PureCrypter Analysis: How This Botnet Promotes Various Malware Families

Summary: PureCrypter is a highly active Malware-as-a-Service (MaaS) loader, capable of promoting over 10 malware families, making it a significant security concern.

PureCrypter: The "Uber" of Malware Flooding the Network with Virus Families

BEIJING – Security researchers at 360 Netlab have issued an urgent warning about the growing activity of PureCrypter, a malware loader that has become a central piece of the cybercrime ecosystem under the Malware-as-a-Service (MaaS) model.

Unlike malware built for a single purpose, PureCrypter acts as a delivery service for other criminal groups, specializing in "promoting" and installing a range of malware families onto infected machines in exchange for payment.

A Logistics Hub for Malware

According to Netlab's latest report, PureCrypter is not a newcomer (it has been active since at least March 2021), but its volume of operations reached critical levels in 2026. Analysts have observed this loader actively distributing more than 10 different malware families, turning a single initial infection into a multi-payload compromise for victims.

Among the "goods" PureCrypter is currently delivering are:

  • Spyware and Data Stealers: AgentTesla, SnakeKeylogger, and Formbook.

  • Remote Access Trojans (RATs): AsyncRAT and Remcos.

  • Info-stealers: Redline, capable of emptying crypto wallets and browser credentials in seconds.

Evasion Engineering: The Key to Its Success

What makes PureCrypter especially dangerous for organizations is its sophisticated evasion technique. The malware is written in C# and uses a complex system of "layers" to hide from traditional antivirus solutions.

Key facts

  • PureCrypter is a C#-written loader active since at least 2021.
  • It is sold as Malware-as-a-Service (MaaS), making it more dangerous than previous versions.
  • It has distributed more than 10 malware families, including Formbook and AgentTesla.
  • It uses a packaged downloader-and-injector mechanism to deploy its payloads.

Why it matters

The existence of MaaS-type loaders like PureCrypter lets attackers distribute and execute multiple kinds of malware from a single infrastructure. This drastically increases the risk to endpoints, requiring organizations to strengthen defense in depth and their detection of propagation patterns.
