A recent cyber-attack on a US-based accounting firm in May 2025 has brought to light the use of a sophisticated crypter known as Ghost Crypt to deliver the PureRAT remote access Trojan. The attack, uncovered by researchers at eSentire’s Threat Response Unit (TRU), involved a combination of social engineering tactics, advanced obfuscation techniques, and a multi-stage malware delivery process.
The perpetrator, masquerading as a prospective client, initiated the attack by sending a malicious PDF document containing a link to a Zoho WorkDrive folder. Within this folder was a ZIP archive disguised as tax documentation, housing a file with a deceptive double extension (.pdf.exe) and a modified DLL. Upon execution, the bundled crypter decrypted and injected PureRAT into the legitimate Windows binary csc.exe.
Ghost Crypt, a crypter advertised on Hackforums since April 2025, boasts features such as bypassing major antivirus solutions, supporting the sideloading of EXE and DLL files, and utilizing a custom ChaCha20 algorithm for encryption. The crypter also employs an injection technique called “Process Hypnosis” to surreptitiously deliver payloads without detection.
To ensure persistence, the attacker added a registry key entry and copied the DLL to the user’s documents folder, further complicating detection and removal efforts.
The Ghost Crypt crypter offers a range of features, including compatibility with Windows 11 24H2+, customizable icons, and support for various malware families like LummaC2, Rhadamanthys, and XWorm. The attack leveraged legitimate software, specifically hpreader.exe by Haihaisoft, for DLL sideloading, underscoring the challenge of differentiating between benign tools and malicious loaders.
The injected PureRAT payload establishes communication with command-and-control (C2) servers, gathering user data, system information, and targeting crypto wallets and desktop applications like Ledger Live and Exodus.
PureRAT, the primary offering from underground seller PureCoder, has supplanted PureHVNC as the preferred malware product. The malware is packed using .NET obfuscators, and its payload is protected with layered AES-256 encryption and GZIP compression. It employs direct memory injection for loading DLLs, bypassing traditional execution methods.
Following installation, PureRAT scans browsers for crypto wallet extensions, prevents the system from entering sleep mode using SetThreadExecutionState API calls, transmits collected data, and awaits further instructions from its operators.
In light of this attack, eSentire advises organizations to exercise caution when receiving urgent requests from unfamiliar sources, particularly those involving cloud storage links. They recommend enabling file extension visibility, utilizing EDR tools, and verifying the legitimacy of unexpected communications to mitigate the risk of falling victim to similar cyber threats.
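The behaviors described above (a double-extension executable, csc.exe spawned by a sideloading host rather than a build tool, and a Run-key persistence entry pointing into a user-writable folder) can each be turned into EDR detection logic. The following is an added example, not code from eSentire or the report; the event format, field names and sample paths are constructed, and the allowlist of expected csc.exe parents is an assumption that must be tuned to the environment (PowerShell's Add-Type, for instance, legitimately compiles via csc.exe).

```python
import re

# Constructed, simplified Sysmon-style telemetry for the demo (not from the report).
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\acct\Downloads\Tax_Docs_2024.pdf.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Users\acct\Downloads\hpreader.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\acct\Documents\hpreader.exe"},
    {"type": "file_create", "path": r"C:\Users\acct\Downloads\invoice.pdf"},
]

# Document-looking name followed by an executable extension (e.g. ".pdf.exe").
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpg|png)\.(exe|scr|com|pif|bat|cmd|js|vbs)$", re.I)
# Assumed allowlist of parents that normally launch csc.exe; tune per environment.
EXPECTED_CSC_PARENTS = {"msbuild.exe", "devenv.exe", "vbc.exe", "dotnet.exe",
                        "aspnet_compiler.exe", "powershell.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Documents|Downloads|AppData)\\", re.I)


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, evidence) tuples for events matching the three behaviors."""
    findings = []
    for e in events:
        t = e["type"]
        if t == "file_create" and DOUBLE_EXT.search(e["path"]):
            findings.append(("double_extension", e["path"]))
        elif (t == "process_create" and basename(e["image"]) == "csc.exe"
              and basename(e["parent_image"]) not in EXPECTED_CSC_PARENTS):
            findings.append(("csc_unexpected_parent", e["parent_image"]))
        elif t == "registry_set" and RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["data"]):
            findings.append(("run_key_user_writable_path", e["data"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```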