Check Point Research Exposes PureCoder: The Underground Developer Powering AI-Era Malware Campaigns

Check Point Research (CPR) has uncovered new intelligence on PureCoder, the developer behind one of today’s fastest-growing malware ecosystems, whose tools power global cybercrime campaigns and who has been developing, selling and updating malware since 2021. Our latest forensic analysis reveals not only how PureCoder’s tools, including PureHVNC RAT, PureRAT, and PureCrypter, are being used, but also directly ties their infrastructure to GitHub repositories, exposing rare details about the developer’s operational practices and timezone of activity.

This study represents one of the most detailed dissections of the Pure malware family to date. It underscores how cybercrime has matured into a professional, service-based industry, where attackers combine PureCoder’s malware with tactics such as fake job phishing (ClickFix), Rust loaders, and Sliver implants to infiltrate organizations, steal sensitive data, and weaponize compromised systems.

The Pure Picture

  • Developer Attribution: For the first time, GitHub repositories have been directly linked to PureCoder, shedding light on their development infrastructure and UTC+0300 timezone, highlighting how legitimate platforms are exploited by threat actors.
  • Malware Ecosystem: PureCoder has built a suite of tools – PureHVNC RAT, PureRAT, PureCrypter, PureLogs – enabling hidden remote control, credential data theft, and evasion of antivirus software, sold in underground forums since 2021.
  • Diving into Details: Check Point Research tracked an eight-day intrusion beginning with fake job lures (ClickFix), escalating to persistence, credential theft, and deployment of the Sliver C2 framework.
  • Global Reach: Attacks tied to PureCoder impacted organizations across the U.S., Europe, and Asia-Pacific, targeting industries such as finance, education, healthcare, and telecoms.
  • Threat Growth: Use of PureCoder tools has surged in 2025, increasingly distributed through malspam, phishing sites, and underground forums.

PureCoder exemplifies the professionalization of cybercrime – where malware developers build full-fledged product suites marketed on Telegram, fueling campaigns across multiple regions. PureCoder operates like a software vendor, offering version updates, bug fixes, and “support” to buyers, with malware packages priced from $50 to several hundred dollars.

Said Eli Smadja, Head of Research, Check Point Research, “Behind every global cyber campaign sits not only an operator, but often a developer like PureCoder who supplies the tools. PureCoder epitomizes the industrialization of cybercrime — malware is now developed, marketed, and supported like legitimate software. Our research provides rare visibility into the malware economy’s supply chain, highlighting why attribution, prevention-first defenses, and intelligence-led collaboration are critical to staying safe.”
