Threat Actors Leverage Zoho WorkDrive Folder to Deliver Obfuscated PureRAT Malware

Cybercriminals have escalated their attack sophistication by utilizing legitimate cloud storage services to distribute advanced malware, as demonstrated in a recent campaign targeting a certified public accounting firm in the United States.

The attack, discovered in May 2025, showcases how threat actors are exploiting trusted platforms like Zoho WorkDrive to bypass traditional security measures and deliver the PureRAT Remote Access Trojan with unprecedented stealth.

The attack began with a carefully orchestrated social engineering campaign where threat actors impersonated potential clients, sending malicious PDF documents containing links to Zoho WorkDrive folders.

These folders appeared to contain legitimate business documents, including tax records and license copies, but harbored executable files disguised with double extensions such as “filename.pdf.exe”.

The attackers amplified their deception by placing urgent phone calls to victims, pressuring them to immediately extract and execute the malicious files.

eSentire researchers identified this sophisticated campaign as part of a broader trend where cybercriminals are leveraging the “Ghost Crypt” crypter service, first advertised on underground forums in April 2025.

This new crypter-as-a-service offering promises advanced evasion capabilities, including guaranteed bypasses for Windows Defender and cloud-based detection systems, while supporting various malware families including PureRAT, LummaC2, and XWorm.

The malware’s technical complexity extends far beyond its initial delivery mechanism.

PureRAT demonstrates remarkable persistence and evasion capabilities through its multi-layered obfuscation approach, utilizing both Eazfuscator.NET and .NET Reactor to protect its core functionality from analysis.

Advanced Injection and Persistence Mechanisms

The most sophisticated aspect of this PureRAT variant lies in its implementation of “Process Hypnosis,” an advanced injection technique that exploits Windows debugging mechanisms for stealthy code execution.

Upon successful execution, the malware employs a custom ChaCha20 encryption algorithm with modified parameters to decrypt its payload, differentiating itself from standard implementations through non-standard magic constants and null nonce values.

The injection process begins with the CreateProcessW API call, utilizing the DEBUG_ONLY_THIS_PROCESS flag to spawn the legitimate Windows binary csc.exe in debug mode.

This technique effectively prevents security researchers from debugging the child process, as it remains under the malware’s control.

Subsequently, VirtualAllocEx allocates memory within the target process with Read, Write, and Execute permissions, followed by WriteProcessMemory calls that inject the 344KB PureRAT payload directly into the victim process’s address space.

To maintain persistence across system reboots, the malware establishes a registry entry under HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun, ensuring automatic execution upon user login.

The malware also patches the ZwManageHotPatch function with 32 bytes of data, implementing a technique specifically designed to bypass Windows 11 24H2 security enhancements, demonstrating the threat actors’ awareness of modern operating system protections.

Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams -> Try ANY.RUN Now