PureCrypter is a fully-featured loader being sold since March 2021. While the primary goal of the malware loader is to distribute RATs and information stealers, the operators have added new functionalities to perform more notorious activities.

More about PureCrypter

  • PureCrypter malware loader is being sold by a threat actor that goes by the name ‘PureCoder’.
  • It first appeared in March 2021 and has since been put for sale at a price of $59.
  • Written in .NET language and obfuscated with SmartAssembly, the loader makes use of compression and encryption to evade detection by antivirus software.
  • Its features provide persistence, injection, and defense mechanism that are configurable in Google’s Protocol Buffer message format.

Overview of malware distributed

  • As observed by ThreatLabz, PureCrypter has been used for distributing a variety of malware. This includes AgentTesla, Arkei, AsyncRAT, Azorult, DcRAT, LokiBotStealer, Nanocore, RedLine Stealer, Remcos, Snake Keylogger, and Warzone RAT. 
  • Usually, these malware strains are delivered by PureCrypter in the second stage of the infection process. 

What’s the new update?

  • Its operators have recently updated the features of the malware loader to target more resources.
  • One of these functionalities can enable them to use Telegram as a channel to send malware.  
  • An additional feature includes extra anti-analysis techniques to bypass virtual machines from Microsoft and VMware.


PureCrypter is still under development and is being improved with new capabilities to target more entities. Researchers note that one thing which makes the malware loader stand out is its capability to use Google’s protocol format to make it more difficult for static antivirus engines to detect.  

Cyware Publisher