
PureRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading

Job seekers looking out for opportunities might instead find their personal devices compromised, as a PureRAT campaign propagated through email leverages Foxit PDF Reader for concealment and DLL side-loading for initial entry.


Malware

By: Sarah Pearl Camiling, Junestherry Dela Cruz, Jacob Santos, Sophia Nilette Robles, Maristel Policarpio, Raymart Yambot

Dec 03, 2025


Key takeaways

  • PureRAT targets job seekers in a campaign spreading through email, disguising itself behind a weaponized Foxit PDF reader and performing dynamic-link library (DLL) side-loading to gain a foothold in the system.
  • As a remote access trojan (RAT), a PureRAT attack can lead to threat actors gaining control of systems, monitoring activity, and stealing sensitive data.
  • The campaign targets job seekers and can also potentially affect those working in human resources (HR), such as recruiters and sourcing specialists.
  • Trend Vision One™ detects and blocks the indicators of compromise (IoCs) discussed in this blog. Trend Micro customers can also access tailored hunting queries, threat insights, and intelligence reports to better understand and proactively defend against this campaign.

Update on December 12, 2025, 7:30 AM UTC:

*We initially attributed the findings in this report to ValleyRAT based on the preliminary indicators observed during our investigation. However, following additional analysis and valuable feedback from the cybersecurity research community, we have verified that these campaigns should be correctly attributed to PureRAT instead. We apologize for this initial misattribution and any confusion it may have caused. We extend our sincere gratitude to the researchers who provided critical feedback and additional intelligence that enabled us to make this correction.*

Cybercriminal operations continue to escalate in both aggressiveness and sophistication, achieving greater impact by combining several methods. The campaign investigated in this article layers tried-and-tested techniques: social-engineering lures aimed at job seekers, concealment through deeply nested directory paths, and execution via DLL side-loading.

Beyond the phishing campaigns that target travelers worldwide with ClickFix lures impersonating popular travel booking websites, PureRAT actors now appear to be going after job seekers in general as well, as the filenames of the email attachments show.

Because job seekers constantly watch out for new opportunities, they might download attachments quickly and overlook warning signs. The emotional strain of the job search can reduce caution, making them more inclined to trust messages that appear to come from potential employers.

One common entry vector we’ve observed is email-based job lures. Archive files, with filenames such as Overview_of_Work_Expectations.zip, Candidate_Skills_Assessment_Test.rar, or Authentic_Job_Application_Form.zip, are deliberately crafted to take advantage of the curiosity and sense of urgency among job seekers.

To bypass initial scrutiny, these compressed files often masquerade as legitimate HR documents while actually containing malicious payloads.

This PureRAT campaign also abuses Foxit PDF Reader. The archive attached to the email lure contains a renamed copy of FoxitPDFReader.exe, chosen because a legitimate application that imports a DLL by name gives the attacker a stealthy, controlled way to get malicious code running under a trusted process. The sample analyzed in this article is named Compensation_Benefits_Commission.exe, again a recruitment-themed bait, and it carries the Foxit logo as its icon to look more convincing.

Seeing the Foxit logo, most users assume the file is a PDF (.pdf) and do not notice that it is actually an executable (.exe). Attackers favor legitimate executables like this one because of the Windows DLL search order: when an application imports a DLL by name and that DLL is not one of the KnownDLLs, Windows looks in the application's own directory before the system directory, so a malicious DLL dropped next to the executable is loaded in place of the genuine one. This is DLL side-loading.

The screenshot below shows what users see after clicking the malicious file from the archive. The PDF bundled in the package displays job details and salary information, probably fake or simply copied from job boards:

[Figure 1. Decoy file containing details of a job opening]


Unknown to the user, who is busy poring over the document, the PureRAT payload has already started running silently in the background.

PureRAT techniques

[Figure 2. PureRAT infection chain]


The diagram above traces the entire stealthy infection path: it starts with a malicious archive containing FoxitPDFReader.exe disguised as a document, proceeds through the loading of a malicious msimg32.dll, and ends with PureRAT, stitched together by DLL side-loading, script execution, and .NET reflective loading.
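The side-loading primitive described above can be checked both at rest (in the archive listing) and at runtime (in image-load telemetry). The following is an added example, not code from the article or from Trend Micro: it flags an executable that sits next to a DLL Windows would normally resolve from System32, flags scripts buried deep in a folder tree, and scans Sysmon Event ID 7 (Image loaded) records for a system-only DLL loaded from a non-system path. The archive listing, the nested folder names, and the Sysmon records are constructed for illustration; only the file names Compensation_Benefits_Commission.exe, msimg32.dll, document.pdf, document.docx and document.bat come from the article.

```python
import ntpath
from collections import defaultdict

# DLLs that Windows normally resolves from %SystemRoot%\System32 (or SysWOW64) and
# that applications import by name, which makes them classic side-loading targets.
# msimg32.dll is the one this campaign abuses; the rest are editorial additions.
SYSTEM_ONLY_DLLS = {"msimg32.dll", "version.dll", "cryptbase.dll", "dwmapi.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed archive listing modelled on Figures 3-6: the renamed Foxit binary, the
# rogue msimg32.dll beside it, the "document" decoys, and a batch file buried in a
# nested folder tree (the real folder names are not given in the article).
SAMPLE_ARCHIVE = [
    "Compensation_Benefits_Commission.exe",
    "msimg32.dll",
    "document.pdf",
    "document.docx",
    "docs/2025/q4/hr/forms/document.bat",
]

# Constructed Sysmon Event ID 7 (Image loaded) records.
SAMPLE_IMAGE_LOADS = [
    {"Image": "C:\\Users\\victim\\Downloads\\Compensation_Benefits_Commission.exe",
     "ImageLoaded": "C:\\Users\\victim\\Downloads\\msimg32.dll", "Signed": "false"},
    {"Image": "C:\\Users\\victim\\Downloads\\Compensation_Benefits_Commission.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true"},
    {"Image": "C:\\Program Files\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe",
     "ImageLoaded": "C:\\Windows\\System32\\msimg32.dll", "Signed": "true"},
]


def triage_archive(entries):
    """Static check: every folder holding an .exe next to a DLL that Windows would
    normally resolve from System32. Returns (folder, exe, dll) tuples."""
    by_dir = defaultdict(list)
    for path in entries:
        by_dir[ntpath.dirname(path).lower()].append(ntpath.basename(path))
    hits = []
    for folder, names in by_dir.items():
        exes = [n for n in names if n.lower().endswith(".exe")]
        dlls = [n for n in names if n.lower() in SYSTEM_ONLY_DLLS]
        hits.extend((folder, exe, dll) for exe in exes for dll in dlls)
    return hits


def buried_scripts(entries, min_depth=4):
    """Scripts hidden at least min_depth directories down (the nesting trick of Figure 6)."""
    return [p for p in entries
            if p.lower().endswith((".bat", ".cmd", ".ps1", ".vbs", ".js"))
            and p.count("/") + p.count("\\") >= min_depth]


def find_sideloads(events):
    """Runtime check over Sysmon Event ID 7 records: a system-only DLL loaded from
    anywhere other than the Windows system directories."""
    hits = []
    for ev in events:
        loaded = ev["ImageLoaded"]
        if (ntpath.basename(loaded).lower() in SYSTEM_ONLY_DLLS
                and not loaded.lower().startswith(SYSTEM_DIRS)):
            hits.append({"process": ev["Image"], "dll": loaded,
                         "signed": ev.get("Signed", "unknown")})
    return hits


if __name__ == "__main__":
    for folder, exe, dll in triage_archive(SAMPLE_ARCHIVE):
        print("archive: %s sits next to %s" % (exe, dll))
    for path in buried_scripts(SAMPLE_ARCHIVE):
        print("archive: script buried at", path)
    for hit in find_sideloads(SAMPLE_IMAGE_LOADS):
        print("runtime: %s loaded %s (signed=%s)" % (hit["process"], hit["dll"], hit["signed"]))
```

The runtime check is the more robust of the two: an archive can be repacked with different decoy names, but a process loading msimg32.dll from a user profile directory is anomalous regardless of what the executable is called.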

[Figure 3. Contents of the archive file]


[Figure 4. Folder tree showing a disguised executable]


[Figure 5. The “document” files facilitating the extraction of the Python environment]


[Figure 6. Hidden document.bat within the nested directory path]


Bundling a portable Python environment inside the archive ensures that the Python script can run even when Python is not installed on the target; document.bat automates the extraction. Tactics like this keep the entire toolchain self-contained and let the attackers execute their payload with minimal user awareness.

After extraction, the batch file invokes the bundled Python interpreter to run the malicious Python script, which deploys the payload.

[Figure 7. Execution of document.bat]


After the batch file extracts the contents of document.pdf (the Python environment) using document.docx (actually 7zip.exe), a base64-encoded blob is downloaded from 196[.]251[.]86[.]145; once decoded, it is the Python script that serves as the shellcode loader.

The bundled python.exe is renamed "zvchost.exe" (a name chosen to resemble the legitimate svchost.exe) and runs the script through the "-c" parameter, as the pseudocode shows. The script also creates an autorun registry entry to persist on the system.
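Two of the behaviours just described leave durable traces: an interpreter whose on-disk name no longer matches its PE version information, and a Run-key value that points at a user-writable path and passes inline code. The following is an added example, not code from the article or from Trend Micro, showing a hunt over Sysmon Event ID 1 (process creation) records, which carry the OriginalFileName field, and over Run-key values. The events, the Run-key entries, and the base64 placeholder in the command line are constructed; only the names zvchost.exe, python.exe and the "-c" usage come from the article.

```python
import ntpath
import re

# PE OriginalFileName values of interpreters and LOLBins that are commonly renamed
# to hide in process listings (python.exe -> zvchost.exe in this campaign).
INTERPRETER_ORIGINALS = {"python.exe", "pythonw.exe", "powershell.exe",
                         "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)"
    r"|programdata|windows\\temp)\\", re.I)
INLINE_CODE = re.compile(r"(?:^|\s)-c\s", re.I)        # python -c / powershell -c
DECODE_THEN_EXEC = re.compile(r"b64decode|frombase64string|exec\(|\biex\b|invoke-expression", re.I)
FIRST_TOKEN = re.compile(r'\s*(?:"([^"]+)"|(\S+))')   # executable part of a command line

# Constructed Sysmon Event ID 1 records; the base64 blob is a placeholder, not the
# campaign's loader.
SAMPLE_PROCESS_EVENTS = [
    {"Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\py\\zvchost.exe",
     "OriginalFileName": "python.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "zvchost.exe -c \"import base64,ctypes;exec(base64.b64decode('aW1wb3J0IG9z'))\""},
    {"Image": "C:\\Program Files\\Python312\\python.exe",
     "OriginalFileName": "python.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "python.exe build.py"},
]

# Constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run values (name -> data).
SAMPLE_RUN_VALUES = {
    "zvchost": "\"C:\\Users\\victim\\AppData\\Local\\Temp\\py\\zvchost.exe\" -c \"exec(open('l.txt').read())\"",
    "OneDrive": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background",
}


def hunt_process_events(events):
    """Return the events that look like a renamed interpreter running inline code."""
    findings = []
    for ev in events:
        image = ev["Image"]
        original = ev.get("OriginalFileName", "").lower()
        cmd = ev.get("CommandLine", "")
        reasons = []
        if original in INTERPRETER_ORIGINALS and ntpath.basename(image).lower() != original:
            reasons.append("%s renamed to %s" % (original, ntpath.basename(image)))
        if INLINE_CODE.search(cmd) and DECODE_THEN_EXEC.search(cmd):
            reasons.append("inline -c code decodes and executes a blob")
        if USER_WRITABLE.match(image):
            reasons.append("interpreter runs from a user-writable directory")
        if reasons:
            findings.append({"image": image, "reasons": reasons})
    return findings


def suspicious_autoruns(run_values):
    """Return Run-key values whose binary lives in a user-writable path or that pass -c code."""
    out = []
    for name, cmd in run_values.items():
        m = FIRST_TOKEN.match(cmd)
        exe = (m.group(1) or m.group(2)) if m else ""
        reasons = []
        if USER_WRITABLE.match(exe):
            reasons.append("autorun binary lives in a user-writable directory")
        if INLINE_CODE.search(cmd):
            reasons.append("autorun passes inline code with -c")
        if reasons:
            out.append({"value": name, "exe": exe, "reasons": reasons})
    return out


if __name__ == "__main__":
    for f in hunt_process_events(SAMPLE_PROCESS_EVENTS):
        print(f["image"], "->", "; ".join(f["reasons"]))
    for a in suspicious_autoruns(SAMPLE_RUN_VALUES):
        print("Run\\%s (%s) -> %s" % (a["value"], a["exe"], "; ".join(a["reasons"])))
```

The OriginalFileName comparison is the key signal: renaming python.exe on disk does not change the version resource embedded in the PE, so the mismatch survives whatever name the attacker picks.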

[Figure 8. The shellcode loader uses Win32 API functions to run a shellcode that will be decoded first from base64]


[Figure 9. Strings in memory show the command and control (C&C) IP address and port of PureRAT]


The attack steals data from the user's web browsers.

[Figure 10. In-memory strings]


The in-memory strings above reference Chromium-based browser profiles. This behavior is consistent with what other researchers have documented for PureRAT.

The TLS certificate captured in the network logs of the sandbox analysis tool exhibits characteristics commonly seen in the certificates PureRAT uses for its encrypted C&C communication: a self-signed structure, a randomized common name, an outdated TLS version (TLSv1), and an extremely long validity period (valid until December 31, 9999 at 23:59 UTC, the largest value an ASN.1 GeneralizedTime can hold). These traits are typical of the automated certificate generators built into RAT builders.
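Those four certificate traits can be turned into a triage rule over certificate metadata exported from a pcap or a sandbox. The following is an added example, not code from the article or from Trend Micro. The record layout (subject, issuer, not_before, not_after, tls_version) and both sample records are constructed; the random common name is made up, since the article does not print the real one. The benign record is there to show that an ordinary CA-issued certificate scores zero.

```python
import math
from collections import Counter
from datetime import datetime, timedelta, timezone

# Largest ASN.1 GeneralizedTime (99991231235959Z); certificate generators use it
# to mean "never expires".
END_OF_TIME = datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Constructed records in the shape a pcap/x509 parser would export.
SAMPLE_CERTS = [
    {"tls_version": "TLSv1",
     "subject": "CN=4zQ9hX2pLm7V", "issuer": "CN=4zQ9hX2pLm7V",
     "not_before": datetime(2025, 11, 20, tzinfo=timezone.utc),
     "not_after": END_OF_TIME},
    {"tls_version": "TLSv1.3",
     "subject": "CN=www.example.com", "issuer": "CN=R3,O=Let's Encrypt,C=US",
     "not_before": datetime(2025, 10, 1, tzinfo=timezone.utc),
     "not_after": datetime(2025, 12, 30, tzinfo=timezone.utc)},
]


def shannon_entropy(s):
    """Bits per character; a generated token scores near log2(len) for short strings."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def common_name(dn):
    """Pull the CN attribute out of a comma-separated distinguished name."""
    for part in dn.split(","):
        part = part.strip()
        if part.upper().startswith("CN="):
            return part[3:]
    return ""


def cn_looks_random(cn):
    """No dots (not a hostname), mixed letters and digits, and high entropy."""
    return ("." not in cn and len(cn) >= 8
            and any(c.isdigit() for c in cn) and any(c.isalpha() for c in cn)
            and shannon_entropy(cn) >= 3.0)


def score_certificate(rec):
    """Apply the four builder traits from the analysis and return flags plus a verdict."""
    flags = []
    if rec["subject"] == rec["issuer"]:
        flags.append("self-signed")
    if cn_looks_random(common_name(rec["subject"])):
        flags.append("random common name")
    if (rec["not_after"] >= END_OF_TIME
            or rec["not_after"] - rec["not_before"] > timedelta(days=365 * 50)):
        flags.append("effectively unlimited validity")
    if rec["tls_version"] in LEGACY_TLS:
        flags.append("legacy TLS version")
    verdict = "likely RAT-builder certificate" if len(flags) >= 3 else "no strong builder traits"
    return {"flags": flags, "verdict": verdict}


if __name__ == "__main__":
    for rec in SAMPLE_CERTS:
        result = score_certificate(rec)
        print(common_name(rec["subject"]), result["verdict"], result["flags"])
```

Requiring three of the four traits keeps internal self-signed certificates on a modern TLS version with a sane lifetime from firing; the year-9999 expiry on its own is already rare enough to be worth a hunt query.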

[...]
