SOC Prime Bias: Critical

08 Jun 2026 19:48 UTC

PulseRAT Delivered Through a UAE-India Partnership Lure

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A malicious ISO archive disguised as a UAE-India strategic partnership file is being used to deliver a .NET-based remote access trojan tracked as PulseRAT. The malware is installed through a dropper embedded in the ISO and uses a Google Spreadsheet as its command-and-control channel. To maintain access, it creates a scheduled task named WindowsVaultSyncService, builds a vault directory under %LOCALAPPDATA%, and uses a mutex to prevent multiple executions on the same host. The campaign relies on a lure connected to a high-profile defense relationship between the United Arab Emirates and India.

Investigation

The analyst unpacked the ISO file, identified the LNK shortcut responsible for launching the executable, and reverse-engineered the dropper to uncover its payload and persistence logic. Further analysis of PulseRAT revealed how it uses Google Sheets for command-and-control, generates its mutex, executes PowerShell within process memory, and creates its scheduled task for persistence. File names, filesystem paths, mutex patterns, and the spreadsheet identifier were all documented to support detection engineering.

Mitigation

Organizations should block execution of unknown binaries launched from removable or mounted media and monitor for creation of scheduled tasks named WindowsVaultSyncService. Application control should be enforced for binaries running from %LOCALAPPDATA%\Microsoft\Vault, and defenders should inspect Google Sheets API traffic for access to unauthorized accounts or unexpected spreadsheet activity. Any malicious scheduled task should be removed, and the vaultsvc.exe file should be deleted from affected systems.

Response

If PulseRAT activity is detected, isolate the affected endpoint immediately, collect volatile memory and disk images, and search for the documented indicators of compromise. Disable and remove the malicious scheduled task, delete the vault directory, and reset any compromised Google-related service accounts. A full forensic review should also be performed to identify possible lateral movement, and relevant stakeholders in the UAE and India should be informed.
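To make the Mitigation and Response guidance above actionable on a single host, here is an added triage and containment script. It is not SOC Prime's code; it assumes only the artifact names the report documents (the WindowsVaultSyncService task, the vault directory under %LOCALAPPDATA%\Microsoft\Vault, and vaultsvc.exe). The function names and output shape are this example's own choices, and the containment function deliberately removes only the task and the named binary, because Windows Credential Manager also keeps its own vault data under that same path.

```powershell
# Added example (not SOC Prime's code): host triage for the PulseRAT artifacts
# named in this report, followed by a narrowly scoped containment step.

function Get-PulseRatArtifact {
    [CmdletBinding()]
    param(
        [string]$TaskName = 'WindowsVaultSyncService',
        [string]$VaultDir = (Join-Path $env:LOCALAPPDATA 'Microsoft\Vault'),
        [string]$FileName = 'vaultsvc.exe'
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    $cmp = [System.StringComparison]::OrdinalIgnoreCase

    # 1. The documented scheduled task, with the command it actually runs.
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task) {
        foreach ($action in @($task.Actions)) {
            $findings.Add([pscustomobject]@{
                Type   = 'ScheduledTask'
                Item   = "$($task.TaskPath)$($task.TaskName)"
                Detail = "$($action.Execute) $($action.Arguments)".Trim()
            })
        }
    }

    # 2. Executables inside the vault directory. Credential Manager stores only
    #    non-executable data here, so any PE file is suspect; the named dropper
    #    is flagged explicitly and every hit is hashed and signature-checked.
    if (Test-Path -LiteralPath $VaultDir) {
        Get-ChildItem -LiteralPath $VaultDir -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll' } |
            ForEach-Object {
                $type = 'UnexpectedBinary'
                if ($_.Name.Equals($FileName, $cmp)) { $type = 'DroppedBinary' }
                $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                $findings.Add([pscustomobject]@{
                    Type   = $type
                    Item   = $_.FullName
                    Detail = "sha256=$hash signature=$($sig.Status)"
                })
            }
    }

    # 3. Running processes whose image lives in the vault directory; application
    #    control should already be blocking these.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path.StartsWith($VaultDir, $cmp) } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Type   = 'RunningProcess'
                Item   = $_.Path
                Detail = "pid=$($_.Id)"
            })
        }
    return $findings
}

function Remove-PulseRatPersistence {
    # Containment only: run after memory and disk images have been collected.
    # Removes the task, stops processes running from the vault directory and
    # deletes the named binary; all other vault contents are left for the
    # forensic review. Supports -WhatIf so the actions can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$TaskName = 'WindowsVaultSyncService',
        [string]$VaultDir = (Join-Path $env:LOCALAPPDATA 'Microsoft\Vault'),
        [string]$FileName = 'vaultsvc.exe'
    )
    $cmp = [System.StringComparison]::OrdinalIgnoreCase

    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task -and $PSCmdlet.ShouldProcess($TaskName, 'Unregister scheduled task')) {
        $task | Unregister-ScheduledTask -Confirm:$false
    }
    $procs = @(Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path.StartsWith($VaultDir, $cmp) })
    foreach ($p in $procs) {
        if ($PSCmdlet.ShouldProcess($p.Path, 'Stop process')) { Stop-Process -Id $p.Id -Force }
    }
    $files = @(Get-ChildItem -LiteralPath $VaultDir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name.Equals($FileName, $cmp) })
    foreach ($f in $files) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete dropped binary')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}

# Usage: review findings first, then preview containment before acting.
Get-PulseRatArtifact | Format-Table -AutoSize
Remove-PulseRatPersistence -WhatIf   # drop -WhatIf to apply
```

Get-ScheduledTask and Unregister-ScheduledTask need the ScheduledTasks module (Windows 8 / Server 2012 and later) and an elevated session to see tasks registered by other users; the triage function reports the task's action string so an unfamiliar executable path can be matched against the vault directory before anything is removed.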

Attack Flow

    graph TB
    %% Class definitions
    classDef action fill:#99ccff,stroke:#333,stroke-width:2px
    classDef tool fill:#dddddd,stroke:#333,stroke-width:2px
    classDef process fill:#ffeb99,stroke:#333,stroke-width:2px
    %% Nodes
    step_user_open["<b>Action</b> – <b>T1204.002 User Execution: Malicious File</b><br/><b>Description</b>: Victim opens a malicious shortcut (LNK) file.<br/><b>Sub-technique</b> T1547.009 Shortcut Modification<br/><b>Description</b>: Shortcut placed to achieve persistence."]
    class step_user_open action
    step_dropper["<b>Action</b> – <b>T1027.009 Obfuscated/Stored Files: Embedded Payloads</b><br/><b>Description</b>: Dropper extracts hidden payload.<br/><b>Technique</b> T1105 Ingress Tool Transfer<br/><b>Description</b>: Transfers payload to the victim system."]
    class step_dropper action
    step_persistence["<b>Action</b> – <b>T1053 Scheduled Task/Job</b><br/><b>Description</b>: Creates a scheduled task for persistence.<br/><b>Technique</b> T1070.004 File Deletion<br/><b>Description</b>: Dropper self-deletes after installing."]
    class step_persistence action
    step_execution["<b>Action</b> – <b>T1055.013 Process Injection: Process Hollowing</b><br/><b>Description</b>: Executes PowerShell in-process to run malicious code.<br/><b>Technique</b> T1602 Gather Victim Identity Information<br/><b>Description</b>: Collects system information (systeminfo)."]
    class step_execution action
    step_uid["<b>Action</b> – <b>T1589 Gather Victim Identity Information</b><br/><b>Description</b>: Generates a unique victim identifier (UID)."]
    class step_uid action
    step_c2["<b>Action</b> – <b>T1102.001 Web Services: Dead Drop Resolver</b><br/><b>Description</b>: Uses Google Sheets as a command-and-control channel.<br/><b>Technique</b> T1102.002 Web Services: Exfiltration Over Web Services<br/><b>Description</b>: Communicates with remote Google Sheets API."]
    class step_c2 action
    step_rat["<b>Action</b> – <b>T1219 Remote Access Tools</b><br/><b>Description</b>: Provides remote interactive access to the compromised host."]
    class step_rat action
    step_cleanup["<b>Action</b> – <b>T1070.009 Clear Windows Event Logs</b><br/><b>Description</b>: Removes artifacts and cleans up persistence mechanisms."]
    class step_cleanup action
    %% Connections
    step_user_open -->|leads_to| step_dropper
    step_dropper -->|creates| step_persistence
    step_persistence -->|enables| step_execution
    step_execution -->|produces| step_uid
    step_uid -->|used_by| step_c2
    step_c2 -->|enables| step_rat
    step_rat -->|triggers| step_cleanup

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

  • Attack Narrative & Commands:
    The adversary has compromised a user account and placed a malicious “PulseRAT” DLL on the host. PulseRAT loads into a legitimate process (e.g., explorer.exe) and creates a PowerShell runspace (in‑process execution) to avoid spawning a visible powershell.exe. It then retrieves a base64‑encoded PowerShell payload from an attacker‑controlled Google Sheet, decodes it, and executes it inside the runspace. This generates a single EventID 4104 entry that contains both the marker string “System.Management.Automation.Runspaces” (from the runspace creation) and the word “base64” (from the decoded payload), satisfying the Sigma rule.

  • Regression Test Script:

    # PulseRAT-style in-process PowerShell execution (simulation)
    # ---------------------------------------------------------
    # 1. Create a PowerShell runspace (in-process). The fully qualified type name
    #    is used so that the logged script block text itself carries the
    #    "System.Management.Automation.Runspaces" marker the rule looks for.
    $runspace = [System.Management.Automation.Runspaces.RunspaceFactory]::CreateRunspace()
    $runspace.Open()

    # 2. Build a base64-encoded payload (simulating attacker-controlled data)
    $payload = 'Write-Host "Compromised by PulseRAT"'   # simple, harmless payload
    $bytes   = [System.Text.Encoding]::Unicode.GetBytes($payload)
    $b64     = [Convert]::ToBase64String($bytes)

    # 3. Construct a script block that decodes and runs the payload.
    #    Note: the closing "@ of a here-string must begin in column 1 when the
    #    script is saved to a file.
    $script = @"
    `$b64 = '$b64'
    `$decoded = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(`$b64))
    Invoke-Expression `$decoded
    "@

    # 4. Create a PowerShell pipeline inside the runspace and invoke it
    $powershell = [powershell]::Create()
    $powershell.Runspace = $runspace
    $null = $powershell.AddScript($script).Invoke()
    $powershell.Dispose()
    $runspace.Close()
  • Cleanup Commands:

    # Remove the runspace and release resources (if any remain)
    if ($runspace -and $runspace.RunspaceStateInfo.State -ne 'Closed') {
        $runspace.Close()
    }
    Remove-Variable -Name runspace -ErrorAction SilentlyContinue
    Remove-Variable -Name powershell -ErrorAction SilentlyContinue
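The attack narrative and regression script above describe the condition the Sigma rule keys on: a single Event ID 4104 script block containing both "System.Management.Automation.Runspaces" and "base64". The following is an added example, not SOC Prime's code and not the Sigma rule itself, that implements the same check locally against PowerShell Script Block Logging and can be used to confirm that the regression test produced the expected event. It goes one step beyond the rule's single-event match by reassembling script blocks that Windows splits across several 4104 events (by ScriptBlockId and MessageNumber), so long payloads whose markers land in different fragments are still caught. The function names and the constructed sample texts are this example's own.

```powershell
# Added example (not SOC Prime's code or the Sigma rule): local detection of
# the 4104 pattern described above, with fragment reassembly.

$MarkerRunspace = 'System.Management.Automation.Runspaces'
$MarkerBase64   = 'base64'

function Test-PulseRatScriptBlock {
    # Returns $true when one script block text contains both markers. Matching is
    # case-insensitive, so "FromBase64String" satisfies the 'base64' marker just
    # as Sigma's default 'contains' modifier would.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$ScriptText)
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    return ($ScriptText.IndexOf($MarkerRunspace, $cmp) -ge 0) -and
           ($ScriptText.IndexOf($MarkerBase64, $cmp) -ge 0)
}

function Get-PulseRatScriptBlockEvent {
    # Reads 4104 events from the PowerShell Operational log, reassembles
    # multi-part script blocks, and returns the ones matching the pattern.
    param([datetime]$Since = (Get-Date).AddHours(-24))

    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                ScriptBlockId = $data['ScriptBlockId']
                Fragment      = [int]$data['MessageNumber']
                Total         = [int]$data['MessageTotal']
                Path          = $data['Path']
                Text          = [string]$data['ScriptBlockText']
            }
        } |
        Group-Object ScriptBlockId |
        ForEach-Object {
            # Fragments of one script block share a ScriptBlockId; join them in order.
            $parts = @($_.Group | Sort-Object Fragment)
            $full  = -join $parts.Text
            [pscustomobject]@{
                FirstSeen     = $parts[0].Time
                ScriptBlockId = $_.Name
                Fragments     = $parts.Count
                Path          = $parts[0].Path
                MatchesRule   = Test-PulseRatScriptBlock -ScriptText $full
                Text          = $full
            }
        } |
        Where-Object MatchesRule
}

# Constructed sample script-block texts (not captured telemetry) to exercise the
# matcher offline: only the first contains both markers.
$Samples = [ordered]@{
    simulation      = '$rs = [System.Management.Automation.Runspaces.RunspaceFactory]::CreateRunspace(); [Convert]::FromBase64String($b64)'
    benign_runspace = '$rs = [System.Management.Automation.Runspaces.RunspaceFactory]::CreateRunspace(); $rs.Open()'
    benign_base64   = '[Convert]::ToBase64String([IO.File]::ReadAllBytes($path))'
}
foreach ($k in $Samples.Keys) {
    '{0,-16} {1}' -f $k, (Test-PulseRatScriptBlock -ScriptText $Samples[$k])
}

# Usage against live telemetry (Script Block Logging must be enabled):
Get-PulseRatScriptBlockEvent -Since (Get-Date).AddHours(-1) |
    Select-Object FirstSeen, Fragments, Path, ScriptBlockId | Format-Table -AutoSize
```

The `benign_runspace` sample shows why the rule requires both markers: runspace creation alone is common in legitimate automation and is not worth alerting on. When hunting at scale, send the reassembled `Text` field to the SIEM rather than re-running the match per host, and keep the single-event form of the rule as well so that an alert still fires when the log is truncated before all fragments arrive.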