Listen to this Post

Inside the Cyber-Attack That Slipped Past Antivirus Software Using Advanced Evasion Tactics
In May 2025, a highly targeted cyber-attack struck a US-based accounting firm, revealing a dangerous new combination of malware tools and social engineering tactics. At the center of this breach was PureRAT, a remote access Trojan designed for stealth and persistence, delivered through an advanced crypter known as Ghost Crypt.
This campaign, investigated by cybersecurity experts at eSentire’s Threat Response Unit (TRU), showcased an alarming evolution in malware deployment: attackers posed as legitimate clients, leveraged cloud platforms to gain trust, and employed multi-stage obfuscation techniques to sneak through corporate defenses. With Ghost Crypt now actively being marketed on hacker forums and capable of bypassing modern antivirus systems, the implications for enterprise security are growing increasingly severe.
How the Attack Unfolded: Social Engineering Meets Sophisticated Malware
A cyber-espionage campaign in May 2025 targeted a US accounting firm using a deeply layered attack vector involving social engineering, weaponized cloud storage, and advanced malware loaders. The operation began with a convincing email from a fake client, which included a malicious PDF linking to a Zoho WorkDrive folder. Within that folder was a ZIP file disguised as tax documents, but containing a double-extension executable file (.pdf.exe) and a renamed DLL. Once clicked, these files triggered the Ghost Crypt crypter.
Ghost Crypt then decrypted and embedded the PureRAT Trojan into a legitimate Windows system binary (csc.exe), using a stealthy process injection technique called “Process Hypnosis.” This method made it nearly impossible for standard antivirus software to detect the malware. Ghost Crypt itself had been advertised on underground forums since April 2025, boasting features like Windows Defender evasion, support for modern OS versions like Windows 11 24H2+, and a 3-day “survival guarantee” complete with free recrypts if detection occurs.
To maintain persistence, the malware wrote itself into the system registry and copied its components into commonly trusted folders such as the user’s Documents directory. Ghost Crypt also enabled DLL sideloading using legitimate software like Haihaisoft’s hpreader.exe, complicating forensic analysis and raising the bar for detection.
Once PureRAT was deployed, it established contact with remote command-and-control servers. It began silently harvesting data from the infected machine — including user credentials, system metadata, and even scanning for cryptocurrency wallets and popular crypto apps like Ledger Live and Exodus. PureRAT, now the flagship malware sold by underground vendor PureCoder, is packed with multiple obfuscation layers and relies on memory injection rather than standard DLL loading. It also utilizes anti-sleep API calls to ensure continued access to the infected device.
eSentire issued a stark warning to organizations: be wary of urgent, unsolicited messages, especially those involving cloud storage. Companies were also urged to enable full file extension visibility, deploy EDR (Endpoint Detection and Response) systems, and rigorously verify the identity of new or unexpected contacts.
What Undercode Say:
Rising Complexity in Threat Delivery
The PureRAT campaign reflects a broader shift in how cybercriminals are orchestrating attacks. Instead of relying on brute-force tactics or mass phishing attempts, this operation demonstrates precision, psychological manipulation, and deeply integrated malware engineering. The use of social engineering to appear as a potential client aligns with current trends in “low-and-slow” attacks that aim to bypass human suspicion rather than technological barriers.
Ghost Crypt as a Game-Changer
What makes this attack especially dangerous is the introduction of Ghost Crypt. Its injection method — Process Hypnosis — is a subtle, low-detection vector that blends malicious code into legitimate system processes. Additionally, the use of encryption algorithms like ChaCha20, combined with DLL sideloading and memory injection, pushes detection evasion to a whole new level. Ghost Crypt isn’t just a loader — it’s a fully commercialized tool now being marketed to cybercriminals with support for high-profile malware strains like LummaC2 and XWorm.
DLL Sideloading with Trusted Apps
Using a legitimate executable like
Cryptocurrency as a High-Value Target
PureRAT’s focus on crypto wallets and applications like Ledger Live and Exodus confirms that threat actors are still drawn to cryptocurrency-related data. The malware’s browser scanning features and resistance to sleep mode indicate that it’s optimized for long-term data harvesting, especially from users who are likely handling financial information.
Customization and Repackaging
The fact that PureRAT is distributed with multiple layers of encryption, including AES-256, and packed with .NET obfuscators, speaks to a highly modular malware ecosystem. Vendors like PureCoder are essentially offering malware-as-a-service, catering to different attack styles and payload preferences. This modularity makes mitigation much harder, as each sample may behave slightly differently, requiring dynamic analysis rather than signature detection.
Warnings for the Enterprise
This attack should be a wake-up call to accounting firms, law practices, and other high-value service providers. Threat actors are increasingly using tailored pretexts and exploiting cloud collaboration tools to bypass traditional email filters. With the ability to sideload DLLs and embed malware in trusted processes, companies need to go beyond antivirus and implement behavior-based threat detection.
🔍 Fact Checker Results:
✅ Ghost Crypt was first seen on Hackforums in April 2025, confirming its recent introduction to the cybercrime market.
✅ PureRAT uses .NET obfuscators, AES encryption, and direct memory injection, aligning with current malware evasion trends.
✅ DLL sideloading via legitimate software like hpreader.exe has been documented as a vector in this campaign.
📊 Prediction:
As malware like Ghost Crypt becomes more accessible and customizable, expect to see a surge in its use across finance, legal, and healthcare sectors where trust and document exchange are central to operations. PureRAT will likely evolve to integrate even deeper reconnaissance functions, while newer versions of Ghost Crypt may add anti-sandbox and AI evasion techniques. The attack surface is only expanding — and attackers are sharpening their tools. 🔥👀
References:
Reported By: www.infosecurity-magazine.com
Extra Source Hub:
https://www.linkedin.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2




