eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Recommendations from the Threat Response Unit (TRU):
References
Key takeaways:
Pure Crypter is a sophisticated malware-as-a-service (MaaS) loader that's being widely used by threat actors and is distributed through an automated Telegram channel.
The malware employs multiple evasion techniques including AMSI bypass, DLL unhooking, anti-VM detection, anti-debugging measures, and recently added capabilities to bypass Windows 11 24H2 security features through NtManageHotPatch API patching.
The developers use deceptive marketing tactics by promoting "Fully UnDetected" (FUD) status based on avcheck[.]net results, while VirusTotal shows detection by multiple AV/EDR solutions, revealing significant discrepancies in detection rates.
eSentire developed an automation tool called PureCrypterPunisher that helps security researchers automate the unpacking process, extract malware configurations, and decrypt embedded strings from Pure Crypter samples for better analysis and detection capabilities.
What did we find?
Throughout 2024 and 2025, eSentire's Threat Response Unit (TRU) has conducted extensive surveillance of Pure Crypter, a malware-as-a-service (MaaS) loader that has emerged as the preferred choice for diverse threat actors targeting Windows-based systems.
The loader has been particularly prevalent in deploying information stealers such as Lumma and Rhadamanthys, primarily utilizing the ClickFix initial access vector. With the release of Windows 11 24H2, Microsoft attempted to crack down on malware loaders by preventing Process Hollowing based injection.
However, Pure Crypter's developers, along with other malware authors, found an elementary bypass by simply patching the NtManageHotPatch API in memory.
The widespread adoption of Pure Crypter across multiple industries signifies its strategic importance in the current threat landscape. In response, this technical analysis serves two primary objectives:
Provides a comprehensive examination of Pure Crypter's architectural components.
Introduces a specialized automation tool developed by eSentire that enables security researchers to:
Automate the unpacking process
Extract malware configurations
Decrypt embedded strings from Pure Crypter samples
Distribution and Pricing
Pure Crypter is marketed on hacking forums, primarily Hackforums[.]net, where the vendor 'PureCoder' sells the malware through tiered subscriptions: $159 for three months, $399 for one year, or $799 for lifetime access (Figure 1).
Figure 1 – Pure Coder’s sales thread on HackForums[.]net
The distribution of Pure Crypter is facilitated through an automated Telegram channel, @ThePureBot. This distribution platform serves as a centralized marketplace for the broader Pure malware suite, which encompasses:
Pure Miner
Pure RAT (Remote Access Trojan)
Pure Logs Stealer
Pure Clipper
Blue Loader
The automated system streamlines the procurement and delivery process for threat actors seeking access to these malicious tools.
Figure 2 – @ThePureBot telegram bot that facilitates distribution
Following the purchase of Pure Crypter, customers receive automated updates via @ThePureBot containing antivirus detection analytics from avcheck[.]net. This platform is preferred by crypter developers for its discrete scanning capabilities, as it does not share analyzed samples with antivirus or EDR vendors—a practice that would otherwise increase detection rates.
The dissemination of these scan results serves a dual purpose: marketing effectiveness and operational validation. The results demonstrate Pure Crypter's ability to generate "FUD" (Fully UnDetected) payloads, a critical metric for threat actors seeking to maximize successful execution rates on target systems. This capability is particularly valuable in the malware marketplace, as lower detection rates correlate directly with higher successful infection rates on victim endpoints.
Figure 3 – Scan results disseminated by @ThePureBot
Deceptive Marketing
Analysis of avcheck[.]net results, as illustrated in the figure below, indicates zero detections across AV/EDR platforms for the crypted sample. However, our research reveals significant discrepancies between these marketed results and real-world detection rates.
Through empirical testing, we uploaded multiple samples of new Pure Crypter stubs to VirusTotal for comparative analysis. The findings demonstrated that even with newly generated stubs, a minimum of 20 AV/EDR solutions successfully detected the malware.
This substantial disparity leads to two critical conclusions:
The reliability of avcheck[.]net as a detection testing platform is questionable, producing results that do not align with actual detection rates.
