
PureCrypter Loader Found Infecting Government Entities with Various Malware

The relatively new PureCrypter malware loader has resurfaced in a campaign built around evasion, delivering a range of trojans and ransomware. Researchers report that an unidentified threat actor is using the loader to target government entities across the Asia-Pacific and North American regions.

Infecting victims

The infection chain begins with a phishing email carrying a URL to the Discord app, which hosts the payload.
  • The link leads to a malicious password-protected ZIP file whose contents download the PureCrypter loader.
  • Once deployed, the loader uses the domain of a compromised non-profit organization as its C2 server to fetch the second-stage payloads.
  • The second-stage malware includes Redline Stealer, AgentTesla, Eternity, Blackmoon, and Philadelphia ransomware.

The goal of the campaign appears to be the theft of a wide range of sensitive information, including system details, from the victims.
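The delivery chain above is the stage where defenders have the most leverage, so here is an added example, written for this page rather than taken from the researchers' tooling or from PureCrypter itself, of two checks a mail or proxy gateway could run: flagging Discord attachment URLs in log lines, and recognising a password-protected ZIP that carries an executable without extracting it. The log format, host names, attachment IDs and extension lists are assumptions made for illustration.

```python
import io
import re
import zipfile
from typing import Dict, List

# Discord CDN hosts that serve user-uploaded attachments (assumption: these are
# the usual attachment paths; extend the list for other hosting abuse).
DISCORD_ATTACHMENT_RE = re.compile(
    r"https?://(?:cdn\.discordapp\.com|media\.discordapp\.net)"
    r"/attachments/\d+/\d+/(?P<name>[^\s<>]+)",
    re.IGNORECASE,
)

# Extensions worth flagging at the delivery stage (assumption, tune to your fleet).
ARCHIVE_EXTS = (".zip", ".rar", ".7z")
EXECUTABLE_EXTS = (".exe", ".scr", ".dll", ".bat", ".js", ".vbs", ".ps1", ".lnk")

# Constructed proxy-log lines in a made-up format; IDs and host names are fictional.
SAMPLE_PROXY_LOG = """\
2023-02-20T09:14:02Z host=WKS-041 GET https://cdn.discordapp.com/attachments/1089/7781/Invoice_2023.zip 200
2023-02-20T09:14:30Z host=WKS-041 GET https://www.example.org/news.html 200
2023-02-20T09:15:11Z host=WKS-017 GET https://media.discordapp.net/attachments/1089/7799/update.exe?size=large 200
"""


def find_discord_attachment_urls(text: str) -> List[Dict[str, str]]:
    """Return every Discord attachment URL in `text` with its file name and a verdict."""
    hits = []
    for m in DISCORD_ATTACHMENT_RE.finditer(text):
        name = m.group("name").split("?", 1)[0]  # drop any query string
        lower = name.lower()
        if lower.endswith(ARCHIVE_EXTS):
            verdict = "archive"
        elif lower.endswith(EXECUTABLE_EXTS):
            verdict = "executable"
        else:
            verdict = "other"
        hits.append({"url": m.group(0), "name": name, "verdict": verdict})
    return hits


def inspect_zip(data: bytes) -> Dict[str, object]:
    """Inspect ZIP bytes without extracting anything.

    Bit 0 of each entry's general-purpose flag marks it as encrypted
    (password-protected). The central directory is never encrypted, so a
    gateway can flag the archive before anyone types the password in.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    encrypted = [i.filename for i in infos if i.flag_bits & 0x1]
    executables = [i.filename for i in infos
                   if i.filename.lower().endswith(EXECUTABLE_EXTS)]
    return {
        "entries": [i.filename for i in infos],
        "password_protected": bool(encrypted),
        "executables": executables,
        # The combination the delivery chain relies on: an encrypted archive
        # carrying an executable.
        "suspicious": bool(encrypted) and bool(executables),
    }


def make_sample_zip(encrypted: bool) -> bytes:
    """Build a constructed sample archive holding a fake PE stub (not real malware).

    The standard library cannot write encrypted entries, so the encrypted
    variant is produced by setting bit 0 of the general-purpose flag in both
    the local file header (offset 6) and the central-directory entry (offset 8),
    which is exactly the field inspect_zip() reads.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Invoice_2023.exe", b"MZ" + b"\x00" * 62)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.find(b"PK\x03\x04") + 6] |= 0x1
        data[data.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(data)


if __name__ == "__main__":
    for hit in find_discord_attachment_urls(SAMPLE_PROXY_LOG):
        print(f"{hit['verdict']:10} {hit['name']}  <- {hit['url']}")
    print(inspect_zip(make_sample_zip(encrypted=True)))
```

Neither check depends on a signature for the loader itself: the URL check keys on the hosting pattern, and the archive check keys on the structural fact that an encrypted entry cannot be scanned by content, so the archive deserves quarantine until a human can vouch for it.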

Look back on PureCrypter

The loader was first advertised on the dark web in March 2021, but it was in 2022 that it was observed actively distributing other malware.
  • In June 2022, the operators updated the loader's features to widen its reach; one addition was support for Telegram as a channel for spreading malware.
  • In August 2022, PureCrypter was seen delivering more than 10 different malware families through hundreds of C2 servers and IP addresses, including Raccoon Stealer as well as AzoRult, Remcos, PureMiner, and PureClipper.

Ending notes

Because the campaign relies on phishing emails for initial access, organizations can block and hunt for the malicious IP addresses and other IOCs associated with it to stop the attack at its first stage. Researchers continue to monitor the latest PureCrypter activity; in the meantime, government entities are advised to take the necessary security measures to protect their critical infrastructure.
Cyware Publisher