Security researchers at Point Wild have disclosed a new Windows malware campaign that uses a multi-stage infection chain to establish persistent, memory-resident access on compromised systems and steal sensitive data.

The analysis found the malware relying on standard Windows components for execution and persistence, limiting the number of artifacts written to disk. The activity, analyzed by the company’s Lat61 team, involves a .NET-based, modular remote access trojan (Pulsar RAT) that supports live, interactive operator control.

The malware’s reliance on in-memory execution and living-off-the-land techniques limits the effectiveness of file-based detection tools, the researchers noted in a blog post.

“The malware exhibits advanced anti-analysis techniques, including anti-VM, anti-debugging, and process injection detection, alongside extensive credential harvesting, surveillance capabilities, and remote system control,” they said. “Stolen data is exfiltrated as ZIP archives over Discord webhooks and Telegram bots.”

Initial access and memory-resident execution

The infection chain begins with a small batch script that establishes persistence through a per-user Registry Run key. Rather than deploying a full executable, the script launches a PowerShell-based loader, reducing the likelihood of immediate detection by traditional endpoint security tools.

This PowerShell loader decodes and executes shellcode generated using Donut, an open-source framework commonly used to convert .NET assemblies into position-independent shellcode. The shellcode injects the payload directly into memory, avoiding the need to write a portable executable to disk.

By operating entirely in memory after initial execution, the malware limits the effectiveness of file-based scanning and static analysis. Because the activity blends into normal Windows behavior, Point Wild researchers noted, detecting it calls for behavioral or memory-focused telemetry.

Once loaded, the malware deploys a heavily obfuscated .NET component that serves as the core execution framework for the operation.

RAT capabilities and stealer functionality

The .NET payload implements a remote access trojan that allows operators to interact directly with compromised systems. Unlike many commodity RATs that rely on periodic check-ins, this malware supports live command handling, enabling attackers to issue instructions and receive responses in near real-time.

This interactive design allows operators to perform reconnaissance, manipulate files, execute commands, and manage persistence dynamically based on what they observe on the infected host.

Alongside the RAT functionality, the malware includes an information-stealing component that collects sensitive system data. While the disclosure did not attribute the stealer to a specific malware family, the researchers noted that it operates in parallel with the RAT, allowing data collection to continue while operators actively engage with the system.

Persistence, evasion, and mitigation

Persistence is maintained through Registry-based autorun entries and reinforced by the malware’s ability to re-establish execution if disrupted. The use of obfuscation across the .NET payload further complicates reverse engineering and slows analysis.

Point Wild emphasized that the campaign’s effectiveness stems from disciplined use of living-off-the-land binaries, in-memory payloads, and obfuscated managed code. Together, they make detection difficult.

The researchers noted that detecting the activity requires monitoring process and memory behavior rather than relying on file-based indicators: watching for suspicious PowerShell execution, shellcode injection into running processes, and persistence established through Registry Run keys. They also emphasized rapid host isolation and live response to contain interactive operator activity and limit data theft once a compromise is suspected.
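As an added illustration of the Run-key review the researchers recommend (example code written for this article, not Point Wild's tooling), the following Python triages per-user Run values for the loader pattern described above: a script host such as cmd.exe or powershell.exe, PowerShell options that hide the window or pass an encoded command, and scripts launched from user-writable paths. The sample values, the indicator names and the scoring threshold are constructed assumptions, not indicators from the report.

```python
import re

# Constructed sample of HKCU\...\Run values as (value name, command line).
# These are illustrative, not indicators from the Point Wild disclosure.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r'cmd.exe /c "C:\Users\alice\AppData\Roaming\update.bat"'),
    ("SysHealth", r'powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA'),
    ("Teams", r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"'),
]

# PowerShell accepts any unambiguous prefix of an option name, so the
# patterns accept the short spellings (-w, -ep, -enc, -nop) as well.
POWERSHELL_FLAGS = {
    "encoded_command": re.compile(r"(^|\s)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "hidden_window": re.compile(r"(^|\s)-w(i|in|indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"(^|\s)-e(p|x|xecutionpolicy)?\s+bypass", re.I),
    "no_profile": re.compile(r"(^|\s)-nop(rofile)?(\s|$)", re.I),
}
# Interpreters commonly used as living-off-the-land launchers for loaders.
SCRIPT_HOST = re.compile(r'(^|[\\\s"])(powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?\b', re.I)
# Script files under directories an unprivileged user can write to.
USER_WRITABLE_SCRIPT = re.compile(r"\\(AppData|Temp|Downloads|Public)\\.*\.(bat|cmd|ps1|vbs|js)\b", re.I)


def score_run_value(command):
    """Return the indicator names matched by one Run key command line, in fixed order."""
    hits = []
    if SCRIPT_HOST.search(command):
        hits.append("script_host")
    for name, pattern in POWERSHELL_FLAGS.items():
        if pattern.search(command):
            hits.append(name)
    if USER_WRITABLE_SCRIPT.search(command):
        hits.append("script_in_user_path")
    return hits


def suspicious_run_values(values, min_hits=2):
    """Keep entries with at least min_hits indicators; a bare script host alone is too common to flag."""
    flagged = []
    for name, command in values:
        hits = score_run_value(command)
        if len(hits) >= min_hits:
            flagged.append((name, hits))
    return flagged


if __name__ == "__main__":
    for name, hits in suspicious_run_values(SAMPLE_RUN_VALUES):
        print(f"{name}: {', '.join(hits)}")
```

On a live host the value names and command lines can be exported with `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and fed to `suspicious_run_values`.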
