The fileless, in‑memory design evades traditional endpoint scanners, forcing organizations to adopt behavior‑based defenses to stop real‑time data theft and remote control.
The rise of fileless malware has reshaped threat actor tactics, with adversaries leveraging legitimate Windows components to hide malicious activity. Point Wild’s discovery of the Pulsar RAT illustrates how attackers combine living‑off‑the‑land binaries, PowerShell, and the open‑source Donut framework to create a fully memory‑resident payload. By avoiding disk writes and using heavily obfuscated .NET code, the RAT sidesteps static analysis tools, while its modular architecture enables rapid feature updates without redeploying new binaries.
Technical analysis reveals a multi‑stage chain that begins with a modest batch script establishing persistence through a per‑user Registry Run key. The script spawns a PowerShell loader that decodes shellcode generated from a .NET assembly, then injects it directly into a running process. This in‑memory execution model, coupled with anti‑VM, anti‑debugging, and process‑injection detection mechanisms, hampers conventional sandboxing and forensic techniques. The RAT’s live command interface allows operators to conduct reconnaissance, manipulate files, and adjust persistence on the fly, while a parallel stealer component harvests credentials and system data for exfiltration via Discord webhooks and Telegram bots.
For defenders, the campaign underscores the necessity of shifting from file‑centric detection to behavior‑based monitoring. Security teams should prioritize telemetry that flags anomalous PowerShell activity, unexpected shellcode injection, and unusual Registry Run entries. Deploying memory‑analysis tools and endpoint detection and response (EDR) solutions capable of real‑time process inspection can surface the RAT’s interactive sessions before data loss occurs. As threat actors continue to refine in‑memory techniques, enterprises must invest in proactive threat hunting and rapid isolation capabilities to mitigate the elevated risk posed by stealthy, live‑control malware.
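As an added illustration of the behavior-based monitoring recommended above (not code from the original report or from Point Wild), the following Python sketch correlates two of the telemetry signals the analysis names: a per-user Registry Run key that launches a script interpreter, and a PowerShell process spawned by a batch script with evasion-style flags. The event records, user names, paths and encoded-command fragment are all constructed for the example; the field layout loosely mimics Sysmon process-creation and registry-value-set events but is not tied to any real log format.

```python
"""Toy behaviour-based hunt for the batch -> PowerShell -> in-memory loader chain.

All events below are CONSTRUCTED sample telemetry, not real logs or IoCs.
"""
import re
from dataclasses import dataclass

# Per-user or machine Run key path (case-insensitive)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Command-line switches commonly seen on hidden, policy-bypassing PowerShell loaders
SUSPICIOUS_PS_FLAGS = ("-enc", "-encodedcommand", "-nop", "-w hidden",
                       "-windowstyle hidden", "-noni", "-ep bypass",
                       "-executionpolicy bypass")
# Tokens that indicate a script decoding and loading code directly into memory
MEMORY_LOAD_TOKENS = ("[system.reflection.assembly]::load", "frombase64string",
                      "virtualalloc", "writeprocessmemory", "createremotethread")


@dataclass
class Event:
    kind: str            # "process" or "registry"
    user: str
    image: str = ""      # process image path (process events)
    parent: str = ""     # parent image path (process events)
    cmdline: str = ""    # full command line (process events)
    target: str = ""     # registry value path (registry events)
    details: str = ""    # registry value data (registry events)


def score_event(ev: Event) -> list[str]:
    """Return the list of suspicious traits observed on a single event."""
    reasons = []
    if ev.kind == "registry" and RUN_KEY_RE.search(ev.target):
        data = ev.details.lower()
        if ev.target.upper().startswith(("HKU\\", "HKCU\\")):
            reasons.append("per-user Run key modified")
        if data.endswith((".bat", ".cmd", ".vbs", ".ps1")) or "powershell" in data:
            reasons.append("Run key launches a script interpreter")
        if "\\appdata\\" in data or "\\temp\\" in data:
            reasons.append("Run key points into a user-writable directory")
    elif ev.kind == "process" and ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        cl = ev.cmdline.lower()
        flags = [f for f in SUSPICIOUS_PS_FLAGS if f in cl]
        if flags:
            reasons.append("PowerShell launched with evasion flags: " + ", ".join(flags))
        if ev.parent.lower().endswith("cmd.exe"):
            reasons.append("PowerShell spawned by cmd.exe (batch-script loader pattern)")
        mem = [t for t in MEMORY_LOAD_TOKENS if t in cl]
        if mem:
            reasons.append("in-memory load/injection API referenced: " + ", ".join(mem))
    return reasons


def hunt(events: list[Event]) -> dict:
    """Group suspicious traits per user; persistence plus a loader in the same
    user context is rated high, a single stage on its own medium."""
    findings: dict = {}
    for ev in events:
        reasons = score_event(ev)
        if not reasons:
            continue
        entry = findings.setdefault(ev.user, {"reasons": [], "persistence": False, "loader": False})
        entry["reasons"].extend(reasons)
        entry["persistence"] |= ev.kind == "registry"
        entry["loader"] |= ev.kind == "process"
    for entry in findings.values():
        entry["severity"] = "high" if entry["persistence"] and entry["loader"] else "medium"
    return findings


# Constructed sample telemetry: one suspicious chain (alice) and benign noise (bob, SYSTEM)
SAMPLE_EVENTS = [
    Event("registry", r"CORP\alice",
          target=r"HKU\S-1-5-21-111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          details=r"C:\Users\alice\AppData\Roaming\upd.bat"),
    Event("process", r"CORP\alice", image=r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline=r"cmd.exe /c C:\Users\alice\AppData\Roaming\upd.bat"),
    Event("process", r"CORP\alice",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\cmd.exe",
          cmdline="powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3...(constructed)"),
    Event("process", r"CORP\bob",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline=r"powershell.exe -File C:\scripts\inventory.ps1"),
    Event("registry", "NT AUTHORITY\\SYSTEM",
          target=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          details=r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for user, f in hunt(SAMPLE_EVENTS).items():
        print(f"[{f['severity'].upper()}] {user}")
        for r in f["reasons"]:
            print("   -", r)
```

In production the event source would be an EDR or SIEM feed rather than a hard-coded list, and the thresholds would be tuned against the organization's own PowerShell baseline; the point of the sketch is that neither signal alone is conclusive, while a Run key pointing at a script in a user-writable path together with a hidden, encoded PowerShell child of cmd.exe in the same user context is exactly the stage sequence the analysis describes.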