Has TeamPCP Pivoted To Using The PureHVNC RAT?
ID: fa5b44d9-049c-5435-9674-7da314d4a59a
STIX ID: report--fa5b44d9-049c-5435-9674-7da314d4a59a
Feed Name: OpenSourceMalware Blog
Date Published: 2026-03-31
Date Updated: 2026-06-20
Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2
**Executive Summary:** This blog post analyzes a multi-stage campaign that uses an obfuscated PowerShell script masquerading as an MP3 to deliver a .NET stealer (MidwestGrey.exe) and ultimately deploy the PureHVNC RAT; dynamic sandboxing showed credential and crypto-wallet exfiltration, hidden VNC access, RC4-protected C2 configuration, active C2 IPs and numerous IOCs, and the author assesses with low confidence that the activity is not TeamPCP but rather a commodity cybercrime operator.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
