logo

Has TeamPCP Pivoted To Using The PureHVNC RAT?

ID: fa5b44d9-049c-5435-9674-7da314d4a59a

STIX ID: report--fa5b44d9-049c-5435-9674-7da314d4a59a

Feed Name: OpenSourceMalware Blog

Threat Score
72/100

Date Published: 2026-03-31

Date Updated: 2026-06-20

Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2

...
...

**Executive Summary:** This blog post analyzes a multi-stage campaign that uses an obfuscated PowerShell script masquerading as an MP3 to deliver a .NET stealer (MidwestGrey.exe) and ultimately deploy the PureHVNC RAT; dynamic sandboxing showed credential and crypto-wallet exfiltration, hidden VNC access, RC4-protected C2 configuration, active C2 IPs and numerous IOCs, and the author assesses with low confidence that the activity is not TeamPCP but rather a commodity cybercrime operator.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.