The Pure product group appears to be leveraging these misleading results in their marketing strategy, potentially deceiving customers about the crypter's effectiveness to encourage subscription renewals.
Figure 4 – "FUD” scan results from avcheck[.]net
Operational Security Measures
Prior to purchasing Pure Crypter, users are required to acknowledge a Terms of Service (ToS) agreement, as shown in the figure below. This ToS requirement serves a specific purpose within the operational context of Hackforums[.]net, where the explicit sale of malicious software is prohibited.
The implementation of this ToS agreement appears to be a calculated measure by PureCoder to maintain their presence on Hackforums[.]net while circumventing the platform's restrictions on malicious software distribution. This procedural formality demonstrates the vendor's attempt to establish a veneer of legitimacy, despite the tool's intended malicious purpose.
Figure 5 – Pure Crypter ToS agreement
Pure Crypter GUI
The PureCrypter graphical user interface (GUI) can be seen in the figures below and provides an intuitive environment for payload manipulation. The interface facilitates payload loading through two primary vectors: direct file system access or URL-based retrieval.
Usage limitations are implemented through a quota system:
Executable Files (.exe): 30 packing operations per 24-hour period
Alternative Formats (e.g., .vbs): 3 packing operations per 24-hour period
This quota system appears to be designed to prevent abuse while maintaining service availability for the intended userbase. The streamlined interface reduces technical barriers to entry, enabling users to conduct packing operations without extensive technical expertise.
Figure 6 – Pure Crypter Input Payload Menu
As illustrated in the figure below, PureCrypter's configuration interface presents users with an extensive array of evasion and persistence options designed to enhance payload efficacy. A non-exhaustive list of some of the available features include:
These modular options enable users to implement multiple layers of defense evasion and detection avoidance techniques within the packed payload. Each feature can be selectively enabled to create customized evasion profiles based on the target environment.
Figure 7 – Pure Crypter Payload Behavior Menu
Pure Crypter Analysis
In early stages of the unpacking process, the Pure Crypter stub loads/decrypts an assembly that handles storing of decrypted strings in the application domain cache via the AppDomain.SetData() method.
This assembly also serves to bypass dynamic string resolution by tools like SimpleAssemblyExplorer, however simply renaming the assembly in a tool like DnSpyEx and saving changes is enough to bypass this check. After the SetData() method is called, GetData() is used throughout to resolve decrypted strings via index on an as-needed basis.
Figure 8 – Check for dynamic string resolution tools, storing strings in appdomain cache
The main method of Pure Crypter begins with decrypting, decompressing, and deserializing a byte array that contains the malware configuration as a Protobufs-serialized message. This configuration stores several booleans that determine whether or not to execute optional methods, as well as strings used throughout and encrypted/compressed payloads.
Figure 9 – Decrypt and deserialize Protobufs-based malware configuration
After deserializing the malware configuration, several optional methods are called, beginning with preventing multiple instances of the loader from running at the same time via mutex. The name of the mutex is specified by a string variable specified in the malware configuration.
Figure 10 – ”Single Instance” feature that uses Mutex
The next optional method called executes several checks against virtual machines, usernames, and loaded modules.
The first uses CheckRemoteDebuggerPresent() API to determine if the process is being debugged:
Figure 11 – Check if debugger present via CheckRemoteDebuggerPresent API
The next checks if the parent process is cmd.exe (Command Prompt):
Figure 12 – Check if parent process is cmd.exe
The next checks use WMI queries “select * from Win32_BIOS” and “select * from Win32_ComputerSystem” searching for strings matching the regular expression, “VMware|VIRTUAL|A M I|Xen”:
Figure 13 – Check if virtual machine via WMI query against Win32_BIOS classFigure 14 – Check if virtual machine via WMI query against Win32_ComputerSystem class
This is followed by checks against loaded modules matching “SbieDll.dll” (Sandboxie DLL), and “cuckoomon.dll” (Cuckoo Sandbox DLL):
Figure 15 – Check if Sandboxie or Cuckoo sandbox DLL loaded into process
The final check involves checking if the height/width of the monitor is 1440 x 900 or 1024 x 768 (or less) and usernames: “john”, “anna”, and “xxxxxxxx”:
Figure 16 – Screen resolution and username checks
The next optional method disables the internet via the LOLBin ipconfig.exe. The purpose of this method is to prevent AV/EDR from communicating with their backend, whereby uploading the sample for analysis.
