
Has TeamPCP Pivoted To Using The PureHVNC RAT?

A new threat campaign using PureHVNC has been tentatively tied to TeamPCP. Here is why that attribution does not hold up.

By c0a15726-c5b1-4b0d-85e6-fe15553df9e2


This morning, I sat down at my desk, opened social media, and did my usual daily check-in on TeamPCP: what’s been compromised overnight, and what new drama is unfolding in the TeamPCP universe?

I started with Rami McCarty’s Twitter updates, and then followed up with the threat actors directly.

I’ve been repeating this routine ever since TeamPCP’s widely reported compromise of the Trivy open-source scanner—and, shortly after, Aqua Security, the company behind the project. Twitter (yes, I still call it that) remains the best place to keep up with TeamPCP-related news.

So I wasn’t surprised to see a researcher, Lloyd Davies, tweet about a new IP address that might be associated with TeamPCP:

[Screenshot: Lloyd's post]

Lloyd found an IP serving several files that matched what you'd expect to see from this group, so I made a coffee and dug in. Sure enough, the files were readily available:

[Screenshot: Apache directory listing of the PureHVNC files]

I deobfuscated and analyzed the three files from the Ubuntu box, and I confirmed it was a multi-stage information stealer that appeared to deliver the PureHVNC remote access trojan (RAT). The infection chain is heavily obfuscated, using four distinct layers of encoding/encryption, and it leans on PowerShell early on, with the script masquerading as an audio file.

This last bit, the fake audio file technique, importantly matches the audio steganography payload that TeamPCP used in their attack on the telnyx PyPI package.

From what I observed, the operation relies on a two-tier command-and-control (C2) setup:

  • A distribution server that delivers secondary payloads

  • An active PUREHVNC C2 server that handles bidirectional traffic for remote control and data theft

In dynamic analysis, I saw meaningful exfiltration: the malware pulled down roughly 616 KB of commands/modules and pushed back about 65 KB of stolen data. The collection behavior focused on browser credentials, cryptocurrency wallets, and VPN configuration artifacts, and it also established persistent remote access via hidden VNC.

Initial Infection Vector

The Trojan Horse: oqqqqoa.mp3

The initial infection vector is a file named oqqqqoa.mp3 - ostensibly an audio file based on its extension. However, analysis reveals this is a heavily obfuscated PowerShell script:

File: oqqqqoa.mp3
Type: PowerShell Script (UTF-8 with BOM)
Size: 36,748 lines
SHA-256: 72c08e044dd427964bc14339f95838e3d45f51f6a586330c683fbb59ea374b1d

The .mp3 extension is there to look harmless, to pass extension-based filters, and to survive a casual look at the directory listing; it does not on its own get the script run. Double-clicking an .mp3 hands the file to the default media player, and PowerShell refuses -File on anything that does not end in .ps1, so either an earlier stage or the victim has to feed the file to PowerShell explicitly, for example by reading it with Get-Content and piping the text to Invoke-Expression. Whatever launches it (a lure, a shortcut, or a preceding dropper) is outside the files analyzed here.

Layer-by-Layer Obfuscation Analysis

The malware employs a sophisticated four-layer obfuscation scheme designed to evade static analysis and signature-based detection:

Layer 1: Variable Name Obfuscation

The script uses intentionally obscured variable names with excessive 'J' characters to frustrate manual analysis:

$JJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ5508 = ...
$chemicalPartnerships5691 = @(...)

This technique increases the cognitive load on analysts and makes pattern matching more difficult.

Layer 2: Base64 Encoding Array

The core payload is split into 7,729 base64-encoded chunks stored in an array:

$chemicalPartnerships5691 = @(
    "qRN76ZzNv6Bv8l4cwhx+nMmq...",
    "A+SdL4ATB7MvDjc3kA56s4y...",
    # ... 7,727 more chunks
)

These chunks are joined and decoded in memory, never touching disk in decoded form:

$poMust2198 = $chemicalPartnerships5691 -join ""
$poMust2198 = $poMust2198.Substring(31)  # Skip first 31 chars
$decoded = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($poMust2198))

This produces a 116-line PowerShell payload containing the actual malware logic.

Layer 3: Character Array Obfuscation

Function and method names are obfuscated using ASCII character arrays:

# "Invoke-Expression" encoded as character codes
&(gcm ([string]::new(([char[]]@(73,110,118,111,107,101,45,69,120,112,114,101,115,115,105,111,110)))))

This prevents simple string-based detection of dangerous cmdlets like Invoke-Expression, New-Object, or DownloadString.

Layer 4: RC4 Encryption

The most critical layer involves RC4 stream cipher encryption protecting C2 configuration data. The malware implements a full RC4 algorithm with:

RC4 Key (1200 bytes, base64-encoded):

eEcPm5wgwIosoAnR2Qugp/EwXT5u5HE62s/i3/R4Dy/me1rUPh+8i6+lCPzfDfV/P6PPEnrXfTzZ
K5Hmu44TkEF9u5/SWM2iDaCrn7liJ+wlpTZ+/aThw0wUSctr2w2en3kACmBTGsdkg+2d69qXzOMz
otVoNwCaP+OBF5J4n0jl2k0iH7+Db...
[truncated - full key is 1200 bytes]

RC4 Implementation:

  • Key Scheduling Algorithm (KSA): Initializes the 256-byte state array from the key

  • Pseudo-Random Generation Algorithm (PRGA): Generates the keystream

  • XOR operation: Encrypted bytes ⊕ keystream = plaintext

Two details matter for anyone trying to reproduce the decryption. The KSA runs exactly 256 rounds and reads key[i mod keylen], so with a key longer than 256 bytes only the first 256 bytes ever influence the state; the rest of the 1200-byte blob is dead weight as far as the cipher is concerned. And it matters whether the script hands RC4 the base64 text or its decoded bytes, since the two produce unrelated keystreams; a static attempt has to try both.

The encrypted data is stored as another character array and decrypted at runtime. Our static analysis attempts to decrypt this data were unsuccessful across multiple approaches, indicating the encrypted payload may be environment-specific or require additional runtime context.
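Here is an added example, written for this page rather than taken from the loader, that reproduces layers 2 through 4 in Python so the decoding steps can be checked offline: chunk joining with the Substring(31) skip, char-array to string rewriting, and RC4 with the key-length caveat. Because the real ciphertext and key are not on this page, the sample key, config and obfuscated inner script are constructed inside the block and labelled as such; the 192.0.2.x address in the fake config is documentation space, and rc4_self_check() verifies the cipher against the public "Key"/"Plaintext" RC4 test vector.

```python
import base64
import re


def join_chunks(chunks, skip=31):
    """Layer 2: concatenate the base64 chunk array, drop the junk prefix that the
    loader discards with Substring(31), then base64-decode to text."""
    joined = "".join(chunks)[skip:]
    return base64.b64decode(joined).decode("utf-8")


# Matches the [string]::new(([char[]]@(73,110,...))) construction from layer 3.
CHAR_ARRAY_RE = re.compile(r"\[string\]::new\(\(\[char\[\]\]@\(([\d,\s]+)\)\)\)")


def decode_char_arrays(script):
    """Layer 3: rewrite every char-code array as a quoted string literal so the real
    cmdlet names (Invoke-Expression and friends) become visible to grep and YARA."""
    def repl(m):
        codes = (int(c) for c in m.group(1).split(","))
        return "'" + "".join(chr(c) for c in codes) + "'"
    return CHAR_ARRAY_RE.sub(repl, script)


def rc4(key, data):
    """Layer 4: textbook RC4. KSA builds the 256-byte state from the key, PRGA
    emits the keystream, output is data XOR keystream. Same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_self_check():
    """Public RC4 test vector: key 'Key', plaintext 'Plaintext' -> BBF316E8D940AF0AD3."""
    return rc4(b"Key", b"Plaintext") == bytes.fromhex("bbf316e8d940af0ad3")


def effective_key(key):
    """The KSA loop runs exactly 256 times and reads key[i % len(key)], so for a key
    longer than 256 bytes only the first 256 bytes ever touch the state."""
    return key[:256]


def looks_like_config(plaintext):
    """Cheap plausibility check: a decrypted C2 config should be mostly printable."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in plaintext)
    return len(plaintext) > 0 and printable / len(plaintext) > 0.9


def decrypt_candidates(key_b64, ciphertext):
    """Static decryption has to guess how the script feeds the key to RC4: the decoded
    bytes (usual) or the base64 text itself (sloppy loaders do this). Returns both
    attempts so the analyst can see which one, if any, yields text."""
    return {
        "decoded_key": rc4(base64.b64decode(key_b64), ciphertext),
        "b64_text_as_key": rc4(key_b64.encode("ascii"), ciphertext),
    }


# --- Constructed sample (not the real loader's data) -----------------------------
# A fake 1200-byte key and a fake config, encrypted with the same RC4 routine, so
# the helpers above have something to work on offline.
CONSTRUCTED_KEY = bytes((i * 7 + 3) & 0xFF for i in range(1200))
CONSTRUCTED_KEY_B64 = base64.b64encode(CONSTRUCTED_KEY).decode("ascii")
CONSTRUCTED_CONFIG = b'{"c2":"192.0.2.10:8443","plugin":"hvnc"}'  # 192.0.2.0/24 is documentation space
CONSTRUCTED_CIPHERTEXT = rc4(CONSTRUCTED_KEY, CONSTRUCTED_CONFIG)

# A one-line stand-in for the 116-line inner script, using the page's own char-array form.
CONSTRUCTED_INNER = (
    "&(gcm ([string]::new(([char[]]@(73,110,118,111,107,101,45,69,120,112,"
    "114,101,115,115,105,111,110))))) $stage2"
)
# 31 junk characters in front of the base64, exactly what Substring(31) discards.
_blob = "J" * 31 + base64.b64encode(CONSTRUCTED_INNER.encode()).decode("ascii")
CONSTRUCTED_CHUNKS = [_blob[k:k + 24] for k in range(0, len(_blob), 24)]

if __name__ == "__main__":
    print(decode_char_arrays(join_chunks(CONSTRUCTED_CHUNKS)))
    for label, pt in decrypt_candidates(CONSTRUCTED_KEY_B64, CONSTRUCTED_CIPHERTEXT).items():
        print(label, "->", pt if looks_like_config(pt) else "<binary junk>")
```

Running it prints the inner script with Invoke-Expression in the clear and shows that only the decoded-bytes interpretation of the key yields readable JSON. The effective_key() helper is the practical takeaway: if a decryption attempt is failing, truncating the key to 256 bytes changes nothing, so the problem lies in the key encoding, the ciphertext offset, or the data not being plain RC4 at all.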

Stage 2: Payload Download & Execution

Once deobfuscated and decrypted, the PowerShell loader contacts the distribution server:

Distribution Infrastructure

Server: 43.228.157.123
Port: 80 (HTTP)
ASN: GHOSTYNETWORKS, United States
URL: http://43.228.157.123/MidwestGrey.exe

Downloaded Executable:

Filename: MidwestGrey.exe
MD5: BDEA1D91191344FF48FD20DDD8ECFE21
SHA-256: 7B57628329827948FD8BE903B028B4E619E59ABE03DD1AB2DAD0939BE9707A10
Type: PE32 executable (.NET)
Packer: .NET Reactor protector
Size: ~3 MB

The .NET Reactor packer provides additional anti-analysis protection through:

  • Control flow obfuscation

  • String encryption

  • Anti-debugging checks

  • Anti-tampering mechanisms

Dynamic Analysis: The Full Kill Chain

Using sandbox analysis (Any.run), we observed the complete execution chain:

Process Execution Tree

MidwestGrey.exe (PID 5524) [ENTRY POINT]
├── at.exe
│   └── Invalid task: "hdhf84843isljdfj89234jkjs" [PERSISTENCE ATTEMPT]
├── cmd.exe (PID 9088) [SPAWNED 8 INSTANCES]
├── cmd.exe (PID 7580)
├── cmd.exe (PID 4372)
├── cmd.exe (PID 6212)
├── cmd.exe (PID 3920)
├── cmd.exe (PID 5716)
├── cmd.exe (PID 8680)
├── Transsexual.exe (PID 5504) [SECONDARY PAYLOAD]
├── RegAsm.exe (PID 6948) [PUREHVNC RAT - CRITICAL]
│   └── Registry writes (RASAPI32 tracing defaults, see below)
├── AutoIt3.exe [SCRIPTING ENGINE]
├── tasklist.exe [RECONNAISSANCE]
├── findstr.exe [FILE SEARCH]
├── ping.exe [NETWORK CONNECTIVITY CHECK]
├── chrome.exe (PID 9176) [CREDENTIAL THEFT]
└── msedge.exe [CREDENTIAL THEFT]

The malware spawns 8 simultaneous cmd.exe processes, suggesting parallel execution of multiple malicious tasks including:

  • System reconnaissance

  • File searching

  • Anti-forensics activities

  • Credential harvesting

  • Network connectivity testing

Sandbox Artifact: RASAPI32 Tracing Keys

The sandbox flagged RegAsm.exe (the PUREHVNC host process) for writing tracing values under:

Registry Path: HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

Modified Keys:
├── EnableFileTracing = 0
├── EnableAutoFileTracing = 0
├── EnableConsoleTracing = 0
└── MaxFileSize = 1048576

At first glance this reads as the RAT switching off Windows tracing. It is not: these are the default values that rasapi32.dll writes under HKLM\SOFTWARE\Microsoft\Tracing\<image>_RASAPI32 the first time a process loads it, and the same key shows up for any program that touches the RAS/WinINet networking stack, malicious or not. Tracing is off by default, so nothing was disabled, and the RAS trace log never recorded API calls or network payloads in the first place. What the artifact does tell us is that a .NET assembly-registration tool loaded networking APIs, which fits an injected PUREHVNC payload and not RegAsm's normal job. Treat the key as context for the process tree, not as an anti-forensics indicator or a standalone detection.

C2 Infrastructure: Two-Tier Architecture

The campaign employs a sophisticated two-tier C2 infrastructure with distinct roles:

Tier 1: Distribution Server

IP Address: 43.228.157.123
Port: 80
Protocol: HTTP (unencrypted)
ASN: GHOSTYNETWORKS, United States
Role: Malware payload distribution
Status: ACTIVE

Purpose: Serves secondary payloads including MidwestGrey.exe. This server acts as the initial contact point for infected systems downloading additional malware components.

Tier 2: PUREHVNC Command & Control (PRIMARY THREAT)

IP Address: 46.151.182.216
Port: 8443
Protocol: HTTPS/TLS (encrypted)
ASN: GHOSTYNETWORKS, United States
Role: Active C2 for PUREHVNC RAT
Status: ACTIVE - OUTBOUND TRANSFER OBSERVED (65 KB over TLS; contents inferred, see below)

Network Activity Timeline:

Timestamp: 68345ms
├── RegAsm.exe → 46.151.182.216:8443
├── Sent: 631 bytes (initial beacon/handshake)
└── Received: 616 KB (C2 commands, additional modules)

Timestamp: 70137ms
├── RegAsm.exe → 46.151.182.216:8443
├── Sent: 65 KB (stolen credentials, system data)
└── Received: 915 bytes (acknowledgment/additional commands)

Total Duration: ~1.8 seconds
Total Downloaded: 616.9 KB
Total Uploaded: 65.6 KB

Exfiltrated Data Analysis:

The session to port 8443 is TLS, so the sandbox capture shows volumes and timing, not contents. The inferences below rest on the byte counts and on the files the process read beforehand. The 65 KB upload is consistent with:

  • Browser credential dumps (Chrome/Edge saved passwords)

  • Cryptocurrency wallet files (wallet.dat, keystore files)

  • System reconnaissance data (GUID, hostname, running processes)

  • VPN configuration files (OpenVPN, WireGuard configs)

  • Potential screenshots (compressed)

The 616 KB download likely contains:

  • PUREHVNC remote desktop modules

  • Additional data collection plugins

  • Updated C2 configuration

  • Commands for lateral movement or persistence

Suspicious DNS Lookup (Possible DGA Fallback)

The malware attempted to resolve a name that looks machine-generated:

Domain: mZddGRRqKZoEUd.mZddGRRqKZoEUd
Result: No IP addresses found (failed resolution)
Timestamp: 33459ms

Pattern:

  • Two identical 14-character alphabetic strings (mixed case, no digits)

  • Regex: ^[a-zA-Z]{14}\.[a-zA-Z]{14}$

Calling this a DGA fallback is tempting but premature. The second label sits where a TLD should be, and no 14-letter TLD exists in the root zone, so the name can never resolve no matter what the operator registers; a fallback channel that cannot work is not much of a fallback. A single observed lookup also cannot establish a generation algorithm, its seed, or its schedule. The lookup is at least as consistent with a sandbox or connectivity probe (resolve a nonsense name and see whether anything answers, which exposes environments that fake DNS) as with a DGA. The actionable signal is the shape rather than the value: DNS queries whose final label is not a valid public suffix.

Information Stealing Capabilities

Dynamic analysis confirmed the following data theft capabilities:

Browser Credential Theft

Targeted Browsers:

  • Google Chrome

  • Microsoft Edge

  • Chromium-based browsers

Stolen Data Types:

  • Saved passwords

  • Login credentials

  • Credit card information

  • Cookies and session tokens

  • Browser history

Accessed Browser Files:

C:\Users\admin\AppData\Local\Temp\[Chrome User Data]\
├── ClientCertificates
├── commerce_subscription_db
├── discounts_db
├── PersistentOriginTrials
├── Login Data
├── Web Data
└── Cookies

Cryptocurrency Wallet Targeting

The malware searches for wallet files associated with:

  • Bitcoin Core (wallet.dat)

  • Ethereum (keystore files)

  • Electrum

  • Exodus

  • Atomic Wallet

  • MetaMask (browser extension data)

VPN Configuration Theft

Targets configuration files from:

  • OpenVPN (.ovpn files)

  • WireGuard (.conf files)

  • NordVPN

  • ExpressVPN

  • Private Internet Access

System Reconnaissance

Executes reconnaissance commands:

tasklist.exe        # Enumerate running processes
findstr.exe         # Search for specific files/strings
ping.exe            # Test network connectivity

Collects system information:

  • Machine GUID

  • Computer name

  • Operating system version

  • Installed antivirus products

  • Network configuration


PUREHVNC: Hidden Remote Desktop

PUREHVNC is a sophisticated RAT that implements hidden VNC (Virtual Network Computing) functionality, allowing attackers to:

  1. Remote Desktop Access: Control the victim's system in real-time

  2. Invisible Operation: Operates without displaying connection indicators

  3. Persistent Backdoor: Maintains access even after initial infection cleanup

  4. Additional Payload Delivery: Download and execute further malware

  5. Lateral Movement: Use compromised system as pivot point

The 616 KB download from the C2 server likely contains PUREHVNC's VNC server components and plugin architecture.

Indicators of Compromise (IOCs)

File Hashes

SHA-256: 72c08e044dd427964bc14339f95838e3d45f51f6a586330c683fbb59ea374b1d
File: oqqqqoa.mp3 (PowerShell loader)

SHA-256: 7B57628329827948FD8BE903B028B4E619E59ABE03DD1AB2DAD0939BE9707A10
MD5: BDEA1D91191344FF48FD20DDD8ECFE21
File: MidwestGrey.exe (.NET stealer)

Network Infrastructure

# PRIMARY THREAT: PUREHVNC C2 Server
46.151.182.216:8443 (HTTPS)
ASN: GHOSTYNETWORKS, United States
Role: Active C2, data exfiltration
Priority: CRITICAL - BLOCK IMMEDIATELY

# Distribution Server
43.228.157.123:80 (HTTP)
ASN: GHOSTYNETWORKS, United States
Role: Payload distribution
Priority: HIGH - BLOCK IMMEDIATELY

# Suspicious DNS lookup (possible DGA, see above)
mZddGRRqKZoEUd.mZddGRRqKZoEUd
Pattern: ^[a-zA-Z]{14}\.[a-zA-Z]{14}$ (final label is not a real TLD, so the name cannot resolve)

File System Artifacts

C:\Users\*\AppData\Local\Temp\MidwestGrey.exe
C:\Users\*\AppData\Local\Temp\Transsexual.exe
C:\Users\*\AppData\Local\Temp\RegAsm.exe
C:\Users\*\Downloads\oqqqqoa.mp3
C:\Users\*\AppData\Local\Temp\*.au3 (AutoIt scripts)

Process Names

MidwestGrey.exe
Transsexual.exe
RegAsm.exe (PUREHVNC component)
AutoIt3.exe (scripting engine)

Registry Keys (context only; default RASAPI32 tracing values, not anti-forensics)

HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32
├── EnableFileTracing = 0
├── EnableAutoFileTracing = 0
└── EnableConsoleTracing = 0
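As an added example, written for this page and not taken from the post's tooling or from Any.run, the following Python turns the process, network, DNS and registry observations above into a small triage rule set run over constructed sandbox-style events. The event dicts, PIDs, the benign installer entry and the example.com query are made up for the example; the C2 pairs are the ones listed in this post, and the TLD set is a stand-in for the IANA root zone that a real hunt would load in full.

```python
import ipaddress

# Constructed sandbox-style events modelled on the observations in this post.
# PIDs, the installer entry and the example.com query are made up for the example;
# 192.0.2.0/24 is documentation address space.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 6948,
     "image": r"C:\Users\admin\AppData\Local\Temp\RegAsm.exe",
     "parent_image": r"C:\Users\admin\AppData\Local\Temp\MidwestGrey.exe"},
    {"type": "process", "pid": 4100,  # benign comparison: the real framework tool
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Program Files\Vendor\setup.exe"},
    {"type": "network", "pid": 6948,
     "image": r"C:\Users\admin\AppData\Local\Temp\RegAsm.exe",
     "dst_ip": "46.151.182.216", "dst_port": 8443, "sent": 631, "received": 631_700},
    {"type": "dns", "pid": 5504, "query": "mZddGRRqKZoEUd.mZddGRRqKZoEUd", "answer": None},
    {"type": "dns", "pid": 5504, "query": "www.example.com", "answer": "192.0.2.7"},
    {"type": "registry", "pid": 6948,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32",
     "value": "EnableFileTracing", "data": 0},
]

# From the IOC list above.
KNOWN_C2 = {("46.151.182.216", 8443), ("43.228.157.123", 80)}

# Where a genuine RegAsm.exe lives; anything else is a copied binary or a hollowed process.
LEGIT_REGASM_DIRS = ("c:\\windows\\microsoft.net\\framework\\",
                     "c:\\windows\\microsoft.net\\framework64\\")

# Stand-in for the IANA root zone; load the real list for production use.
KNOWN_TLDS = {"com", "net", "org", "io", "de", "uk", "ru", "ua", "sg"}


def regasm_out_of_place(ev):
    """RegAsm.exe is a .NET framework tool; a copy running from a user-writable path is suspect."""
    image = ev["image"].lower()
    return image.endswith("\\regasm.exe") and not image.startswith(LEGIT_REGASM_DIRS)


def bogus_tld(name):
    """A query whose final label is not a real TLD can never resolve: DGA-style name or probe."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and labels[-1] not in KNOWN_TLDS


def is_rasapi32_tracing_key(key):
    """The <image>_RASAPI32 tracing key is written by rasapi32.dll itself; context, not a detection."""
    k = key.lower()
    return "\\microsoft\\tracing\\" in k and k.endswith("_rasapi32")


def triage(events):
    """Return (severity, pid, message) findings in event order."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process" and regasm_out_of_place(ev):
            findings.append(("HIGH", ev["pid"], "RegAsm.exe running outside Microsoft.NET"))
        elif kind == "network":
            if (ev["dst_ip"], ev["dst_port"]) in KNOWN_C2:
                findings.append(("CRITICAL", ev["pid"],
                                 f"connection to known C2 {ev['dst_ip']}:{ev['dst_port']}"))
            elif regasm_out_of_place(ev) and ipaddress.ip_address(ev["dst_ip"]).is_global:
                findings.append(("HIGH", ev["pid"], "RegAsm.exe talking to the internet"))
        elif kind == "dns" and bogus_tld(ev["query"]):
            findings.append(("MEDIUM", ev["pid"], f"query for non-resolvable TLD: {ev['query']}"))
        elif kind == "registry" and is_rasapi32_tracing_key(ev["key"]):
            findings.append(("INFO", ev["pid"],
                             "RASAPI32 tracing key written: process loaded RAS/WinINet (context only)"))
    return findings


if __name__ == "__main__":
    for level, pid, msg in triage(SAMPLE_EVENTS):
        print(f"[{level}] pid={pid} {msg}")
```

The severity ordering is deliberate: the hash and IP indicators on this page expire as soon as the operator rotates infrastructure, whereas "RegAsm.exe outside the framework directory" and "RegAsm.exe with an outbound internet connection" survive that rotation, and the tracing key is logged only so an analyst reading the findings sees why the process loaded networking code.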

Is This TeamPCP? Attribution Analysis

Verdict: LOW confidence — almost certainly NOT TeamPCP.

When I initially saw the MP3 file, I thought this might be another audio-steganography-related payload like the Telnyx or Kubernetes payloads that TeamPCP dropped last week. But I quickly realized that the MP3 file is just an obfuscated PowerShell script, with none of the nuance of those other payloads.

While PureHVNC is typically standard off-the-shelf commodity malware, this version was customized with the bespoke PowerShell loader and a few other bits. The larger point stands, though: no APT or nation-state group has been attributed to PureHVNC. In public reporting it is a malware-as-a-service product used by cybercrime operators.

Evidence Against TeamPCP Attribution

| Indicator      | TeamPCP                                                  | This campaign                                |
|----------------|----------------------------------------------------------|----------------------------------------------|
| Delivery       | Supply chain poisoning (npm, PyPI, Docker)               | Phishing (disguised .mp3 file)               |
| Encryption     | AES-256-CBC + RSA-4096                                   | RC4 stream cipher                            |
| RAT framework  | AdaptixC2                                                | PUREHVNC (commodity)                         |
| Languages      | Python, Go, Bash                                         | PowerShell, .NET, AutoIt                     |
| C2 style       | Typosquatted domains (e.g., scan.aquasecurtiy.org)       | Bare IP addresses, no domains                |
| Infrastructure | 5+ registrars, NL/US ASNs, ICP blockchain fallback       | Ukraine (C2) + Singapore/M247 (distribution) |
| Targets        | Developers, CI/CD pipelines, cloud credentials           | End users, browser passwords, crypto wallets |
| OPSEC          | Cover identities, multiple VPN providers, active cleanup | Bare IPs, no identity infrastructure         |
| Signatures     | RSA-4096 shared key, WAV steganography, "tpcp" naming    | None present                                 |

Weak Overlaps (Not Attributive)

  • Both steal credentials and target crypto wallets (universal malware objectives)

  • Both use XOR-style obfuscation, and RC4 appeared in some TeamPCP variants (both ubiquitous techniques)

  • Both have anti-forensic capabilities (different implementations)

Assessment

The overlap is limited to generic malware behaviors shared by thousands of campaigns. The strong negative indicators — no shared cryptographic keys, no infrastructure overlap, no supply chain delivery, no shared tooling, no TeamPCP branding — make attribution untenable. This is most likely a commodity cybercrime operator who purchased PUREHVNC and customized delivery with a bespoke PowerShell loader.


IOC Summary

# File Hashes (SHA-256)
72c08e044dd427964bc14339f95838e3d45f51f6a586330c683fbb59ea374b1d  # oqqqqoa.mp3
7B57628329827948FD8BE903B028B4E619E59ABE03DD1AB2DAD0939BE9707A10  # MidwestGrey.exe

# C2 Infrastructure
46.151.182.216:8443  # PRIMARY C2 (PUREHVNC) - CRITICAL
43.228.157.123:80    # Distribution Server - HIGH

# Suspicious DNS lookup (possible DGA)
mZddGRRqKZoEUd.mZddGRRqKZoEUd  # ^[a-zA-Z]{14}\.[a-zA-Z]{14}$, final label is not a real TLD

# Process Names
MidwestGrey.exe
Transsexual.exe
RegAsm.exe (outside Microsoft.NET directory)

# Registry Keys (context only; default RASAPI32 tracing values, not anti-forensics)
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

References

  • Dynamic Analysis Report: https://any.run/report/7b57628329827948fd8be903b028b4e619e59abe03dd1ab2dad0939be9707a10/b50de0d6-af5c-4798-9212-27ffe71c958a

  • Check Point Research, PureHVNC RAT analysis: https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/

  • Cyble, PureHVNC analysis (the link in the original duplicates the Check Point URL above; the correct URL was not captured)