the user.

Advanced Surveillance and Host Profiling

Beyond remote access, Pulsar RAT actively profiles the infected system. It captures screenshots, records audio through the microphone, streams webcam feeds, and monitors clipboard activity to intercept cryptocurrency wallet addresses. This level of surveillance suggests both financial and intelligence-gathering motives.

Anti-Analysis and Anti-Detection Features

The malware continuously scans for debugging tools such as x64dbg and dnSpy, as well as signs of virtualized environments. If analysis indicators are detected, the malware can alter behavior or terminate execution, complicating sandbox-based detection.

Stealer37: Targeting Over 100 Applications

The Stealer37 module is responsible for credential theft across a wide range of applications. These include browsers, VPN clients, FTP tools, remote desktop software, gaming platforms, and popular messaging apps like Discord and Telegram.

Credential Theft at Massive Scale

By targeting more than 100 applications, Pulsar RAT significantly increases the likelihood of harvesting valuable credentials. Browser-stored passwords, VPN logins, and remote administration credentials all provide attackers with opportunities for lateral movement or resale on underground markets.

Data Packaging and Exfiltration Methods

Stolen data is compressed into ZIP archives containing summary files such as IntelIX.txt, which catalog the victim’s system information and harvested credentials. These archives are exfiltrated using Discord webhooks or Telegram bots, blending malicious traffic into legitimate cloud-based communication platforms.

Command-and-Control Infrastructure

Observed command-and-control activity includes connections to endpoints such as 185.132.53.17:7800. Using non-standard ports and common protocols further helps the malware avoid network-based detection systems.

MITRE ATT&CK Technique Mapping

Pulsar RAT aligns with multiple MITRE ATT&CK techniques, including process injection, PowerShell abuse, security tool impairment, and heavy obfuscation. This mapping confirms the campaign’s reliance on well-documented but still highly effective attack vectors.

Detection Challenges and Defensive Measures

Traditional antivirus solutions often struggle against fileless malware like Pulsar RAT. Behavioral monitoring, memory inspection, and registry auditing are far more effective than signature-based detection in identifying this type of threat.

Remediation and Cleanup Recommendations

Infected systems should be rebooted into Safe Mode and scanned with behavior-aware security tools. Analysts report successful detection under names such as Trojan_210126_Donut_Client, particularly when behavioral indicators override anti-VM evasion tactics.

Known Hashes and Artifacts

Several cryptographic hashes have been associated with the Pulsar RAT campaign, offering defenders potential indicators of compromise for threat hunting and forensic investigations.

Long-Term Implications of the Campaign

This malware operation highlights how attackers increasingly blend public offensive tools with custom code to achieve stealth and persistence. The approach lowers development costs while maintaining high effectiveness.

What Undercode Say:

Pulsar RAT is not just another Windows stealer—it is a blueprint for where modern malware is heading. The campaign demonstrates a clear shift away from noisy exploits and toward quiet, memory-resident threats that exploit trust in built-in system tools. By abusing PowerShell, registry persistence, and legitimate processes, attackers effectively weaponize the operating system itself.

What stands out is the disciplined engineering behind the attack chain. Each stage performs a narrowly defined role, reducing exposure while increasing reliability. The use of Donut for in-memory execution and Chaskey encryption reflects a deep understanding of both offensive tooling and defensive blind spots.

The modular .NET design also signals scalability. Attackers can adapt this framework to deploy ransomware, cryptominers, or espionage tools with minimal changes. Pulsar RAT is less about a single campaign and more about an evolving platform.

For defenders, this means endpoint security must evolve beyond static detection. Behavioral analysis, registry monitoring, and memory inspection are no longer optional—they are mandatory. Organizations relying solely on traditional antivirus are effectively blind to threats like Pulsar RAT.

Ultimately, Pulsar RAT reinforces a harsh reality: modern malware does not need zero-day exploits to succeed. It only needs patience, discipline, and a deep understanding of how legitimate systems work.

Fact Checker Results

✅ The attack chain accurately reflects multi-stage fileless malware behavior.
✅ Use of Donut and PowerShell aligns with observed real-world campaigns.
❌ Some infrastructure details may change rapidly as attackers rotate C2 servers.

Prediction

🔮 Fileless and in-memory malware will dominate Windows threat landscapes in the near future.
🔮 Abuse of legitimate cloud services for data exfiltration will continue to rise.

🔮 Defensive strategies will increasingly prioritize behavior over signatures.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.reddit.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon