Multi-Stage PureRAT Campaign Exploits PNG Files for Fileless Execution
Malware coverage focused on infection paths, containment steps and indicators defenders should watch.
Resolved or patched. Source coverage indicates that a fix or formal remediation has been published. Verify that updates are applied in your environment.
Ethan Carter is the responsible editor for this article. Leads HackWatch coverage of phishing, active exploitation, breaches and practical response workflows for high-risk cyber incidents. View author profile.
A sophisticated multi-stage malware campaign is leveraging seemingly benign PNG image files to deploy PureRAT via fileless execution techniques. This high-risk attack injects portable executable payloads into ordinary PNGs, evading traditional detection and enabling stealthy infiltration. Based on multiple corroborating reports, this article details the attack mechanics, affected parties, and actionable steps to mitigate risk.
What happened
Cybersecurity researchers have uncovered a multi-stage campaign that delivers the PureRAT malware by embedding a portable executable (PE) payload inside an otherwise valid PNG image. The image still opens as a picture, so file-based scanners treat it as inert data, and the PE it carries is never written to disk as a standalone executable. That combination lets the chain slip past antivirus and endpoint tools that key on executable files.
The chain starts with a seemingly harmless PNG. An image cannot run itself: an earlier stage, delivered through phishing or a compromised website, carves the embedded PE out of the image data and loads it directly into memory, so no malicious executable touches disk and forensic analysis has far less to work with. The final stage is PureRAT, a remote access trojan with data-exfiltration and persistence capabilities.
Confirmed facts
- Payload delivery method: Portable executable code injected into PNG image files.
- Execution technique: Fileless, in-memory execution of PureRAT malware.
- Attack stages: Multi-stage, beginning with PNG delivery, followed by in-memory payload extraction and execution.
- Malware capabilities: PureRAT enables remote control, data theft, and persistence.
- Detection challenges: Traditional antivirus solutions often miss these attacks due to the non-executable file format and fileless execution.
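To make the facts above concrete, here is an added example (written for this page, not code from the reporting or from the campaign's tooling) that parses a PNG by its chunk structure and reports the places a PE can hide: an unknown chunk, bytes appended after IEND, or the inflated pixel stream. The sample images, the private chunk name prVt and the stub "PE" (a DOS header pointing at a PE signature) are all constructed inline; nothing here is an indicator from the campaign.

```python
"""Triage a PNG for a hidden PE. Added example, not code from the reporting or
the campaign. Walks the chunk structure and reports what a benign image should
not have: a DOS/PE header inside any chunk or the inflated pixel stream, bytes
after IEND, unknown chunk types, bad CRCs. Samples and the prVt chunk are made up."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
    b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME",
}

def looks_like_pe(blob):
    """True if blob starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_pe(blob):
    """Offset of the first PE image inside blob, or -1; it need not sit at offset 0."""
    idx = blob.find(b"MZ")
    while idx != -1:
        if looks_like_pe(blob[idx:]):
            return idx
        idx = blob.find(b"MZ", idx + 1)
    return -1

def parse_chunks(data):
    """Return ([(type, payload, crc_ok, offset), ...], bytes_after_IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        if pos + 12 + length > len(data):  # declared length runs past end of file
            chunks.append((ctype, data[pos + 8:], False, pos))
            return chunks, b""
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", data, pos + 8 + length)
        chunks.append((ctype, payload, zlib.crc32(ctype + payload) == crc, pos))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]

def scan_png(data):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    chunks, trailing = parse_chunks(data)
    for ctype, payload, crc_ok, off in chunks:
        name = ctype.decode("latin-1")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk {name} ({len(payload)} bytes) at offset {off}")
        if not crc_ok:
            findings.append(f"bad CRC on chunk {name} at offset {off}")
        pe = find_pe(payload)
        if pe >= 0:
            findings.append(f"PE header inside chunk {name} at payload offset {pe}")
    # A payload stored in the pixel data is only visible after inflating the IDAT stream.
    try:
        pe = find_pe(zlib.decompress(b"".join(p for t, p, _, _ in chunks if t == b"IDAT")))
        if pe >= 0:
            findings.append(f"PE header inside inflated image data at offset {pe}")
    except zlib.error:
        findings.append("IDAT stream does not inflate (corrupt, or not pixel data at all)")
    if trailing:
        pe = find_pe(trailing)
        findings.append(f"{len(trailing)} bytes appended after IEND"
                        + (f", PE header at offset {pe}" if pe >= 0 else ""))
    return findings

def png_chunk(ctype, payload):
    crc = struct.pack(">I", zlib.crc32(ctype + payload))
    return struct.pack(">I", len(payload)) + ctype + payload + crc

def build_png(extra_chunks=(), trailing=b""):
    """Constructed 1x1 RGB PNG with optional extra chunks before IDAT and bytes after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    scanline = b"\x00\xff\x00\x00"  # filter type 0 followed by one red pixel
    parts = [PNG_SIG, png_chunk(b"IHDR", ihdr)]
    parts += [png_chunk(t, p) for t, p in extra_chunks]
    parts += [png_chunk(b"IDAT", zlib.compress(scanline)), png_chunk(b"IEND", b"")]
    return b"".join(parts) + trailing

def fake_pe():
    """Constructed stand-in for a PE: DOS header at 0, e_lfanew -> 'PE\\0\\0' at 0x40."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20

CLEAN_PNG = build_png()
CARRIER_PNG = build_png(extra_chunks=[(b"prVt", b"\x00" * 16 + fake_pe())],
                        trailing=b"junk" + fake_pe())
```

Run it against a real file with scan_png(open(path, "rb").read()). Attackers usually XOR- or base64-encode the embedded PE, in which case the MZ/PE check will not fire; that is why the structural findings (unknown chunk, appended bytes, bad CRC, IDAT that does not inflate) are reported on their own and are the ones worth hunting on across a mail store or web cache.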
Who is affected
Organizations and individuals are at risk, especially those:
- Receiving unsolicited emails with image attachments.
- Visiting compromised or malicious websites hosting infected PNG files.
- Using outdated or unpatched endpoint security solutions.
Sectors with high-value data, such as finance, healthcare, and government, are particularly targeted due to the potential for sensitive data exfiltration.
What to do now
- Inspect email attachments carefully: Avoid opening unexpected PNG images, especially from unknown sources.
- Update endpoint protection: Ensure antivirus and endpoint detection and response (EDR) tools are updated to detect fileless threats.
- Implement network monitoring: RAT activity is easier to spot on the wire than on disk. Look for periodic outbound connections (beaconing) from processes that have no business calling out, and pair that with endpoint telemetry that records in-memory module loads, since in-memory execution itself is invisible to network sensors.
- Conduct threat hunting: Proactively search for signs of PureRAT or similar malware in your environment.
- Educate users: Train employees to recognize phishing attempts that may deliver these malicious PNG files.
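The monitoring and threat-hunting steps above are easiest to act on with a concrete query. The following added example (not from the reporting) hunts for the one thing an in-memory RAT cannot avoid, periodic call-home traffic: it groups outbound connections by process and destination and flags groups whose inter-connection gaps are near-constant. The log, the process names loader.exe, browser.exe and updater.exe, and the addresses (documentation ranges) are constructed for the example and are not campaign indicators; the thresholds min_conns and max_cv are assumptions to tune for your environment.

```python
"""Beacon hunt over outbound connection logs. Added example, not from the reporting.
Groups connections by (process, destination, port) and flags groups whose gaps
between connections are regular (low coefficient of variation). The log, names,
addresses and thresholds below are constructed for illustration."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: timestamp,process,dest_ip,dest_port,bytes_out
SAMPLE_LOG = """\
2025-11-20T10:00:00,loader.exe,203.0.113.10,443,412
2025-11-20T10:00:03,browser.exe,198.51.100.5,443,2310
2025-11-20T10:00:08,browser.exe,198.51.100.5,443,180
2025-11-20T10:00:48,browser.exe,198.51.100.5,443,9900
2025-11-20T10:00:51,browser.exe,198.51.100.5,443,77
2025-11-20T10:01:01,loader.exe,203.0.113.10,443,410
2025-11-20T10:01:59,loader.exe,203.0.113.10,443,415
2025-11-20T10:02:51,browser.exe,198.51.100.5,443,14000
2025-11-20T10:02:58,browser.exe,198.51.100.5,443,300
2025-11-20T10:03:02,loader.exe,203.0.113.10,443,411
2025-11-20T10:03:58,browser.exe,198.51.100.5,443,6000
2025-11-20T10:04:00,loader.exe,203.0.113.10,443,414
2025-11-20T10:04:00,browser.exe,198.51.100.5,443,50
2025-11-20T10:04:58,loader.exe,203.0.113.10,443,409
2025-11-20T10:05:00,updater.exe,192.0.2.20,443,1200
2025-11-20T10:06:00,updater.exe,192.0.2.20,443,1200
2025-11-20T10:06:01,loader.exe,203.0.113.10,443,413
2025-11-20T10:07:00,loader.exe,203.0.113.10,443,412
2025-11-20T10:07:00,updater.exe,192.0.2.20,443,1200
"""

def parse_log(text):
    """Parse the CSV above into (timestamp, process, dest_ip, port, bytes_out) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, proc, dst, port, nbytes = line.split(",")
        events.append((datetime.fromisoformat(ts), proc, dst, int(port), int(nbytes)))
    return events

def beacon_candidates(events, min_conns=6, max_cv=0.2):
    """Return (process, destination) groups that connect at a near-constant interval.

    min_conns: fewer connections than this cannot establish a period (assumed threshold).
    max_cv: standard deviation of the gaps divided by the mean gap; a timer with little
            jitter scores near 0, interactive traffic scores well above 1 (assumed threshold).
    """
    groups = defaultdict(list)
    for ts, proc, dst, port, nbytes in events:
        groups[(proc, dst, port)].append((ts, nbytes))
    hits = []
    for (proc, dst, port), rows in groups.items():
        if len(rows) < min_conns:
            continue
        rows.sort()
        times = [ts for ts, _ in rows]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # all connections in the same second: a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            sizes = [n for _, n in rows]
            hits.append({
                "process": proc, "dest": f"{dst}:{port}", "connections": len(rows),
                "period_s": mean_gap, "jitter_cv": cv,
                "bytes_out_spread": max(sizes) - min(sizes),  # fixed-size check-ins are another tell
            })
    return sorted(hits, key=lambda h: h["jitter_cv"])

if __name__ == "__main__":
    for hit in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(hit)
```

A low jitter_cv together with a small bytes_out_spread is the classic beacon shape; real RATs add randomized sleep, so widen max_cv and lengthen the observation window before trusting a miss. Because the loader stage that precedes PureRAT is typically a script, the process behind a hit (a script host, an unsigned image, a binary in a user-writable path) is as telling as the timing, so join hits against process context before escalating.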
How to secure yourself
- Apply software patches promptly: Keep operating systems and security software current to mitigate exploitation vectors.
- Use application whitelisting: Restrict execution to trusted applications to prevent unauthorized code execution.
- Deploy advanced threat protection: Utilize solutions capable of detecting fileless malware and anomalous memory behavior.
- Restrict macro and script execution: Many fileless attacks leverage scripts; disabling unnecessary scripting reduces risk.
- Backup critical data: Maintain regular backups to recover quickly in case of compromise.
2026 update
By 2026, fileless techniques had advanced further, with attackers routinely hiding executable code in legitimate file formats such as images and documents. Security vendors responded by adding behavioral analysis and memory forensics, increasingly driven by machine-learning models, to endpoint protection platforms, which has improved detection of these stealthy attacks. Organizations that adopted zero-trust architectures and continuous monitoring report fewer successful fileless intrusions, but attackers keep adapting, so layered defenses and vigilance remain necessary.
FAQ
What is PureRAT and why is it dangerous?
PureRAT is a remote access trojan that allows attackers to control infected systems remotely, steal data, and maintain persistence. Its stealthy execution methods make it particularly dangerous.
How can PNG files contain malware?
No flaw in the PNG format is exploited. A PNG is a sequence of length-tagged chunks that viewers skip when they do not recognize them, and most viewers also ignore bytes after the final IEND chunk, so an attacker can store a PE (often encoded) in a private chunk, after IEND, or spread through the pixel data without breaking the image. A separate loader stage reads those bytes back out and executes them in memory, so the PE never exists on disk as a file a signature scanner would examine.
Am I affected if I received a PNG image via email?
Not necessarily. Risk depends on whether the PNG contains the malicious payload and if your security systems detect or block the execution. Exercise caution with unsolicited attachments.
How does fileless execution evade antivirus?
Fileless malware runs only in process memory; the files that do touch disk are a benign-looking image and the loader stage, neither of which matches executable signatures. Signature-based antivirus scans files, so it never sees the unpacked PE; catching it requires memory scanning or behavioral monitoring of the process that loaded it.
What industries are most targeted by PureRAT campaigns?
High-value sectors like finance, healthcare, government, and critical infrastructure are common targets due to the sensitive data they hold.
Can traditional antivirus detect this attack?
Traditional antivirus may struggle due to the fileless nature and use of image files. Advanced endpoint detection and behavioral analysis are more effective.
What immediate steps should organizations take?
Update security tools, educate users on phishing, implement network monitoring, and conduct threat hunting for signs of PureRAT.
How can I verify if my system is infected?
Look for outbound connections on a fixed interval to hosts your organization does not use, script hosts or other unexpected processes holding executable memory that maps to no file on disk, and alerts from endpoint tools that scan memory. If anything turns up, treat the host as compromised and engage incident response rather than just cleaning it.
What role does user training play in prevention?
User awareness reduces the risk of opening malicious attachments or clicking on phishing links, a common initial vector for this campaign.
How has the threat landscape changed in 2026?
Attackers increasingly use legitimate file formats and fileless techniques, prompting security solutions to adopt AI and behavioral analytics for detection.
Why this matters
This campaign exemplifies the growing sophistication of cyberattacks that evade traditional defenses by abusing trusted file formats and executing payloads in memory. The use of PNG images as malware carriers challenges conventional security assumptions, highlighting the critical need for advanced detection capabilities and user vigilance. Organizations ignoring these evolving tactics risk severe data breaches, operational disruption, and reputational damage.
Sources and corroboration
This analysis is based primarily on reporting from GBHackers News and SC Magazine, which detail the multi-stage PureRAT campaign leveraging PNG files for fileless execution. The findings align with broader industry observations of increasing fileless malware prevalence and novel payload delivery methods documented by multiple cybersecurity researchers.
- https://www.scworld.com/brief/multi-stage-purerat-campaign-harnesses-pngs-for-fileless-execution
Sources used for this article
scmagazine.com