S9018: HeartCrypt
HeartCrypt is a packer-as-a-service (PaaS) used to protect malware that has been available since at least 2024. HeartCrypt has been used to pack a variety of malware including Lumma Stealer, Remcos, and Rhadamanthys. In the HeartCrypt PaaS model, customers submit malware via private messaging services and it is then packed and returned by the operator as a new binary.[1]
Analyst context for executives and security teams
HeartCrypt matters because it is described as a packer-as-a-service used to wrap other malware, including Lumma Stealer, Remcos, and Rhadamanthys. For leaders, the practical issue is not just one malware name: packing can change file signatures, hashes, size, encoding, and apparent file type, which can reduce the value of simple hash or static-signature controls across Linux and Windows environments.
Executive priority
Treat HeartCrypt as a test of whether malware defenses are resilient to obfuscation. Security leaders should ask whether endpoint controls, SOC triage, and incident response playbooks can recognize packed malware behavior, recover useful evidence after unpacking or memory execution, and prove coverage beyond blocklists. This is relevant to budget and audit discussions because the supplied relationships emphasize stealth, execution, persistence, privilege escalation, and discovery techniques rather than a single fixed indicator.
Technical view
The malware object has no ATT&CK tactic assigned and no official detection guidance, but its relationships point to T1027.001 Binary Padding, T1027.002 Software Packing, T1027.013 Encrypted/Encoded File, T1036.008 Masquerade File Type, T1055.004 APC injection, T1055.012 Process Hollowing, T1059.003 Windows Command Shell, T1106 Native API, T1140 Deobfuscate/Decode Files or Information, T1497.001 System Checks, and T1547.001 Registry Run Keys / Startup Folder. SOC and IR teams should validate coverage around packed-file intake, suspicious file metadata changes, memory-based execution, process injection, command shell use, startup persistence, and sandbox-evasion indicators on supported Linux and Windows platforms.
Likely telemetry
- Endpoint file creation and modification metadata, including hashes, file size, entropy, extensions, headers or magic bytes, and signature mismatches
- Executable launch telemetry on Linux and Windows hosts
- Windows process creation telemetry, especially cmd.exe activity where relevant
- Windows process injection and memory behavior telemetry associated with APC injection and process hollowing
- Native API or low-level process, memory, and file operation telemetry where available
Detection direction
- Do not rely on hash-only detection; HeartCrypt’s described role as a packer means file hashes and static signatures may change between packed outputs.
- Validate whether security tools inspect large, padded, encrypted, encoded, or packed binaries rather than skipping them because of size or format limits.
- Correlate file anomalies with runtime behavior: process creation, command shell execution, Native API use, process injection, memory-resident payloads, and persistence changes.
- Tune for false positives from legitimate packed or protected software by combining file characteristics with execution context, persistence attempts, process injection, or suspicious child processes.
- Test sandbox and malware-analysis workflows for system-check behavior, because related ATT&CK context includes virtualization and analysis-environment checks.
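The file-level checks named under likely telemetry and detection direction (header magic bytes versus extension, an image header sitting in front of an executable header, trailing null padding, high-entropy regions) can be scripted at file intake so that padded or masqueraded binaries are scored rather than skipped. The following is an added example written for this page; it is not code from the page, from MITRE, or from the cited Palo Alto report. The magic-byte table, the entropy and padding thresholds, and the two sample files are assumptions constructed for the demonstration.

```python
"""Added example: static triage for packer-style file anomalies
(magic/extension mismatch, image header in front of an MZ header, trailing
null padding, high-entropy regions). Thresholds and samples are assumptions."""
import math
import os
import random
from collections import Counter

# Magic bytes checked at offset 0 (assumed table; extend as needed).
MAGIC = {b"MZ": "pe", b"BM": "bmp", b"\x7fELF": "elf", b"\x89PNG": "png"}
EXT_KIND = {".exe": "pe", ".dll": "pe", ".scr": "pe", ".bmp": "bmp", ".png": "png"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, plain text is usually 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_kind(data: bytes) -> str:
    """File type implied by the leading magic bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def trailing_null_run(data: bytes) -> int:
    """Number of 0x00 bytes at the end of the file (binary padding)."""
    return len(data) - len(data.rstrip(b"\x00"))


def triage(name: str, data: bytes, chunk: int = 4096,
           entropy_hi: float = 7.2, pad_min: int = 1024) -> dict:
    """Structured findings for one file; an empty 'findings' list means clean."""
    findings = []
    kind = header_kind(data)
    expected = EXT_KIND.get(os.path.splitext(name)[1].lower())
    if expected and kind != expected:
        findings.append(f"header says {kind!r}, extension implies {expected!r}")
    if kind != "pe" and data.find(b"MZ", 1) != -1:
        findings.append("non-PE header with an MZ marker inside (possible masquerade)")
    pad = trailing_null_run(data)
    if pad >= pad_min:
        findings.append(f"{pad} bytes of trailing null padding")
    # Score entropy over the body only, so padding cannot drag the average down.
    body = data[:len(data) - pad]
    hot = sum(1 for i in range(0, len(body), chunk)
              if shannon_entropy(body[i:i + chunk]) >= entropy_hi)
    if hot:
        findings.append(f"{hot} high-entropy chunk(s) of {chunk} bytes")
    return {"kind": kind, "padding": pad, "high_entropy_chunks": hot,
            "findings": findings}


def build_samples() -> dict:
    """Constructed inputs (not real malware): one masquerading file, one benign."""
    rng = random.Random(7)
    noise = bytes(rng.getrandbits(8) for _ in range(8192))  # stands in for an encrypted blob
    masq = b"BM" + b"\x00" * 12 + b"MZ" + noise + b"\x00" * 4096
    benign = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 200
    return {"photo.bmp.exe": masq, "tool.exe": benign}


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        print(fname, triage(fname, blob))
```

Each finding on its own is weak evidence: legitimate installers are packed, bitmaps can contain the bytes "MZ" by chance, and some signed software ships with padding. The value is in the combination, and in feeding the result into runtime correlation rather than blocking on it.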
Mitigation priorities
- Prioritize behavior-based endpoint detection and response over static indicator blocking for packed or obfuscated binaries.
- Harden inspection pipelines so padded, packed, encrypted, encoded, or file-type-masqueraded executables are not excluded from analysis.
- Restrict and monitor common persistence locations such as Registry Run keys and Startup folders on Windows.
- Reduce unnecessary command shell execution paths and monitor administrative shell use for abnormal context.
- Ensure incident response procedures include collecting memory, startup artifacts, file metadata, and unpacked payload evidence when packed malware is suspected.
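The correlation the detection and mitigation bullets ask for, tying a Run-key write issued through cmd.exe and reg.exe back to the process chain that started it, can be expressed as a small rule over process-creation telemetry. The following is an added example written for this page, not code from the page, MITRE, or the cited report. It assumes Sysmon-style JSON events with ProcessGuid, ParentProcessGuid, Image, CommandLine and Hashes fields; the five events, the hash value and the user-writable path list are constructed for the demonstration.

```python
"""Added example: tie Run-key writes issued through cmd.exe/reg.exe back to
the process chain that started them, so file anomalies and runtime behaviour
are judged together. Event shape is a constructed Sysmon-like JSON line per
process creation; field names are assumptions."""
import json
from typing import Dict, Iterable, List

# Constructed events, not real telemetry. A: unknown binary in a user-writable
# path; B/C: it spawns cmd.exe which runs reg add against the Run key.
# D/E: a system installer writing the Run key, kept as a false-positive check.
SAMPLE_EVENTS = [
    r'{"EventID":1,"ProcessGuid":"A","ParentProcessGuid":"X","Image":"C:\\Users\\bob\\AppData\\Local\\Temp\\photo.bmp.exe","CommandLine":"photo.bmp.exe","Hashes":"SHA256=PLACEHOLDER_HASH"}',
    r'{"EventID":1,"ProcessGuid":"B","ParentProcessGuid":"A","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\bob\\AppData\\Local\\Temp\\photo.bmp.exe","Hashes":"SHA256=CMD"}',
    r'{"EventID":1,"ProcessGuid":"C","ParentProcessGuid":"B","Image":"C:\\Windows\\System32\\reg.exe","CommandLine":"reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\bob\\AppData\\Local\\Temp\\photo.bmp.exe","Hashes":"SHA256=REG"}',
    r'{"EventID":1,"ProcessGuid":"D","ParentProcessGuid":"Y","Image":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"msiexec.exe /i setup.msi","Hashes":"SHA256=MSI"}',
    r'{"EventID":1,"ProcessGuid":"E","ParentProcessGuid":"D","Image":"C:\\Windows\\System32\\reg.exe","CommandLine":"reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v VendorAgent /t REG_SZ /d C:\\Program Files\\Vendor\\agent.exe","Hashes":"SHA256=REG"}',
]
# Hashes flagged by an earlier file-triage step (placeholder value, constructed).
SUSPECT_HASHES = {"SHA256=PLACEHOLDER_HASH"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def load_events(lines: Iterable[str]) -> Dict[str, dict]:
    """Index process-creation events by ProcessGuid."""
    events = (json.loads(line) for line in lines)
    return {ev["ProcessGuid"]: ev for ev in events if ev.get("EventID") == 1}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def is_run_key_write(ev: dict) -> bool:
    """reg.exe adding a value under ...\\CurrentVersion\\Run (T1547.001 via T1059.003)."""
    cl = ev["CommandLine"].lower()
    return (basename(ev["Image"]).lower() == "reg.exe"
            and " add " in cl and "\\currentversion\\run" in cl)


def ancestry(events: Dict[str, dict], guid: str) -> List[dict]:
    """Process, then parent, grandparent, ... while the parent is in the window."""
    chain, seen = [], set()
    while guid in events and guid not in seen:
        seen.add(guid)
        chain.append(events[guid])
        guid = events[guid].get("ParentProcessGuid")
    return chain


def suspicious_origin(ev: dict, suspect_hashes) -> bool:
    """Known-bad hash from triage, or an image running from a user-writable path."""
    img = ev["Image"].lower()
    return ev.get("Hashes") in suspect_hashes or any(m in img for m in USER_WRITABLE)


def detect_run_key_persistence(lines: Iterable[str], suspect_hashes=frozenset()) -> List[dict]:
    """Alert on Run-key writes, graded by what sits above reg.exe in the tree."""
    events = load_events(lines)
    alerts = []
    for ev in events.values():
        if not is_run_key_write(ev):
            continue
        chain = ancestry(events, ev["ProcessGuid"])
        parents = chain[1:]
        via_shell = any(basename(a["Image"]).lower() == "cmd.exe" for a in parents)
        origin = next((a for a in parents if suspicious_origin(a, suspect_hashes)), None)
        if origin is not None:
            severity = "high"
        elif via_shell:
            severity = "medium"  # shell-driven write from a trusted path: review, do not block
        else:
            continue             # installer-style write, no shell, no suspect origin
        alerts.append({"severity": severity,
                       "chain": [basename(a["Image"]) for a in chain],
                       "origin": origin["Image"] if origin else None,
                       "command": ev["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_run_key_persistence(SAMPLE_EVENTS, SUSPECT_HASHES):
        print(alert)
```

The rule only sees the cmd.exe and reg.exe path the relationship table describes. A Run-key write made directly through Windows API calls (T1106) produces no reg.exe process at all and needs registry-modification telemetry (for example Sysmon event 13) instead, which is why the mitigation bullets ask for monitoring of the Run-key locations themselves and not only of shell use.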
Analyst notes and limits
HeartCrypt is service-relevant because a packer-as-a-service can help multiple malware families alter their on-disk appearance. The strongest defensive value is validating whether controls detect obfuscation-resistant behaviors: unpacking, process injection, command execution, persistence, and system checks. Local baselining is important because legitimate packed software can resemble some file-level indicators.
MITRE provides no official detection text for this object, no aliases, and no explicit tactic on the malware object. The take is based only on the official description, the listed external reference, and the supplied ATT&CK relationships. It should not be read as evidence of active exploitation, attribution, or guaranteed detection coverage in any specific environment.
HeartCrypt
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1055.004 | Asynchronous Procedure Call | HeartCrypt has the ability to use `NtQueueApcThread` as an alternate method for process injection. [1] |
| Enterprise | T1036.008 | Masquerade File Type | HeartCrypt can append a BMP header to encoded malicious payloads to masquerade them as BMP files. [1] |
| Enterprise | T1055.012 | Process Hollowing | For .NET payloads, HeartCrypt can use process hollowing to inject into processes spawned by csc.exe or AppLaunch.exe. [1] |
| Enterprise | T1497.001 | System Checks | HeartCrypt will attempt to load non-existent DLLs in an attempt to detect a sandbox that creates a dummy DLL to prevent the program from crashing. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | HeartCrypt can decrypt payloads prior to execution. [1] [Check Point Blind Eagle MAR 2025] |
| Enterprise | T1027.002 | Software Packing | HeartCrypt can pack malicious Windows x86 and .NET payloads in order to evade detection. [1] [Check Point Blind Eagle MAR 2025] |
| Enterprise | T1027.013 | Encrypted/Encoded File | HeartCrypt strings are encrypted via a single-byte XOR operation rotating over a hard-coded key, possibly provided by the PaaS customers. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | HeartCrypt can set the `CurrentVersion\Run` key to establish persistence. [1] |
| Enterprise | T1059.003 | Windows Command Shell | HeartCrypt can use the `reg add` command via `cmd.exe` for Registry modification. [1] |
| Enterprise | T1106 | Native API | HeartCrypt can use Windows API functions to modify the Registry and `FindResourceW`, `LoadResource`, and `LockResource` to acquire a pointer to corresponding code resources. [1] |
| Enterprise | T1027.001 | Binary Padding | HeartCrypt can add several hundred thousand kilobytes of null padding to payloads before saving onto the file system. [1] |
Groups, software, and campaigns
G0099: APT-C-36
APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b7dc5c7c190e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Palo Alto HeartCrypt DEC 2024. Tujague, J., Bunce, D. (n.d.). Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation. Retrieved April 16, 2026.
[2] mitre-attack S9018.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.