Throughout 2024 and 2025, eSentire's Threat Response Unit (TRU) has conducted extensive surveillance of Pure Crypter, a malware-as-a-service (MaaS) loader that has emerged as the preferred choice for diverse threat actors targeting Windows-based systems.
The loader has been particularly prevalent in deploying information stealers such as Lumma and Rhadamanthys, primarily utilizing the ClickFix initial access vector. With the release of Windows 11 24H2, Microsoft attempted to crack down on malware loaders by preventing Process Hollowing based injection.
However, Pure Crypter's developers, along with other malware authors, found an elementary bypass by simply patching the NtManageHotPatch API in memory.
The widespread adoption of Pure Crypter across multiple industries signifies its strategic importance in the current threat landscape. In response, this technical analysis serves two primary objectives:
Pure Crypter is marketed on hacking forums, primarily Hackforums[.]net, where the vendor 'PureCoder' sells the malware through tiered subscriptions: $159 for three months, $399 for one year, or $799 for lifetime access (Figure 1).
The distribution of Pure Crypter is facilitated through an automated Telegram channel, @ThePureBot. This distribution platform serves as a centralized marketplace for the broader Pure malware suite, which encompasses:
The automated system streamlines the procurement and delivery process for threat actors seeking access to these malicious tools.
Following the purchase of Pure Crypter, customers receive automated updates via @ThePureBot containing antivirus detection analytics from avcheck[.]net. This platform is preferred by crypter developers for its discreet scanning capabilities, as it does not share analyzed samples with antivirus or EDR vendors, a practice that would otherwise increase detection rates.
The dissemination of these scan results serves a dual purpose: marketing effectiveness and operational validation. The results demonstrate Pure Crypter's ability to generate "FUD" (Fully UnDetected) payloads, a critical metric for threat actors seeking to maximize successful execution rates on target systems. This capability is particularly valuable in the malware marketplace, as lower detection rates correlate directly with higher successful infection rates on victim endpoints.
Analysis of avcheck[.]net results, as illustrated in the figure below, indicates zero detections across AV/EDR platforms for the crypted sample. However, our research reveals significant discrepancies between these marketed results and real-world detection rates.
Through empirical testing, we uploaded multiple samples of new Pure Crypter stubs to VirusTotal for comparative analysis. The findings demonstrated that even with newly generated stubs, a minimum of 20 AV/EDR solutions successfully detected the malware.
This substantial disparity leads to two critical conclusions:
Prior to purchasing Pure Crypter, users are required to acknowledge a Terms of Service (ToS) agreement, as shown in the figure below. This ToS requirement serves a specific purpose within the operational context of Hackforums[.]net, where the explicit sale of malicious software is prohibited.
The implementation of this ToS agreement appears to be a calculated measure by PureCoder to maintain their presence on Hackforums[.]net while circumventing the platform's restrictions on malicious software distribution. This procedural formality demonstrates the vendor's attempt to establish a veneer of legitimacy, despite the tool's intended malicious purpose.
The PureCrypter graphical user interface (GUI) can be seen in the figures below and provides an intuitive environment for payload manipulation. The interface facilitates payload loading through two primary vectors: direct file system access or URL-based retrieval.
Usage limitations are implemented through a quota system:
This quota system appears to be designed to prevent abuse while maintaining service availability for the intended userbase. The streamlined interface reduces technical barriers to entry, enabling users to conduct packing operations without extensive technical expertise.
As illustrated in the figure below, PureCrypter's configuration interface presents users with an extensive array of evasion and persistence options designed to enhance payload efficacy. A non-exhaustive list of some of the available features include:
These modular options enable users to implement multiple layers of defense evasion and detection avoidance techniques within the packed payload. Each feature can be selectively enabled to create customized evasion profiles based on the target environment.
In the early stages of the unpacking process, the Pure Crypter stub loads/decrypts an assembly that handles storing decrypted strings in the application domain cache via the AppDomain.SetData() method.
This assembly also serves to defeat dynamic string resolution by tools like SimpleAssemblyExplorer; however, simply renaming the assembly in a tool like dnSpyEx and saving the changes is enough to bypass this check. After the SetData() method is called, GetData() is used throughout to resolve decrypted strings by index on an as-needed basis.
The main method of Pure Crypter begins with decrypting, decompressing, and deserializing a byte array that contains the malware configuration as a Protobufs-serialized message. This configuration stores several booleans that determine whether or not to execute optional methods, as well as strings used throughout and encrypted/compressed payloads.
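Because the configuration is a Protobuf message, an analyst can walk its wire format without the schema (the way protoc --decode_raw does) and separate the boolean switches, the strings and the embedded payload blobs before mapping them onto the annotated configuration layout. The Python decoder below is an added example, not eSentire's PureCrypterPunisher or any code from the post; the sample message, its field numbers and the mutex name are constructed, and the decryption and decompression steps that precede deserialization are assumed to have been done already.

```python
def read_varint(buf, pos):
    """Decode a base-128 varint starting at pos; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def decode_raw(buf):
    """Schema-less walk of a protobuf message -> list of (field_no, wire_type, value).
    Wire types: 0 varint (bools/ints), 1 fixed64, 2 length-delimited, 5 fixed32."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field_no, wtype = key >> 3, key & 7
        if wtype == 0:
            value, pos = read_varint(buf, pos)
        elif wtype == 1:
            value, pos = int.from_bytes(buf[pos:pos + 8], "little"), pos + 8
        elif wtype == 2:
            length, pos = read_varint(buf, pos)
            raw = buf[pos:pos + length]
            pos += length
            try:                      # printable UTF-8 -> str (mutex names, paths, commands)
                value = raw.decode("utf-8")
                if not value.isprintable():
                    raise ValueError
            except (UnicodeDecodeError, ValueError):
                value = raw           # otherwise keep bytes (encrypted/compressed payloads)
        elif wtype == 5:
            value, pos = int.from_bytes(buf[pos:pos + 4], "little"), pos + 4
        else:
            raise ValueError(f"unsupported wire type {wtype} at offset {pos}")
        fields.append((field_no, wtype, value))
    return fields

def bucket(fields):
    """Group decoded fields into the three kinds the config analysis distinguishes."""
    return {"switches": [(n, v) for n, t, v in fields if t == 0 and v in (0, 1)],
            "strings": [(n, v) for n, t, v in fields if isinstance(v, str)],
            "blobs": [(n, len(v)) for n, t, v in fields if isinstance(v, bytes)]}

# Constructed message (hypothetical field numbers, not Pure Crypter's real layout):
# field 1 varint 1 (a boolean switch), field 2 string (mutex name),
# field 3 bytes (stand-in for an embedded payload), field 4 varint 300 (AC 02).
SAMPLE_CONFIG = (bytes.fromhex("0801") + b"\x12\x10Global\\PureMutex"
                 + b"\x1a\x04MZ\x90\x00" + bytes.fromhex("20ac02"))
```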
After deserializing the malware configuration, several optional methods are called, beginning with preventing multiple instances of the loader from running at the same time via a mutex. The mutex name is a string taken from the malware configuration.
The next optional method called executes several checks against virtual machines, usernames, and loaded modules.
The first uses CheckRemoteDebuggerPresent() API to determine if the process is being debugged:
The next checks if the parent process is cmd.exe (Command Prompt):
The next checks use WMI queries “select * from Win32_BIOS” and “select * from Win32_ComputerSystem” searching for strings matching the regular expression, “VMware|VIRTUAL|A M I|Xen”:
This is followed by checks against loaded modules matching “SbieDll.dll” (Sandboxie DLL), and “cuckoomon.dll” (Cuckoo Sandbox DLL):
The final check looks at whether the monitor resolution is 1440 x 900 or 1024 x 768 (or less) and whether the username is “john”, “anna”, or “xxxxxxxx”:
The next optional method disables the internet via the LOLBin ipconfig.exe. The purpose of this method is to prevent AV/EDR from communicating with their backend and thereby uploading the sample for analysis.
The optional Execution Delay feature makes use of the Windows API SleepEx to wait for a specified number of seconds.
There are two options in Pure Crypter to disable AMSI:
The first technique involves patching the AmsiScanBuffer API in memory with the following bytes:
B8 57 00 07 80 C3
B8 57 00 07 80 C2 18 00
The next AMSI bypass technique involves patching the EtwEventWrite API in memory with the following bytes:
C3
C2 14 00
The next optional method is the “Dll Unhooking” feature within Pure Crypter, which serves to load “clean” copies of kernel32.dll (Windows 10 or higher) and ntdll.dll, effectively bypassing any hooks already put in place by AV/EDR.
The next optional method makes use of PowerShell to add an exclusion to Windows Defender, effectively causing Windows Defender to ignore the loader and/or persisted loader executable.
The next optional method supports running an arbitrary PowerShell command supplied by the threat actor:
The next methods handle persistence, where persistence is achieved by writing the loader into a specified directory from the config and then setting up persistence via Run key, scheduled task, or VBScript (.vbs) in the user’s startup folder.
If configured, around 260 to 300 MB of junk data may also be appended to the file. This optional setting interferes with AV/EDR products, which impose file size limits on uploads to their backend.
The next optional method corresponds to the “Anti File Delete” feature in Pure Crypter. This technique involves opening a file handle with FILE_SHARE_READ permissions only and having explorer.exe receive the handle via the Windows API DuplicateHandle().
Pure Crypter supports three methods for executing a payload, which are described below.
“Reflection” - This method supports only .NET PE files, which are loaded and invoked as shown in the figure below.
“RunPE” - RunPE, also known as Process Hollowing, is a process injection technique that involves creating a process in a suspended state, unmapping the main section, overwriting it, setting thread context, and resuming the thread. This is accomplished via the Windows APIs: GetThreadContext, ReadProcessMemory, ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, and NtResumeThread.
The figure below displays the logic used to determine whether the victim machine is on build 26100 (24H2) or newer. This is a new addition to Pure Crypter, added in January 2025 because of changes in Windows 24H2 that effectively prevent process hollowing.
If the victim machine was in fact 24H2 or newer, the Windows API NtManageHotPatch is patched in memory for process hollowing to succeed. The bytes used in the patching process and other information about this technique are described in depth by security researcher Hasherezade in her blog post here.
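From a detection standpoint, the API chain above is the useful artifact: an API trace from a sandbox or EDR showing CreateProcess with CREATE_SUSPENDED followed, in order, by the seven calls listed is a strong RunPE indicator whatever process is hollowed. The Python below is an added example, not eSentire's detection content or code from the post; its trace line format and the sample trace are constructed, and the target image names are placeholders.

```python
import re
from collections import defaultdict

# RunPE call chain from the analysis above; other calls may be interleaved,
# but these must appear in this order within a single process.
RUNPE_CHAIN = ["GetThreadContext", "ReadProcessMemory", "ZwUnmapViewOfSection",
               "VirtualAllocEx", "WriteProcessMemory", "SetThreadContext",
               "NtResumeThread"]
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess

LINE_RE = re.compile(r"^pid=(?P<pid>\d+)\s+api=(?P<api>\S+)(?P<args>.*)$")

def parse_trace(text):
    """Parse constructed 'pid=N api=Name key=val ...' lines -> {pid: [(api, args), ...]}."""
    calls = defaultdict(list)
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        api = m["api"]
        if len(api) > 1 and api[-1] in "AW":   # fold CreateProcessA/W into CreateProcess
            api = api[:-1]
        args = dict(kv.split("=", 1) for kv in m["args"].split() if "=" in kv)
        calls[int(m["pid"])].append((api, args))
    return calls

def detect_runpe(calls):
    """Return pids that created a suspended process and then completed the RunPE chain."""
    hits = []
    for pid, seq in calls.items():
        suspended = any(api == "CreateProcess"
                        and int(args.get("flags", "0"), 16) & CREATE_SUSPENDED
                        for api, args in seq)
        nxt = 0
        for api, _ in seq:              # ordered subsequence match, gaps allowed
            if nxt < len(RUNPE_CHAIN) and api == RUNPE_CHAIN[nxt]:
                nxt += 1
        if suspended and nxt == len(RUNPE_CHAIN):
            hits.append(pid)
    return hits

# Constructed trace: pid 4120 follows the full chain, pid 5001 does not.
SAMPLE_TRACE = """
pid=4120 api=CreateProcessW image=<target.exe> flags=0x4
pid=4120 api=GetThreadContext
pid=4120 api=ReadProcessMemory
pid=4120 api=ZwUnmapViewOfSection
pid=4120 api=VirtualAllocEx
pid=4120 api=WriteProcessMemory
pid=4120 api=SetThreadContext
pid=4120 api=NtResumeThread
pid=5001 api=CreateProcessW image=<other.exe> flags=0x0
pid=5001 api=WriteProcessMemory
pid=5001 api=NtResumeThread
"""
```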
Parent process spoofing is handled by the method shown in the figure below, which calls the following APIs:
“Shellcode” - Shellcode is written to memory and executed via the following Windows API calls:
We developed a tool known as PureCrypterPunisher to automate the process of extracting payloads, the Protobufs-based malware configuration, and string decryption/writing a new assembly that can be reversed easily. The tool is available for download here.
The figure below shows the tool’s usage instructions. Note that other tooling, such as .NET Reactor Slayer (with Decrypt Resources un-checked) and de4dot, must be run before using this tool.
An annotated sample of the Protobufs-based malware configuration values can be seen in the figure below.
The eSentire Threat Response Unit (TRU) combines threat intelligence gained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Our detection content is supported by investigation runbooks, ensuring our 24/7 SOC Cyber Analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.