A cyber-attack on a US-based accounting firm in May 2025 has been observed delivering the PureRAT remote access Trojan using a sophisticated crypter called Ghost Crypt.
According to researchers at eSentire’s Threat Response Unit (TRU), the campaign involved social engineering, advanced obfuscation techniques and a multi-stage malware delivery process.
PureRAT Delivered Through Ghost Crypt and Social Engineering
The attacker, posing as a new client, sent a malicious PDF linking to a Zoho WorkDrive folder. The folder contained a ZIP archive disguised as tax documentation. Inside was a file with a deceptive double extension (.pdf.exe) and a renamed DLL. When executed, the bundled crypter decrypted and injected PureRAT into the legitimate Windows binary csc.exe.
Ghost Crypt, advertised on Hackforums since April 2025, claims to bypass major antivirus solutions and supports the sideloading of both EXE and DLL files. It uses a custom variant of the ChaCha20 algorithm and employs an injection method called “Process Hypnosis” to deliver payloads undetected.
The attacker further ensured persistence by adding a registry key entry and copying the DLL to the user’s documents folder.
Ghost Crypt Features and Malware Behavior
Ghost Crypt promotes several features:
-
Bypasses Windows Defender and cloud-based detection
-
Compatible with Windows 11 24H2+
-
Includes customizable icons and DLL stub sizing
-
Offers a 3-day survival guarantee with free recrypts
-
Supports malware families like LummaC2, Rhadmanthys, and XWorm
Read more on Windows malware injection techniques: Winos4.0 Malware Found in Game Apps, Targets Windows Users
The attack used legitimate software – hpreader.exe by Haihaisoft – for DLL sideloading. This, eSentire warned, highlights the challenge of distinguishing benign tools from malicious loaders.
The injected PureRAT payload communicates with command-and control (C2) servers, collecting user data, system details and searching for crypto wallets and desktop apps like Ledger Live and Exodus.
PureRAT Evolves as Main Offering from PureCoder
PureRAT has replaced PureHVNC as the flagship product from underground seller PureCoder.
The malware is packed using .NET obfuscators and compressed with encryption layers including AES-256 and GZIP. It loads DLLs using direct memory injection instead of traditional execution techniques.
Upon successful installation, the malware scans browsers for crypto wallet extensions and uses SetThreadExecutionState API calls to prevent the system from entering sleep mode. It then transmits collected data and awaits further instructions from its operators.
eSentire warned organizations to remain vigilant against urgent requests from unknown sources, particularly involving cloud storage links. They also advised enabling file extension visibility, using EDR tools and verifying the legitimacy of unexpected communications.