A growing cyberattack campaign is targeting Russian organizations with advanced malware delivered through weaponized RAR archive files. The campaign, which began in March 2023, has intensified sharply in 2025, with a fourfold increase in attacks during the first four months of the year compared to the same period in 2024.
The attacks focus on delivering two main malware tools: the PureRAT backdoor and the PureLogs stealer. These tools give hackers remote access and the ability to steal sensitive data from infected systems.
Attack Method
The main attack method involves spam emails that include either malicious RAR attachments or links to download them. These RAR files use fake accounting-related names like “doc,” “akt,” “sverka,” “buh,” and “oplata.”
Attackers often use double extensions like .pdf.rar to trick users into thinking the file is safe. The emails are designed to deceive employees in finance departments who commonly handle such documents.
Once opened, the RAR archive contains an executable file disguised as a PDF. Running the file starts a multi-stage infection chain meant to avoid detection while installing the malware.
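The naming tricks described above (accounting-themed lure names, a .pdf.rar double extension, and an executable inside the archive dressed up as a PDF) are the kind of thing a mail gateway or sandbox can score before a user ever sees the attachment. The following Python is an added example written for this article, not code from Securelist or from the campaign itself. It assumes the archive listing and the first bytes of each member have already been extracted by some upstream tool, and the sample archives it checks are constructed for illustration.

```python
import re

# Lure name stems reported for this campaign (accounting vocabulary).
LURE_STEMS = ("doc", "akt", "sverka", "buh", "oplata")
# Document-looking extensions that, in front of ".rar" or ".exe", suggest a
# double-extension trick such as "oplata.pdf.rar" or "oplata.pdf.exe".
DOC_EXTS = ("pdf", "doc", "docx", "xls", "xlsx")
EXEC_EXTS = ("exe", "scr", "com", "bat", "cmd", "vbs", "js")

DOUBLE_EXT_RE = re.compile(r"\.(" + "|".join(DOC_EXTS) + r")\.rar$", re.IGNORECASE)
LURE_RE = re.compile(r"^(" + "|".join(LURE_STEMS) + r")", re.IGNORECASE)


def attachment_findings(filename: str) -> list[str]:
    """Heuristics that need nothing but the attachment name (what a gateway sees)."""
    findings = []
    name = filename.lower()
    if name.endswith(".rar"):
        stem = name[:-4]
        if DOUBLE_EXT_RE.search(name):
            findings.append("double-extension rar")
        if LURE_RE.match(stem):
            findings.append("accounting lure name")
    return findings


def member_findings(members: dict[str, bytes]) -> list[str]:
    """Heuristics on the archive listing: member name -> first bytes of the member."""
    findings = []
    for member, head in members.items():
        low = member.lower()
        parts = low.rsplit(".", 2)          # up to two extensions, e.g. ["oplata", "pdf", "exe"]
        ext = parts[-1] if len(parts) > 1 else ""
        if ext in EXEC_EXTS:
            findings.append(f"executable member: {member}")
            if len(parts) == 3 and parts[1] in DOC_EXTS:
                findings.append(f"executable disguised as document: {member}")
        # A "document" whose bytes start with the DOS/PE "MZ" header is a Windows executable.
        if ext in DOC_EXTS and head[:2] == b"MZ":
            findings.append(f"document-named member carries a PE header: {member}")
    return findings


def triage(filename: str, members: dict[str, bytes]) -> dict:
    """Combine name-level and content-level findings into one verdict."""
    flags = attachment_findings(filename) + member_findings(members)
    return {"attachment": filename, "flags": flags, "suspicious": bool(flags)}


if __name__ == "__main__":
    # Constructed sample modelled on the lure described in the article.
    verdict = triage("oplata.pdf.rar", {"oplata.pdf.exe": b"MZ\x90\x00\x03"})
    for flag in verdict["flags"]:
        print("-", flag)
```

The checks are deliberately cheap so they can run on every inbound archive; a hit should route the message to a sandbox or quarantine rather than block outright, since a legitimate "akt.rar" from a counterparty will also trip the lure-name rule.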
Malware Details
The attack begins when the executable copies itself to the %AppData% folder as Task.exe. It then creates a startup script named Task.vbs with the following command:
CreateObject("WScript.Shell").Run """C:\Users\\AppData\Roaming\Task.exe"""
Next, the malware extracts and runs StilKrip.exe, while also decrypting another file, Ckcfb.exe. This file is injected into InstallUtil.exe, a legitimate Windows process, to avoid being flagged by antivirus tools.
The core backdoor functions are stored in a file named Spydgozoi.dll, which is also decrypted and executed during this stage.
Command and Control Communication
The malware connects to remote command and control (C2) servers using SSL encryption. Data is sent in protobuf format and compressed with gzip.
Each infected device sends detailed system information, including:
- Device ID
- Antivirus software installed
- Operating system version
- User and computer name
- System environment details
This data helps attackers adjust their strategies based on the target’s defenses.
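Because the beacon is gzip-compressed protobuf, an analyst who recovers a payload from a memory dump or a TLS-intercepting sandbox still needs to read it without the attackers' schema. Protobuf's wire format can be walked schema-free: each field is a varint key (field number and wire type) followed by a varint, a fixed-width value, or a length-delimited blob. The following Python is an added example for this article, not code from Securelist or from PureRAT. It builds a constructed beacon carrying the kinds of fields the article lists (the field numbers are an assumption, not the real schema), gzips it, and then decodes it field by field.

```python
import gzip
import struct


def _encode_varint(value: int) -> bytes:
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def _string_field(field_number: int, text: str) -> bytes:
    """Wire type 2: length-delimited."""
    payload = text.encode("utf-8")
    return _encode_varint((field_number << 3) | 2) + _encode_varint(len(payload)) + payload


def _varint_field(field_number: int, value: int) -> bytes:
    """Wire type 0: varint."""
    return _encode_varint((field_number << 3) | 0) + _encode_varint(value)


def build_sample_beacon() -> bytes:
    """Constructed beacon. Field numbers are an assumption made for this example."""
    raw = b"".join([
        _string_field(1, "DEVICE-0001"),     # device ID
        _string_field(2, "ExampleAV"),       # installed antivirus
        _string_field(3, "Windows 10"),      # OS version
        _string_field(4, "alice@HOST-01"),   # user and computer name
        _varint_field(5, 2),                 # some small numeric environment flag
    ])
    return gzip.compress(raw)


def _read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    result, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7


def decode_wire(buf: bytes) -> list[tuple[int, int, object]]:
    """Walk raw protobuf wire format without a schema.

    Returns (field_number, wire_type, value). Length-delimited chunks that
    decode as UTF-8 are returned as str; anything else stays bytes, which is
    where a nested message or raw blob would show up for further inspection.
    """
    fields = []
    pos = 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        field_number, wire_type = key >> 3, key & 0x7
        if wire_type == 0:
            value, pos = _read_varint(buf, pos)
        elif wire_type == 1:
            value = struct.unpack_from("<Q", buf, pos)[0]
            pos += 8
        elif wire_type == 2:
            length, pos = _read_varint(buf, pos)
            chunk = buf[pos:pos + length]
            pos += length
            try:
                value = chunk.decode("utf-8")
            except UnicodeDecodeError:
                value = chunk
        elif wire_type == 5:
            value = struct.unpack_from("<I", buf, pos)[0]
            pos += 4
        else:
            raise ValueError(f"unsupported wire type {wire_type} at offset {pos}")
        fields.append((field_number, wire_type, value))
    return fields


def decode_beacon(blob: bytes) -> list[tuple[int, int, object]]:
    """gzip-decompress a captured beacon and list its protobuf fields."""
    return decode_wire(gzip.decompress(blob))


if __name__ == "__main__":
    for number, wire_type, value in decode_beacon(build_sample_beacon()):
        print(f"field {number} (wt {wire_type}): {value!r}")
```

The decoder is a triage tool, not a replacement for the schema: a length-delimited field that happens to be valid UTF-8 could still be a nested message, so treat the string view as a first pass and re-run decode_wire on any chunk that looks structured.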
Modular Threat Architecture
PureRAT is designed with a modular structure. This allows it to download new components depending on what the attackers want to achieve.
The malware is sold under a Malware-as-a-Service (MaaS) model. This means that many different threat actors can buy and use it, even without advanced skills. This model is one reason for the rapid increase in attacks.
Security Recommendations
Researchers at Securelist warn that the attackers behind this campaign continue to improve their tools. Organizations are advised to strengthen email security and train staff to spot suspicious attachments and naming tricks.
Keeping software updated and using endpoint protection that can detect and block unknown threats is also critical.
This campaign highlights how cybercriminals are using social engineering and technical sophistication to gain deep access to business networks. Ongoing awareness and layered security are essential to defend against these evolving threats.