PureHVNC RAT Developers Exploit GitHub to Spread Pure Malware Source Code
gbhackers
The developers behind the PureHVNC remote access trojan (RAT) have been uncovered using GitHub repositories to host critical components and plugin source code for their Pure malware family.
Check Point Research’s recent forensic analysis of an eight-day ClickFix intrusion campaign reveals that PureHVNC’s command-and-control (C&C) server delivered GitHub URLs to infected machines, a practice previously unseen in high-confidence attribution for this threat actor.
By mapping these repositories to accounts operated by the malware author known as PureCoder, investigators have gained rare insights into the malware ecosystem, developer practices, and potential geographic footprint of this sophisticated operation.
During a mid-2025 incident response engagement, Check Point’s team traced a phishing campaign employing the ClickFix social engineering technique, in which victims who visited a fake job listing were tricked into executing a PowerShell payload.
This initial loader, written in Rust, installed PureHVNC RAT with campaign identifiers “2a” and ...
Copyright of this story solely belongs to gbhackers.