Sophisticated Malware Targets US Accounting Firm

A sophisticated attack against a US-based certified public accounting firm has been detailed in a recent report by the Threat Response Unit (TRU) at eSentire.

The attack used a novel crypter named “Ghost Crypt” to deliver the PureRAT malware, combining heavy obfuscation with an injection technique dubbed “Process Hypnosis.”

This campaign illustrates the evolving tactics of cyber criminals and underlines the need for robust cyber security measures.

Deceptive Entry Point

The attack began with a cunning social engineering tactic. The threat actor, posing as a new client, sent a PDF containing a link to a Zoho WorkDrive folder hosting malicious ZIP files. To ensure execution, the attacker then contacted the victim directly, creating urgency by asking for the file to be extracted and run immediately. The ZIP archive contained an executable disguised with a double extension (.pdf.exe) alongside a renamed DLL; when the executable ran it sideloaded that DLL, which decrypted PureRAT and injected it into csc.exe, the .NET C# compiler that ships with Windows.

This deceptive approach exemplifies the growing reliance on social engineering to bypass initial security defences.
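As an added example (not code from the eSentire report or from this article), the following Python applies the checks a mail or download triage pipeline would run on an archive like the one in this lure: a decoy document extension placed in front of an executable one (.pdf.exe), files whose bytes are a PE image regardless of what the name claims, and an EXE shipped beside a DLL in the same folder, which is the layout DLL sideloading depends on. The sample archive is constructed inline and its file names (Engagement_Letter.pdf.exe, helper.dll) are hypothetical, not the names used in the campaign.

```python
import io
import zipfile

# Extensions Windows runs as native code, and the document/image extensions an attacker
# puts in front of them so that Explorer (which hides known extensions) shows a "PDF".
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def parent_dir(name: str) -> str:
    return name.rsplit("/", 1)[0] if "/" in name else ""


def last_ext(name: str) -> str:
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""


def is_double_extension(name: str) -> bool:
    """True for names like Invoice.pdf.exe: a decoy extension right before an executable one."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 3:
        return False
    return "." + parts[-1] in EXECUTABLE_EXTS and "." + parts[-2] in DECOY_EXTS


def looks_like_pe(data: bytes) -> bool:
    """Check the PE layout: 'MZ' DOS header and e_lfanew (offset 0x3C) pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_zip(archive: bytes) -> dict:
    """Inspect an archive in memory and report the lure patterns described above."""
    findings = {"double_extension": [], "pe_with_non_exec_ext": [], "sideload_pairs": []}
    exes, dlls = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            name = member.filename
            with zf.open(member) as fh:
                head = fh.read(0x400)   # headers are enough; nothing is extracted to disk
            if is_double_extension(name):
                findings["double_extension"].append(name)
            if looks_like_pe(head):
                ext = last_ext(name)
                if ext in EXECUTABLE_EXTS:
                    exes.append(name)
                elif ext == ".dll":
                    dlls.append(name)
                else:
                    findings["pe_with_non_exec_ext"].append(name)  # PE behind a harmless extension
    # An EXE and a DLL in the same directory is the layout sideloading relies on: the
    # (often legitimate, signed) EXE resolves the DLL by name from its own folder first.
    for exe in exes:
        for dll in dlls:
            if parent_dir(exe) == parent_dir(dll):
                findings["sideload_pairs"].append((exe, dll))
    return findings


def fake_pe() -> bytes:
    """Minimal bytes with a valid MZ/PE header layout (constructed test data, not a real binary)."""
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


def build_sample_zip() -> bytes:
    """Constructed archive mirroring the lure layout; the file names are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Engagement_Letter.pdf.exe", fake_pe())   # renamed legitimate EXE
        zf.writestr("helper.dll", fake_pe())                  # DLL the EXE will sideload
        zf.writestr("readme.txt", b"Please open the attached engagement letter.\r\n")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Q2_report.pdf", b"%PDF-1.7\n%constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
    print(triage_zip(build_benign_zip()))
```

The PE check matters more than the name check: a renamed legitimate binary such as the PDF reader used here passes reputation and signature checks, so the archive-level signal is the pairing of that binary with a DLL it will load by name, not anything about the EXE itself.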

Ghost Crypt: A New Crypter on the Block

Ghost Crypt, advertised on Hackforums since April 2025, is a crypter designed to evade major antivirus solutions. It employs a custom variant of the ChaCha20 encryption algorithm and supports sideloading of both EXE and DLL files. The crypter’s primary function is to obfuscate and deliver malicious payloads, making detection challenging. In this attack, Ghost Crypt facilitated the injection of PureRAT, a Remote Access Trojan (RAT) first observed in January 2023, which has seen a surge in infections throughout 2025.

The crypter’s ability to bypass security measures demonstrates its appeal to cyber criminals.

Process Hypnosis: Stealthy Injection Technique

The attack’s standout feature was the use of “Process Hypnosis,” a novel injection method that enhances stealth. The malware first calls the CreateProcessW API with the DEBUG_ONLY_THIS_PROCESS flag, which creates the target (csc.exe) as a debuggee of the malware’s own process; since Windows allows only one debugger per process, no other tool can attach while the payload is staged, and the sequence never uses the CREATE_SUSPENDED flag or a CreateRemoteThread call that injection detections typically key on. It then uses VirtualAllocEx to allocate memory in csc.exe with Read, Write and Execute (RWX) permissions and writes the PureRAT payload there with WriteProcessMemory. SetThreadContext then points the main thread’s instruction pointer at the PureRAT loader, and DebugActiveProcessStop detaches the debugger, which lets the hijacked thread run.

This method effectively cloaks the malware, complicating detection by security tools.
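The sequence described above contains none of the calls that classic injection rules key on, so what is distinctive is the order of the calls and the debugger relationship between creator and child that ties them together. The following Python, an added example rather than code from the report, runs that ordered-sequence check over a constructed API-call trace. The trace format is assumed (adapt the parser to whatever your EDR or sandbox emits); the constants are the documented Win32 values, DEBUG_ONLY_THIS_PROCESS = 0x2 and PAGE_EXECUTE_READWRITE = 0x40. A genuine debugger session and a classic CreateRemoteThread injection are included in the sample so the rule can be seen not firing on them.

```python
import re
from typing import Iterable

# Documented Win32 constants (winbase.h / winnt.h).
DEBUG_PROCESS = 0x00000001
DEBUG_ONLY_THIS_PROCESS = 0x00000002
PAGE_EXECUTE_READWRITE = 0x40

# The ordered call sequence of Process Hypnosis. Each entry is
# (API name, predicate over the parsed arguments that must hold for the call to count).
STAGES = [
    ("CreateProcessW", lambda a: bool(a.get("flags", 0) & (DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS))),
    ("VirtualAllocEx", lambda a: a.get("protect") == PAGE_EXECUTE_READWRITE),
    ("WriteProcessMemory", lambda a: True),
    ("SetThreadContext", lambda a: True),
    ("DebugActiveProcessStop", lambda a: True),
]

# Assumed trace format, one call per line: "<timestamp> pid=<caller> <API> key=value ...".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+(?P<api>\w+)(?P<rest>.*)$")
ARG_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str):
    """Parse one trace line into {ts, pid, api, args}; numeric args become ints (0x.. accepted)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = {}
    for key, raw in ARG_RE.findall(m.group("rest")):
        raw = raw.strip('"')
        try:
            args[key] = int(raw, 0)
        except ValueError:
            args[key] = raw
    return {"ts": m.group("ts"), "pid": int(m.group("pid")), "api": m.group("api"), "args": args}


def detect_process_hypnosis(lines: Iterable[str]) -> list:
    """Return one alert per (debugger pid, debuggee pid) pair that completes all five stages in order."""
    chains = {}   # (caller pid, child pid) -> list of (ts, api) matched so far
    images = {}
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        api, args = ev["api"], ev["args"]
        if api == "CreateProcessW":
            # Stage 1: a child created with a debug flag, which makes the caller its debugger.
            if STAGES[0][1](args) and "child" in args:
                key = (ev["pid"], args["child"])
                chains[key] = [(ev["ts"], api)]
                images[key] = args.get("image", "")
            continue
        key = (ev["pid"], args.get("target"))
        chain = chains.get(key)
        if chain is None:
            continue   # cross-process call by something that is not the target's debugger
        next_api, predicate = STAGES[len(chain)]
        if api == next_api and predicate(args):
            chain.append((ev["ts"], api))
            if len(chain) == len(STAGES):
                alerts.append({
                    "debugger_pid": key[0],
                    "debuggee_pid": key[1],
                    "image": images[key],
                    "first_ts": chain[0][0],
                    "last_ts": chain[-1][0],
                    "calls": [c[1] for c in chain],
                })
                del chains[key]
    return alerts


# Constructed trace: a real debugger session (pids 3000 -> 3001), the Process Hypnosis
# chain (4120 -> 5288) and a classic VirtualAllocEx/WriteProcessMemory/CreateRemoteThread
# injection (7000 -> 7100) that must not be reported as hypnosis.
SAMPLE_TRACE = [
    r'10:00:01.000 pid=3000 CreateProcessW image="C:\dev\app.exe" flags=0x00000002 child=3001',
    r'10:00:01.005 pid=3000 WaitForDebugEvent target=3001',
    r'10:00:01.006 pid=3000 ContinueDebugEvent target=3001 tid=3002',
    r'10:01:02.001 pid=4120 CreateProcessW image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" flags=0x00000002 child=5288',
    r'10:01:02.010 pid=4120 VirtualAllocEx target=5288 size=0x4a000 protect=0x40',
    r'10:01:02.011 pid=4120 WriteProcessMemory target=5288 size=0x49c00',
    r'10:01:02.012 pid=4120 SetThreadContext target=5288 tid=5292',
    r'10:01:02.013 pid=4120 DebugActiveProcessStop target=5288',
    r'10:02:00.000 pid=7000 VirtualAllocEx target=7100 size=0x1000 protect=0x40',
    r'10:02:00.001 pid=7000 WriteProcessMemory target=7100 size=0x800',
    r'10:02:00.002 pid=7000 CreateRemoteThread target=7100',
]

if __name__ == "__main__":
    for alert in detect_process_hypnosis(SAMPLE_TRACE):
        print(alert)
```

Keying the state on the (debugger, debuggee) pair is what keeps a legitimate debugger quiet: it creates its target with the same flag but never allocates RWX memory in it, and the classic injector never created its target at all, so neither reaches the VirtualAllocEx stage.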

PureRAT’s Malicious Capabilities

PureRAT, the successor to PureHVNC, is marketed by the underground vendor PureCoder and distributed via an automated Telegram channel, @ThePureBot. The malware targets sensitive data, scanning for cryptocurrency wallets like Ledger Live, Exodus, and Atomic Wallet, as well as browser extensions and messaging apps like Telegram.

Once installed, it establishes persistence through registry key entries and communicates with command-and-control (C2) servers to exfiltrate system details, user data, and hardware fingerprints. PureRAT’s ability to await further instructions, including plugin deployment, enhances its versatility, making it a potent tool for data theft and system compromise.

An Evolving Threat

The attack reflects broader trends in the cyber crime ecosystem. PureCoder, previously known for PureHVNC, has integrated its features into PureRAT, which is now their flagship offering. The malware is packed with .NET obfuscators like Eazfuscator.NET and .NET Reactor, using AES-256 and GZIP compression for added evasion. Additionally, the campaign leveraged legitimate software, such as Haihaisoft’s hpreader.exe, for DLL sideloading, highlighting the challenge of distinguishing benign tools from malicious ones.

The use of direct memory injection and API calls like SetThreadExecutionState to prevent system sleep further demonstrates the attack’s sophistication.

Defensive Measures

eSentire recommends several countermeasures to combat such threats.

  • Organisations should deploy Endpoint Detection and Response (EDR) solutions to detect and contain malicious activity.
  • Regular employee training on recognising social engineering tactics, such as urgent requests from unfamiliar sources, is crucial.
  • Implementing multi-factor authentication and using Next-Gen Antivirus (NGAV) can bolster defences. The article also lists restricting access to commands like osascript; osascript is a macOS scripting utility and does not apply to this Windows intrusion, where the equivalent control is restricting script hosts such as PowerShell and wscript.
  • eSentire’s PureCrypterPunisher tool aids in unpacking and analysing PureCrypter samples, offering security teams valuable insight.

This attack demonstrates the growing complexity of cyber threats, with tools like Ghost Crypt and PureRAT exploiting both technical weaknesses and human trust. As cyber criminals refine their tactics, businesses must prioritise proactive cyber security to safeguard sensitive data and maintain operational integrity.

Sources: eSentire  |  InfoSecurity Magazine

Image: Xavier Cee
