HeartCrypt’s wholesale impersonation effort

Sophos investigated a widespread packer-as-a-service operation called HeartCrypt that modifies legitimate executables with position-independent loader code, embeds XOR‑encrypted payloads as PE resources, and distributes common RATs and stealers via tailored phishing campaigns. Campaigns used DLL sideloading, password‑protected Google Drive archives, and LNK/PowerShell chains to deliver payloads like Lumma Stealer, AsyncRAT, Rhadamanthys, and an AV killer called AVKiller. #HeartCrypt #AVKiller

Keypoints

  • HeartCrypt is a packer-as-a-service that injects position-independent code (PIC) into legitimate PE files and adds encrypted payloads as fake bitmap resources.
  • Distribution methods include phishing emails linking to Dropbox or Google Drive, password-protected ZIPs, DLL sideloading, LNK shortcuts that invoke PowerShell, and direct executables with padded zero bytes for persistence.
  • Payloads recovered include commodity RATs and stealers (Lumma Stealer, AsyncRAT, Rhadamanthys) and a notable AV‑killing tool (AVKiller) used in some ransomware incidents.
  • Payload encryption uses a simple XOR with static ASCII keys (examples include PuevQTvPCsYg and emotional strings like MENOLOVECROWDSTRIKE), making keys discoverable in resources.
  • HeartCrypt campaigns targeted many countries and localized lures (file names in native languages), with Colombia being a primary source of infection reports.
  • The loader employs heavy control-flow obfuscation and anti-emulation/anti-sandbox checks (attempting to load nonexistent or emulator-only DLLs), then decodes a second-stage PIC from resources and deploys payloads via API calls such as CreateRemoteThread and NtCreateThreadEx.
  • Sophos analyzed thousands of samples, nearly 1,000 C2 servers and over 200 impersonated vendors, concluding multiple threat actors used the PaaS and that HeartCrypt remains widely used despite newer packers emerging.
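The XOR scheme in the key points above (a static ASCII key, payload stored as a fake bitmap resource) lends itself to a simple triage routine: once the key is read out of the resource, or recovered from known plaintext, the decrypted blob can be validated as a PE before anything else is done with it. The Python below is an added example, not Sophos's code or any HeartCrypt component. It constructs a stand-in payload inline and encrypts it with the key quoted in the report; the assumptions are that the resource bytes are handed in as a raw byte string and that the DOS stub text sits at offset 0x4E, which is typical for MSVC-linked binaries but not guaranteed.

```python
"""Triage helper for XOR-encrypted payloads carried in PE resources.

Added example (not Sophos code). Assumptions: the resource bytes are handed
in as a raw byte string, and the DOS stub text sits at offset 0x4E, which is
typical for MSVC-linked binaries but not guaranteed.
"""
import struct
from typing import Iterable, Optional, Tuple

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E  # assumption: typical offset of the stub message


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Structural sanity check: 'MZ' magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return len(blob) >= e_lfanew + 4 and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_repeating_key(cipher: bytes, known: bytes, offset: int, key_len: int) -> bytes:
    """Derive a repeating XOR key of length key_len from known plaintext at `offset`.

    Every key position must be covered, so len(known) >= key_len is required;
    the standard DOS stub message (39 bytes) covers keys up to that length.
    """
    if len(known) < key_len:
        raise ValueError("known plaintext shorter than key length")
    if offset + key_len > len(cipher):
        raise ValueError("known plaintext lies beyond the ciphertext")
    key = bytearray(key_len)
    for i in range(key_len):
        pos = offset + i
        key[pos % key_len] = cipher[pos] ^ known[i]
    return bytes(key)


def recover_key_from_stub(cipher: bytes, max_len: int = len(DOS_STUB_TEXT)) -> Optional[bytes]:
    """Try key lengths 1..max_len against the DOS stub text and accept the first
    candidate whose decryption validates as a PE."""
    for key_len in range(1, max_len + 1):
        key = recover_repeating_key(cipher, DOS_STUB_TEXT, DOS_STUB_OFFSET, key_len)
        if looks_like_pe(xor_bytes(cipher, key)):
            return key
    return None


def triage(resource_blob: bytes, candidate_keys: Iterable[bytes]) -> Optional[Tuple[bytes, bytes]]:
    """Decrypt with each candidate key (e.g. ASCII strings found in the resource
    section) and return (key, plaintext) for the first that yields a PE."""
    for key in candidate_keys:
        plain = xor_bytes(resource_blob, key)
        if looks_like_pe(plain):
            return key, plain
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a payload: MZ header, stub text, PE signature at 0x80."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    buf[0x80:0x84] = b"PE\0\0"
    buf[0x100:] = bytes(range(0x100))  # non-zero filler standing in for the rest
    return bytes(buf)


# Constructed sample: encrypt the stand-in with the key quoted in the report.
SAMPLE_KEY = b"PuevQTvPCsYg"
SAMPLE_RESOURCE = xor_bytes(build_fake_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    found = triage(SAMPLE_RESOURCE, [b"MENOLOVECROWDSTRIKE", SAMPLE_KEY])
    print("triage key:", found[0] if found else None)
    print("recovered :", recover_key_from_stub(SAMPLE_RESOURCE))
```

In practice the resource bytes would come from a PE parser rather than a literal, and the candidate keys from the printable strings in the same resource section. The known-plaintext recovery works because the repeating key is shorter than the standard DOS stub message, so every key byte is exposed once the stub's position is known; the PE structural check is what rejects the wrong key lengths.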

MITRE Techniques

  • [T1071] Application Layer Protocol – The loader and payload communicate with C2 servers listed in extracted configs (e.g., “contains the following C2 servers”).
  • [T1553] Subvert Trust Controls – Legitimate software components (e.g., CCleaner, msimg32.dll, Haihaisoft PDF Reader) are impersonated and injected to execute malicious code (“the executable was originally a CCleaner component … which contained injected malicious code”).
  • [T1574] Hijack Execution Flow – DLL sideloading and overwriting entry points allow injected PIC code to run instead of original application code (“position-independent loader code (PIC) injected near package entry points, overwriting the original code”).
  • [T1055] Process Injection – Loader uses CreateProcessW, VirtualAlloc, GetThreadContext, NtCreateThreadEx, CreateRemoteThread to load and execute final payloads (“it uses API functions such as CreateProcessW, VirtualAlloc, GetThreadContext, NtCreateThreadEx, and CreateRemoteThread to load and execute the final payload”).
  • [T1140] Deobfuscate/Decode Files or Information – The packer decodes a second-level PIC from resource data and decrypts XOR-encrypted payloads to reveal payloads (“the PIC would decode a second level of PIC” and “The payload is encrypted by a XOR algorithm … the XOR key is the string PuevQTvPCsYg”).
  • [T1204] User Execution – Social engineering via phishing emails and lure filenames cause users to download and run archives/executables (phishing emails with links to Dropbox/Google Drive and password-protected ZIPs described throughout).
  • [T1098] Account Manipulation – Use of a compromised Google Drive account to host password-protected archives and link them from phishing emails (“Password-protected archives hosted in Google Drive (on a compromised account) and linked from email”).
  • [T1543] Create or Modify System Process – Persistence via Run registry key and creating copies of malicious files in user directories (e.g., “%USERHOME%\Videos\CylanceBin”, “Pictures\HomeDeporteBin”) and Run key creation (“creates a copy … then proceeds to create a run key in the SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry location”).
  • [T1497] Virtualization/Sandbox Evasion – Anti-emulation checks by attempting to resolve nonexistent or emulator-only DLL imports to avoid running in emulated environments (“performs various anti-emulator checks by trying to load nonexistent dynamic link libraries … and retrieving the address of a function … that only exists in emulators”).
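The persistence behaviour in the T1543 entry (a copy of the file dropped under a user's Videos or Pictures folder and started from a Run key) is straightforward to hunt for: flag registry value-set events on Run/RunOnce keys whose data points into those profile folders. The Python below is an added example, not from the Sophos report. The event records are constructed to mimic Sysmon-style registry value-set events (the field names target_object and details are my own), and the SIDs, user names, file paths and the folder list are assumptions for illustration.

```python
"""Flag Run-key persistence that points into a user's media folders.

Added example (not from the Sophos report). Events are constructed to mimic
Sysmon-style "registry value set" records; field names are my own.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Run / RunOnce keys under either HKLM or a user hive.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I
)

# An executable-looking path under C:\Users\<name>\<folder>\..., optionally quoted,
# optionally followed by arguments. The top-level profile folder is captured.
USER_PATH_RE = re.compile(
    r'^"?(?P<path>[a-z]:\\Users\\[^\\]+\\(?P<folder>[^\\]+)\\[^"]*?'
    r'\.(?:exe|dll|scr|bat|cmd|ps1|vbs|js))',
    re.I,
)

# Profile folders the report names as drop locations (assumption: extend as needed).
MEDIA_FOLDERS = {"videos", "pictures"}


@dataclass
class RegistryEvent:
    target_object: str  # full key path plus value name
    details: str        # data written to the value


def is_run_key(target_object: str) -> bool:
    """True for values under a Run or RunOnce key in any hive."""
    return RUN_KEY_RE.search(target_object) is not None


def media_folder_target(details: str) -> Optional[Tuple[str, str]]:
    """Return (folder, path) if the value launches something from a media folder."""
    m = USER_PATH_RE.match(details.strip())
    if m is None or m.group("folder").lower() not in MEDIA_FOLDERS:
        return None
    return m.group("folder"), m.group("path")


def flag_events(events: Iterable[RegistryEvent]) -> List[Dict[str, str]]:
    """Return one record per Run-key write whose data points into a media folder."""
    hits = []
    for ev in events:
        if not is_run_key(ev.target_object):
            continue
        target = media_folder_target(ev.details)
        if target is None:
            continue
        folder, path = target
        hits.append({
            "value": ev.target_object.rsplit("\\", 1)[-1],  # the Run value name
            "folder": folder,
            "path": path,
        })
    return hits


# Constructed sample events; the SIDs, user names and paths are made up.
SAMPLE_EVENTS = [
    RegistryEvent(r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\CylanceBin",
                  r'"C:\Users\alice\Videos\CylanceBin\svc.exe"'),
    RegistryEvent(r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                  r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RegistryEvent(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
                  r"%windir%\system32\SecurityHealthSystray.exe"),
    RegistryEvent(r"HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
                  "1"),
    RegistryEvent(r"HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Run\HomeDeporte",
                  r"C:\Users\bob\Pictures\HomeDeporteBin\launcher.exe --silent"),
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(f"suspicious Run value {hit['value']!r} -> {hit['path']} (under {hit['folder']})")
```

The rule deliberately ignores AppData and Program Files launchers so that ordinary software autostarts (the OneDrive and SecurityHealth records above) stay quiet; what makes the HeartCrypt pattern stand out is an executable autostarting from a folder meant for media files, so the folder list is the knob to tune per environment.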

Indicators of Compromise

  • [File Hash] initial CCleaner-like dropper – f51397bb18e166c933fe090320ec23397fed73d68157ce86406db9f07847d355 (SHA-256).
  • [File Hash] Lumma Stealer payload – 09bb6673b62ed69b38035c562752867ff16d0624df6b3b2abf24ac90b5fda6cd (SHA-256).
  • [File Hash] Google Drive campaign executable – 70feac3064249f2c3773ed2a044cb9f6e644961fe8f51e9c742d2979c6e562a3 (SHA-256) and archive d2d00439c7d7961d3146cc0df9ed4abc78a6174a7390f9185c75f94705e0b8b2 (SHA-256).
  • [File Hash] MedusaLocker/AVKiller related sample – 43cd3f8675e25816619f77b047ea5205b6491137c5b77cce058533a07bdc9f98 (SHA-256) and AVKiller payload a44aa98dd837010265e4af1782b57989de07949f0c704a6325f75af956cc85de (SHA-256).
  • [Domain/URL] Malicious hosting and download URLs – examples include hxxps://t[.]ly/flJWG16112024 (shortened URL), hxxps://ucb8c68b6c4ab89f35d7d8df1884.dl.dropboxusercontent[.]com/… (Dropbox download), and hxxps://7bz5nc0bdyga37scjk9otosvcvcl5wyc.ngrok[.]app/api/secure/28116973ac5fdc1458ff89e92d1259c2 (PowerShell script host).
  • [File Name] Lure/decoy filenames used in campaigns – examples: “Notifica di violazione dei diritti di proprietà intellettuale,1611 LDK 31.zip” and “00001-Circualr Proceso Judicial Rad. 23001461299320240019100 Procuraduria General.exe”, among many other localized judicial/copyright-themed names.
  • [Driver/File] Driver and AVKiller artifacts – zsogd.sys (driver) with SHA-256 aa99b6c308d07acac8c7066c29d44442054815e62ea9a3f21cc22cdec0080bc8 and packed AVKiller vp4n.exe with SHA-256 c793304fabb09bb631610f17097b2420ee0209bab87bb2e6811d24b252a1b05d.

Read more: https://news.sophos.com/en-us/2025/09/26/heartcrypts-wholesale-impersonation-effort/