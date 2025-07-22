
Novel crypter tapped to spread PureRAT trojan
Malicious actors have leveraged the novel Ghost Crypt crypter to compromise a U.S.-based accounting firm with the PureRAT trojan in a May cyberattack, Infosecurity Magazine reports.
According to a report from eSentire's Threat Response Unit, the attackers relied on social engineering, impersonating a new client who delivered a malicious PDF that redirected to a Zoho WorkDrive folder containing a ZIP archive posing as tax documents. Executing a renamed DLL and a double-extension file from the ZIP archive triggered Ghost Crypt decryption and the injection of PureRAT into the csc.exe binary; persistence was established by adding a registry key entry and copying the DLL to the Documents folder. Further analysis found that Ghost Crypt includes Windows 11 24H2+ compatibility and Windows Defender evasion capabilities, and that the PureCrypt malware is being promoted as the flagship offering of the dark web marketplace PureCoder. Organizations have been advised to enable extended detection and response tools and file extension visibility, and to be wary of seemingly urgent cloud storage link requests from unknown sources.
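As an added defender-side illustration (not code from the report or from eSentire), the following Python script inspects a ZIP archive for the two disguises described above: a double-extension name that looks like a document and a PE file (EXE or DLL) hiding under a non-executable name. The archive it scans is constructed sample data that mimics the tax-document lure; the member names are invented.

```python
from __future__ import annotations

import io
import zipfile

# Extensions that execute on Windows and should never hide behind a document-looking name.
EXECUTABLE_EXTS = {"exe", "dll", "scr", "com", "pif", "js", "vbs", "bat", "cmd", "ps1", "lnk", "hta"}
# Extensions a lure would use to look harmless (e.g. "Tax Return.pdf.exe").
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
MZ_MAGIC = b"MZ"  # DOS header that opens every PE file, whether named .exe, .dll or .dat


def inspect_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member_name, reason) for every suspicious member of a ZIP archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1]
            exts = basename.lower().split(".")[1:]
            # Double extension: a document extension immediately followed by an executable one.
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
                findings.append((info.filename, "double extension"))
            # Renamed PE: the bytes are a DOS/PE executable but the name does not say so.
            head = zf.open(info).read(len(MZ_MAGIC))
            if head == MZ_MAGIC and (not exts or exts[-1] not in EXECUTABLE_EXTS):
                findings.append((info.filename, "PE content with non-executable name"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive: one decoy text file plus the two disguises the report describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tax_Docs_2024/README.txt", "Please review the attached returns.")
        zf.writestr("Tax_Docs_2024/Tax Return 2024.pdf.exe", b"MZ" + b"\x90" * 62)  # double extension
        zf.writestr("Tax_Docs_2024/libhelper.dat", b"MZ" + b"\x00" * 62)            # renamed DLL
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip(build_sample_archive()):
        print(f"{member}: {reason}")
```

The same check can be run over archives pulled from mail or cloud-storage download logs; a hit on either rule is a reason to quarantine the archive before a user can open it.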
