
Redazione RHC : 25 October 2025 09:12
A tool has appeared on the cybercriminal market that has quickly become a mass-produced weapon for dozens of groups. It’s HeartCrypt, a malware packaging service masquerading as a legitimate application.
Sophos researchers have been monitoring its activity and found that attackers are using this mechanism to distribute stealers, RAT Trojans, and even security solution deactivation utilities, all using the same social engineering and code substitution techniques.
Experts collected thousands of samples and discovered nearly a thousand command and control servers, over two hundred rogue vendors, and campaigns across multiple continents. Based on the nature of their actions, researchers linked most of the incidents to this operation. On the surface it all seems familiar: spoofed emails, password vaults, Google Drive and Dropbox storage. But beneath the guise of ordinary applications lies a complex mechanism for implanting and executing malicious modules.
The technique is simple and effective. Position-independent code is injected into legitimate EXE and DLL files and executed directly from the .text section; a file with a BMP header is appended to the resources, followed by an encrypted payload. Encryption is implemented via XOR with a fixed ASCII key, which is often repeated in the “tail” of the resource.
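A triage helper for the resource layout just described, written for this article as an added example (it is not Sophos' or the packer's code). It assumes a 14-byte BMP file header, that the payload is a PE file (so the first two decrypted bytes must be "MZ"), and that the resource ends with whole copies of the ASCII key; the sample blob is constructed inline.

```python
from typing import Optional

BMP_MAGIC = b"BM"
BMP_HEADER_LEN = 14      # BITMAPFILEHEADER size (assumed layout)
PE_MAGIC = b"MZ"         # known plaintext: the payload is assumed to be a PE file
MAX_KEY_LEN = 64         # assumption: the ASCII key is short


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the scheme the article attributes to the packer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_ascii_key(key: bytes) -> bool:
    return len(key) > 0 and all(0x20 <= b < 0x7F for b in key)


def recover_key(blob: bytes) -> Optional[bytes]:
    """For each candidate length, the tail must end with two identical printable
    copies of the key, and XOR-ing the first payload bytes must yield 'MZ'."""
    body = blob[BMP_HEADER_LEN:]
    for n in range(1, MAX_KEY_LEN + 1):
        if len(body) < 2 * n + len(PE_MAGIC):
            continue
        key = body[-n:]
        if body[-2 * n:-n] != key or not is_ascii_key(key):
            continue
        if xor_bytes(body[:len(PE_MAGIC)], key) == PE_MAGIC:
            return key
    return None


def extract_payload(blob: bytes) -> bytes:
    """Return the decrypted payload or raise if the blob does not fit the pattern."""
    if not blob.startswith(BMP_MAGIC):
        raise ValueError("resource does not start with a BMP header")
    key = recover_key(blob)
    if key is None:
        raise ValueError("no repeated ASCII key in the tail decrypts to an MZ header")
    end = len(blob)
    # strip every trailing copy of the key; what is left after the header is ciphertext
    while end - len(key) >= BMP_HEADER_LEN and blob[end - len(key):end] == key:
        end -= len(key)
    return xor_bytes(blob[BMP_HEADER_LEN:end], key)


def build_sample(payload: bytes, key: bytes, copies: int = 3) -> bytes:
    """Constructed fixture mimicking the described layout (not a real sample)."""
    header = BMP_MAGIC + (BMP_HEADER_LEN + len(payload)).to_bytes(4, "little") + bytes(8)
    return header + xor_bytes(payload, key) + key * copies
```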
The primary code implements the second layer, hindering analyzers with a large number of jumps and junk bytes. It checks the environment for dummy imports and functions typical of emulators, and under normal conditions restores and executes the payload using the standard APIs: CreateProcessW, VirtualAlloc, GetThreadContext, NtCreateThreadEx, and CreateRemoteThread. For increased robustness, the file is copied to a “quiet” location on disk, bloated with zeros up to hundreds of megabytes, and added to startup.
The campaigns demonstrate typical social engineering techniques. In Italy, copyright infringement emails pointed to Dropbox through the t.ly shortener; the archives contained a PDF reader and a fake DLL, leading to a variant of Lumma Stealer communicating with C2 servers on .sbs and .cyou domains. In Colombia, malicious ZIP files hosted on Google Drive were password-protected, and the password “7771” supplied in the message was used to unpack them, after which AsyncRAT was installed. In other cases, the “PDF” turned out to be an LNK shortcut that launched PowerShell and installed Rhadamanthys. Filenames are deliberately localized, from Spanish notifications to French and Korean tags, to increase the likelihood that the recipient opens them.
Of particular concern is the presence of a security-disabling tool called AVKiller among the payloads. It has been detected in conjunction with ransomware operations: in one case, a HeartCrypt-packed module downloaded AVKiller, protected by VMProtect and equipped with a driver carrying a compromised signature; in another case, signs of cooperation between different groups were observed, making the situation even more dangerous for victims. The scale and diversity of the payloads indicate that HeartCrypt is not the only such service in the ecosystem, but its availability and ease of configuration make it a reliable tool for attackers.
The key findings are simple: the packer disguises malicious code as familiar programs, uses simple but effective encryption, exploits trust in cloud storage and URL shorteners, and the final payloads range from standard stealers to security-disabling utilities, significantly increasing the risk of a subsequent encryption campaign. For now, defenders can only monitor resource-based indicators of compromise and injection sites, flag unusual APK/PE resources, and block suspicious redirects to cloud links.