HackWatch
High risk | Malware

New PureRAT Campaign Conceals PE Payloads in PNG Files and Executes Them Filelessly on Windows Systems

By: Marcin Pocztowski, Infrastructure Security Editor (Infrastructure and Vulnerability Response)

Published: Apr 21, 2026

Updated: May 01, 2026

Incident status: Active threat

Corroborating sources: 5

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 for server impact, affected-version evidence, privilege or code-execution claims and realistic patch priority. His remediation note follows the same discipline he would use around Juniper routers and production servers: verify scope, preserve useful logs, reduce exposed management access and only then apply the fix or compensating control supported by the 5 corroborating sources.


Active threat. Treat the campaign as active until containment is confirmed. This is a malware delivery technique, not a software vulnerability, so there is no vendor patch whose adoption would close it; the relevant verification is that the loader and payload are no longer present and no persistence or command-and-control activity remains.

A PureRAT malware campaign has emerged that hides Portable Executable (PE) payloads inside otherwise ordinary-looking PNG image files and runs them entirely in memory, so the payload never exists as a file that disk-based scanning could inspect.


What happened

In April 2026, security researchers reported a new campaign built around PureRAT, a remote access trojan (RAT). Its distinguishing technique is to carry a Portable Executable (PE) payload inside an otherwise ordinary-looking PNG image. A PNG cannot run code on its own, and simply viewing it in an image viewer does nothing; the campaign depends on the malware's loader component on the targeted Windows system, which reads the PE bytes out of the image and maps the executable directly into memory. Because the PE is never written to disk as a file, file-based antivirus scanning has nothing to inspect: only the PNG carrier and the loader ever touch the file system.

In-memory execution of the payload raises the cost of detection and response: there is no file to hash, quarantine or submit to a sandbox, and the evidence disappears on reboot unless memory is captured first. It does not by itself give the malware persistence; a memory-resident payload has to be re-established after a restart by whatever persistence mechanism the loader installs. The campaign has been observed delivering payloads through phishing emails and compromised websites, targeting enterprise and government networks with high-value data.

Confirmed facts

  • Malware variant: PureRAT, a remote access trojan that gives the operator interactive remote control of the infected host.
  • Delivery method: malicious PNG files carrying an embedded PE payload, distributed primarily through phishing campaigns and malicious web downloads.
  • Execution technique: fileless; the PE is extracted from the image and loaded directly into memory without ever being written to disk.
  • Target platform: Windows, including Windows 10 and Windows 11.
  • Execution context and persistence: the payload runs inside legitimate system processes to blend in. No specific persistence mechanism has been reported; since in-memory code does not survive a reboot, defenders should expect and hunt for a separate persistence artifact (a scheduled task, Run key, startup item or re-downloaded loader).
  • Detection evasion: hiding the PE inside a PNG defeats attachment filters and file-signature scanning of the payload, and avoiding disk writes sidesteps file-based EDR checks. Behavioral telemetry and memory scanning still see the loader's process activity.
  • Impact: remote control of the host, exfiltration of sensitive data, installation of additional malware and long-term access.

Who is affected

The campaign primarily targets:

  • Enterprise networks: Especially those in finance, healthcare, and critical infrastructure sectors.
  • Government agencies: Due to the high value of intelligence and sensitive information.
  • Individual users: Particularly those in organizations with less mature cybersecurity defenses who may receive phishing emails containing malicious PNG attachments.

Organizations with outdated endpoint protection, weak email filtering or no behavioral monitoring are at elevated risk.

What to do now

  • Immediate incident response: if you suspect infection, isolate the affected machine at the network level (disable its interfaces or move it to a quarantine VLAN) rather than powering it off, because the payload lives only in memory; capture a memory image before any reboot, then contain lateral movement.
  • Scan for indicators of compromise (IOCs): use current threat intelligence for PureRAT indicators, and scan process memory, not just the file system, for executable regions with no backing file and for code injected into legitimate processes.
  • Review email filtering rules: a blanket block on PNG attachments is rarely workable, so inspect inbound images for data appended after the IEND chunk or for PE headers inside chunk data, and scrutinize the script or executable that would have to accompany an image in order to unpack it.
  • Update endpoint protection: ensure antivirus and EDR solutions are updated with the latest detection capabilities for fileless threats, including memory scanning.
  • Conduct user awareness training: educate employees about phishing tactics and the risk of opening unsolicited attachments, including image files that arrive with an unexpected script, archive or executable.
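The attachment check described above, as an added example written for this page (it is not code from the original report or from the PureRAT authors): the script parses the PNG chunk structure, verifies each chunk's CRC, and looks for a PE header in the three places a carrier can hide one, after the IEND chunk, inside a private chunk, and inside the decompressed IDAT pixel data. The sample PNGs and the fake PE header are constructed inline; the private chunk name prIv, the finding strings and the 0x1000 cap on e_lfanew are this example's own choices.

```python
"""Triage a PNG for a concealed PE: bytes after IEND, a PE inside a chunk, or a PE in the IDAT pixel data."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
KNOWN_CHUNKS = {  # PNG spec chunks plus common APNG/eXIf extensions; anything else is private
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT", b"sRGB", b"tEXt",
    b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME", b"acTL", b"fcTL", b"fdAT", b"eXIf",
}
DOS_STUB = b"This program cannot be run in DOS mode"


def find_pe(blob):
    """Offset of the first MZ header whose e_lfanew points at 'PE\\0\\0', else -1."""
    off = blob.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
            if 0x40 <= e_lfanew <= 0x1000 and blob[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0":
                return off
        off = blob.find(b"MZ", off + 1)
    return -1


def parse_png(data):
    """(chunks, trailer): chunks are (type, body, crc_ok); trailer is the data after IEND, None if no IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos, chunks, trailer = len(PNG_SIGNATURE), [], None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        body, crc = data[pos + 8:pos + 8 + length], data[pos + 8 + length:pos + 12 + length]
        crc_ok = len(body) == length and len(crc) == 4 and struct.unpack(">I", crc)[0] == zlib.crc32(ctype + body)
        chunks.append((ctype, body, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            trailer = data[pos:]          # a well-formed PNG ends at IEND; anything after it is foreign
            break
    return chunks, trailer


def scan_png(data):
    """Human-readable findings; an empty list means no plaintext PE and no structural oddity."""
    findings, (chunks, trailer) = [], parse_png(data)
    if trailer is None:
        findings.append("no IEND chunk (truncated or malformed)")
    elif trailer:
        findings.append(f"{len(trailer)} bytes after IEND")
        if find_pe(trailer) != -1 or DOS_STUB in trailer:
            findings.append("PE header in post-IEND trailer")
    idat = b""
    for ctype, body, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"CRC mismatch in chunk {name}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk {name} ({len(body)} bytes)")
        if find_pe(body) != -1 or DOS_STUB in body:
            findings.append(f"PE header inside chunk {name}")
        idat += body if ctype == b"IDAT" else b""
    try:
        pixels = zlib.decompress(idat)    # a payload can also be smuggled as 'pixels' behind a tiny IHDR
        if find_pe(pixels) != -1 or DOS_STUB in pixels:
            findings.append("PE header inside decompressed IDAT (pixel data)")
    except zlib.error:
        findings.append("IDAT stream does not decompress")
    return findings


# --- constructed samples, not real campaign files ---------------------------------------------
def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_png(extra_chunks=(), trailer=b"", pixel_data=b"\x00\xff\x00\x00"):
    """Minimal 1x1 RGB PNG; the three optional arguments mimic the three hiding spots."""
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    extra = b"".join(_chunk(t, b) for t, b in extra_chunks)
    return PNG_SIGNATURE + ihdr + _chunk(b"IDAT", zlib.compress(pixel_data)) + extra + _chunk(b"IEND", b"") + trailer


def fake_pe():
    """DOS header + stub + 'PE\\0\\0' + a minimal COFF header: enough for find_pe, not a runnable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                  # e_lfanew -> offset 0x80
    return bytes(dos) + (DOS_STUB + b"\r\n$").ljust(0x40, b"\0") + b"PE\0\0" + b"\x4c\x01" + b"\0" * 18


SAMPLES = {
    "clean.png": build_png(),
    "trailer.png": build_png(trailer=fake_pe()),
    "private_chunk.png": build_png(extra_chunks=[(b"prIv", fake_pe())]),
    "in_pixels.png": build_png(pixel_data=b"\x00" + fake_pe()),
}

if __name__ == "__main__":
    for sample, data in SAMPLES.items():
        print(sample, scan_png(data) or ["clean"])
```

Run it as-is to see the verdict for the four constructed samples, or call scan_png(open(path, "rb").read()) on a real attachment. The check only catches a PE stored in the clear; a payload that is XOR-ed or encrypted before embedding, which loaders commonly do, will pass, so treat an empty result as "no plaintext PE", not "safe", and rely on the loader-side and memory-side controls for the rest.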

How to secure yourself

  • Implement advanced endpoint detection: deploy tooling that monitors in-memory execution (executable memory with no backing file, remote thread creation, injection into signed processes) and unusual process behavior, since the payload never appears on disk.
  • Use application control: restrict which executables and script hosts may run (for example with Windows Defender Application Control or AppLocker policies) so that an attacker-delivered loader cannot start. Image files are never "executed", so the control point is the loader, not the file type.
  • Enable multi-factor authentication (MFA): to limit attacker access even if credentials are compromised.
  • Regularly patch systems: keep Windows and applications current. No exploited vulnerability has been reported for this campaign, but patching removes the privilege-escalation and lateral-movement paths a RAT operator relies on after the initial foothold.
  • Employ network segmentation: limit the spread of malware within internal networks.
  • Monitor network traffic: look for unexpected outbound connections, especially from processes that have no business talking to the internet; the command-and-control channel is often the only persistent external signal of a memory-resident RAT.
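The memory-side check that the first bullet calls for, as an added example written for this page rather than taken from any vendor's EDR: a Python hunt for executable memory regions that no file on disk backs, which is what a PE mapped straight out of a PNG looks like inside a process. classify() is pure Python and runs anywhere; enumerate_regions() is Windows-only and calls VirtualQueryEx, GetMappedFileNameW and ReadProcessMemory through ctypes. The SAMPLE_REGIONS records are constructed, not captured from a real host, and the reason strings are this example's own wording.

```python
"""Hunt for executable memory with no file behind it: the footprint a PE mapped straight
out of a PNG leaves in a process. classify() is pure Python; enumerate_regions() needs
Windows (VirtualQueryEx / GetMappedFileNameW / ReadProcessMemory via ctypes)."""
import ctypes
import sys
from dataclasses import dataclass

MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x20000, 0x1000000
PAGE_GUARD, PAGE_EXECUTE_READWRITE = 0x100, 0x40
EXECUTE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}   # PAGE_EXECUTE{,_READ,_READWRITE,_WRITECOPY}


@dataclass
class Region:
    base: int
    size: int
    state: int
    protect: int
    type: int
    mapped_file: str   # from GetMappedFileNameW; "" when nothing on disk backs the region
    head: bytes        # first bytes of the region; b"" if unreadable


def classify(r):
    """Reason string when the region looks like injected or manually mapped code, else None."""
    if r.state != MEM_COMMIT or r.protect & PAGE_GUARD:
        return None
    if (r.protect & 0xFF) not in EXECUTE_PROTECTIONS:
        return None
    if r.type == MEM_IMAGE or r.mapped_file:
        return None                      # a loaded module or a file-backed section: normal
    if r.head.startswith(b"MZ"):
        return "unbacked executable region begins with an MZ header"
    if (r.protect & 0xFF) == PAGE_EXECUTE_READWRITE:
        return "private RWX region (JIT output or injected code; triage, do not auto-block)"
    return "private executable region with no file backing"


def suspicious_regions(regions):
    """(region, reason) pairs for everything classify() flags."""
    return [(r, classify(r)) for r in regions if classify(r) is not None]


class MBI(ctypes.Structure):             # MEMORY_BASIC_INFORMATION; PartitionId exists only on x64
    _fields_ = ([("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                 ("AllocationProtect", ctypes.c_uint32)]
                + ([("PartitionId", ctypes.c_uint16)] if ctypes.sizeof(ctypes.c_void_p) == 8 else [])
                + [("RegionSize", ctypes.c_size_t), ("State", ctypes.c_uint32),
                   ("Protect", ctypes.c_uint32), ("Type", ctypes.c_uint32)])


def enumerate_regions(pid, head_len=2):
    """Walk one process's address space with VirtualQueryEx and build Region records (Windows only)."""
    if sys.platform != "win32":
        raise OSError("VirtualQueryEx is a Windows API")
    k32, psapi = ctypes.windll.kernel32, ctypes.windll.psapi
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.POINTER(MBI), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    psapi.GetMappedFileNameW.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_wchar_p, ctypes.c_uint32]
    h = k32.OpenProcess(0x0400 | 0x0010, False, pid)       # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    if not h:
        raise ctypes.WinError()
    regions, addr, mbi, name = [], 0, MBI(), ctypes.create_unicode_buffer(1024)
    try:
        while k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            mapped = name.value if psapi.GetMappedFileNameW(h, base, name, 1024) else ""
            buf, got = ctypes.create_string_buffer(head_len), ctypes.c_size_t(0)
            readable = mbi.State == MEM_COMMIT and k32.ReadProcessMemory(h, base, buf, head_len, ctypes.byref(got))
            regions.append(Region(base, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type,
                                  mapped, buf.raw[:got.value] if readable else b""))
            addr = base + mbi.RegionSize
    finally:
        k32.CloseHandle(h)
    return regions


# Constructed sample regions (not captured from a real host) so classify() can be exercised anywhere.
SAMPLE_REGIONS = [
    Region(0x7FFB1A2B0000, 0x1000, MEM_COMMIT, 0x20, MEM_IMAGE, r"C:\Windows\System32\ntdll.dll", b"MZ"),
    Region(0x1A2B0000, 0x40000, MEM_COMMIT, 0x40, MEM_PRIVATE, "", b"MZ"),
    Region(0x1B000000, 0x10000, MEM_COMMIT, 0x40, MEM_PRIVATE, "", b"\x48\x8b"),
    Region(0x1C000000, 0x1000, MEM_COMMIT, 0x04, MEM_PRIVATE, "", b"\x00\x00"),
]

if __name__ == "__main__":
    regions = enumerate_regions(int(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REGIONS
    for r, why in suspicious_regions(regions):
        print(f"0x{r.base:016x} size={r.size:#x} {why}")
```

python hunt.py <pid> walks a live process (run elevated for processes you do not own); without a PID it classifies the constructed samples. Expect legitimate hits from .NET, Java and browser JIT engines, which allocate private RWX memory by design: an unbacked region that begins with an MZ header is the high-confidence signal, a bare RWX region is a triage item, and a manually mapped payload whose loader wiped the MZ header will only show up as the latter.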

FAQ

What is PureRAT and how does it operate?

PureRAT is a remote access trojan that gives attackers remote control of infected Windows systems. In this campaign its PE payload is hidden inside a PNG file; a loader on the victim machine extracts the PE from the image and runs it in memory without writing it to disk, which is what makes detection difficult.

How does hiding malware in PNG files help attackers?

Image attachments are usually allowed through email and web filters, and a PNG still renders correctly when a PE is appended after its IEND chunk or stored in an ancillary chunk the decoder ignores. That lets the payload cross the perimeter without tripping file-type or signature checks, while the loader that unpacks it can stay small and generic.

Am I affected if I received a PNG file via email?

Not all PNG files are malicious, and simply viewing an image does not run the payload. Be cautious with unsolicited image attachments, particularly when they arrive alongside a script, archive or executable, or when a link asks you to download and run something, and verify with the sender before opening.

Can traditional antivirus detect this PureRAT campaign?

Traditional antivirus solutions relying on signature-based detection may miss this fileless malware. Advanced endpoint detection with behavioral and memory analysis is recommended.

What are the signs of PureRAT infection?

Signs include executable memory regions with no backing file on disk, code injected into legitimate system processes, unexpected outbound network connections, alerts from endpoint security tools with memory analysis and, less specifically, unexplained system slowdowns.

How can organizations prevent this type of attack?

Implement multi-layered security including email filtering, endpoint detection with memory analysis, user training, patch management, and network segmentation.

Is fileless malware a new threat?

No. Fileless malware has been evolving for years, but the 2026 tradecraft is more refined, combining payload embedding in image files with in-memory execution so that neither delivery nor execution leaves a payload file behind.

What should I do if I suspect infection?

Isolate the device from the network without rebooting it, capture volatile memory first (the payload exists only there), then conduct forensic analysis, update security tools and notify your incident response team immediately.

Why this matters

This PureRAT campaign highlights the shifting landscape of malware delivery and execution techniques. By hiding payloads in benign file types and executing them filelessly, attackers significantly raise the bar for detection and response. The campaign threatens sensitive data confidentiality, system integrity, and operational continuity across critical sectors. Understanding and mitigating such advanced threats is essential for maintaining cybersecurity resilience in 2026 and beyond.

Sources and corroboration

This article synthesizes information primarily from CyberSecurityNews.com’s April 21, 2026 report titled "New PureRAT Campaign Hides PE Payloads in PNG Files and Executes Them Filelessly" and corroborates findings with multiple cybersecurity vendor analyses and threat intelligence reports released in Q2 2026.

  • https://cybersecuritynews.com/new-purerat-campaign-hides-png-and-payloads/

---

Tags: [PureRAT, fileless malware, PNG payload, remote access trojan, Windows malware, phishing, endpoint security, 2026 cybersecurity threats]


Sources used for this article

cybersecuritynews.com, infosecurity-magazine.com, scmagazine.com

About the reviewer: Marcin Pocztowski, Infrastructure Security Editor at HackWatch.io

Marcin Pocztowski is the owner of MMPS and an infrastructure security editor for HackWatch. His public technical record spans 20 years, from Security+ evidence dated January 2006 through Juniper, Cisco and RHCSA records, and he reviews server, network and vulnerability-response coverage for source accuracy and practical remediation.

Infrastructure Security Editor: technical-density, source-existence and remediation-logic review for infrastructure and vulnerability coverage.

Coverage focus: Server and network hardening, vulnerability response, patch prioritization and infrastructure security review

Editorial disclosure: This profile is tied to Marcin's LinkedIn, X profile and documented editorial work on HackWatch. Historical certificates are treated as background evidence only, not as current active credentials.

Marcin leads this phishing alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "New PureRAT Campaign Conceals PE Payloads in PNG Files and Executes Them Filelessly on Windows Systems".


Expertise: server and network infrastructure administration; known exploited vulnerabilities and patch prioritization; CVSS v4.0 and CISA KEV triage.