Figure 17 – “Disable Internet” feature that uses ipconfig /release
The optional Execution Delay feature makes use of the Windows API SleepEx to wait for a specified number of seconds.
Figure 18 – “Execution Delay” feature that uses SleepEx API
There are two options in Pure Crypter to disable AMSI:
The first technique involves patching the AmsiScanBuffer API in memory with the following bytes:
B8 57 00 07 80 C3
Figure 19 - Instructions used in patching AmsiScanBuffer (64-bit)
B8 57 00 07 80 C2 18 00
Figure 20 - Instructions used in patching AmsiScanBuffer (32-bit)Figure 21 – AMSI bypass by patching AmsiScanBuffer
The next AMSI bypass technique involves patching the EtwEventWrite API in memory with the following bytes:
C3
Figure 22 - Instruction used in patching EtwEventWrite (64-bit)
C2 14 00
Figure 23 - Instruction used in patching EtwEventWrite (32-bit)
Figure 24 – AMSI bypass by patching EtwEventWrite
The next optional method is the “Dll Unhooking” feature within Pure Crypter, which serves to load “clean” copies of kernel32.dll (Windows 10 or higher) and ntdll.dll, effectively bypassing any hooks already put in place by AV/EDR.
Figure 25 – ”DLL Unhooking” feature
The next optional method makes use of PowerShell to add an exclusion to Windows Defender, effectively causing Windows Defender to ignore the loader and/or persisted loader executable.
Figure 26 – Windows Defender exclusion via encoded PowerShell command
The next optional method supports running arbitrary PowerShell command supplied by the threat actor:
Figure 27 – "Run Powershell" feature in Pure Crypter
The next methods handle persistence, where persistence is achieved by writing the loader into a specified directory from the config and then setting up persistence via Run key, scheduled task, or VBScript (.vbs) in the user’s startup folder.
Junk data around 260 – 300 MB may also be applied to the file if configured. This is an optional setting but would effectively cause issues with AV/EDR as they have file size limitations on uploads to their backend.
The next optional method corresponds to the “Anti File Delete” feature in Pure Crypter. This technique involves opening a file handle with FILE_SHARE_READ permissions only and having explorer.exe receive the handle via the Windows API DuplicateHandle().
Figure 30 – “Anti File Delete” feature in Pure Crypter
Pure Crypter supports three methods for executing a payload, which are described below.
“Reflection” - This method supports only .NET PE files, which are loaded and invoked as shown in the figure below.
Figure 31 – ”Reflection” injection feature in Pure Crypter
“RunPE” - RunPE , also known as Process Hollowing, is a process injection technique that involves creating a process in a suspended state, unmapping the main section, overwriting it, setting thread context, and resuming the thread. This is accomplished via the Windows APIs: GetThreadContext, ReadProcessMemory, ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, and NtResumeThread.
Figure 32 – ”RunPE” injection feature in Pure Crypter
The figure below displays the logic used to determine if the victim machine is on build 26100 (24H2) or newer. This is a new addition to Pure Crypter and was added in January 2025 due to changes in Windows 24H2 that effectively prevents process hollowing.
Figure 33 – Check if Windows 11 24H2 or newer
If the victim machine was in fact 24H2 or newer, the Windows API NtManageHotPatch is patched in memory for process hollowing to succeed. The bytes used in the patching process and other information about this technique are described in depth by security researcher Hasherezade in her blog post here.
Figure 34 – Patch NtManageHotPatch
Parent process spoofing is handled by the method shown in the figure below, which calls the following APIs:
OpenProcess – Acquire handle to parent process to spoof.
