
A new malware downloader, PureCrypter, is being used by an unknown threat actor to deliver a variety of information stealers and ransomware to government entities in Asia-Pacific and North America.
PureCrypter is advertised for sale by its author for $59 for one-month access (or $245 for a one-off lifetime purchase) and is capable of distributing a multitude of malware, including RedLine Stealer, Agent Tesla, Eternity, Blackmoon (aka KRBanker), and Philadelphia ransomware. PureCrypter was first documented in June 2022. The infection sequence detailed by Menlo Security commences with a phishing email containing a Discord URL that points to the first-stage component, a password-protected ZIP archive that, in turn, loads the PureCrypter malware.
The loader, for its part, reaches out to the website of the breached non-profit entity to fetch the secondary payload, which is a .NET-based keylogger named Agent Tesla.
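Two defensive checks follow from the first stage of the chain described above: an archive fetched from a Discord URL, and that archive being password-protected. The example below is added here and is not Menlo Security's code or anything from the article. It flags proxy-log entries where a ZIP is downloaded from a Discord CDN host (the hostname list is an assumption to be tuned per environment), and it reads ZIP local file headers to tell whether any entry sets the encryption bit, which works without knowing the password. The log lines and the ZIP bytes are constructed for illustration.

```python
"""Defensive checks for a Discord-hosted, password-protected ZIP first stage."""
import io
import struct
import zipfile
from typing import Dict, List
from urllib.parse import urlparse

LOCAL_FILE_HEADER_SIG = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001        # general purpose bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008  # sizes follow the data, so csize in the header is 0

# Assumption: Discord CDN hostnames worth flagging; extend for your environment.
DISCORD_HOSTS = ("cdn.discordapp.com", "media.discordapp.net", "discordapp.com", "discord.com")


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk the local file headers of a ZIP and report whether any entry is encrypted.

    Only header metadata is read; no password is needed and nothing is extracted.
    """
    pos = 0
    while pos + 30 <= len(data):
        if data[pos:pos + 4] != LOCAL_FILE_HEADER_SIG:
            return False  # reached the central directory (PK\x01\x02) or trailing data
        # header layout: sig(4) ver(2) flags(2) method(2) time(2) date(2)
        #                crc(4) csize(4) usize(4) name_len(2) extra_len(2)
        flags = struct.unpack_from("<H", data, pos + 6)[0]
        csize = struct.unpack_from("<I", data, pos + 18)[0]
        nlen, xlen = struct.unpack_from("<HH", data, pos + 26)
        if flags & FLAG_ENCRYPTED:
            return True
        if flags & FLAG_DATA_DESCRIPTOR:
            # sizes are unknown up front; scan forward for the next local header
            nxt = data.find(LOCAL_FILE_HEADER_SIG, pos + 30 + nlen + xlen)
            if nxt == -1:
                return False
            pos = nxt
        else:
            pos += 30 + nlen + xlen + csize
    return False


def build_sample_zip() -> bytes:
    """Constructed sample: an unencrypted ZIP holding one fake executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Invoice_Feb.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def mark_first_entry_encrypted(data: bytes) -> bytes:
    """Constructed sample: set the encryption bit on the first local header,
    mimicking what a password-protected archive's header looks like."""
    assert data[:4] == LOCAL_FILE_HEADER_SIG
    flags = struct.unpack_from("<H", data, 6)[0] | FLAG_ENCRYPTED
    return data[:6] + struct.pack("<H", flags) + data[8:]


# Constructed proxy log: timestamp src method url status content-type bytes
SAMPLE_PROXY_LOG = """\
2023-02-27T09:12:41Z 10.20.4.17 GET https://cdn.discordapp.com/attachments/111/222/Invoice_Feb.zip 200 application/zip 48210
2023-02-27T09:13:05Z 10.20.4.17 GET https://www.example.org/news/index.html 200 text/html 9120
2023-02-27T09:14:30Z 10.20.4.22 GET https://cdn.discordapp.com/attachments/111/333/team_photo.png 200 image/png 230011
2023-02-27T09:15:02Z 10.20.4.17 GET https://charity.example.org/wp-content/uploads/update.bin 200 application/octet-stream 301450
"""


def triage_proxy_log(text: str) -> List[Dict[str, str]]:
    """Return entries where an archive was fetched from a Discord CDN host."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # malformed line; skip rather than crash the triage run
        ts, src, _method, url, _status, ctype, _size = parts
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        if host.endswith(DISCORD_HOSTS) and (path.endswith(".zip") or ctype == "application/zip"):
            hits.append({"ts": ts, "src": src, "url": url,
                         "reason": "archive downloaded from Discord CDN"})
    return hits


if __name__ == "__main__":
    for hit in triage_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    plain = build_sample_zip()
    print("plain encrypted:", zip_has_encrypted_entry(plain))
    print("protected encrypted:", zip_has_encrypted_entry(mark_first_entry_encrypted(plain)))
```

The header walk deliberately stops at the first non-local-header signature, so it is cheap enough to run on every archive seen at a mail gateway or proxy; pairing the two signals (Discord CDN source plus an encrypted archive that content filters cannot inspect) gives a higher-confidence alert than either alone.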