Attack Flow Diagram | Image: TRU
eSentire's Threat Response Unit (TRU) uncovered a sophisticated attack against a certified public accounting firm in the United States. The operation deployed a new crypter named Ghost Crypt to stealthily deliver and execute the PureRAT remote access trojan, malware that has been gaining popularity on underground forums throughout 2025.
"The attack utilized a new crypter called 'Ghost Crypt' alongside multiple layers of obfuscation to deliver and execute PureRAT malware," TRU stated in its detailed technical analysis.
Initial access to the victim's environment was achieved through highly targeted social engineering. The attackers impersonated a prospective client and sent a convincing PDF containing a link to a Zoho WorkDrive folder. Following the link downloaded a zip archive that held decoy documents, such as driving licenses and tax files, alongside a malicious executable named 1040_Scan__<Redacted>_Files_Organizer2024_<Redacted>_Tax_Organizer___2024.pdf.exe. The double extension matters: Windows Explorer hides known file extensions by default, so the file presents itself to the user as a PDF.
To intensify the pressure, the threat actor even phoned the victim directly, urging them to open the files immediately, a rare but effective psychological tactic.
The Ghost Crypt crypter used in the attack was first advertised on Hackforums on April 15, 2025, offering extensive malware packing capabilities. The author, "ghostcrypt," promoted features including DLL sideloading, Windows Defender bypasses, and compatibility with Windows 11 24H2.
"The service promotes Kleenscan, a tool that allows cybercriminals to test their packed malware against multiple antivirus engines," the report notes, citing a scan that returned zero detections for the payload.
Ghost Crypt encrypted a malicious DLL (CriticalUpdater0549303.dll), which was sideloaded by a legitimate third-party executable (hpreader.exe by Haihaisoft Limited) that loads it in place of the library it expects. Once loaded, the malware achieved persistence through a Windows Registry Run key.
What sets this operation apart is the "Process Hypnosis" injection technique. The malware created csc.exe as a debuggee (CreateProcess with the DEBUG_ONLY_THIS_PROCESS flag), which holds the new process at its initial debug event before its entry point runs and, because a process can have only one debugger, blocks any other debugger from attaching. It then used VirtualAllocEx, VirtualProtectEx, and WriteProcessMemory to write PureRAT directly into the process's memory space.
"WriteProcessMemory is called once more to patch the ZwManageHotpatch function… to bypass safeguards put in place by Microsoft to prevent process injection on Windows 11 24H2+," the report explains.
After injection, the malware redirected execution by setting a new thread context with SetThreadContext, then detached with DebugActiveProcessStop, which lets the process resume and run the injected payload. Note that this sequence never creates a remote thread, so detections keyed on CreateRemoteThread (for example Sysmon Event ID 8) do not fire.
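The chain described above (DLL sideload, Run key persistence, csc.exe spawned by the sideloading host, and a cross-process handle with memory-write rights) is what an analyst can actually see in endpoint telemetry, since the debugger calls themselves leave no event. The following is an added example, not code from eSentire or the report: four detection rules run over hand-constructed Sysmon-style events. Field names follow Sysmon's schema (Event ID 1 process create, 7 image load, 10 process access, 13 registry value set); the paths, SID, Run value name and access mask in SAMPLE_EVENTS are constructed.

```python
"""Added example (not from the eSentire/TRU report): detection rules for the
sideload -> Run-key persistence -> csc.exe injection chain, run over
constructed Sysmon-style events."""
import json
import re

USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# VirtualAllocEx/VirtualProtectEx need PROCESS_VM_OPERATION (0x8) and
# WriteProcessMemory needs PROCESS_VM_WRITE (0x20) on the target handle.
VM_OPERATION, VM_WRITE = 0x8, 0x20
# Parents that legitimately spawn the C# compiler; anything else is suspect.
CSC_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "powershell.exe"}

CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
LOADER = r"C:\Users\victim\Downloads\Tax\hpreader.exe"  # constructed path

SAMPLE_EVENTS = [  # constructed: four malicious events, then benign noise
    {"EventID": 7, "Image": LOADER, "Signed": "false",
     "ImageLoaded": r"C:\Users\victim\Downloads\Tax\CriticalUpdater0549303.dll"},
    {"EventID": 13, "Image": LOADER, "Details": LOADER,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 1, "Image": CSC, "ParentImage": LOADER},
    {"EventID": 10, "SourceImage": LOADER, "TargetImage": CSC,
     "GrantedAccess": "0x1FFFFF"},  # PROCESS_ALL_ACCESS
    {"EventID": 1, "Image": CSC, "ParentImage": r"C:\Program Files\dotnet\dotnet.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_sideload(ev):
    """Event 7: unsigned DLL loaded from a user-writable directory."""
    if ev.get("EventID") != 7 or ev.get("Signed", "").lower() == "true":
        return None
    if not USER_WRITABLE.search(ev.get("ImageLoaded", "")):
        return None
    return ("dll_sideload", basename(ev["Image"]), basename(ev["ImageLoaded"]))


def rule_run_key(ev):
    """Event 13: Run key pointing at a binary in a user-writable directory."""
    if ev.get("EventID") != 13 or not RUN_KEY.search(ev.get("TargetObject", "")):
        return None
    if not USER_WRITABLE.search(ev.get("Details", "")):
        return None
    return ("run_key_persistence", basename(ev["Image"]), ev["TargetObject"])


def rule_csc_parent(ev):
    """Event 1: csc.exe spawned by something other than a build tool."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) != "csc.exe":
        return None
    parent = basename(ev.get("ParentImage", ""))
    return None if parent in CSC_PARENTS else ("unusual_csc_parent", parent, "csc.exe")


def rule_vm_access(ev):
    """Event 10: a user-path binary opens another process with VM write rights."""
    if ev.get("EventID") != 10:
        return None
    granted = int(ev.get("GrantedAccess", "0"), 16)
    if (granted & (VM_OPERATION | VM_WRITE)) != (VM_OPERATION | VM_WRITE):
        return None
    if not USER_WRITABLE.search(ev.get("SourceImage", "")):
        return None
    return ("remote_memory_write", basename(ev["SourceImage"]), basename(ev["TargetImage"]))


RULES = (rule_sideload, rule_run_key, rule_csc_parent, rule_vm_access)


def detect(events):
    """Return one (rule, actor, target) tuple per event that matches a rule."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


def chain_actors(hits):
    """Actors seen in every rule: the full sideload -> persist -> inject chain."""
    seen = {}
    for rule, actor, _ in hits:
        seen.setdefault(actor, set()).add(rule)
    return sorted(a for a, rules in seen.items() if len(rules) == len(RULES))


def scan_json_lines(lines):
    """Entry point for a JSON-lines feed: parse, match, and name chained actors."""
    hits = detect(json.loads(line) for line in lines if line.strip())
    return hits, chain_actors(hits)


if __name__ == "__main__":
    hits, chained = scan_json_lines(json.dumps(e) for e in SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("full chain from:", chained)
```

Each rule on its own is noisy (developers do spawn csc.exe, and plenty of software opens handles with PROCESS_ALL_ACCESS), which is why chain_actors only names a process that trips all four. The access-mask rule is the one that survives the Process Hypnosis tricks: whatever the injector does with debug events and thread contexts, it still has to hold a handle with VM_OPERATION and VM_WRITE on the target.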
PureRAT, developed by the actor "PureCoder," appears to be the evolved form of PureHVNC, a tool formerly sold on the dark web. PureRAT has become its developer's flagship product, featuring a modular plugin architecture, anti-debugging features, and an intense focus on data theft from cryptocurrency platforms.
PureRAT also scans for messaging apps like Telegram and targets a wide range of Chromium-based browsers, such as Brave, Edge, and Vivaldi, to extract user data and crypto assets.
The multi-stage payload included .NET binaries obfuscated with Eazfuscator.NET, which TRU unpacked using tools such as EazFixer and NetReactorSlayer. Decryption of the layers involved both AES-256 and GZIP, and the final payload carried an embedded X.509 certificate that was parsed in memory and used to establish secure communications with the command-and-control (C2) server. An embedded certificate like this is a useful hunting artifact: its fingerprint can be extracted from the sample and used to find related samples and C2 infrastructure presenting the same certificate.
The malware sends system details, hardware fingerprints, user data, and crypto wallet extensions to the command and control (C2) server.
Afterward, it waits silently for further commands, potentially allowing the attacker to deploy additional plugins to expand functionality.