Threat Response Unit

Ghost Crypt Powers PureRAT with Hypnosis

Attacks/Breaches

Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin

eSentire Threat Response Unit (TRU)

July 17, 2025

10 MINS READ

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In May 2025, eSentire's Threat Response Unit (TRU) detected an attack targeting a certified public accounting firm in the United States. The attack utilized a new crypter called “Ghost Crypt” alongside multiple layers of obfuscation to deliver and execute PureRAT malware. PureRAT is a Remote Access Trojan (RAT) malware first observed in Hackforums on January 2023 and has seen a significant surge in infections in 2025.

Initial access was gained through social engineering, where the threat actor impersonated a new client and sent a PDF containing a link to a Zoho WorkDrive folder containing malicious zip files. The attacker also created a sense of urgency by calling the victim and requesting that they extract and execute the file immediately.

The malicious file contained a DLL encrypted with the “Ghost Crypt” crypter, which performed process hypnosis injection of PureRAT into the legitimate Windows binary csc.exe. Figure 1 illustrates the attack flow.

Figure 1 - Attack Flow Diagram
Figure 1 - Attack Flow Diagram

Ghost Crypt Service

As seen in Figure 2, Ghost Crypt was first advertised on hackforums on April 15, 2025, by the user “ghostcrypt” (a new account created in April 2025). The service offers advanced crypting and sideloading capabilities, with support to pack both EXE and DLL files.

Figure 2 - GhostCrypt Service Advertisement on HackForums
Figure 2 - GhostCrypt Service Advertisement on HackForums

According to the advertisement, Ghost Crypt provides:

Figure 3 - Kleenscan scan results with 0 hits (hxxps[:]//kleenscan[.]com/scan_result/2d8af5c8db0b34dab78d7e631f25efdec6fafc5d3e33c42b47e97c7abe39b599)
Figure 3 - Kleenscan scan results with 0 hits (hxxps[:]//kleenscan[.]com/scan_result/2d8af5c8db0b34dab78d7e631f25efdec6fafc5d3e33c42b47e97c7abe39b599)

Initial Access

Initial access was achieved when the threat actor, posing as a new client, sent a malicious PDF to the victim (Figure 4). The PDF contains a link to a Zoho WorkDrive URL (zohoexternal[.]com). This URL is part of Zoho’s cloud-based file sharing and collaboration platform, allowing users to securely share and download files over the internet.

When the victim clicked the link, the zip archive was downloaded containing various files such as License copy, tax documents, along with an executable file with a double extension: <filename>.pdf.exe and the malicious DLL.

Figure 4 - <Redacted>.pdf containing link to Zoho WorkDrive
Figure 4 - <Redacted>.pdf containing link to Zoho WorkDrive

Visiting that Link Downloads “<Redacted>_File (3).zip” which contains multiple files including Driving License and Tax Document (Figure 5 and Figure 6) potentially to gain credibility.

Figure 5 – Content of zip archive
Figure 5 – Content of zip archive
Figure 6 – Attached License and Tex Document
Figure 6 – Attached License and Tex Document

1040_Scan__<Redacted>_Files_Organizer2024_<Redacted>_Tax_Organizer___2024.pdf[.]exe was legitimate file “hpreader.exe” version 1.5.7.0 by “Haihaisoft Limited”. This executable was used to sideload the malicious DLL, which was originally named “oledlg.dll” but had been renamed to “CriticalUpdater0549303.dll”.

To maintain access, the malicious DLL copies itself to “C:\Users\<username>\Documents\” folder and establishes persistence by creating an entry in the Windows Registry Key to ensure DLL is launched each time users log in.

Figure 7 - Registry Run Key entry for Persistence
Figure 7 - Registry Run Key entry for Persistence

Ghost Crypt Analysis

Ghost Crypt employs a modified ChaCha20 algorithm to decrypt the payload stored in oledlg.dll. This custom implementation differs from standard ChaCha20 in three ways:

  1. Uses a non-standard magic constant
  2. Implements a 12-byte null nonce
  3. Uses a null counter value
  4. The encryption key is modified by incrementing the fifth double word (DWORD) in each state matrix.
Figure 8 - Custom ChaCha20 state matrix used in decryption
Figure 8 - Custom ChaCha20 state matrix used in decryption

After decrypting the payload, it uses an injection technique known as “Process Hypnosis” beginning by calling the CreateProcessW API with dwCreationFlags set to DEBUG_ONLY_THIS_PROCESS (0x00000002). This flag opens the target process in debug mode, as illustrated in the figure below. This technique effectively prevents debugging the child process as it is already being debugged.

