Cybersecurity experts have uncovered a new malware campaign that employs the PureCrypter malware loader to deploy a dangerous remote access trojan (RAT) known as DarkVision RAT. The campaign, observed by Zscaler ThreatLabz in July 2024, uses a multi-stage process to deliver this highly capable RAT.
“DarkVision RAT communicates with its command-and-control (C2) server using a custom network protocol via sockets,” explained security researcher Muhammed Irfan V A in an analysis. “It supports a wide range of commands and plugins, enabling additional features such as keylogging, remote access, password theft, audio recording, and screen captures.”
PureCrypter, which first surfaced in 2022, is a widely available malware loader sold on a subscription basis. It enables cybercriminals to distribute various types of malware, including information stealers, RATs, and ransomware. The specific method used to initially deliver PureCrypter is still unclear. However, once deployed, it initiates a .NET executable responsible for decrypting and launching the open-source Donut loader, which then activates PureCrypter. This leads to the unpacking and installation of DarkVision RAT on the target system.
DarkVision RAT also establishes persistence by setting up scheduled tasks using the ITaskService COM interface, adding autorun keys, and creating a batch script. This script ensures the RAT executable is launched every time the system starts, with a shortcut placed in the Windows startup folder.
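For defenders, the three persistence paths named above (scheduled tasks, autorun keys, and a startup-folder shortcut to a batch script) can be audited from an elevated PowerShell session. The script below is an added example, not code from the Zscaler analysis; the "suspicious path" heuristics are assumptions for triage, not indicators from the report.

```powershell
# Added example (not from the Zscaler report): audit the persistence locations the article lists
# for DarkVision RAT: scheduled tasks, Run/RunOnce autorun keys, and startup-folder shortcuts
# that launch a batch script. Run in an elevated PowerShell on the host under review.
# The path patterns below are triage heuristics assumed here, not indicators from the report.

$suspiciousPath = 'AppData|ProgramData|\\Temp\\|\\Users\\Public'
$findings = @()

# 1. Scheduled tasks whose action runs a .bat/.cmd or starts something from a user-writable path
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -match '\.(bat|cmd)\b' -or $cmd -match $suspiciousPath) {
            $findings += [pscustomobject]@{ Source = 'ScheduledTask'; Name = $task.TaskName; Target = $cmd }
        }
    }
}

# 2. Autorun keys (per-user and machine-wide Run / RunOnce); every value is listed for review
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') {   # skip the PSPath/PSParentPath metadata properties
                $findings += [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$($p.Name)"; Target = $p.Value }
            }
        }
    }
}

# 3. Startup-folder shortcuts: resolve each .lnk and flag those pointing at a batch script
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -match '\.(bat|cmd)$' -or $target -match $suspiciousPath) {
            $findings += [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Target = $target }
        }
    }
}

$findings | Format-Table -AutoSize
```

Entries it prints are candidates for review, not confirmed infections; compare them against a known-good baseline of the same host or image.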
DarkVision RAT, first detected in 2020, is offered at a low price on a clearnet website—just $60 for a one-time payment—making it appealing to both advanced threat actors and less experienced cybercriminals. Developed in C++ and assembly (ASM) for optimal performance, DarkVision RAT is packed with features like process injection, remote shell, reverse proxy, clipboard manipulation, keylogging, screenshot capture, and cookie and password recovery from web browsers.
In addition, the RAT collects system information and can receive plugins from a C2 server, expanding its capabilities even further. This makes DarkVision RAT a highly versatile and dangerous tool in the hands of attackers, giving them full control over compromised Windows systems.
“DarkVision RAT is a potent tool for cybercriminals,” Zscaler said. “Its low cost and wide range of malicious features have made it increasingly popular among attackers.”
The disclosure of this campaign comes alongside the emergence of another malware loader, called Pronsis Loader. This new loader has been used in campaigns distributing Lumma Stealer and Latrodectus malware since November 2023.
“Pronsis Loader is similar to the D3F@ck Loader,” noted Trustwave researchers Cris Tomboc and King Orande. “Both loaders use JPHP-compiled executables, but they differ in their installation methods. D3F@ck Loader uses the Inno Setup Installer, while Pronsis Loader relies on the Nullsoft Scriptable Install System (NSIS).”
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067