Pulsar RAT is a sophisticated remote access trojan behind a new wave of attacks against Windows systems. The malware establishes persistence through the per-user Run registry key, so it executes automatically each time the infected user logs in.

To slip past conventional security controls, the threat combines persistence, stealth, and data-theft capabilities. The attack begins with an obfuscated batch file that quietly copies itself to a hidden folder under the user's AppData directory. The file then registers itself in the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, which makes it launch automatically at every user logon without requiring administrative privileges.

Once Pulsar RAT is running, it proceeds through a multi-phase infection chain that extracts and executes embedded PowerShell loaders while keeping to a minimum the disk artifacts that might alert security tools. Point Wild analysts, who discovered the malware, identified both in-memory payload delivery and living-off-the-land techniques. To maintain resilient persistence, the PowerShell stage uses delayed execution and a watchdog mechanism, and it decrypts Donut-generated shellcode and injects it directly into legitimate Windows processes such as explorer.exe.

Decrypting the shellcode reveals a heavily obfuscated .NET payload with full-featured stealer and remote-access capabilities aimed at credentials, surveillance, and system control.

Attack flow (Source: Point Wild)

The malware demonstrates advanced anti-analysis techniques, including anti-virtualization, anti-debugging, and process-injection detection. The stolen data includes browser login credentials, cryptocurrency wallets, VPN configurations, gaming platform accounts, and messaging application tokens.

All harvested information is compressed into ZIP archives and exfiltrated over Discord webhooks and Telegram bots, with the messages labeled "stealer by @aesxor" so the attackers can track infected victims.

Mechanisms of Persistence and Evasion

Pulsar RAT ensures long-term access through dual-layer persistence, using both a Windows scheduled task and a registry Run key, each serving as a fallback for the other. The malware writes the executable path under the current user's Run key and at the same time schedules a task that runs at user logon with the highest privileges available to that user.

This redundancy keeps the malware executing even in restricted environments where one persistence method is blocked or monitored.

Persistence via Run key (Source: Point Wild)

The malware's constantly running background monitoring threads, which watch for debuggers, virtual machines, and injection attempts, pose serious obstacles to detection. When analysis tools such as x64dbg, WinDbg, dnSpy, or IDA are detected through window enumeration or API checks, the malware immediately terminates itself to evade analysis. This self-defense also includes handle-manipulation methods, PEB debugging flags, and hardware-breakpoint detection, which together form a thorough anti-analysis framework that resists reverse engineering.

Organizations should deploy behavioral detection capable of identifying in-memory shellcode injection, monitor modifications to registry Run keys and logon scheduled tasks, and scrutinize unusual PowerShell execution patterns. Active infections can also be contained by blocking the Discord and Telegram exfiltration channels and watching for connections to the known command-and-control server at 185.132.53.17:7800.
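As an added example (not Point Wild's code and not anything taken from the malware), the Python below turns the detection guidance in this article into hunting rules over Sysmon-shaped events: a per-user Run key write rated by what it launches, a schtasks logon task requesting the highest run level, obfuscated PowerShell launches, the C2 address above, and DNS lookups of the Discord/Telegram API hosts. It also correlates a Run key write with a logon task for the same user to surface the dual-layer persistence described earlier. The events, SID, user names and file paths are constructed sample data; the regexes, rule names and severities are my own choices, not indicators published by Point Wild.

```python
# Added example (not Point Wild's code, not from the malware): Sysmon-style hunting rules for
# the behaviours this article describes, run over constructed sample events at the bottom.
import re
from dataclasses import dataclass

# Sysmon records the current user's hive as HKU\<SID>\..., which is where HKCU\... actually lives.
RUN_KEY_RE = re.compile(r"^(?:HKU\\S-1-5-21-[\d-]+|HKCU)\\Software\\Microsoft\\Windows"
                        r"\\CurrentVersion\\Run\\", re.I)
APPDATA_RE = re.compile(r"\\AppData\\", re.I)      # weak alone: many apps autostart from AppData\Local
LAUNCHER_RE = re.compile(r"\.(bat|cmd|vbs|js|ps1|hta)\b|\b(powershell|pwsh|cmd|wscript|cscript|"
                         r"mshta|rundll32|regsvr32)\.exe", re.I)  # strong: script/LOLBin in a Run value
SCHTASKS_LOGON_RE = re.compile(r"/sc\s+onlogon", re.I)
SCHTASKS_HIGHEST_RE = re.compile(r"/rl\s+highest", re.I)
PS_SUSPICIOUS_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}|-w(?:indowstyle)?\s+hidden"
                              r"|-nop(?:rofile)?\b|-e(?:p|xecutionpolicy)\s+bypass", re.I)
C2_INDICATORS = {("185.132.53.17", 7800)}  # C2 endpoint named in the article
EXFIL_DOMAINS = ("discord.com", "discordapp.com", "api.telegram.org")  # webhook / bot API hosts

@dataclass
class Finding:
    rule: str
    severity: str
    user: str
    detail: str

def check_run_key(ev):
    """Event ID 13: a value set under the per-user Run key, rated by what it launches."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    target, data = ev.get("TargetObject", ""), ev.get("Details", "")
    if not RUN_KEY_RE.match(target):
        return None
    reasons = [label for rx, label in ((APPDATA_RE, "target under AppData"),
                                       (LAUNCHER_RE, "script or LOLBin launcher")) if rx.search(data)]
    return Finding("hkcu_run_key_write", "high" if LAUNCHER_RE.search(data) else "low",
                   ev.get("User", ""), f"{target} = {data} ({'; '.join(reasons) or 'no indicators'})")

def check_process(ev):
    """Event ID 1: logon scheduled tasks (highest run level) and obfuscated PowerShell launches."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd, user = ev.get("CommandLine", ""), ev.get("User", "")
    if image == "schtasks.exe" and "/create" in cmd.lower() and SCHTASKS_LOGON_RE.search(cmd):
        return Finding("schtasks_logon_task",
                       "high" if SCHTASKS_HIGHEST_RE.search(cmd) else "medium", user, cmd)
    if image in ("powershell.exe", "pwsh.exe") and PS_SUSPICIOUS_RE.search(cmd):
        return Finding("obfuscated_powershell", "high", user, cmd)
    return None

def check_network(ev):
    """Event ID 3 / 22: the known C2 endpoint and the Discord/Telegram exfiltration hosts."""
    eid, user, image = ev.get("EventID"), ev.get("User", ""), ev.get("Image", "")
    if eid == 3 and (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0))) in C2_INDICATORS:
        return Finding("known_c2_connection", "critical", user,
                       f"{image} -> {ev['DestinationIp']}:{ev['DestinationPort']}")
    if eid == 22 and ev.get("QueryName", "").lower().endswith(EXFIL_DOMAINS):
        return Finding("exfil_channel_dns", "medium", user, f"{image} resolved {ev['QueryName']}")
    return None

def analyze(events):
    """Run every rule, then correlate per user: Run key plus logon task is the dual-layer persistence."""
    findings = [f for ev in events for check in (check_run_key, check_process, check_network)
                if (f := check(ev)) is not None]
    rules_by_user = {}
    for f in findings:
        if f.severity != "low":
            rules_by_user.setdefault(f.user, set()).add(f.rule)
    for user, rules in rules_by_user.items():
        if {"hkcu_run_key_write", "schtasks_logon_task"} <= rules:
            findings.append(Finding("dual_layer_persistence", "critical", user,
                                    "Run key and logon scheduled task both written for this user"))
    return findings

# Constructed sample events: Sysmon field names, fictitious SID, users and paths.
ALICE, BOB = "DESKTOP-1\\alice", "DESKTOP-1\\bob"
RUN = r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run"
STAGE = r"C:\Users\alice\AppData\Roaming\.cache\update.bat"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "User": ALICE, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": RUN + r"\WindowsUpdate", "Details": STAGE},
    {"EventID": 1, "User": ALICE, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": f'schtasks.exe /create /tn "WindowsUpdate" /tr "{STAGE}" /sc onlogon /rl highest /f'},
    {"EventID": 1, "User": ALICE, "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 3, "User": ALICE, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "185.132.53.17", "DestinationPort": "7800"},
    {"EventID": 22, "User": ALICE, "Image": r"C:\Windows\explorer.exe", "QueryName": "discord.com"},
    # Benign noise: a normal AppData\Local autostart entry and an ordinary PowerShell command.
    {"EventID": 13, "User": ALICE, "EventType": "SetValue", "Image": r"C:\Program Files\OneDrive\OneDrive.exe",
     "TargetObject": RUN + r"\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 1, "User": BOB, "Image": PS, "CommandLine": r"powershell.exe Get-ChildItem C:\logs"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] {f.rule:24} {f.user:16} {f.detail}")
```

Running the file prints one line per finding. Two design choices matter in practice: a Run value that merely points into AppData is scored low, because many legitimate applications (the constructed OneDrive entry here) autostart from AppData\Local, so the strong signal is a script or LOLBin launcher in the value; and a discord.com lookup is scored medium rather than high, since it is common on user workstations and is only interesting together with the process that made it, here explorer.exe, which the article says the malware injects into. Feeding real Sysmon exports means mapping the XML EventData fields onto the same keys used above.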
