New PureHVNC Malware Campaign Uses Google Forms to Lure Victims
Key Takeaways
- A new campaign is leveraging Google Forms to distribute the PureHVNC Remote Access Trojan (RAT).
- Threat actors are impersonating legitimate companies across various sectors, using fake job offers and business documents as lures.
- The infection chain involves DLL hijacking, obfuscated Python scripts, Donut shellcode, and process injection into SearchUI.exe.
- PureHVNC grants attackers extensive remote control, enabling data theft from browsers, crypto wallets, and messaging apps.
- Defenders should verify form sources, scrutinize unexpected offers, and monitor for specific malicious behaviors like unusual DLL loads and PowerShell task creation.
Security researchers have uncovered a malware distribution campaign that abuses Google Forms, a widely used and trusted service, to lure victims. The operation's goal is to deliver the PureHVNC Remote Access Trojan (RAT) through a series of business-themed deceptions.
The campaign stands out not for the novelty of the PureHVNC RAT itself, but for its cunning use of Google Forms as an initial vector. Attackers are crafting highly convincing forms, masquerading as legitimate recruitment processes, project briefs, or financial documentation, to lure unsuspecting professionals into downloading malicious payloads.
According to analysis by Malwarebytes, these threat actors are impersonating well-known entities across diverse industries, including finance, logistics, technology, sustainability, and energy. The fake forms meticulously incorporate real company names, logos, and branding elements, making them exceptionally difficult for an average user to identify as fraudulent.
Once a target submits their professional details via the deceptive Google Form, they are directed to download a business-themed ZIP archive. These malicious archives are hosted on various platforms such as Dropbox, filedn.com, and fshare.vn, with links often obscured by URL shorteners like tr.ee and goo.su. The campaign also leverages professional networking platforms like LinkedIn to reach individuals actively seeking employment or new business opportunities.
Examples of archive names, such as “Project_Information_Summary_2026.zip” and “{CompanyName}_GlobalLogistics_Ad_Strategy.zip,” highlight the meticulous planning and calculated deception employed by the attackers. These names are designed to appear innocuous and relevant to the business context established by the initial Google Form lure.
The PureHVNC Remote Access Trojan
PureHVNC is a modular .NET-based Remote Access Trojan belonging to the “Pure” malware family. Once installed, it grants attackers extensive control over the compromised machine: executing arbitrary commands, exfiltrating sensitive data from web browsers, cryptocurrency wallets, and messaging and email clients such as Telegram and Foxmail, gathering system hardware and software information, and deploying additional malicious plugins.
The RAT’s configuration data is base64-encoded and compressed using GZIP. The identified Command and Control (C2) server for this campaign is located at IP address 207.148.66.14, communicating over ports 56001, 56002, and 56003. The broad targeting across industries where document sharing is commonplace and external file exchange is routine makes it challenging for users to distinguish legitimate attachments from malicious ones.
Multi-Stage Infection Mechanism
The PureHVNC infection chain is built in multiple layers designed to evade detection. Upon extracting the downloaded ZIP archive, victims find legitimate-looking job-related documents alongside a concealed executable and a malicious DLL named msimg32.dll. The pairing relies on DLL hijacking (also called DLL sideloading): the executable is a legitimate program that imports msimg32.dll, a Windows GDI helper library normally resolved from System32. Because Windows searches an application's own directory before the system directories for DLLs that are not on the KnownDLLs list, the attacker's copy placed next to the executable is loaded instead, and the legitimate program's signature and reputation mask the malicious code.
Once loaded, the malicious DLL decrypts its strings with a single-byte XOR using the key 0x4B. It also performs anti-analysis checks, calling IsDebuggerPresent() and using time64() for timing measurements to detect debuggers and sandboxes. If either check trips, the malware displays an error message reading “This software has expired or debugger detected” and exits.
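Two static-triage helpers for the artifacts described in this section and in the configuration paragraph above, written as an added example (this is not code from the article or from Malwarebytes). It assumes the string encryption is a plain single-byte XOR with 0x4B applied uniformly to the buffer, and that the configuration is exactly one base64 layer plus one GZIP layer in an unknown order. The plaintext layout of the config is not described by the article, so a JSON stand-in is used; all sample inputs below are constructed, not extracted from a real sample.

```python
import base64
import gzip
import json
import re
from typing import List

XOR_KEY = 0x4B             # single-byte key reported for the msimg32.dll strings
GZIP_MAGIC = b"\x1f\x8b"   # first two bytes of every GZIP stream


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo a single-byte XOR; the same call also encodes, since XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_strings(blob: bytes, key: int = XOR_KEY, min_len: int = 6) -> List[str]:
    """XOR-decode a buffer and return printable ASCII runs of at least min_len characters.

    Good enough for a first pass over a dumped data section; samples that use
    per-string keys or length prefixes will only yield fragments with this approach.
    """
    decoded = xor_decode(blob, key)
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, decoded)
    return [r.decode("ascii") for r in runs]


def decode_config(blob: bytes) -> bytes:
    """Strip the base64 and GZIP layers from a PureHVNC-style config blob.

    The article says the config is base64-encoded and GZIP-compressed but not
    which layer is outermost, so try base64(gzip(x)) first and fall back to
    gzip(base64(x)); the GZIP magic bytes decide which branch applies.
    """
    try:
        inner = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        inner = b""
    if inner.startswith(GZIP_MAGIC):
        return gzip.decompress(inner)
    if blob.startswith(GZIP_MAGIC):
        return base64.b64decode(gzip.decompress(blob), validate=True)
    raise ValueError("input is neither base64(gzip(...)) nor gzip(base64(...))")


# --- constructed sample inputs (assumptions, not data from a real sample) ---------

def sample_string_blob() -> bytes:
    """Two XOR-encoded strings padded with bytes that decode to non-printables."""
    junk = b"\x4b\xff\xc0\x90"   # XOR 0x4B -> 00 b4 8b db, all non-printable
    plain = b"This software has expired or debugger detected\x00IsDebuggerPresent\x00"
    return junk + xor_decode(plain) + junk


def sample_config_blob(gzip_outer: bool = False) -> bytes:
    """JSON stand-in for the config, wrapped as base64(gzip(x)) or gzip(base64(x))."""
    cfg = json.dumps({"host": "207.148.66.14", "ports": [56001, 56002, 56003],
                      "mutex": "Rluukgz"}).encode()
    if gzip_outer:
        return gzip.compress(base64.b64encode(cfg))
    return base64.b64encode(gzip.compress(cfg))


if __name__ == "__main__":
    print(recover_strings(sample_string_blob()))
    print(json.loads(decode_config(sample_config_blob())))
```

The GZIP magic check matters in practice: base64 decoding will happily "succeed" on many inputs, so checking for `1f 8b` before calling `gzip.decompress` avoids misreading a gzip-outer blob as garbage.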
Following these checks, the DLL deletes its own file from disk and drops a decoy PDF document to keep the victim occupied while it establishes persistence, creating a value named Miroupdate under the CurrentVersion\Run registry key so the payload is relaunched at logon.
In the next stage, a hidden archive named final.zip is extracted into a randomly named folder under ProgramData. An obfuscated Python script, stored under a misleading file name (config.log or image.mp3, depending on the variant), decodes Donut-generated shellcode and runs it directly in memory. That shellcode injects the PureHVNC RAT into SearchUI.exe, a legitimate Windows process, so the RAT's activity appears to come from a trusted binary.
To maintain access across reboots, the malware creates a scheduled task via a base64-encoded PowerShell command. The task is configured to run with the highest available privileges, which means elevated execution whenever the infection occurred under an account with administrator rights. The RAT also creates a mutex named “Rluukgz”, which can serve as a host-based indicator of infection.
What You Should Do
- Verify Sources: Always independently verify the legitimacy of any Google Form before submitting personal or professional information, especially if it relates to unexpected job offers or project requests. Cross-reference through official company websites or known contacts.
- Exercise Caution with Links: Be highly suspicious of links hidden behind URL shorteners. Expand a shortened link with a URL-preview service (or the shortener's own preview feature) to see the true destination before clicking.
- Scrutinize Attachments: Treat any unsolicited ZIP files or documents, even those from seemingly legitimate sources, with extreme caution. Enable “show file extensions” in Windows to help identify potentially malicious executables disguised as documents.
- Monitor for Anomalous Behavior: Security teams should implement and monitor for indicators of compromise, including unusual DLL loads, the creation of encoded PowerShell scheduled tasks, and process injection into legitimate Windows processes like SearchUI.exe.
- Strengthen Endpoint Defenses: Ensure endpoint detection and response (EDR) solutions are up-to-date and configured to flag suspicious activities, such as Python processes executing from unusual locations within ProgramData directories.
- Educate Users: Conduct regular cybersecurity awareness training for employees, emphasizing the tactics used in phishing and social engineering campaigns, especially those leveraging familiar tools like Google Forms and LinkedIn.
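The monitoring and endpoint bullets above can be turned into concrete rules. The following Python sketch is an added example (not from the article or from Malwarebytes): it runs five checks over constructed, Sysmon-style event records (dicts using Sysmon's field names for EventID 1 process create, 7 image load, 8 CreateRemoteThread and 13 registry value set). Everything in the sample events is invented for illustration: the ProgramData folder name, the task name, the user SID, the assumption that the chain ships its own pythonw.exe, and the exact SearchUI.exe path. One caveat the rules build in: PowerShell's -EncodedCommand argument is base64 over UTF-16LE text, so decoding it as UTF-8 yields interleaved NUL bytes and defeats keyword matching.

```python
import base64
import re
from typing import Dict, List, Tuple

# Directories from which a legitimately resolved msimg32.dll should be loaded.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Verbs that create a scheduled task from a PowerShell command line.
TASK_VERBS = ("schtasks", "register-scheduledtask", "new-scheduledtask")


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_encoded(cmdline: str) -> str:
    """Return the decoded -EncodedCommand argument of a command line, or '' if absent.

    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...);
    undecodable input is reported as '' so a malformed line cannot crash the rule.
    """
    m = re.search(r"-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Apply the article's behavioural indicators; returns (rule, detail) in event order."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "").lower()
        if eid == "7":  # image load: msimg32.dll from anywhere but the system directories
            loaded = ev.get("ImageLoaded", "").lower()
            if loaded.endswith("\\msimg32.dll") and not loaded.startswith(SYSTEM_DLL_DIRS):
                hits.append(("msimg32_sideload", f"{image} loaded {loaded}"))
        elif eid == "1":  # process create
            cmdline = ev.get("CommandLine", "")
            if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
                decoded = decode_powershell_encoded(cmdline).lower()
                if any(verb in decoded for verb in TASK_VERBS):
                    hits.append(("encoded_ps_schtask", decoded))
            if image.endswith(("\\python.exe", "\\pythonw.exe")) and image.startswith("c:\\programdata\\"):
                hits.append(("python_from_programdata", cmdline))
        elif eid == "8":  # CreateRemoteThread into SearchUI.exe
            src = ev.get("SourceImage", "").lower()
            target = ev.get("TargetImage", "").lower()
            if target.endswith("\\searchui.exe"):
                hits.append(("remote_thread_searchui", f"{src} -> {target}"))
        elif eid == "13":  # registry value set: the Miroupdate Run key
            key = ev.get("TargetObject", "").lower()
            if "\\currentversion\\run\\miroupdate" in key:
                hits.append(("run_key_miroupdate", ev.get("Details", "")))
    return hits


# --- constructed sample telemetry (folder, task name, SID and paths are invented) ---
_DROP = "C:\\Users\\victim\\Downloads\\Project_Information_Summary_2026"
_STAGE = "C:\\ProgramData\\k3q9z"
_TASK_SCRIPT = (f"schtasks /create /tn ExampleTask /sc onlogon /rl highest "
                f"/tr \"{_STAGE}\\pythonw.exe {_STAGE}\\config.log\"")
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7", "Image": f"{_DROP}\\viewer.exe", "ImageLoaded": f"{_DROP}\\msimg32.dll"},
    {"EventID": "7", "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\msimg32.dll"},                       # benign
    {"EventID": "13", "Image": f"{_DROP}\\viewer.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Miroupdate",
     "Details": f"{_STAGE}\\pythonw.exe {_STAGE}\\config.log"},
    {"EventID": "1", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc " + encode_powershell(_TASK_SCRIPT)},
    {"EventID": "1", "Image": f"{_STAGE}\\pythonw.exe",
     "CommandLine": f"pythonw.exe {_STAGE}\\config.log"},
    {"EventID": "1", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},  # benign
    {"EventID": "8", "SourceImage": f"{_STAGE}\\pythonw.exe",
     "TargetImage": "C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The two benign records (msimg32.dll resolved from System32, and a PowerShell invocation with no encoded command) are there to show the rules do not fire on ordinary activity; in a production ruleset the msimg32.dll check would also be widened to the other commonly sideloaded DLL names, and the Run-key rule would alert on any new value whose data points into ProgramData rather than only on the name Miroupdate.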
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.