New PureRAT Campaign Conceals PE Payloads in PNG Files and Executes Them Filelessly on Windows Systems
Malware coverage focused on infection paths, containment steps and indicators defenders should watch.

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.
The published article is checked against public sources before publication, and material corrections are reflected in the article update date.
Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 for server impact, affected-version evidence, privilege or code-execution claims and realistic patch priority. His remediation note follows the same discipline he would use around Juniper routers and production servers: verify scope, preserve useful logs, reduce exposed management access and only then apply the fix or compensating control supported by the 5 corroborating sources.
Review our editorial policy or send corrections to [email protected].
Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.
A sophisticated PureRAT malware campaign has emerged that hides Portable Executable (PE) payloads within seemingly innocuous PNG image files and executes them entirely in memory, evading traditional detection.
What happened
In April 2026, cybersecurity researchers uncovered a new, highly sophisticated malware campaign leveraging a remote access trojan (RAT) known as PureRAT. This campaign is notable for its innovative technique of embedding malicious Portable Executable (PE) payloads within ordinary-looking PNG image files. Once these files are delivered and opened on targeted Windows systems, the malware extracts and executes the payload entirely in memory, avoiding writing to disk and thereby evading most traditional antivirus and endpoint detection systems.
This fileless execution technique significantly increases the stealth and persistence of the malware, complicating detection and remediation efforts. The campaign has been actively observed delivering payloads through phishing emails and compromised websites, targeting enterprise and government networks with high-value data.
Confirmed facts
- Malware Variant: PureRAT, a remote access trojan capable of full system compromise.
- Delivery Method: Malicious PNG files containing embedded PE payloads, distributed primarily via phishing campaigns and malicious web downloads.
- Execution Technique: Fileless execution by loading PE payloads directly into memory without touching the disk.
- Target Platform: Windows operating systems, including Windows 10 and Windows 11.
- Persistence: Achieved through in-memory execution and use of legitimate system processes to avoid detection.
- Detection Evasion: By hiding payloads inside PNG files and avoiding disk writes, the campaign bypasses signature-based antivirus and many endpoint detection and response (EDR) tools.
- Impact: Enables attackers to gain remote control, exfiltrate sensitive data, install additional malware, and maintain long-term access.
Who is affected
The campaign primarily targets:
- Enterprise networks: Especially those in finance, healthcare, and critical infrastructure sectors.
- Government agencies: Due to the high value of intelligence and sensitive information.
- Individual users: Particularly those in organizations with less mature cybersecurity defenses who may receive phishing emails containing malicious PNG attachments.
Organizations with outdated endpoint protection, insufficient email filtering, or lacking behavioral monitoring are at elevated risk.
What to do now
- Immediate incident response: If you suspect infection, isolate affected machines from the network to prevent lateral movement.
- Scan for indicators of compromise (IOCs): Use updated threat intelligence feeds to detect known PureRAT signatures and anomalous memory activity.
- Review email filtering rules: Block or quarantine emails containing suspicious PNG attachments.
- Update endpoint protection: Ensure antivirus and EDR solutions are updated with the latest detection capabilities for fileless threats.
- Conduct user awareness training: Educate employees about phishing tactics and the risks of opening unsolicited image attachments.
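The report does not say where inside the PNG this campaign stores its PE payload, so the triage scanner below, added here as an example and not code from the original report or any vendor tool, checks the two carrier positions a defender should look at first: bytes appended after the IEND chunk, and a chunk type the PNG specification does not define whose data carries DOS/PE header magics. The `pyLd` chunk name, the `make_png` sample builder and the `FAKE_PE` bytes are constructed placeholders, not artifacts from the campaign.

```python
import struct
import zlib

PNG_SIG, MZ_MAGIC, PE_MAGIC = b"\x89PNG\r\n\x1a\n", b"MZ", b"PE\x00\x00"  # file sig, DOS stub, PE magic
KNOWN = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP",
         b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT", b"hIST", b"tIME"}

def _chunks(data):
    """Walk PNG chunks after the signature, yielding (type, body, crc_ok, offset after chunk)."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        crc_ok = len(crc) == 4 and zlib.crc32(ctype + body) == struct.unpack(">I", crc)[0]
        pos += 12 + length
        yield ctype, body, crc_ok, pos
        if ctype == b"IEND":
            return

def scan_png(data):
    """Return findings suggesting a PE payload is riding inside the PNG (empty list = clean)."""
    if not data.startswith(PNG_SIG):
        return ["not a PNG: bad signature"]
    findings, end = [], None
    for ctype, body, crc_ok, nxt in _chunks(data):
        if not crc_ok:  # chunk edited without recomputing its CRC
            findings.append(f"chunk {ctype!r} has a bad CRC")
        if ctype not in KNOWN and (body.startswith(MZ_MAGIC) or PE_MAGIC in body):
            findings.append(f"non-standard chunk {ctype!r} contains PE markers")
        if ctype == b"IEND":
            end = nxt
    if end is None:
        findings.append("no IEND chunk (truncated or malformed)")
    elif end < len(data):  # a valid PNG ends at IEND; anything after it is foreign
        tail = data[end:]
        kind = "PE markers" if tail.startswith(MZ_MAGIC) or PE_MAGIC in tail else "bytes"
        findings.append(f"{len(tail)} trailing {kind} after IEND")
    return findings

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
def make_png(extra_chunks=(), trailer=b""):
    """Constructed 1x1 RGB sample PNG, optionally with extra chunks or a trailer appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    parts = [_chunk(b"IHDR", ihdr)] + [_chunk(t, b) for t, b in extra_chunks]
    return PNG_SIG + b"".join(parts + [_chunk(b"IDAT", idat), _chunk(b"IEND", b"")]) + trailer
# Placeholder bytes shaped like a PE header (constructed, not executable code).
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 20
```

Run `scan_png` over quarantined PNG attachments; an empty list means the file is structurally a plain PNG, while any finding is a reason to hold the attachment for analysis rather than proof of PureRAT.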
How to secure yourself
- Implement advanced endpoint detection: Deploy solutions capable of monitoring in-memory execution and unusual process behavior.
- Use application whitelisting: Restrict execution of unauthorized code, especially from non-executable file types like images.
- Enable multi-factor authentication (MFA): To limit attacker access even if credentials are compromised.
- Regularly patch systems: Keep Windows OS and all software up to date to close vulnerabilities exploited by malware.
- Employ network segmentation: Limit the spread of malware within internal networks.
- Monitor network traffic: Look for unusual outbound connections that may indicate command-and-control activity.
FAQ
What is PureRAT and how does it operate?
PureRAT is a remote access trojan that allows attackers to control infected Windows systems remotely. It operates by embedding PE payloads inside PNG files, which are then executed in memory without touching the disk, making detection difficult.
How does hiding malware in PNG files help attackers?
PNG files are typically considered safe image formats and often bypass security filters. Embedding malicious code inside them allows attackers to evade signature-based detection and deliver payloads stealthily.
Am I affected if I received a PNG file via email?
Not all PNG files are malicious. However, if you receive unsolicited or suspicious PNG attachments, especially from unknown senders, exercise caution and verify before opening.
Can traditional antivirus detect this PureRAT campaign?
Traditional antivirus solutions relying on signature-based detection may miss this fileless malware. Advanced endpoint detection with behavioral and memory analysis is recommended.
What are the signs of PureRAT infection?
Signs include unusual system slowdowns, unexpected network connections, unknown processes running in memory, and alerts from advanced endpoint security tools.
How can organizations prevent this type of attack?
Implement multi-layered security including email filtering, endpoint detection with memory analysis, user training, patch management, and network segmentation.
Is fileless malware a new threat?
Fileless malware has been evolving over years but is increasingly sophisticated in 2026, leveraging novel techniques like payload embedding in image files and in-memory execution.
What should I do if I suspect infection?
Isolate affected devices, conduct forensic analysis, update security tools, and notify your cybersecurity response team immediately.
Why this matters
This PureRAT campaign highlights the shifting landscape of malware delivery and execution techniques. By hiding payloads in benign file types and executing them filelessly, attackers significantly raise the bar for detection and response. The campaign threatens sensitive data confidentiality, system integrity, and operational continuity across critical sectors. Understanding and mitigating such advanced threats is essential for maintaining cybersecurity resilience in 2026 and beyond.
Sources and corroboration
This article synthesizes information primarily from CyberSecurityNews.com’s April 21, 2026 report titled "New PureRAT Campaign Hides PE Payloads in PNG Files and Executes Them Filelessly" and corroborates findings with multiple cybersecurity vendor analyses and threat intelligence reports released in Q2 2026.
- https://cybersecuritynews.com/new-purerat-campaign-hides-png-and-payloads/
- https://cybersecuritynews.com/new-purerat-campaign-hides-pe-payloads/
