What happened
Pulsar RAT, a derivative of the open-source Quasar RAT, has been observed using memory-only execution and hidden virtual network computing (HVNC) to maintain stealthy remote access on compromised Windows systems. The malware combines TLS-encrypted command-and-control traffic serialized with MessagePack, privilege-escalation and persistence tactics such as UAC bypass and scheduled task creation, and evasion features including anti-virtualization, anti-debugging, and fileless execution via .NET reflection. Pulsar operators retrieve command-and-control configuration dynamically from public pastebin services and from malicious npm packages, a supply-chain vector. Its capabilities include keylogging, credential theft, clipboard hijacking, file management, remote shell access, and data exfiltration to attacker-controlled infrastructure.
Who is affected
Windows users and organizations lacking advanced endpoint detection are at direct risk; developers and systems exposed to malicious open-source packages are also implicated.
Why CISOs should care
This RAT’s stealth features complicate detection and incident response, increasing the likelihood of prolonged unauthorized access, data theft, and lateral movement within enterprise networks.
3 practical actions
- Harden endpoint detection: Deploy EDR solutions tuned for memory-only and HVNC behavior.
- Vet open-source dependencies: Audit and restrict use of third-party packages in development pipelines.
- Implement code signing policies: Prevent unauthorized or unsigned binaries from executing in production.
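Sample detection logic for two of the behaviours described above (scheduled-task persistence from a user-writable path, and C2 configuration retrieval from a paste site by a non-browser process), added here as an illustration and not taken from the original brief. The JSON event records, their field names and the sample host/process values are simplified constructions, not a real EDR or SIEM schema; the event IDs (Security 4698, Sysmon 22) are real.

```python
"""Added example: flag scheduled-task persistence and paste-site config lookups
over constructed, simplified event records (not a real EDR schema)."""
import json

# Directories an unprivileged user can write to; a task action living here is suspect.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
PASTE_HOSTS = ("pastebin.com",)  # the brief names pastebin; extend per environment
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # expected to talk to paste sites


def suspicious_task(rec: dict) -> bool:
    """Security event 4698 (task created) whose action runs from a user-writable path."""
    cmd = rec.get("task_command", "").lower()
    return rec.get("event_id") == 4698 and any(p in cmd for p in USER_WRITABLE)


def suspicious_paste_lookup(rec: dict) -> bool:
    """Sysmon event 22 (DNS query): a non-browser process resolving a paste service."""
    host = rec.get("query", "").lower()
    proc = rec.get("image", "").lower().rsplit("\\", 1)[-1]
    return rec.get("event_id") == 22 and host.endswith(PASTE_HOSTS) and proc not in BROWSERS


def detect(lines):
    """Return (finding, hostname, detail) tuples for every matching JSON log line."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if suspicious_task(rec):
            hits.append(("scheduled-task persistence", rec["hostname"], rec["task_name"]))
        elif suspicious_paste_lookup(rec):
            hits.append(("c2-config retrieval via paste site", rec["hostname"], rec["image"]))
    return hits


SAMPLE_LOGS = [  # constructed sample records (hypothetical host WS01, user alice)
    json.dumps({"event_id": 4698, "hostname": "WS01", "task_name": "OneDrive Update",
                "task_command": r"C:\Users\alice\AppData\Roaming\svc\client.exe"}),
    json.dumps({"event_id": 4698, "hostname": "WS01", "task_name": "Backup",
                "task_command": r"C:\Program Files\Backup\backup.exe"}),
    json.dumps({"event_id": 22, "hostname": "WS01", "query": "pastebin.com",
                "image": r"C:\Users\alice\AppData\Roaming\svc\client.exe"}),
    json.dumps({"event_id": 22, "hostname": "WS01", "query": "pastebin.com",
                "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"}),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print(hit)
```

Only the AppData-hosted task and the DNS lookup from that same non-browser binary are reported; the legitimate backup task and the browser lookup are ignored.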
