What is PureHVNC?

PureHVNC is a remote‑access trojan (RAT) used in targeted campaigns where a staged loader, known as Hijack Loader, delivers the payload through malicious document attachments and establishes command‑and‑control.

The technical analysis published on 28 October 2025 shows attackers using Spanish‑language, judiciary‑themed lures and SVG attachments that trigger a multi‑stage loader before retrieving PureHVNC. Cyberwarzone’s coverage of the campaign compiles those findings and the observable indicators (see “Hijack Loader delivers PureHVNC”).

In observed infections the sequence is: a renamed javaw.exe launches a malicious JLI.dll, which loads MSTH7EN.dll; the loader assembles encrypted payload containers (Sumhand.zam, Plagkeg.zk), decrypts shellcode chunks and finally runs the PureHVNC module. Investigators reported a DuckDNS subdomain used for C2 traffic.

The loader is modular. Its configuration lists module names, shellcode offsets and process‑name hashes that can delay execution. Samples include module indicators such as AVDATA and LauncherLdr64; the malware performs DLL hollowing, changes memory protections so that it can write and then execute shellcode, and reconstructs encrypted chunks with XOR and LZNT1 decompression.

Defenders should therefore focus on delivery and behavior patterns rather than on static signatures alone. Recommended actions:

  • Block, sandbox or convert SVG attachments and treat unexpected external document attachments as high risk.
  • Hunt for renamed binaries (for example: a judiciary‑themed 02 BOLETA FISCAL.exe running as javaw.exe) launched from user folders.
  • Monitor for DLL side‑loading and unusual LoadLibrary or VirtualProtect calls that result in writable, executable code in standard DLLs.
  • Alert on creation of Plagkeg.zk or Sumhand.zam files, unrecognized scheduled tasks, and outbound queries to DuckDNS subdomains.
  • Ingest published module hashes into YARA/EDR rules only when those hashes are provided by primary technical reporting.
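As an added example (not code from the article or from Cyberwarzone), the behavioral hunts above expressed as a small Python checker over Sysmon-style events; the event field names are an assumption about the telemetry you collect, and the sample events are constructed, not real logs.

```python
# Hunting rules for the delivery chain above, run over Sysmon-style events.
# Indicator names come from the article; the field names (Image, OriginalFileName,
# ImageLoaded, TargetFilename, QueryName) follow Sysmon and are assumed, not quoted.
from pathlib import PureWindowsPath

PAYLOAD_FILES = {"plagkeg.zk", "sumhand.zam"}
SIDELOAD_DLLS = {"jli.dll", "msth7en.dll"}

def _base(path):
    return PureWindowsPath(path).name.lower()

def _from_user_folder(path):
    return "\\users\\" in path.lower()

def match_event(ev):
    """Return the hunting rules an event trips (empty list if none)."""
    hits, kind = [], ev.get("EventType")
    if kind == "ProcessCreate":
        # PE version info says javaw.exe, but the file on disk carries another name.
        if (ev.get("OriginalFileName", "").lower() == "javaw.exe"
                and _base(ev["Image"]) != "javaw.exe" and _from_user_folder(ev["Image"])):
            hits.append("renamed_javaw_from_user_folder")
    elif kind == "ImageLoad":
        # JLI.dll / MSTH7EN.dll side-loaded from a user folder rather than a Java install.
        if _base(ev["ImageLoaded"]) in SIDELOAD_DLLS and _from_user_folder(ev["ImageLoaded"]):
            hits.append("loader_dll_sideload")
    elif kind == "FileCreate":
        # Encrypted payload containers written to disk.
        if _base(ev["TargetFilename"]) in PAYLOAD_FILES:
            hits.append("payload_container_dropped")
    elif kind == "DnsQuery":
        # C2 resolution through a DuckDNS subdomain.
        if ev.get("QueryName", "").lower().endswith(".duckdns.org"):
            hits.append("duckdns_c2_lookup")
    return hits

def hunt(events):
    """Return the sorted set of rule names tripped across a batch of events."""
    return sorted({rule for ev in events for rule in match_event(ev)})

# Constructed sample telemetry (not real logs) mirroring the reported chain.
DROP = r"C:\Users\ana\Downloads"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": DROP + "\\02 BOLETA FISCAL.exe",
     "OriginalFileName": "javaw.exe"},
    {"EventType": "ImageLoad", "ImageLoaded": DROP + "\\JLI.dll"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Users\ana\AppData\Local\Temp\Plagkeg.zk"},
    {"EventType": "DnsQuery", "QueryName": "example-host.duckdns.org"},
]
```

A legitimate javaw.exe in its install directory, or jli.dll loaded from a Java install path, trips none of the rules, which keeps the checks focused on the renamed-binary and user-folder side-loading pattern the article describes.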

It’s essential to ground detection and response in the published technical report and to cross‑reference related Cyberwarzone coverage of targeted phishing and supply‑chain risks for context (see “Phishing Campaign Targets Travel Websites”).

Finally, “The human element remains central,” a reminder that social engineering and access to specialized tooling are persistent drivers behind these campaigns.