HeartCrypt
HeartCrypt is a packer-as-a-service (PaaS) obfuscation tool and loader used by multiple threat actors to hinder analysis and deliver additional malware. According to the cited reporting, Unit 42 named the loader HeartCrypt in 2024, and Sophos linked numerous campaigns to a shared HeartCrypt service rather than a single actor. HeartCrypt modifies legitimate PE executables and DLLs by injecting position-independent loader code near entry points, overwriting original code, and storing encrypted malicious payloads in added PE resources disguised as bitmap files. The loader is heavily obfuscated, uses anti-emulation checks such as attempting to load nonexistent DLLs and checking for emulator-only exports, and commonly protects payloads with XOR encryption using a static ASCII key. Observed APIs used for execution include CreateProcessW, VirtualAlloc, GetThreadContext, NtCreateThreadEx, and CreateRemoteThread.
Across the cited investigations, HeartCrypt was distributed through multiple infection chains, including phishing emails, password-protected ZIP archives hosted on Google Drive or Dropbox, DLL sideloading, and LNK/PowerShell downloaders. Sophos reported thousands of related samples, nearly 1,000 associated C2 servers, and impersonation of more than 200 software vendors, with targeting observed globally and Colombia noted as heavily affected in one dataset. Payloads delivered by HeartCrypt were commonly commodity RATs and stealers, including Lumma Stealer, AsyncRAT, and Rhadamanthys. Sophos also observed HeartCrypt-packed AVKiller payloads in ransomware incidents involving RansomHub and MedusaLocker, including a VMProtect-packed AV killer targeting ESET, HitmanPro, Kaspersky, Sophos, and Symantec products.
The content also links HeartCrypt to several actor ecosystems. It is described as a crypter/packer used by TAG-144 / Blind Eagle alongside PureCrypter and other crypters. A joint advisory cited in the content notes HeartCrypt as an obfuscation tool used by Akira threat actors. Sophos further reported that all observed variants of a new EDR-killer tool used by ransomware gangs including RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC were packed with HeartCrypt.
In a 2025 phishing campaign tracked by Sophos as STAC6405, a HeartCrypt-packed ZIP archive contained HideMouse.exe and 8776_6713.exe. HideMouse.exe replaced the system cursor with a transparent cursor to conceal attacker activity, while the HeartCrypt-packed infostealer delayed execution, injected into csc.exe, contacted 45[.]56.162.138, decrypted an encrypted payload at runtime using a TripleDES helper, and stole browser credentials, session artifacts, cryptocurrency wallet data, host information, security product information via WMI, and imaging/camera device details. Other HeartCrypt infection examples in the content include persistence via copying oversized files to user directories and establishing Windows Run key or rundll32-based startup execution.
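As an added illustration of the two loader traits described above (a payload stored in a resource disguised as a bitmap, protected with a repeating ASCII XOR key), here is triage code written for this page; it is not HeartCrypt's own code or any vendor's tooling. It flags a resource blob whose bitmap header does not fit its contents, then tries candidate ASCII keys against the body and returns the one that yields a PE. The sample resource and key are constructed; the 54-byte header skip, the candidate-key list (assumed to come from strings recovered during analysis) and the assumption that the decrypted payload is a PE are all assumptions.

```python
import struct

def xor_repeating(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR: the same call both encrypts and decrypts.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def bitmap_header_consistent(data: bytes) -> bool:
    """True only if the blob parses as a plausible .bmp whose size fields fit its length."""
    if len(data) < 54 or data[:2] != b"BM":
        return False
    file_size, _, _, off_bits = struct.unpack_from("<IHHI", data, 2)
    hdr_size, width, height, planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    if file_size != len(data) or hdr_size < 40 or planes != 1:
        return False
    if bpp not in (1, 4, 8, 16, 24, 32) or width <= 0 or height == 0:
        return False
    row_bytes = ((width * bpp + 31) // 32) * 4      # rows are 4-byte aligned
    return off_bits + row_bytes * abs(height) <= len(data)

def is_pe(data: bytes) -> bool:
    # MZ header plus a PE\0\0 signature where e_lfanew points.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_payload_key(resource: bytes, candidate_keys, skip: int = 54):
    """Return the first candidate ASCII key that turns the post-header bytes into a PE."""
    body = resource[skip:]
    for key in candidate_keys:
        if is_pe(xor_repeating(body, key)):
            return key
    return None

# Constructed sample data (not from a real sample): a minimal PE-shaped payload,
# XOR-encrypted with an ASCII key and wrapped in a bitmap header with a bogus size.
def build_fake_pe(size: int = 512) -> bytes:
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew -> offset 0x80
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)

def build_real_bmp() -> bytes:
    # A genuine 1x1 24-bpp bitmap for comparison: 14 + 40 header bytes + one row.
    return (struct.pack("<2sIHHI", b"BM", 58, 0, 0, 54)
            + struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 0, 0, 0, 0) + b"\0\0\0\0")

SAMPLE_KEY = b"ConstructedKey!"
SAMPLE_RESOURCE = b"BM" + b"\0" * 52 + xor_repeating(build_fake_pe(), SAMPLE_KEY)
```

Against a real sample the same two checks apply to each resource entry: a bitmap-typed resource that fails `bitmap_header_consistent` is worth pulling, and a key that makes it decode to a PE is worth adding to your detection notes.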
Groups observed using it
3 distinct threat actors attributed by public researchers.
We ultimately concluded that these cases were all connected to what has come to be known as the HeartCrypt packer-as-a-service (PaaS) operation.
Its tooling also involves crypters such as HeartCrypt, PureCrypter, and those developed by threat actors like “Roda” and “pjoao1578”...
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
This infection chain starts with a phishing email... The email claims to be from an Italian lawyer contacting the recipient about alleged copyright infringement...
The malicious content was hosted on a Google Drive in a password-protected ZIP archive; the password was included in the phishing email.
When the link to the PDF document is clicked, the following shortened URL is opened... This redirects to the following Dropbox download...
Execution
4 techniques
This PowerShell command downloads and executes another PowerShell script...
The identified cases of these campaigns... feature a LNK shortcut file, PowerShell, and batch scripts in the infection chain... The second is a downloader batch file...
Persistence
3 techniques
DarkTortilla can use cmd.exe to add registry keys for persistence. HeartCrypt can use the reg add command via cmd.exe for Registry modification. Ryuk has used cmd.exe to create a Registry entry to establish persistence.
It then proceeds to create a run key in the \SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry location... This copy is registered to run automatically at each system startup...
Privilege Escalation
3 techniques
In this case the code uses API functions such as CreateProcessW, VirtualAlloc, GetThreadContext, NtCreateThreadEx, and CreateRemoteThread to load and execute the final payload.
It then proceeds to create a run key in the \SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry location... This copy is registered to run automatically at each system startup...
Stealth
8 techniques
Code is highly obfuscated by hundreds of direct jumps and short calls... Junk bytes fill in the gap... The payload is encrypted by a XOR algorithm that uses a key consisting of ASCII characters.
Another, CardSpaceKiller, consistently appears across Akira, Medusa, and MedusaLocker attacks, packed using the VX Crypt packer-as-a-service.
Malware impersonating, subverting, and embedding itself in legitimate software applications... The executable was originally a CCleaner component... The impersonated carrier this time is a standalone Windows executable.
In this case the code uses API functions such as CreateProcessW, VirtualAlloc, GetThreadContext, NtCreateThreadEx, and CreateRemoteThread to load and execute the final payload.
registered for startup with the following command line: rundll32.exe C:\Users\{user}\OneDrive\Documents\AvivaUpdate_0001.dll,EntryPoint
it performs various anti-emulator checks by trying to load nonexistent dynamic link libraries... This sample then uses the anti-emulation technique... retrieving the address of a function exported by kernel32 that only exists in emulators... If either... are successfully resolved, the loader concludes that it is running in an emulated environment and will not perform malicious activities.
The HeartCrypt packer takes legitimate executables and modifies them by injecting malicious code in the .text section. It also inserts a few additional Portable Executable (PE) resources.
Once executed, 8776_6713.exe sits idle for an extended period of time, typically around four to nine minutes, which is a common tactic employed by malware to evade automated sandboxing and heuristic-based detection mechanisms.
Defense Impairment
1 technique
Discovery
1 technique
it performs various anti-emulator checks by trying to load nonexistent dynamic link libraries... This sample then uses the anti-emulation technique... retrieving the address of a function exported by kernel32 that only exists in emulators... If either... are successfully resolved, the loader concludes that it is running in an emulated environment and will not perform malicious activities.
Command and Control
2 techniques
This PowerShell command downloads and executes another PowerShell script... This script downloads two further files... The downloader batch file... also downloads and executes the final payload...
The process trace indicates that the initial infection could be related to the zero-day RCE exploits... which affected ConnectWise and BeyondTrust products.
Other
1 technique
IOCs tracked for this family
27 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A packer-as-a-service tool used to pack payloads and inject malicious code into legitimate binaries during malware development/compilation.
Packer-as-a-service malware used to deliver stealers, RATs, and AVKiller, distributed via phishing emails and LNK files.
Crypter/packer used to obfuscate or protect payloads from detection, as part of TAG-144 tooling.
A packing/obfuscation component used to protect and conceal the EDR-killer payload; the binary is heavily obfuscated and self-decodes at runtime.