Malware Campaign Targets US Accounting Firm Using New Crypter “Ghost Crypt”

In May 2025, a sophisticated malware campaign targeted a U.S.-based accounting firm, delivering the PureRAT remote access trojan (RAT) via a newly advertised crypter named Ghost Crypt, according to researchers from eSentire’s Threat Response Unit (TRU).

The attackers used social engineering and multi-stage malware delivery techniques to bypass defenses and infiltrate the organization’s systems.

PureRAT Delivered via Social Engineering and Advanced Obfuscation

The attack began with the threat actor impersonating a potential client, sending a PDF that linked to a Zoho WorkDrive folder. This folder contained a ZIP file camouflaged as tax documents, which in reality hosted an executable with a misleading double extension (.pdf.exe) and a renamed DLL.

Once opened, Ghost Crypt decrypted and injected the PureRAT payload into csc.exe, a legitimate Windows process. This sideloading technique allowed the malware to run with minimal suspicion.

First seen advertised on hacking forums in April 2025, Ghost Crypt promises evasion from mainstream antivirus software and supports both EXE and DLL sideloading. It uses a customized ChaCha20 encryption algorithm and a stealthy injection method dubbed “Process Hypnosis” to deliver its malicious payloads.

Persistence was established by copying the malicious DLL to the user’s Documents folder and creating a new Windows Registry key.

Ghost Crypt Capabilities and Payload Behavior

Ghost Crypt boasts a range of capabilities designed to assist cybercriminals:

  • Bypasses Windows Defender and many cloud-based detection systems
  • Compatible with Windows 11 24H2 and newer
  • Offers customizable icons and stub sizes
  • Provides a three-day survival warranty with free re-encryption
  • Supports payloads such as LummaC2, Rhadamanthys, and XWorm

In this specific case, the attacker used a legitimate executable (hpreader.exe by Haihaisoft) to perform DLL sideloading—a tactic that complicates efforts to differentiate between trusted applications and malware loaders.

Once injected, PureRAT connects to command-and-control (C2) infrastructure to harvest sensitive data. It collects system details, searches for cryptocurrency wallets (like Ledger Live and Exodus), and monitors user activity.

PureRAT Emerges as PureCoder’s Flagship Malware

This incident confirms that PureRAT has replaced PureHVNC as the main offering from the threat actor known as PureCoder.

The malware is heavily obfuscated using .NET packers, layered with AES-256 encryption and GZIP compression. It employs direct memory injection to load DLLs, avoiding conventional execution paths and complicating detection.

Once active, it scans for browser-based crypto wallets, manipulates system behavior via SetThreadExecutionState API calls (to prevent sleep mode), and establishes persistent communication with C2 servers to await further instructions.

Mitigation Recommendations

eSentire advises organizations to be highly cautious with unexpected communications, particularly those involving cloud file sharing platforms like Zoho. Their recommendations include:

  • Enable file extension visibility to spot deceptive filenames
  • Deploy endpoint detection and response (EDR) tools
  • Verify all unsolicited communications, especially from unknown contacts requesting immediate action
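The lure described above (a ZIP of "tax documents" carrying a .pdf.exe next to a renamed DLL) can be triaged before anything is opened. The following script is an added example, not eSentire's or the article's code; the archive contents and file names it builds are constructed for illustration, not taken from the campaign.

```python
import io
import zipfile

# Extensions Windows will execute; a lure hides one behind a document-looking
# inner extension such as ".pdf.exe" so Explorer (with extensions hidden)
# shows only "2024 Tax Return.pdf".
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def suspicious_entries(zip_bytes: bytes) -> dict:
    """Flag double-extension executables and EXE/DLL pairs in one folder.

    An EXE shipped beside a DLL in the same directory is the classic
    DLL-sideloading layout; it is reported as a pair for an analyst to check.
    """
    findings = {"double_extension": [], "sideload_pairs": []}
    exes_by_dir, dlls_by_dir = {}, {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    for name in names:
        lower = name.lower()
        directory, _, base = lower.rpartition("/")
        parts = base.split(".")
        if len(parts) >= 3:
            final, inner = "." + parts[-1], "." + parts[-2]
            if final in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS:
                findings["double_extension"].append(name)
        if lower.endswith(".exe"):
            exes_by_dir.setdefault(directory, []).append(name)
        elif lower.endswith(".dll"):
            dlls_by_dir.setdefault(directory, []).append(name)
    for directory, exes in exes_by_dir.items():
        for dll in dlls_by_dir.get(directory, []):
            for exe in exes:
                findings["sideload_pairs"].append((exe, dll))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive mimicking the lure layout (placeholder bytes only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tax Documents 2024/2024 Tax Return.pdf.exe", b"MZ placeholder")
        zf.writestr("Tax Documents 2024/renamed_library.dll", b"MZ placeholder")
        zf.writestr("Tax Documents 2024/Cover Letter.pdf", b"%PDF placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_entries(build_sample_archive()))
```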

This campaign underscores the increasing sophistication of malware operations and the importance of proactive defense strategies in safeguarding sensitive business environments.

Source: https://www.infosecurity-magazine.com/news/crypter-malware-targets-accounting/