Cybercriminals have escalated their attack sophistication by utilizing legitimate cloud storage services to distribute advanced malware, as demonstrated in a recent campaign targeting a certified public accounting firm in the United States. The attack, discovered in May 2025, showcases how threat actors are exploiting trusted platforms like Zoho WorkDrive to bypass traditional security measures and deliver the PureRAT Remote Access Trojan with unprecedented stealth. eSentire researchers identified this sophisticated campaign as part of a broader trend where cybercriminals are leveraging the "Ghost Crypt" crypter service, first advertised on underground forums in April 2025. This new crypter-as-a-service offering promises advanced evasion capabilities, including guaranteed bypasses for Windows Defender and cloud-based detection systems, while supporting various malware families including PureRAT, LummaC2, and XWorm.

The attack began with a carefully orchestrated social engineering campaign in which threat actors impersonated potential clients, sending malicious PDF documents containing links to Zoho WorkDrive folders. Upon successful execution, the malware employs a custom ChaCha20 encryption algorithm with modified parameters to decrypt its payload, differentiating itself from standard implementations through non-standard magic constants and null nonce values. PureRAT demonstrates remarkable persistence and evasion capabilities through its multi-layered obfuscation approach, utilizing both Eazfuscator.NET and .NET Reactor to protect its core functionality from analysis.

The most sophisticated aspect of this PureRAT variant lies in its implementation of "Process Hypnosis," an advanced injection technique that exploits Windows debugging mechanisms for stealthy code execution. The injection process begins with the CreateProcessW API call, utilizing the DEBUG_ONLY_THIS_PROCESS flag to spawn the legitimate Windows binary csc.exe in debug mode. This technique effectively prevents security researchers from debugging the child process, as it remains under the malware's control. Subsequently, VirtualAllocEx allocates memory within the target process with Read, Write, and Execute permissions, followed by WriteProcessMemory calls that inject the 344 KB PureRAT payload directly into the victim process's address space. The malware also patches the ZwManageHotPatch function with 32 bytes of data, implementing a technique specifically designed to bypass Windows 11 24H2 security enhancements, demonstrating the threat actors' awareness of modern operating system protections. To maintain persistence across system reboots, the malware establishes a registry entry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ensuring automatic execution upon user login.
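The injection chain described above (CreateProcessW with DEBUG_ONLY_THIS_PROCESS, then an RWX VirtualAllocEx and WriteProcessMemory into that debugged child) is a correlatable sequence for an endpoint sensor. The following is an added detection example, not code from eSentire or the article; the telemetry record layout (pid, api, args) and the sample events are constructed assumptions about what an API-monitoring sensor would emit.

```python
"""Correlate API telemetry into Process-Hypnosis-style injection chains."""
from collections import defaultdict

DEBUG_ONLY_THIS_PROCESS = 0x00000002   # CreateProcessW creation flag
PAGE_EXECUTE_READWRITE = 0x40          # RWX protection passed to VirtualAllocEx

# Constructed sample telemetry, one record per hooked API call.
# Record layout is an assumption, not a real sensor's schema.
SAMPLE_EVENTS = [
    {"pid": 4120, "api": "CreateProcessW",
     "args": {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              "flags": DEBUG_ONLY_THIS_PROCESS, "child_pid": 4188}},
    {"pid": 4120, "api": "VirtualAllocEx",
     "args": {"target_pid": 4188, "protect": PAGE_EXECUTE_READWRITE}},
    {"pid": 4120, "api": "WriteProcessMemory",
     "args": {"target_pid": 4188, "size": 344 * 1024}},
    # Benign: a debugger spawning its own child never allocates RWX in it.
    {"pid": 900, "api": "CreateProcessW",
     "args": {"image": r"C:\tools\app.exe",
              "flags": DEBUG_ONLY_THIS_PROCESS, "child_pid": 912}},
    {"pid": 900, "api": "WriteProcessMemory",
     "args": {"target_pid": 912, "size": 4}},
]


def find_hypnosis_chains(events):
    """Return (parent_pid, child_pid) pairs where a process spawned a child in
    debug-only mode, allocated RWX memory inside it and then wrote to it."""
    debug_children = defaultdict(set)   # parent pid -> children spawned with debug flag
    rwx_alloc = set()                   # (parent, child) pairs with an RWX allocation
    hits = []
    for ev in events:
        pid, api, a = ev["pid"], ev["api"], ev["args"]
        if api == "CreateProcessW" and a["flags"] & DEBUG_ONLY_THIS_PROCESS:
            debug_children[pid].add(a["child_pid"])
        elif (api == "VirtualAllocEx" and a["protect"] == PAGE_EXECUTE_READWRITE
              and a["target_pid"] in debug_children[pid]):
            rwx_alloc.add((pid, a["target_pid"]))
        elif api == "WriteProcessMemory" and (pid, a["target_pid"]) in rwx_alloc:
            # Full chain observed: debug spawn -> RWX alloc -> write into child
            hits.append((pid, a["target_pid"]))
    return hits


if __name__ == "__main__":
    for parent, child in find_hypnosis_chains(SAMPLE_EVENTS):
        print(f"suspected Process Hypnosis injection: {parent} -> {child}")
```

A WriteProcessMemory into a debugged child without a preceding RWX allocation (the second sample) is not flagged, which keeps ordinary debugger activity out of the alert.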
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 21 Jul 2025 18:00:14 +0000