Figure 9 - Process Hacker showing process is being debugged
Figure 9 - Process Hacker showing process is being debugged

Once the process is running in debug mode, the malware uses VirtualAllocEx to allocate memory within the child process. The memory permissions are then modified using VirtualProtectEx to grant Read, Write, and Execute (RWX) access. As shown in Figure 10, a 344 kB payload is allocated with RWX permissions.

Figure 10 - Allocated memory region with RWX permissions
Figure 10 - Allocated memory region with RWX permissions

The malware then proceeds to write the PureRAT payload into the victim processes address space using WriteProcessMemory:

Figure 11 – PureRAT payload resident in address space of csc.exe
Figure 11 – PureRAT payload resident in address space of csc.exe

WriteProcessMemory is called once more to patch the ZwManageHotpatch function with 32 bytes of data, a technique highlighted in hasherezade’s blog for bypassing safeguards put in place by Microsoft to prevent process injection on Windows 11 24H2+.

Figure 12 - Patched ZwManageHotPatch Function
Figure 12 - Patched ZwManageHotPatch Function

Finally, the malware uses SetThreadContext to update the EAX register, which stores the entrypoint of the main thread, and changes it to point to the PureRAT loader. Lastly, the DebugActiveProcessStop API is called resume execution of PureRAT.

Figure 13 - SetThreadContext API Execution
Figure 13 - SetThreadContext API Execution

PureCoder, the Seller Behind PureHVNC, Now Focuses on PureRAT

The figure below displays an older screenshot of PureCoder's vendor site compared to the updated site. The older version previously offered PureHVNC, but this product is no longer available for sale. PureCoder has since incorporated PureHVNC's features into PureRAT, which is now their main product offering.

Figure 14 - PureCoder Site Comparison (PureHVNC vs. PureRAT)
Figure 14 - PureCoder Site Comparison (PureHVNC vs. PureRAT)

PureRAT Analysis

After dumping the main executable, the next stage involves a binary named “Kolaidqv.exe”. This .NET-based executable is obfuscated using Eazfuscator.NET but can be easily deobfuscated with open-source tooling like EazFixer. A before-and-after comparison can be seen in the figure below, illustrating the effectiveness of using open-source tools for easing the reverse engineering process.

Figure 15 - Before and After EazFixer Deobfuscation
Figure 15 - Before and After EazFixer Deobfuscation

Focusing on the \u0003() method of the \u0008\u2009 class, we observe a series of operations:

Figure 16 - GZIP and AES Decryption Code
Figure 16 - GZIP and AES Decryption Code
Figure 17 - AES Key and IV Extraction
Figure 17 - AES Key and IV Extraction
Figure 18 - Skipping First 4 Bytes (GZIP Decompression)
Figure 18 - Skipping First 4 Bytes (GZIP Decompression)

To streamline analysis, we prepared a CyberChef recipe to automate the decryption/decompression process (see CyberChef Figure 19 for the full workflow).

CyberChef Query:
AES_Decrypt({'option':'Base64','string':'MXqPC2prcwFkxWlCpYq7WP6flqNNS/jp30pso2H4REY='},{'option':'Base64','string':'8K3sq/Koi79bsIFDr9ApfQ=='},'CBC','Hex','Raw',{'option':'Hex','string':''},{'option':'Hex','string':''})

Drop_bytes(0,4,false)

Gunzip()

Figure 19 - CyberChef Recipe for Payload Decryption/Decompression
Figure 19 - CyberChef Recipe for Payload Decryption/Decompression

The next stage is another .NET binary, but this time it’s a DLL. Unlike typical malware, this DLL is not executed via rundll32 or regsvr32. Instead, the initial binary contains a hardcoded class and method names, which serve as the entry point for executing the DLL. The DLL is loaded via the Assembly.Load method, the Type/Method for PureRAT are resolved, and the Delegate.CreateDelegate method is called to invoke the method.