InitializeProcThreadAttributeList – Initializes the specified list of attributes for process and thread creation.
UpdateProcThreadAttribute – Updates the parent process attribute.
Figure 35 – Parent process spoofing
“Shellcode” - Shellcode is written to memory and executed via the following Windows API calls:
VirtualAlloc – Allocate memory for shellcode.
Marshall.Copy –- Write shellcode to memory.
VirtualProtect – Change permissions of memory to allow execution.
CreateThread – Create a thread to execute the shellcode.
WaitForSingleObject – Pause execution of current thread for INFINITE.
Figure 36 – “Shellcode” injection technique in Pure Crypter
PureCrypterPunisher
We developed a tool known as PureCrypterPunisher to automate the process of extracting payloads, the Protobufs-based malware configuration, and string decryption/writing a new assembly that can be reversed easily. The tool is available for download here.
The figure below shows the tool’s usage instructions. Note, you will need to run other tooling first, such as .NET Reactor Slayer (un-check Decrypt Resources) and other tooling like de4dot first prior to using this tool.
Figure 37 – PureCrypterPunisher usage
An annotated sample of the Protobufs-based malware configuration values can be seen in the figure below.
Our analysis provides insights into current crypter marketing tactics and Pure Crypter's comprehensive feature set that modern threat actors leverage for malware deployment.
Security researchers can leverage the technical analysis and screenshots to understand Pure Crypter's GUI interface, operational quotas, and payload manipulation capabilities, enabling more effective detection and response strategies.
This also reveals the deceptive marketing practices employed by crypter developers, specifically how avcheck[.]net results are used to misrepresent detection rates.
We further demonstrate the sophisticated distribution infrastructure utilizing Telegram bots (@ThePureBot) for automated delivery, updates, and marketing of the broader Pure malware suite, including Pure Miner, Pure RAT, Pure Logs Stealer, and Blue Loader.
Lastly, this exposes the operational security measures implemented by malware vendors to maintain presence on clear web forums, such as the implementation of Terms of Service agreements to circumvent platform restrictions on malicious software sales.
How eSentire is Responding
The eSentire Threat Response Unit (TRU) combines threat intelligence gained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Conducting global threat hunts to identify potential Pure Crypter infections or indicators of compromise across our customer base, ensuring early detection and mitigation of threats.
Maintaining continuous threat intelligence monitoring through our Threat Response Unit (TRU), which allows us to stay ahead of Pure Crypter updates and adapt our MDR for Endpoint and MDR for Network capabilities to address new variants and attack methods.
Developing and implementing custom detection rules and prevention measures across our MDR platform to identify and block Pure Crypter's unique signatures, injection techniques, and associated malicious behaviors.
Our detection content is supported by investigation runbooks, ensuring our 24/7 SOC Cyber Analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.
Recommendations from the Threat Response Unit (TRU):
Disable wscript.exe via AppLocker GPO or Windows Defender Application Control (WDAC):
C:\Windows\System32\WScript.exe
C:\Windows\Syswow64\WScript.exe
*:\Windows\System32\WScript.exe (* represents wildcard to include other drive letter rather than C drive)
*:\Windows\SysWOW64\WScript.exe (* represents wildcard to include other drive letter rather than C drive)
Redirect the default Open With action of suspicious file extensions via GPO “User Configuration > Preferences > Control Panel > Settings” to a benign program like notepad.exe:
Right-click on Folder Options and navigate to New > Open With, type in the file extension to redirect and specify C:\Windows\notepad.exe.
Note, we recommend redirecting the following file extensions: js, jse, vbs, vbe, wsf, hta, and wsh.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
![Figure 1 – Pure Coder’s sales thread on HackForums[.]net](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/Pure-Crypter-Malware-Analysis-Figure-1.png)
![Figure 4 – "FUD” scan results from avcheck[.]net](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/Pure-Crypter-Malware-Analysis-Figure-4.png)
