
Pulsar RAT

Pulsar RAT is a Windows-focused open-source .NET remote access trojan, widely described as a derivative of Quasar RAT and observed in active multi-stage malware campaigns and software supply-chain attacks. Reported delivery vectors include malicious npm packages such as buildrunner-dev, fake installer/MSI packages such as haunt.msi, obfuscated batch and PowerShell loader chains, and steganographic retrieval of payloads from PNG images. In multiple reports, the malware is executed primarily in memory using Donut-generated shellcode, reflective .NET loading, process injection into legitimate processes such as explorer.exe, and watchdog/process-migration logic to maintain execution while minimizing disk artifacts.

High-confidence capabilities described across the reporting include remote access and command execution, credential theft, keylogging, screen capture, webcam and microphone capture, browser credential and profile theft, file management, remote shell access, and data exfiltration. Specific theft targets mentioned include Chrome, Edge, Brave, Opera, and Firefox browser data; Firefox logins.json via PK11SDR_Decrypt; cryptocurrency wallets and clipboard hijacking for BTC, ETH, XMR, SOL, LTC, XRP, TRX, and BCH formats; VPN configurations; gaming accounts; messaging tokens; and developer-related secrets in supply-chain scenarios. Some reporting also describes hidden VNC/HVNC-style covert access, live chat interaction with victims, and use alongside Stealerv37.

Persistence and evasion features reported include HKCU\Software\Microsoft\Windows\CurrentVersion\Run entries, scheduled tasks, UAC-bypass techniques including fodhelper.exe and ms-settings/computerdefaults-style abuse, anti-VM checks for VMware, VirtualBox, QEMU, Parallels, and Cuckoo artifacts, and anti-debugging against tools including x32dbg, x64dbg, WinDbg, OllyDbg, dnSpy, Immunity Debugger, and IDA. One detailed analysis of Pulsar RAT v2.4.5.0 described a loader masquerading as cfgmgr.dll that decoded GUID-encoded shellcode from its .rdata section, then patched AMSI, disabled ETW, bypassed WLDP, loaded .NET runtime v4.0.30319, and reflectively loaded the Pulsar payload from memory. The malware has also been reported to use TLS-encrypted and MessagePack-based communications.
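The GUID-to-bytes decoding described above is the step an analyst has to reverse in order to get at the shellcode for static analysis. The following Python is an added example, not code from this page or from any of the cited reports: it reassembles a run of textual GUIDs into bytes using the in-memory layout Windows gives a GUID (Data1, Data2 and Data3 little-endian, Data4 in textual order, which is what UuidFromStringA produces and what uuid.UUID(...).bytes_le returns), counts GUIDs as a density heuristic for spotting such blobs in a strings dump, and checks that the figures quoted in the reporting are self-consistent (60,820 GUIDs × 16 bytes = 973,120 bytes, matching the reported 973 KB). It assumes the input is text already extracted from the sample (for example a strings dump that includes wide strings); the sample payload and dump are constructed, and the small encoder exists only to build that test input.

```python
import re
import uuid

# Textual GUID as emitted by UuidToString / stored in a .rdata string table.
GUID_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)


def guid_to_bytes(guid_text: str) -> bytes:
    """Return the 16 bytes this GUID occupies in memory on Windows.

    UuidFromStringA writes Data1 (uint32), Data2 and Data3 (uint16) little-endian and
    Data4 (8 bytes) in textual order, which is exactly uuid.UUID(...).bytes_le.
    """
    return uuid.UUID(guid_text).bytes_le


def decode_guid_blob(text: str) -> bytes:
    """Concatenate every GUID found in `text`, in order, into one byte string."""
    return b"".join(guid_to_bytes(m.group(0)) for m in GUID_RE.finditer(text))


def guid_count(text: str) -> int:
    """Density heuristic: legitimate binaries carry a handful of GUIDs, not tens of thousands."""
    return sum(1 for _ in GUID_RE.finditer(text))


def expected_blob_size(num_guids: int) -> int:
    """Bytes produced by decoding num_guids GUIDs (16 bytes each)."""
    return num_guids * 16


def encode_as_guids(payload: bytes) -> str:
    """Inverse transform, used here only to construct test input; zero-pads to a 16-byte multiple."""
    padded = payload + b"\0" * (-len(payload) % 16)
    return "\n".join(str(uuid.UUID(bytes_le=padded[i:i + 16])) for i in range(0, len(padded), 16))


# Constructed stand-in for the decoded content; a real sample holds x64 shellcode here.
SAMPLE_PAYLOAD = bytes(range(48)) + b"constructed"
# Constructed strings-dump text: unrelated strings around a 4-GUID run.
SAMPLE_DUMP = "header junk\n" + encode_as_guids(SAMPLE_PAYLOAD) + "\ntrailer junk\n"

if __name__ == "__main__":
    blob = decode_guid_blob(SAMPLE_DUMP)
    print(f"{guid_count(SAMPLE_DUMP)} GUIDs -> {len(blob)} bytes")
    print("page figures consistent:", expected_blob_size(60820) == 973120)
```

Run it over the strings output of a suspect DLL rather than the raw file, since the GUIDs may be stored as wide strings. A run of tens of thousands of consecutive GUIDs in a single section is itself a strong static indicator before any decoding, and the decoded blob can then be handed to a disassembler or scanned for an embedded PE header.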

Observed infrastructure and indicators include command-and-control relayed through host.fedmenigga.workers.dev via Cloudflare Workers to the backend 31.57.147.207, victim geolocation via ipwho.is, and a separately reported C2 indicator of 185.132.53.17:7800. Exfiltration channels mentioned in reporting include Discord webhooks, Telegram bots, and cloud-based messaging services. Associated activity has been linked to financially motivated campaigns, including Elastic Security Labs reporting GitHub-hosted payload delivery tied to an operation tracked as REF1695, and Breakglass Intelligence assessing a sustained multi-tool campaign using Pulsar RAT MaaS since at least February 2026. Targeting described in the reporting is primarily Windows users, including developers via npm/package ecosystem abuse, and organizations lacking mature endpoint detection.


MITRE ATT&CK: techniques and procedures

40 distinct techniques documented for this family, organized by ATT&CK tactic. Each entry gives the technique ID and name, the number of evidence items behind it, and the evidence excerpt as quoted from the source reports. A technique mapped to more than one tactic is listed under each tactic, so the per-tactic counts add up to more than 40.

Initial Access (2 techniques)

T1195.001 Compromise Software Dependencies and Development Tools (evidence: 1)
"Malware found in NPM packages with 1 million weekly downloads"; "Complex npm attack uses 7-plus layers of obfuscation to spread Pulsar RAT"; "Fake npm utilities remotely delete entire app directories"

T1566 Phishing (evidence: 1)
Source report mapping: T1566 Phishing, implemented as an MSI delivered as a social engineering lure

Execution (3 techniques)

T1059.001 PowerShell (evidence: 1)
The decoded PowerShell script functions as an advanced in-memory loader... launches it using a hidden PowerShell instance with execution policy bypass enabled

T1106 Native API (evidence: 1)
...exposes native Windows API functions, such as OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.

T1204.002 Malicious File (evidence: 1)
[2] EXECUTION: User runs MSI → Windows Installer executes CustomAction

Persistence (1 technique)

T1547.001 Registry Run Keys / Startup Folder (evidence: 2)
Persistence: Software\Microsoft\Windows\CurrentVersion\Run

Privilege Escalation (4 techniques)

T1055 Process Injection (evidence: 1)
...injects the decrypted shellcode into a legitimate process and spawns a remote thread to begin execution.

T1055.004 Asynchronous Procedure Call (evidence: 1)
Process Injection: APC via ZwQueueApcThread

T1055.012 Process Hollowing (evidence: 1)
Remote execution: <ExecuteViaRunPE>b__0 (process hollowing)

T1547.001 Registry Run Keys / Startup Folder (evidence: 2)
Persistence: Software\Microsoft\Windows\CurrentVersion\Run

Stealth (15 techniques)

T1027 Obfuscated Files or Information (evidence: 2)
GUID-encoded shellcode — 973 KB of x64 shellcode stored as 60,820 Windows GUIDs in the PE .rdata section, evading signature-based detection

T1027.011 Fileless Storage (evidence: 1)
Fileless Storage: shellcode decoded into memory

T1027.013 Encrypted/Encoded File (evidence: 1)
“extracts an embedded Base64-encoded PowerShell payload…” and “contains an encrypted byte array that is decrypted at runtime using a bitwise XOR routine”

T1036.005 Match Legitimate Resource Name or Location (evidence: 1)
Export table name: cfgmgr.dll (Windows Configuration Manager — DLL hijack masquerade)

T1055 Process Injection (evidence: 1)
...injects the decrypted shellcode into a legitimate process and spawns a remote thread to begin execution.

T1055.004 Asynchronous Procedure Call (evidence: 1)
Process Injection: APC via ZwQueueApcThread

T1055.012 Process Hollowing (evidence: 1)
Remote execution: <ExecuteViaRunPE>b__0 (process hollowing)

T1070.004 File Deletion (evidence: 1)
“Defense Evasion T1070.004 Indicator Removal: File Deletion” and “writes it temporarily to disk… and then deletes the script.”

T1140 Deobfuscate/Decode Files or Information (evidence: 1)
Deobfuscate/Decode Files: GUID-to-bytes decoding at runtime

T1218.007 Msiexec (evidence: 1)
Msiexec: MSI installer as execution vehicle

T1218.011 Rundll32 (evidence: 1)
rundll32.exe "<temp>\cfgmgr.dll",nGOYQVFxRyF

T1480 Execution Guardrails (evidence: 1)
Execution Guardrails: debugger detection + sleep delays

T1497 Virtualization/Sandbox Evasion (evidence: 1)
Anti-VM: CheckForVMwareAndVirtualBox, VMware/VirtualBox/QEMU/Parallels strings

T1620 Reflective Code Loading (evidence: 2)
The shellcode then reflectively loads an embedded .NET PE (the Pulsar RAT payload) from position 0x99b41 in the decoded shellcode, using a custom in-memory PE loader.

T1622 Debugger Evasion (evidence: 1)
Anti-debug: IsDebuggerPresent, CheckRemoteDebuggerPresent

Credential Access (3 techniques)

T1056.001 Keylogging (evidence: 1)
Keylogging: Gma.System.MouseKeyHook, KeyloggerService

T1539 Steal Web Session Cookie (evidence: 1)
Steal Web Session Cookie: browser profile exfiltration

T1555.003 Credentials from Web Browsers (evidence: 1)
Web Browser Credentials: Chrome/Edge/Brave/Opera/Firefox

Discovery (5 techniques)

T1012 Query Registry (evidence: 1)
Query Registry: SOFTWARE\Microsoft\Windows NT\CurrentVersion

T1057 Process Discovery (evidence: 2)
Process Discovery: WMI Win32_BIOS, Win32_DiskDrive

T1082 System Information Discovery (evidence: 2)
System Information Discovery: OS version, hardware, CLR version

T1497 Virtualization/Sandbox Evasion (evidence: 1)
Anti-VM: CheckForVMwareAndVirtualBox, VMware/VirtualBox/QEMU/Parallels strings

T1622 Debugger Evasion (evidence: 1)
Anti-debug: IsDebuggerPresent, CheckRemoteDebuggerPresent

Collection (6 techniques)

T1056.001 Keylogging (evidence: 1)
Keylogging: Gma.System.MouseKeyHook, KeyloggerService

T1113 Screen Capture (evidence: 2)
Screen capture: SharpDX, SharpDX.Direct3D11, SharpDX.DXGI, SharpDX.D3DCompiler

T1115 Clipboard Data (evidence: 1)
Clipboard hijack: monitors clipboard continuously; replaces any recognized crypto address with attacker's address

T1123 Audio Capture (evidence: 1)
Audio: NAudio.Core, NAudio.Wasapi, "Error stopping audio"

T1125 Video Capture (evidence: 1)
Webcam: AForge.Video, AForge.Video.DirectShow, FilterInfoCollection

T1185 Browser Session Hijacking (evidence: 1)
Browser theft: PK11SDR_Decrypt (Firefox), logins (Firefox logins.json), cloning browser profile

Command and Control (5 techniques)

T1071.001 Web Protocols (evidence: 2)
C2 connection: HTTPS → host.fedmenigga.workers.dev:443

T1090.001 Internal Proxy (evidence: 1)
Cloudflare Worker relay → 31.57.147.207:? (backend)

T1090.004 Domain Fronting (evidence: 1)
Cloudflare Workers C2 relay — host.fedmenigga.workers.dev proxies all C2 traffic through Cloudflare's CDN

T1105 Ingress Tool Transfer (evidence: 2)
The .NET malware deployed by buildrunner-dev is Pulsar RAT, an open-source RAT delivered via a PNG image hosted on i.ibb[.]co.

T1219 Remote Access Tools (evidence: 2)
"...obfuscation to spread Pulsar RAT"

Exfiltration (1 technique)

T1041 Exfiltration Over C2 Channel (evidence: 1)
Data exfiltration: all captured data (keystrokes, screenshots, credentials, clipboard) sent to the C2 operator in real time

Other (2 techniques)

T1562.001 Disable or Modify Tools (evidence: 2)
1. AMSI bypass (AmsiInitialize, AmsiScanBuffer, AmsiScanString): the shellcode patches AMSI functions in memory to disable antivirus scanning of script content.

T1562.006 Indicator Blocking (evidence: 1)
2. ETW bypass (EtwEventWrite, EtwEventUnregister): Event Tracing for Windows (used by EDRs) is disabled by overwriting the function prologue.
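Several of the techniques listed above leave host telemetry that a SIEM can match without any sample in hand: rundll32.exe loading a DLL from a temp directory (T1218.011), a hidden PowerShell instance with execution-policy bypass spawned from the MSI's CustomAction (T1059.001, T1204.002), and a Run key value pointing into a user-writable temp path (T1547.001). The following Python is an added example, not detection content from this page or from any vendor: it applies three such rules to constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set) modeled on the evidence quoted above. Field names follow Sysmon conventions; the user name, paths, SID and encoded command are constructed, and the rundll32 command line mirrors the quoted form with a constructed temp path.

```python
from __future__ import annotations
import re
from typing import Iterable

# User-writable temp locations; a DLL executed by rundll32 from here is anomalous.
TEMP_PATH_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Temp)\\", re.IGNORECASE)
# Run key in HKCU or HKU\<SID> form; a value pointing into a temp path matches the page's persistence pattern.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def classify(event: dict) -> list[str]:
    """Return the name of every rule the event triggers (empty list if benign)."""
    hits: list[str] = []
    if event.get("EventID") == 1:  # process creation
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "")
        parent = event.get("ParentImage", "").lower()
        if image.endswith("\\rundll32.exe") and TEMP_PATH_RE.search(cmd):
            hits.append("rundll32_temp_dll")
        if image.endswith("\\powershell.exe"):
            flat = cmd.lower()
            if "bypass" in flat and ("-w hidden" in flat or "windowstyle hidden" in flat):
                hits.append("powershell_hidden_bypass")
                if parent.endswith("\\msiexec.exe"):
                    hits.append("msiexec_spawns_powershell")
    elif event.get("EventID") == 13:  # registry value set
        if RUN_KEY_RE.search(event.get("TargetObject", "")) and TEMP_PATH_RE.search(event.get("Details", "")):
            hits.append("run_key_points_to_temp")
    return hits


def triage(events: Iterable[dict]) -> list[tuple[int, str]]:
    """Flatten rule hits into (RecordId, rule) pairs, preserving event order."""
    return [(ev["RecordId"], hit) for ev in events for hit in classify(ev)]


# Constructed Sysmon-style events (not real telemetry); user, paths and SID are made up.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\cfgmgr.dll",nGOYQVFxRyF'},
    {"RecordId": 2, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand QQBCAEMA"},
    {"RecordId": 3, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    # Benign controls: rundll32 loading a System32 DLL, and a Run key pointing into Program Files.
    {"RecordId": 4, "EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"RecordId": 5, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for record_id, rule in triage(SAMPLE_EVENTS):
        print(f"record {record_id}: {rule}")
```

The rules are deliberately narrow so that the two benign controls stay silent; in production the temp-path list should be extended to whatever user-writable staging directories your environment allows, and the msiexec parent rule is the one to weight highest, since installers spawning hidden PowerShell with a policy bypass is rare in legitimate software.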

INDICATORS OF COMPROMISE

28 indicators attributed across vendor reports, sandbox runs, and researcher write-ups; the public page masks the values.

Network: 21 tracked (IPs, domains, and DNS infrastructure linked to this family).
Hashes: 7 tracked (MD5, SHA-1, SHA-256 from samples and reports).

Masked indicator table (only type and latest sighting are visible): 2 IPv4 addresses, last sighted 1 month and 3 months ago, and 4 domains, each last sighted 3 months ago.
ACTIVITY FEED

13 sources tracked across advisories, community write-ups, and news.