Figure 20 - Hardcoded Class and Method Entry Point for DLL
Figure 20 - Hardcoded Class and Method Entry Point for DLL

The DLL is packed with .NET Reactor which is common among other malware distributed by PureCoder, and can be unpacked using tools like NetReactorSlayer. Once unpacked, the binary loads and decompresses an embedded GZIP-compressed, base64-encoded payload. This payload is then cast and used to load an X.509 certificate into memory (see Figure 21 and Figure 22 for the embedded certificate, decrypted C2 information, and mutex details).

Figure 21 - Embedded X.509 Certificate and C2 Details
Figure 21 - Embedded X.509 Certificate and C2 Details
Figure 22 – Decoded Embedded X.509 Certificate and C2 Details
Figure 22 – Decoded Embedded X.509 Certificate and C2 Details

Parsed X.509 Certificate:

Version: 3 (0x02)
Serial number: 1071913861427099792278749970483054303 (0x00ce716f065359815a313d6a140b06df)
Algorithm ID: SHA512withRSA
Validity
Not Before: 31/03/2025 17:39:19 (dd-mm-yyyy hh:mm:ss) (250331173919Z)
Not After: 31/12/9999 23:59:59 (dd-mm-yyyy hh:mm:ss) (99991231235959Z)
Issuer
CN = Wggrtlfl
Subject
CN = Wggrtlfl
Fingerprints
MD5: 3de14ad7e90355527282d3da369815a2
SHA1: 9add49745b6fb5002aa89f79ef549f3bfaa8203d
SHA256: cbbda2edde38162e49f7578512c015640392342a26ea0e5cd90705bb66a7ba81
Public Key
Algorithm: RSA
Length: 4096 bits
Modulus: <Redacted Included in IOCs>
Exponent: 65537 (0x10001)
Certificate Signature
Algorithm: SHA512withRSA
Signature: <Redacted Included in IOCs>
Extensions
subjectKeyIdentifier :
0aa68f69f3a2c9d4fa54c3978e9b8eb66daef88b
basicConstraints CRITICAL:
cA=true

The malware uses the SetThreadExecutionState API with the flags : ES_CONTINUOUS, ES_SYSTEM_REQUIRED, and ES_DISPLAY_REQUIRED (0x80000003 ). This informs the system that the thread is in use, preventing the system from sleeping or turning off the display.

Figure 23 - SetThreadExecutionState API Usage
Figure 23 - SetThreadExecutionState API Usage

Upon establishing a connection, the malware collects and sends a wealth of information to the Command and Control (C2) server, including:

The malware specifically targets Chrome extensions related to crypto wallets:

These extensions are checked across the following Chromium-based browsers:

Chromium, Chrome, Brave, Edge, QQBrowser, ChromePlus, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements, Epic Privacy, Uran, Sleipnir5, Citrio, Coowon, liebao, QIP Surf, Orbitum, Dragon, Amigo, Torch, Comodo, 360Browser, Maxthon3, K-Melon, Sputnik, Nichrome, CocCoc, Chromodo, Atom

In addition to targeting browser extensions, the malware scans the system for desktop cryptocurrency applications. It specifically searches for installation and data folders belonging to messaging apps like Telegram and cryptocurrency wallets such as Ledger Live, Exodus, and Atomic Wallet.

This PureRAT infection closely resembles the tactics described by Fortinet in their article on PureHVNC. After gathering all the specified information including system details, hardware fingerprints, user data, and crypto wallet extensions, the malware sends this data to the command and control (C2) server.

The malware then awaits further instructions, which typically include loading additional plugins for expanded functionality. Unfortunately, we were unable to capture any plugin payloads during our investigation.

What can you learn from this TRU Positive?

Recommendations from the Threat Response Unit (TRU)

Indicators of Compromise

References

To learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.

GET STARTED

ABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Back to blog

Take Your Cybersecurity Program to the Next Level with eSentire MDR.

BUILD A QUOTE

Read Similar Blogs

EXPLORE MORE BLOGS