Pulsar RAT: New Stealth Malware Poses Global Threat to Windows Systems

Pulsar RAT: The Stealthy Malware Redefining Remote Access Threats

A new remote access trojan known as Pulsar RAT has emerged and poses a significant risk to Windows systems worldwide. A derivative of the open-source Quasar RAT, Pulsar adds evasion features that let attackers keep remote access to a host while staying below the threshold of conventional detection.

Technical Architecture and Capabilities

Pulsar RAT operates on a client-server model. Client and server communicate over TLS-encrypted channels and serialize commands with MessagePack, a compact binary encoding (a serialization format, not a transport protocol), so command traffic is small and opaque to wire-level inspection. On an infected host it first bypasses User Account Control (UAC) to obtain an elevated context and then creates a scheduled task that runs at every logon with highest privileges: the UAC bypass supplies the elevation, the scheduled task supplies the persistence.

Pulsar bundles a comprehensive suite of malicious functionality into a single client:

– Keylogging: Records every keystroke made by the user, capturing sensitive information such as passwords and personal messages.

– Clipboard Hijacking: Monitors and manipulates clipboard content, particularly targeting cryptocurrency wallet addresses to redirect transactions.

– Credential Theft: Uses an integrated module, Kematian Grabber, to harvest saved login credentials from various applications.

– File Management: Allows attackers to browse, upload, and download files from the compromised system.

– Remote Shell Access: Enables the execution of commands on the infected machine, granting full control to the attacker.

– Data Exfiltration: Collects and transmits stolen data to attacker-controlled servers without the user’s knowledge.

To keep its infrastructure out of the binary, Pulsar retrieves its command-and-control (C2) configuration from public paste sites, a dead-drop resolver pattern. The posted blob is encrypted; the client decrypts it with a key embedded in the sample to recover the C2 server address. Operators can rotate C2 servers by editing the paste instead of rebuilding the client, and the sample itself never carries a plaintext C2 address. For analysts the embedded key cuts both ways: once extracted from the binary it decrypts every configuration the operator publishes.

Advanced Evasion Techniques

Pulsar RAT employs a multi-layered anti-analysis strategy to evade detection:

– Anti-Virtualization Checks: The malware inspects disk labels and model strings for indicators of a virtual machine, such as QEMU HARDDISK and other common hypervisor identifiers. If one is found, execution halts immediately, so the sample does nothing in a default sandbox. Analysis environments should therefore present non-default hardware strings, or the check should be patched out before detonation.

– Anti-Debugging Protections: Detects attached debuggers and other analysis tooling and alters or halts execution when one is present, slowing reverse engineering of the sample.

– Memory-Only Execution: Pulsar loads its payload stages directly into memory using .NET reflection (typically Assembly.Load over a byte array) rather than writing them to disk. This is a standard .NET loader pattern rather than an innovation, but it is effective: file-based scanning never sees the payload, few disk artifacts remain, and incident responders lose visibility. Two caveats for defenders: the loaded assemblies remain visible through AMSI and .NET runtime (ETW) telemetry, and the BAT stage described below does touch disk.

– Code Injection: Runs its code inside legitimate processes, so detection keyed on process names fails and the malicious activity is attributed to a trusted binary.

Distribution Methods and Attack Chains

Recent analyses have shown Pulsar RAT being distributed through software supply chain compromises. A notable 2025 example involved the malicious npm packages soldiers and @mediawave/lib, which used seven layers of obfuscation, including Unicode variable encoding, hexadecimal conversion, Base64 encoding, and steganography with a payload embedded in a PNG image. Once installed, the packages automatically delivered the Pulsar payload to the developer's machine, and they reached hundreds of weekly downloads before they were detected.
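The following is an added example, not code from the page or from any registry's tooling, of how a developer or security team can audit an installed node_modules tree for the install-time delivery pattern described above. It assumes the packages ran their payload from an npm lifecycle script (preinstall/install/postinstall), which is how a package executes code "once installed", and it flags the obfuscation markers the page lists: runs of Unicode or hex escapes, long Base64 blobs, and JavaScript that reads a PNG. The two packages built by demo() are constructed samples, not the real ones, and the regexes are heuristics rather than signatures.

```python
"""
Audit a node_modules tree for lifecycle hooks combined with obfuscation markers.
Added example; the package layout and names are constructed for illustration.
"""
import json
import re
import tempfile
from pathlib import Path

# Scripts npm runs automatically during `npm install` (assumed delivery mechanism).
LIFECYCLE = ("preinstall", "install", "postinstall")
MARKERS = {
    "unicode-escape run": re.compile(r"(?:\\u[0-9a-fA-F]{4}){8,}"),
    "hex-escape run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){16,}"),
    "long base64 blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    "reads a PNG from JS": re.compile(r"readFileSync\([^)]*\.png", re.IGNORECASE),
}


def script_markers(source):
    """Names of the obfuscation markers present in one JavaScript source string."""
    return [name for name, rx in MARKERS.items() if rx.search(source)]


def audit_package(pkg_dir):
    """Findings for one package directory (the directory holding package.json)."""
    pkg = json.loads((pkg_dir / "package.json").read_text())
    hooks = {k: v for k, v in pkg.get("scripts", {}).items() if k in LIFECYCLE}
    markers = {}
    for js in pkg_dir.rglob("*.js"):
        found = script_markers(js.read_text(errors="ignore"))
        if found:
            markers[js.name] = found
    # A lifecycle hook alone is common (native builds); hook plus obfuscation is the dropper shape.
    risk = "high" if hooks and markers else "medium" if hooks or markers else "low"
    return {"name": pkg.get("name"), "hooks": hooks, "markers": markers, "risk": risk}


def audit_node_modules(root):
    """Audit every package under root; returns a dict keyed by package name."""
    results = {}
    for manifest in Path(root).rglob("package.json"):
        r = audit_package(manifest.parent)
        results[r["name"]] = r
    return results


def _write(path, data):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data if isinstance(data, bytes) else data.encode())


def build_demo_tree(root):
    """Constructed node_modules: one clean package and one dropper-shaped package."""
    root = Path(root)
    clean = root / "node_modules" / "@example" / "clean-lib"
    _write(clean / "package.json",
           json.dumps({"name": "@example/clean-lib", "version": "1.0.0", "main": "index.js"}))
    _write(clean / "index.js", "module.exports = (s, n) => String(s).padStart(n);\n")
    stager = root / "node_modules" / "@example" / "stager"
    _write(stager / "package.json", json.dumps({
        "name": "@example/stager", "version": "0.0.3",
        "scripts": {"postinstall": "node index.js"}}))
    # A Unicode-escaped string plus a PNG read stand in for the stego stage (constructed).
    escaped = "".join("\\u%04x" % ord(c) for c in "console.log")
    _write(stager / "index.js",
           f'const fn = "{escaped}";\nconst img = require("fs").readFileSync(__dirname + "/logo.png");\n')
    _write(stager / "logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return root


def demo():
    """Build the constructed tree in a temp dir and audit it."""
    return audit_node_modules(build_demo_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{r['risk']:6} {name} hooks={list(r['hooks'])} markers={r['markers']}")
```

Run audit_node_modules() against a real project directory to get the same report; treat "high" results as something to read by hand before the next install, and remember that the markers are heuristics, so a package with none of them can still be malicious.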

Sandbox analyses have recorded the typical deployment sequence on the host:

1. Execution of a Malicious BAT File: The batch script prepares a UAC bypass by writing the per-user ms-settings protocol handler under HKCU\Software\Classes: it sets an empty DelegateExecute value and plants its own command in the handler's command key.

2. Elevation of Privileges: The script then launches `computerdefaults.exe`, a Windows binary that auto-elevates without a UAC prompt and consults that handler. The planted command therefore runs with high integrity and is used to create scheduled tasks that re-launch the payload at every user logon.
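Detection logic for the chain just described, as an added example that is not code from the page or from any vendor, run over constructed Sysmon-style events: it looks for (1) writes to the per-user ms-settings handler, (2) a child process of the auto-elevating computerdefaults.exe, (3) schtasks creating a highest-privilege logon task, and (4) a non-browser process reaching a public paste site, which is where the client fetches its C2 configuration. Field names follow Sysmon (EventID 1 process create, 3 network connect, 13 registry value set); the hostnames, SIDs, paths and the paste sites other than pastebin.com in the sample data are assumptions.

```python
"""
Rule matching and per-host correlation for the Pulsar-style UAC bypass chain.
Added example; SAMPLE_EVENTS are constructed, not captured telemetry.
"""
from collections import defaultdict

# Handler consulted by computerdefaults.exe; lowercase for case-insensitive matching.
MS_SETTINGS_HANDLER = r"\software\classes\ms-settings\shell\open\command"
AUTO_ELEVATORS = {"computerdefaults.exe"}
# pastebin.com comes from the page; the other two are assumed extra dead-drop hosts.
PASTE_SITES = {"pastebin.com", "paste.ee", "rentry.co"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def _basename(path):
    """Last component of a Windows path, lowercased ('' if missing)."""
    return path.rsplit("\\", 1)[-1].lower()


def match_event(ev):
    """Return (rule_id, description) when a single event matches a rule, else None."""
    eid = ev.get("EventID")
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmdline = ev.get("CommandLine", "")
    if eid == 13 and MS_SETTINGS_HANDLER in ev.get("TargetObject", "").lower():
        return "reg_ms_settings", f"{image} wrote {ev['TargetObject']} = {ev.get('Details')}"
    if eid == 1 and parent in AUTO_ELEVATORS:
        # Nothing is normally spawned by computerdefaults.exe; a child here is the
        # planted command running at high integrity.
        return "autoelevate_child", f"{image} spawned by auto-elevating {parent}"
    if eid == 1 and image == "schtasks.exe":
        cl = cmdline.lower()
        if "/create" in cl and "/sc onlogon" in cl and "/rl highest" in cl:
            return "logon_task_highest", f"elevated logon task: {cmdline}"
    if eid == 3 and ev.get("DestinationHostname", "").lower() in PASTE_SITES and image not in BROWSERS:
        return "paste_site_fetch", f"{image} connected to {ev['DestinationHostname']}"
    return None


def correlate(events):
    """Group rule hits per host. A host showing both the handler write and an
    auto-elevated child has completed the UAC bypass; anything else is 'suspicious'."""
    hits = defaultdict(list)
    for ev in events:
        m = match_event(ev)
        if m:
            hits[ev["Computer"]].append(m)
    verdicts = {}
    for host, matches in hits.items():
        rules = {rule for rule, _ in matches}
        level = "uac_bypass_chain" if {"reg_ms_settings", "autoelevate_child"} <= rules else "suspicious"
        verdicts[host] = (level, matches)
    return verdicts


# Constructed events: WS01 runs the full chain, WS02 is a developer reading a paste in a browser.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute",
     "Details": "(Empty)"},
    {"Computer": "WS01", "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\(Default)",
     "Details": r"cmd.exe /c C:\Users\dev\AppData\Local\Temp\stage.bat"},
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\computerdefaults.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "computerdefaults.exe"},
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\computerdefaults.exe",
     "CommandLine": r"cmd.exe /c C:\Users\dev\AppData\Local\Temp\stage.bat"},
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr C:\Users\dev\AppData\Roaming\svc.exe /sc onlogon /rl highest /f'},
    {"Computer": "WS01", "EventID": 3, "Image": r"C:\Users\dev\AppData\Roaming\svc.exe",
     "DestinationHostname": "pastebin.com", "DestinationPort": 443},
    {"Computer": "WS02", "EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "pastebin.com", "DestinationPort": 443},
]


if __name__ == "__main__":
    for host, (level, matches) in correlate(SAMPLE_EVENTS).items():
        print(host, level)
        for rule, detail in matches:
            print("   ", rule, detail)
```

The registry rule is the high-confidence one: legitimate software has no reason to create an ms-settings handler under a user hive, so a single EventID 13 hit there warrants a look even without the rest of the chain. The paste-site rule is noisier and is deliberately scoped to non-browser processes.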

Pulsar primarily targets Windows users and organizations that lack endpoint detection and response (EDR) coverage, with a particular focus on developers reached through compromised development tools and libraries.

Mitigation Strategies

To defend against the tactics employed by Pulsar RAT, organizations and individuals should implement the following measures:

– Regular Software Audits: Review installed software and third-party dependencies on a schedule; for npm and similar ecosystems, pin versions with a lockfile, inspect packages that declare install-time lifecycle scripts, and remove anything unexplained.

– Enhanced Endpoint Security: Deploy EDR that observes in-memory .NET assembly loading (AMSI and ETW telemetry) and process injection rather than only file writes, since the payload stages never reach disk.

– User Education: Train users, especially developers, to verify the provenance of a package before installing it and to avoid packages from unverified sources.

– Network Monitoring: Analyze egress traffic for C2 indicators, including connections to public paste sites from processes that are not browsers, since that is where the client fetches its configuration.

– Regular Updates: Keep all systems and security tools updated to ensure the latest protections against emerging threats.

By adopting a proactive and layered security approach, organizations can enhance their resilience against advanced threats like Pulsar RAT, safeguarding their systems and sensitive data from unauthorized access and potential exploitation.