Researchers from the Internet Initiative Japan (IIJ) have analyzed a previously unknown malware loader that can simultaneously execute two distinct malware families — TorNet and PureHVNC — while employing uncommon obfuscation and hashing techniques.
According to the report by Naoki Takayama, “Around May 2025, a ZIP file containing multiple files, including a newly discovered malware loader, was uploaded to VirusTotal. This loader had several characteristics not often seen in other malware loaders, such as its ability to execute two malware families (TorNet and PureHVNC) and its implementation of API hashing with MurmurHash2.”
This dual-execution behavior, combined with advanced persistence mechanisms and cryptographic obfuscation, suggests a sophisticated evolution in loader design likely intended for long-term stealth operations.
The infection begins when a user executes what appears to be a legitimate program extracted from the malicious ZIP archive.
Inside the ZIP, the attackers included both legitimate and hidden files. All files except the benign executable were marked with hidden and system attributes, ensuring they wouldn’t appear in Windows Explorer.

Once the executable is launched, it performs DLL sideloading by loading a malicious file named version.dll. The report explains:
“When the legitimate executable is run, it will load a malicious DLL file called version.dll prepared by the attacker through DLL sideloading. The original version.dll has been renamed to npHPReader64.dll.”
The malicious DLL acts as both a proxy (forwarding legitimate calls) and a loader, injecting the TorNet and PureHVNC components into other processes.
Persistence is achieved by copying itself into the %LOCALAPPDATA%\npHPReader64 directory and creating a Run key entry at:
with a value referencing the newly copied executable.
Takayama writes, “Once the loader is executed, it registers the automatic execution setting in the registry to achieve malware persistence.”
One of the loader’s defining technical traits is its use of the MurmurHash2 algorithm for API hashing — a technique rarely seen in loaders of this type.
Compared with the more common CRC32 or SHA-1 based API hashing, MurmurHash2 is faster to compute and more resistant to straightforward static analysis.
“This loader uses an algorithm called MurmurHash2, with seed value 0xB801FCDA, to hash API function and DLL file name,” the report explains. “API hashing using MurmurHash2 is also implemented in well-known infostealer malware ‘LummaStealer,’ but its implementation in this type of loader had not been observed before.”
IIJ researchers even released an IDAPython script to automatically resolve API names from the hashed values used by the malware, a useful tool for reverse engineers studying similar threats.
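The following is an added illustration of the technique the report describes, not IIJ's IDAPython script: a Python implementation of the 32-bit MurmurHash2 reference algorithm with the reported seed 0xB801FCDA, plus a lookup that resolves hashed values back to API or DLL names from a candidate list. It assumes the loader hashes the plain ASCII name as-is, without a terminating NUL or case normalization; the report does not state this, so adjust `hash_name` if the hashes do not match.

```python
import struct

MURMUR_SEED = 0xB801FCDA  # seed value reported by IIJ for this loader
MASK32 = 0xFFFFFFFF

def murmurhash2(data: bytes, seed: int = MURMUR_SEED) -> int:
    """32-bit MurmurHash2 (Austin Appleby's reference), little-endian."""
    m, r = 0x5BD1E995, 24
    length = len(data)
    h = (seed ^ length) & MASK32
    i = 0
    while length - i >= 4:                      # mix four bytes at a time
        k = struct.unpack_from("<I", data, i)[0]
        k = (k * m) & MASK32
        k ^= k >> r
        k = (k * m) & MASK32
        h = (h * m) & MASK32
        h ^= k
        i += 4
    tail = length - i                           # 0 to 3 remaining bytes
    if tail >= 3:
        h ^= data[i + 2] << 16
    if tail >= 2:
        h ^= data[i + 1] << 8
    if tail >= 1:
        h ^= data[i]
        h = (h * m) & MASK32
    h ^= h >> 13                                # final avalanche
    h = (h * m) & MASK32
    h ^= h >> 15
    return h

def hash_name(name: str) -> int:
    # Assumption: exact-case ASCII name, no trailing NUL (not stated in the report).
    return murmurhash2(name.encode("ascii"))

def build_hash_table(names) -> dict:
    """Map hash -> name for every candidate, so unknown hashes can be looked up."""
    return {hash_name(n): n for n in names}

def resolve_api_hash(value: int, table: dict):
    return table.get(value & MASK32)

# Candidate names taken from the APIs and DLLs named in the report (constructed list).
CANDIDATE_NAMES = ["CreateProcessA", "WriteProcessMemory", "SetThreadContext",
                   "ResumeThread", "kernel32.dll", "version.dll"]

if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_NAMES)
    for h, name in sorted(table.items()):
        print(f"0x{h:08X} -> {resolve_api_hash(h, table)}")
```

In a real analysis the candidate list would be every export of the DLLs the loader touches, and unresolved hashes point either to a different name set or to a different hashing convention.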
The loader’s payloads are stored internally in an AES-128-ECB encrypted and LZMA-compressed format. Two different AES keys are used — one for each of the embedded malware components:
- TorNet loader key: 37C1FF3236DD4989153CCAC2CA712192
- PureHVNC loader key: 6CB15D6A5C9AB4C2B2885FF35836892A
Once decrypted and decompressed, the loader spawns a suspended process of jsc.exe (part of Microsoft’s .NET Framework) using CreateProcessA, then writes the payloads into its memory via WriteProcessMemory.
Execution resumes with SetThreadContext and ResumeThread, effectively injecting the malware into a trusted Windows binary.
The first payload, TorNet, acts as a downloader communicating exclusively through the TOR network.
After execution, TorNet decodes its Base64-encoded configuration, downloads a TOR client to a temporary directory, and launches it as a SOCKS proxy on port 9050. Through this proxy, it communicates with a remote C2 server, receiving additional payloads that are DES3-encrypted and GZip-compressed before being executed in memory.
The second payload, PureHVNC, is a commercial remote access trojan (RAT) that provides full control over an infected system.
After Base64-decoding and decompressing its configuration, PureHVNC connects to its command-and-control (C2) infrastructure, sending system details via API and WMI queries.
PureHVNC can execute commands, log keystrokes, and transmit screenshots. Earlier variants reportedly stored payloads in the Windows Registry, but this version omits that feature to avoid forensic recovery.