Cybersecurity researchers have uncovered a classy malware crypter often known as Pure Crypter that has advanced to particularly goal and bypass the improved safety measures launched in Home windows 11 24H2.
This superior malware packaging device represents a big escalation within the ongoing cat-and-mouse recreation between risk actors and working system safety enhancements, demonstrating how rapidly malicious actors adapt to new defensive mechanisms.
Pure Crypter capabilities as a complete malware supply platform that mixes a number of evasion strategies to make sure profitable payload execution whereas evading detection by fashionable safety options.
Pure Coder’s gross sales thread (Supply – Esentire)
The crypter employs an arsenal of anti-analysis and anti-detection strategies, together with Anti-Malware Scan Interface (AMSI) bypassing, dynamic hyperlink library (DLL) unhooking, execution delays, and complex persistence mechanisms that permit malware to take care of a foothold on contaminated techniques.
eSentire analysts recognized this malware throughout their risk searching operations and famous that Pure Crypter has undergone important updates particularly designed to counter the safety enhancements applied in Home windows 11 construct 26100, also referred to as 24H2.
The researchers noticed that the malware authors added new performance in January 2025 to deal with adjustments within the working system that beforehand prevented sure injection strategies from functioning successfully.
The affect of Pure Crypter extends past conventional malware supply, because it permits risk actors to deploy numerous sorts of malicious payloads together with ransomware, data stealers, and distant entry trojans whereas sustaining stealth and persistence.
Automated system streamlines the procurement and supply course of (Supply – Esentire)
The crypter’s modular design permits cybercriminals to customise their assaults primarily based on particular targets and operational necessities, making it a flexible device within the fashionable risk panorama.
Superior Course of Injection Strategies for Home windows 11 24H2
Considered one of Pure Crypter’s most notable improvements lies in its adaptation to beat the safety enhancements launched in Home windows 11 24H2, significantly concerning course of hollowing strategies.
Pure Crypter Enter Payload Menu (Supply – Esentire)
The malware builders acknowledged that conventional course of injection strategies had been being blocked by the newer working system builds and applied a classy workaround that particularly targets the NtManageHotPatch API.
Pure Crypter Payload Conduct Menu (Supply – Esentire)
The crypter first performs a system examine to find out if the goal machine is working Home windows 11 construct 26100 or newer by querying the registry key “SOFTWAREMicrosoftWindows NTCurrentVersion” and evaluating the CurrentBuild worth.
If the system is recognized as 24H2 or later, Pure Crypter initiates a reminiscence patching routine that modifies the NtManageHotPatch perform to bypass the brand new safety restrictions.
The patching course of entails writing particular byte sequences to reminiscence that successfully neutralize the API’s protecting mechanisms. For 64-bit techniques, the malware writes the bytes “184, 187, 0, 0, 192, 195” whereas 32-bit techniques obtain “184, 187, 0, 0, 192, 194, 16, 0”.
This system requires cautious reminiscence administration, together with altering reminiscence permissions utilizing VirtualProtectEx, writing the patch bytes with WriteProcessMemory, and flushing the instruction cache to make sure the modifications take impact.
The implementation demonstrates a deep understanding of Home windows internals and represents a big evolution in malware evasion strategies.
By efficiently patching NtManageHotPatch, Pure Crypter permits its RunPE (course of hollowing) performance to work on the most recent Home windows 11 builds, permitting risk actors to inject malicious code into respectable processes and evade detection by safety options that depend on behavioral evaluation of course of creation and reminiscence allocation patterns.
Rejoice 9 years of ANY.RUN! Unlock the complete energy of TI Lookup plan (100/300/600/1,000+ search requests), and your request quota will double.
