
New Malware Alert: PureRAT and Ghost Crypt Hijack Systems Worldwide


When María López clicked to “Update Policy,” she unwittingly opened a digital Pandora’s box. Within seconds, her computer was hijacked—bank credentials siphoned, files exfiltrated, and a silent backdoor installed. This scenario is playing out across the globe as a wave of sophisticated remote-access Trojans (RATs) exploits users via phishing and drive‑by downloads.

  • A coordinated campaign spearheaded by the financially motivated group Greedy Sponge uses a modified AllaKore RAT, often partnered with SystemBC proxies, targeting Mexican institutions and beyond.
  • Distribution method: Booby-trapped ZIP files (e.g., Actualiza_Policy_v01.zip) conceal a legitimate Chrome proxy executable and a malicious Microsoft Installer (MSI) package. The MSI deploys a .NET downloader that fetches the RAT and launches a PowerShell cleanup script.
  • eSentire researchers uncovered a separate wave delivering PureRAT via Ghost Crypt, a crypter-as-a-service that encrypts DLL payloads to evade Microsoft Defender. The payload is injected into csc.exe through “process hypnosis”; the intrusion often begins with a PDF lure paired with an urgent phone call.
  • Additional threats include Neptune/MasonRAT spread via JavaScript lures, Hijack Loader via Inno Setup installers, and payloads like RedLine stealer and clipper modules—all converging on credential theft, screenshots, keylogging, clipper deployment, and proxy relay setup.

🧠 Technical Breakdown

  1. Phishing/dropper delivery
    Victims receive a ZIP via phishing email or PDF link. Inside:
    • A legitimate Chrome proxy executable (to avoid suspicion)
    • A trojanized MSI that runs silently
  2. Downloader stage
    MSI drops a .NET downloader, which contacts a hardcoded C2 domain (e.g., manzisuape[.]com/amw), pulls the RAT, and triggers a PowerShell script to erase traces.
  3. Payload execution & persistence
    AllaKore RAT establishes keylogging, screen capture, filesystem upload/download, and remote shell. SystemBC adds a SOCKS5 proxy node to mask C2 traffic.
  4. Advanced evasion
    • Geofencing moved server-side, blocking analysis outside Mexico
    • Ghost Crypt’s crypter encrypts DLLs, injects into legitimate processes via “process hypnosis,” bypassing Defender detection.

💬 Voices from the Field

“We’ve modified AllaKore to exfiltrate banking credentials and authentication tokens directly to C2”—Arctic Wolf Labs.

“Ghost Crypt was advertised in cybercrime forums on April 15, 2025,” noted eSentire researchers. “Its process hypnosis injection bypasses Microsoft Defender and loads PureRAT stealthily.”


🌍 Human Impact & Context

Small businesses and individuals, already stretched thin post-pandemic, are now being targeted in high-volume, low-cost phishing operations. Financial losses from unauthorized wire transfers, stolen identity, and extortion are rising—and victims often lack forensic capability to trace intrusions. The insidious nature of proxy-based RAT networks complicates detection, creating fertile ground for long-term surveillance and repeated breaches.


🔍 Broader Significance

Crypter-as-a-service models signal a troubling shift: malware deployment is becoming commodified and widely accessible. Server-side geofencing and DLL injection via process hypnosis point to a level of operational tradecraft previously available only to state-sponsored actors. Cybercriminals are leveraging layered proxies, evasion, and modular payloads to maximize return on investment with minimal sophistication of their own.


🛡️ Defender Recommendations

Defense strategy by stage:
  • Delivery: Use advanced email filtering, verify links before clicking, and sandbox-test ZIP contents before opening them.
  • Downloader: Employ endpoint protection capable of detecting MSI-based downloaders, and block known malicious domains.
  • Execution: Monitor anomalous csc.exe behavior, enable script-blocking policies, and enforce application whitelisting.
  • Post-infection: Deploy network monitoring for SOCKS5 traffic, set up regular C2 threat hunting, and maintain offline backups.
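The Technical Breakdown above describes an MSI that launches a .NET downloader, which in turn runs PowerShell and hosts the payload in csc.exe, while the Post-infection recommendation is to watch for SOCKS5 proxy traffic. The following is an added detection sketch written for this article; it is not code from the page, from Arctic Wolf Labs, or from eSentire. The process events, the downloader file name (updater.exe), the flow records, and the Sysmon-like field names are all constructed assumptions, not observed indicators.

```python
"""Detection sketch for the AllaKore/PureRAT-style chain: MSI -> .NET downloader
-> PowerShell, a csc.exe host with no compiler work to do, and SOCKS5 greetings
on the wire. All telemetry below is constructed for illustration."""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lowercase file name of the process image (assumed schema)
    cmdline: str


# Constructed sample telemetry: one malicious chain and one benign csc.exe run
# from Visual Studio (devenv.exe) for comparison. "updater.exe" is a hypothetical
# downloader name, not an indicator from the article.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "msiexec.exe", "msiexec.exe /i Actualiza_Policy_v01.msi /qn"),
    ProcEvent(300, 200, "updater.exe", "updater.exe"),
    ProcEvent(400, 300, "powershell.exe",
              'powershell.exe -w hidden -ep bypass -c "Remove-Item C:\\Users\\Public\\stage.tmp"'),
    ProcEvent(500, 300, "csc.exe", "csc.exe"),
    ProcEvent(600, 100, "devenv.exe", "devenv.exe"),
    ProcEvent(700, 600, "csc.exe", "csc.exe /noconfig @C:\\Temp\\tmp123.cmdline"),
]

# Parents that legitimately spawn the C# compiler on a workstation.
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbc.exe", "cmd.exe"}


def ancestry(events, pid, max_depth=5):
    """Image names from pid up through its parents; stops when a parent is
    missing from the log (orphaned process) or max_depth is reached."""
    by_pid = {e.pid: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events):
    """Return (pid, rule_name) pairs for the two process-level behaviors."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        chain = ancestry(events, e.pid)
        # Rule 1: PowerShell whose ancestry passes through an MSI install.
        if e.image == "powershell.exe" and "msiexec.exe" in chain[1:]:
            findings.append((e.pid, "msi_to_powershell"))
        # Rule 2: csc.exe with no compiler arguments, or started by something
        # other than a build tool. A hollowed host has no real compile job.
        if e.image == "csc.exe":
            args = e.cmdline.split()[1:]
            has_compiler_args = any(a.startswith(("/", "@", "-")) for a in args)
            parent = by_pid.get(e.ppid)
            parent_image = parent.image if parent else "<unknown>"
            if not has_compiler_args or parent_image not in BUILD_PARENTS:
                findings.append((e.pid, "suspicious_csc"))
    return findings


def is_socks5_greeting(data: bytes) -> bool:
    """True if data is exactly a SOCKS5 client greeting (RFC 1928, section 3):
    VER=0x05, NMETHODS, then NMETHODS method bytes. Port-independent."""
    if len(data) < 3 or data[0] != 0x05:
        return False
    nmethods = data[1]
    return nmethods >= 1 and len(data) == 2 + nmethods


# Constructed flow records: (src, dst, dst_port, first client payload bytes).
# 203.0.113.0/24 is documentation address space, not a real C2.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x02\x00"),   # TLS ClientHello start
    ("10.0.0.5", "203.0.113.20", 4001, b"\x05\x01\x00"),          # SOCKS5 on a non-standard port
    ("10.0.0.7", "203.0.113.30", 1080, b"\x05\x02\x00\x02"),      # SOCKS5 offering no-auth and user/pass
]


def find_socks5_flows(flows):
    """Flows whose first client bytes look like a SOCKS5 greeting."""
    return [(src, dst, port) for src, dst, port, payload in flows
            if is_socks5_greeting(payload)]


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
    print(find_socks5_flows(SAMPLE_FLOWS))
```

The SOCKS5 check inspects only the first client payload, so it catches proxy nodes regardless of destination port but says nothing about the later CONNECT request or the encrypted tunnel inside; treat a hit as a pivot for investigation, not a verdict. The csc.exe rule will also fire on legitimate but unusual compile invocations, which is the intended tradeoff for a host process the article names.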

🧩 Background

Modified AllaKore RAT has plagued Latin American financial sectors since at least early 2024. In May 2024, a variant attacked Brazilian banks (codenamed AllaSenha/CarnavalHeist). Meanwhile, the rise of crypter-as-a-service portals like Ghost Crypt has democratized advanced malware delivery, altering the cyber‑threat landscape.


As cybercriminals evolve—from suspicious updates to encrypted trojan loaders—they continue to exploit trust, urgency, and technical complexity. This latest wave underlines the importance of layered security, threat intelligence sharing, and defensive vigilance.

📚 Sources:

This article is based on findings and threat intelligence reported by:

  • The Hacker News – Credential Theft and Remote Access Attacks Surge Globally (published July 2025)
  • Arctic Wolf Labs – Research on modified AllaKore RAT behavior and financial credential theft
  • eSentire Threat Response Unit – Analysis of PureRAT and Ghost Crypt loader techniques
  • Cybersecurity Community Posts (e.g., X, Darknet forums) – Advertisement and usage of Ghost Crypt as a Crypter-as-a-Service (CaaS) tool
  • VirusTotal, Any.Run, and sandbox telemetry – Supporting technical analysis on file behavior and PowerShell scripts
