Pure Crypter Uses Multiple Evasion Methods to Bypass Windows 11 24H2 Security Features

Pure Crypter, a well-known malware-as-a-service (MaaS) loader, has been identified as a crucial tool for threat actors targeting Windows-based systems in thorough technical research carried out by eSentire’s Threat Response Unit (TRU) during 2024 and 2025.

This loader, favored for deploying information stealers like Lumma and Rhadamanthys via the ClickFix initial access vector, has demonstrated remarkable adaptability in evading Microsoft’s latest security enhancements in Windows 11 24H2.

Malware Loader Targets Windows Systems

Microsoft’s attempt to block malware loaders by preventing Process Hollowing-based injection in the 24H2 update has been circumvented by Pure Crypter’s developers through a straightforward yet effective patch of the NtManageHotPatch API in memory.


This bypass technique, detailed by security researcher Hasherezade, allows the malware to execute Process Hollowing (RunPE) on newer Windows builds, undermining the operating system’s defenses.

Pure Crypter’s architecture is a testament to its sophistication, incorporating a wide array of evasion and persistence mechanisms designed to thwart antivirus (AV) and endpoint detection and response (EDR) solutions.

Figure: Pure Crypter ToS agreement

Its configuration, stored as a Protobuf-serialized message, is decrypted and deserialized during execution, enabling modular activation of features such as AMSI (Antimalware Scan Interface) bypass through memory patching of the AmsiScanBuffer and EtwEventWrite APIs, DLL unhooking to load clean copies of kernel32.dll and ntdll.dll, and anti-VM and anti-debugging checks using APIs like CheckRemoteDebuggerPresent and WMI queries to detect virtualized environments.

Deceptive Marketing

Additional tactics include disabling internet connectivity via ipconfig.exe to hinder AV/EDR communication, applying execution delays with SleepEx, and ensuring persistence through Run keys, scheduled tasks, or VBScript in startup folders.
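The behaviours in the paragraph above (cutting network connectivity with ipconfig.exe, Run-key persistence, scheduled-task creation, VBScript dropped into a Startup folder) are individually noisy but together form a recognisable pattern. The following is an added illustration, not code from eSentire or from the article, of how a detection engineer might correlate such telemetry per responsible process. The event schema, the sample events and the assumption that the loader invokes `ipconfig.exe /release` are all constructed for the example; the article names only ipconfig.exe, not its arguments.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """Hypothetical endpoint telemetry record (constructed schema, loosely Sysmon-like).

    kind:    "process" (child process created), "registry" (value written),
             "file" (file created) or "task" (scheduled task created)
    actor:   image path of the process responsible; for "process" events this
             is the parent that launched the child, not the child itself
    cmdline: command line of the created child (process events only)
    target:  registry value path, file path or task name (other events)
    """
    kind: str
    actor: str
    cmdline: str = ""
    target: str = ""


# Persistence via HKCU/HKLM ...\CurrentVersion\Run or RunOnce values
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Script files dropped into a per-user or common Startup folder
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(vbs|vbe|js|wsf)$", re.I)
# schtasks.exe used to create (rather than query or delete) a task
TASK_CREATE_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)
# Assumed argument used to drop the DHCP lease and cut connectivity (not from the article)
IPCONFIG_RELEASE_RE = re.compile(r"\bipconfig(\.exe)?\b.*\s/release\b", re.I)


def classify(ev: Event):
    """Map one event to a tactic category, or None when it matches nothing."""
    if ev.kind == "process":
        if IPCONFIG_RELEASE_RE.search(ev.cmdline):
            return "network_cutoff"
        if TASK_CREATE_RE.search(ev.cmdline):
            return "persistence_task"
    elif ev.kind == "registry" and RUN_KEY_RE.search(ev.target):
        return "persistence_runkey"
    elif ev.kind == "file" and STARTUP_RE.search(ev.target):
        return "persistence_startup_script"
    elif ev.kind == "task":
        return "persistence_task"
    return None


def correlate(events, threshold=2):
    """Group matched categories by responsible process.

    A single Run key or a single ipconfig call is common benign activity, so
    only actors that hit at least `threshold` distinct categories are returned.
    """
    by_actor = defaultdict(set)
    for ev in events:
        category = classify(ev)
        if category:
            by_actor[ev.actor].add(category)
    return {actor: sorted(cats) for actor, cats in by_actor.items() if len(cats) >= threshold}


# Constructed sample telemetry: one suspicious binary in a user-writable path
# plus benign noise (an admin running ipconfig /all, an installer adding a tray app).
SUSPECT = r"C:\Users\alice\AppData\Roaming\update.exe"
SAMPLE_EVENTS = [
    Event("process", SUSPECT, cmdline="ipconfig.exe /release"),
    Event("registry", SUSPECT, target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("file", SUSPECT, target=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\up.vbs"),
    Event("process", r"C:\Windows\System32\cmd.exe", cmdline="ipconfig /all"),
    Event("registry", r"C:\Program Files\Vendor\setup.exe", target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray"),
    Event("process", r"C:\Windows\explorer.exe", cmdline="schtasks.exe /query"),
]


if __name__ == "__main__":
    for actor, cats in correlate(SAMPLE_EVENTS).items():
        print(f"{actor}: {', '.join(cats)}")
```

The threshold is the important design choice: each category alone would page an analyst several times a day, while a process that both severs connectivity and installs persistence in a user-writable path is worth a look. In production the `actor` grouping would key on process GUID rather than image path so that unrelated processes sharing a filename are not merged.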

The loader also supports multiple payload execution methods, including Reflection for .NET files, shellcode injection via VirtualAlloc and CreateThread, and parent process spoofing using OpenProcess and UpdateProcThreadAttribute, making it a versatile tool for malicious operations.

Beyond its technical prowess, Pure Crypter’s distribution and marketing strategies amplify its threat.

Sold on platforms like Hackforums[.]net by the vendor ‘PureCoder’ with tiered subscriptions ranging from $159 for three months to $799 for lifetime access, it is distributed via an automated Telegram bot, @ThePureBot, which also markets related tools like Pure Miner, Pure RAT, and Pure Logs Stealer.

Figure: Pure Coder’s sales thread on HackForums[.]net

The vendor employs deceptive marketing by showcasing zero-detection results on avcheck[.]net, a scanning platform that avoids sharing samples with AV/EDR vendors.

However, eSentire’s testing on VirusTotal revealed that newly generated stubs are detected by at least 20 AV/EDR solutions, exposing a significant discrepancy and suggesting misleading tactics to boost sales.

Operational security is further maintained through a Terms of Service (ToS) agreement to skirt forum restrictions on malicious software sales, while a user-friendly GUI with quotas on packing operations lowers the technical barrier for threat actors.

To counter this, eSentire has developed PureCrypterPunisher, a tool to automate unpacking, configuration extraction, and string decryption, empowering security researchers to better analyze and mitigate this pervasive threat in the evolving cyber landscape.
