Pure Crypter, a well-known malware-as-a-service (MaaS) loader, has been identified as a key tool for threat actors targeting Windows-based systems in a thorough technical analysis conducted by eSentire's Threat Response Unit (TRU) during 2024 and 2025.
This loader, favored for deploying information stealers such as Lumma and Rhadamanthys through the ClickFix initial access vector, has shown remarkable adaptability in evading Microsoft's latest security enhancements in Windows 11 24H2.
Malware Loader Targets Windows Systems
Microsoft's attempt to block malware loaders by preventing Process Hollowing-based injection in the 24H2 update has been circumvented by Pure Crypter's developers through a simple but effective in-memory patch of the NtManageHotPatch API.
This bypass technique, detailed by security researcher Hasherezade, allows the malware to perform Process Hollowing (RunPE) on newer Windows builds, undermining the operating system's defenses.
Pure Crypter's architecture is a testament to its sophistication, incorporating a wide array of evasion and persistence mechanisms designed to thwart antivirus (AV) and endpoint detection and response (EDR) solutions.

Its configuration, stored as a Protobuf-serialized message, is decrypted and deserialized during execution, enabling modular activation of features such as AMSI (Antimalware Scan Interface) bypass via memory patching of the AmsiScanBuffer and EtwEventWrite APIs, DLL unhooking to load clean copies of kernel32.dll and ntdll.dll, and anti-VM and anti-debugging checks using APIs like CheckRemoteDebuggerPresent and WMI queries to detect virtualized environments.
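An analyst who recovers a decrypted Protobuf configuration blob from memory usually has no .proto definition for it, but the wire format is self-describing enough that the field numbers, wire types and values can be enumerated to see which feature flags are enabled. The schema-less decoder below is an added example, not code from eSentire, TRU or the PureCrypterPunisher tool; the sample message and the meanings given to its fields are constructed for the illustration and are not Pure Crypter's actual schema.

```python
"""Schema-less walker for the Protocol Buffers wire format.

Added example, not code from the eSentire article or the PureCrypterPunisher
tool. When a loader's configuration is recovered as a raw Protobuf message
but no .proto definition is available, the field numbers, wire types and
values can still be enumerated to see which feature flags are set. The
sample message below is constructed for this illustration; its field
meanings are assumptions, not Pure Crypter's real schema."""
from typing import List, Tuple, Union

Field = Tuple[int, int, Union[int, bytes]]  # (field number, wire type, value)

WIRE_VARINT, WIRE_FIXED64, WIRE_LEN, WIRE_FIXED32 = 0, 1, 2, 5


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a base-128 varint at buf[pos]; return (value, next position)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def _take(buf: bytes, pos: int, n: int) -> Tuple[bytes, int]:
    """Slice n bytes at pos, refusing to read past the end of the buffer."""
    if pos + n > len(buf):
        raise ValueError("truncated field")
    return buf[pos:pos + n], pos + n


def decode_fields(buf: bytes) -> List[Field]:
    """Enumerate every key/value pair of a message without a schema.
    Deprecated group wire types (3 and 4) are rejected rather than guessed."""
    pos, fields = 0, []
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        number, wire = tag >> 3, tag & 0x7
        if number == 0:
            raise ValueError("field number 0 is invalid")
        if wire == WIRE_VARINT:
            value, pos = read_varint(buf, pos)
        elif wire == WIRE_FIXED64:
            raw, pos = _take(buf, pos, 8)
            value = int.from_bytes(raw, "little")
        elif wire == WIRE_LEN:
            length, pos = read_varint(buf, pos)
            value, pos = _take(buf, pos, length)
        elif wire == WIRE_FIXED32:
            raw, pos = _take(buf, pos, 4)
            value = int.from_bytes(raw, "little")
        else:
            raise ValueError(f"unsupported wire type {wire} at offset {pos}")
        fields.append((number, wire, value))
    return fields


def describe(buf: bytes, depth: int = 0) -> List[str]:
    """Render fields as text. Length-delimited values are shown as a string
    when they are printable UTF-8, otherwise tried as a nested message,
    otherwise dumped as hex."""
    lines = []
    indent = "  " * depth
    for number, wire, value in decode_fields(buf):
        if wire != WIRE_LEN:
            lines.append(f"{indent}field {number} (wire {wire}): {value}")
            continue
        try:
            text = value.decode("utf-8")
            if text.isprintable():
                lines.append(f"{indent}field {number} (string): {text!r}")
                continue
        except UnicodeDecodeError:
            pass
        try:
            nested = describe(value, depth + 1)
            lines.append(f"{indent}field {number} (message):")
            lines.extend(nested)
        except ValueError:
            lines.append(f"{indent}field {number} (bytes): {value.hex()}")
    return lines


# Constructed sample (not a real Pure Crypter config): field 1 = varint 1
# (a feature flag), field 2 = string "persist", field 3 = varint 300,
# field 4 = fixed32 60, field 6 = nested message holding field 1 = varint 0.
SAMPLE_CONFIG = bytes.fromhex(
    "0801" "120770657273697374" "18ac02" "253c000000" "32020800"
)

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_CONFIG)))
```

Because the decoder never trusts a declared length beyond the buffer it is given, a truncated or corrupt dump raises ValueError instead of reading garbage; when a length-delimited field fails both the string and nested-message interpretations it is shown as hex so that encrypted payload blobs are still visible in the listing.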
Deceptive Marketing
Additional tactics include disabling internet connectivity via ipconfig.exe to hinder AV/EDR communication, applying execution delays with SleepEx, and ensuring persistence through Run keys, scheduled tasks, or VBScript in startup folders.
The loader also supports multiple payload execution methods, including Reflection for .NET files, shellcode injection via VirtualAlloc and CreateThread, and parent process spoofing using OpenProcess and UpdateProcThreadAttribute, making it a versatile tool for malicious operations.
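Several of the tactics just listed leave ordinary process-creation and file-write telemetry behind: ipconfig.exe releasing the network, reg.exe writing a Run key, schtasks.exe creating a task, and a .vbs file landing in a Startup folder. The triage script below is an added example, not code from eSentire or TRU; the event schema (type, image, parent_image, command_line, target_path) and the sample events are constructed to resemble Sysmon- or EDR-style records, and the correlation keys on the parent process so that individually noisy events are only escalated when they cluster under one origin.

```python
"""Behavioural triage of process and file telemetry for the Pure Crypter
tactics described above. Added example, not code from eSentire or TRU.
The event schema and the sample events are constructed for this
illustration and mimic Sysmon/EDR-style records."""
import re
from typing import Dict, List

# Each rule: (finding name, event field to inspect, pattern). The fields are
# assumptions about the telemetry source: a command line for process
# creation events and a target path for file-write events.
RULES = [
    ("network_disabled_via_ipconfig", "command_line",
     re.compile(r"ipconfig(\.exe)?\s+/release", re.I)),
    ("persistence_run_key", "command_line",
     re.compile(r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", re.I)),
    ("persistence_scheduled_task", "command_line",
     re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
    ("persistence_startup_vbscript", "target_path",
     re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$", re.I)),
]


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule whose pattern matches this event."""
    return [name for name, field, pattern in RULES
            if pattern.search(event.get(field, ""))]


def origin_of(event: Dict[str, str]) -> str:
    """The process to attribute a finding to: the parent for process
    creation (the spawned utility is just a tool), the writer for file events."""
    if event.get("type") == "process":
        return event.get("parent_image") or event.get("image", "")
    return event.get("image", "")


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group rule hits by originating process."""
    by_origin: Dict[str, List[str]] = {}
    for event in events:
        hits = match_event(event)
        if hits:
            by_origin.setdefault(origin_of(event), []).extend(hits)
    return by_origin


def suspicious_origins(events: List[Dict[str, str]],
                       threshold: int = 2) -> Dict[str, List[str]]:
    """Origins with at least `threshold` distinct findings. A lone
    `ipconfig /release` is common admin noise; the same parent also
    installing persistence is what merits escalation."""
    return {origin: sorted(set(hits))
            for origin, hits in triage(events).items()
            if len(set(hits)) >= threshold}


# Constructed sample telemetry: one unsigned binary in AppData spawns the
# three utilities and drops a .vbs into the Startup folder; notepad is benign.
DROPPER = "C:\\Users\\user\\AppData\\Roaming\\update.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\ipconfig.exe",
     "parent_image": DROPPER, "command_line": "ipconfig.exe /release"},
    {"type": "process", "image": "C:\\Windows\\System32\\reg.exe",
     "parent_image": DROPPER,
     "command_line": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
                     " /v Updater /t REG_SZ /d " + DROPPER},
    {"type": "process", "image": "C:\\Windows\\System32\\schtasks.exe",
     "parent_image": DROPPER,
     "command_line": "schtasks /create /sc onlogon /tn Updater /tr " + DROPPER},
    {"type": "file", "image": DROPPER,
     "target_path": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows"
                    "\\Start Menu\\Programs\\Startup\\update.vbs"},
    {"type": "process", "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for origin, findings in suspicious_origins(SAMPLE_EVENTS).items():
        print(origin, "->", ", ".join(findings))
```

The SleepEx delays and in-memory API patches from the same list are not visible in this kind of telemetry, which is why the correlation leans on the persistence and network artefacts; in a real deployment the threshold and the parent-process attribution would be tuned against the environment's baseline of legitimate ipconfig and schtasks usage.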
Beyond its technical prowess, Pure Crypter's distribution and marketing strategies amplify its threat.
Sold on platforms like Hackforums[.]net by the vendor 'PureCoder' with tiered subscriptions ranging from $159 for three months to $799 for lifetime access, it is distributed via an automated Telegram bot, @ThePureBot, which also markets related tools such as Pure Miner, Pure RAT, and Pure Logs Stealer.

The vendor employs deceptive marketing by showcasing zero-detection results on avcheck[.]net, a scanning platform that does not share samples with AV/EDR vendors.
However, eSentire's testing on VirusTotal revealed that newly generated stubs are detected by at least 20 AV/EDR solutions, exposing a significant discrepancy and suggesting misleading tactics to boost sales.
Operational security is further maintained through a Terms of Service (ToS) agreement used to skirt forum restrictions on malicious software sales, while a user-friendly GUI with quotas on packing operations lowers the technical barrier for threat actors.
To counter this, eSentire has developed PureCrypterPunisher, a tool that automates unpacking, configuration extraction, and string decryption, enabling security researchers to better analyze and mitigate this pervasive threat in the evolving cyber landscape.