S9019: PureCrypter
PureCrypter is a fully-featured malware loader, developed by a threat actor called “PureCoder,” that has been in use since at least 2021 to distribute a variety of remote access trojans and information stealers.[1]
Analyst context for executives and security teams
PureCrypter matters because ATT&CK describes it as a Windows malware loader used since at least 2021 to distribute remote access trojans and information stealers. For leaders, the key risk is not just the loader itself but the defensive gap it tests: whether the organization can spot an obfuscated loader that profiles the host, hides execution, establishes persistence, transfers follow-on tooling, and communicates through web services with encrypted traffic.
Executive priority
Treat this as a validation case for Windows endpoint resilience, SOC visibility, and incident response readiness around malware delivery chains. Priority questions: do teams collect enough endpoint, PowerShell, scheduled task, registry, process, file, and network telemetry to reconstruct loader activity; can analysts distinguish legitimate administrative behavior from persistence and discovery; and are controls tuned for obfuscation, masquerading, process injection, and encrypted or web-service-based command-and-control? Because ATT&CK provides no official detection text for this object, local evidence and testing should drive control confidence rather than assumptions of coverage.
Technical view
PureCrypter is mapped to Windows and to behaviors spanning obfuscation, discovery, execution, persistence, stealth, ingress tool transfer, and command-and-control. SOC and IR teams should validate visibility across the related techniques: encrypted or encoded files, junk code insertion, masqueraded resource names or file types, PowerShell execution, scheduled task creation, process injection, file deletion, system/user/process/security software/location discovery, registry run keys or startup folder persistence, hidden windows, execution guardrails, mutex use, debugger or VM discovery, web service C2, ingress tool transfer, and encrypted C2. Since the object has no official ATT&CK detection guidance, detection engineering should focus on behavior chains rather than any single indicator.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- PowerShell script block, module, and process execution logs where available
- Windows scheduled task creation, modification, and execution events
- Registry autorun and startup folder change telemetry
- File creation, deletion, rename, extension, signature, and path metadata
Detection direction
- Prioritize correlation across stages: obfuscated file arrival, PowerShell or process execution, host discovery, persistence creation, payload transfer, and outbound web-service or encrypted communications.
- Tune for masquerading by comparing file extension, icon, path, resource name, and file signature inconsistencies, especially around user-writable or commonly trusted locations.
- Review scheduled task and registry run key detections for noisy legitimate administration patterns; require context such as unusual parent process, newly dropped executable, encoded content, or external network follow-up.
- Validate that endpoint tooling can surface process injection-like behavior and hidden execution, not only suspicious command lines.
- Hunt for discovery clusters involving user, process, system, location, security software, debugger, or virtual machine checks occurring shortly after a suspicious file executes.
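As an added example (not code from the original page, ATT&CK, or Glexia), the following Python sketch implements the first bullet's stage correlation over constructed endpoint telemetry. The event field names, the ten-minute window, and the three-stage threshold are assumptions; the stage markers (a PE image written under a .jpg/.png/.log/.bat extension, `Set-MpPreference -ExclusionPath`, Run-key and scheduled-task persistence, `Win32_ComputerSystem` queries, and Discord or Telegram destinations) are taken from this page's technique table.

```python
"""Stage-chain correlation over constructed endpoint telemetry.

Added example (not Glexia or ATT&CK code). Event shape, stage names, time
window and threshold are assumptions; the stage markers come from the
technique table on this page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WEB_SERVICE_HOSTS = ("discord.com", "discordapp.com", "api.telegram.org")  # assumed T1102 destinations
FALSE_EXTENSIONS = (".jpg", ".png", ".log", ".bat")                        # T1036.008 on this page
WINDOW = timedelta(minutes=10)   # assumed correlation window
MIN_STAGES = 3                   # assumed number of distinct stages before alerting


def classify(ev):
    """Map one telemetry event to a loader stage name, or None if uninteresting."""
    kind = ev["type"]
    if kind == "file_create":
        # A PE image (MZ header) written under an image, log or batch extension.
        if ev["path"].lower().endswith(FALSE_EXTENSIONS) and ev.get("magic") == "MZ":
            return "arrival"
    elif kind == "process_create" and ev["image"].lower().endswith("powershell.exe"):
        cmdline = ev.get("cmdline", "")
        if re.search(r"Set-MpPreference\s+-ExclusionPath", cmdline, re.IGNORECASE):
            return "defense_evasion"
        return "execution"
    elif kind == "wmi_query" and "win32_computersystem" in ev["query"].lower():
        return "discovery"
    elif kind == "scheduled_task_create":
        return "persistence"
    elif kind == "registry_set" and "\\currentversion\\run" in ev["key"].lower():
        return "persistence"
    elif kind == "network_connect" and ev.get("dest", "").lower().endswith(WEB_SERVICE_HOSTS):
        return "web_service_c2"
    return None


def correlate(events, window=WINDOW, min_stages=MIN_STAGES):
    """Group classified events by (host, process-tree root) and raise one alert
    per tree when at least `min_stages` distinct stages fall inside `window`."""
    by_root = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            key = (ev["host"], ev["root_pid"])
            by_root[key].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = []
    for (host, root_pid), hits in by_root.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = {s for t, s in hits[i:] if t - start <= window}
            if len(in_window) >= min_stages:
                alerts.append({"host": host, "root_pid": root_pid,
                               "first_seen": start.isoformat(), "stages": sorted(in_window)})
                break  # one alert per process tree is enough
    return alerts


# Constructed sample telemetry: a benign admin task on WS-017 and a suspicious chain on WS-042.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ts": "2026-04-16T09:00:00", "host": "WS-017", "root_pid": 4100, "type": "process_create",
     "image": PS, "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"ts": "2026-04-16T09:00:02", "host": "WS-017", "root_pid": 4100, "type": "scheduled_task_create",
     "task": r"\Backup\Nightly"},
    {"ts": "2026-04-16T10:15:00", "host": "WS-042", "root_pid": 5520, "type": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\photo.jpg", "magic": "MZ"},
    {"ts": "2026-04-16T10:15:04", "host": "WS-042", "root_pid": 5520, "type": "wmi_query",
     "query": "SELECT Manufacturer, Model FROM Win32_ComputerSystem"},
    {"ts": "2026-04-16T10:15:05", "host": "WS-042", "root_pid": 5520, "type": "process_create",
     "image": PS, "cmdline": r"powershell.exe Set-MpPreference -ExclusionPath C:\Users\alice\AppData\Local\Temp"},
    {"ts": "2026-04-16T10:15:06", "host": "WS-042", "root_pid": 5520, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"ts": "2026-04-16T10:15:09", "host": "WS-042", "root_pid": 5520, "type": "network_connect",
     "dest": "discord.com", "port": 443},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The benign administrator on WS-017 only reaches two stages (execution and persistence), so it stays below the threshold, while the WS-042 tree accumulates five distinct stages within seconds and produces a single alert; tuning means adjusting the window, the threshold, and which stages count for your environment, not adding indicators.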
Mitigation priorities
- Start with telemetry assurance: confirm Windows endpoint, PowerShell, scheduled task, registry, file, and network logs are collected, retained, and usable during an investigation.
- Harden execution paths commonly abused by loaders, including script execution, autoruns, scheduled tasks, and user-writable locations, using organization-approved policy controls.
- Reduce follow-on risk by limiting unnecessary outbound web access, monitoring web-service use from unusual processes, and controlling external file transfer paths.
- Strengthen endpoint prevention and response coverage for obfuscation, process injection, persistence creation, and suspicious discovery behavior, then test with safe internal simulations mapped to the related ATT&CK techniques.
- Prepare IR playbooks for loader incidents that include scoping for remote access trojans and information stealers, credential exposure assessment, persistence review, and payload-transfer investigation.
Analyst notes and limits
ATT&CK identifies PureCrypter as a fully featured malware loader developed by “PureCoder” and used to distribute remote access trojans and information stealers. The practical analytic value comes from its mapped behaviors: stealth and obfuscation, host and security-tool discovery, persistence through scheduled tasks and registry/startup mechanisms, command-and-control using web services and cryptography, and ingress transfer of additional files.
The supplied ATT&CK object has no official detection field, no aliases, and no specified tactics on the malware object itself. Tactic context is inferred only from the listed technique relationships. The object platform is Windows; several related techniques have broader or different platform lists in ATT&CK, so local prioritization should remain Windows-focused unless separate evidence supports other platforms. No claim is made here about current activity, specific victim exposure, or guaranteed detection coverage.
PureCrypter
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1057 | Process Discovery | PureCrypter can enumerate processes on compromised hosts. (Citation: Check Point Blind Eagle MAR 2025) |
| Enterprise | T1082 | System Information Discovery | PureCrypter can enumerate a targeted system's SerialNumber and Version. (Citation: Zscaler PureCrypter JUN 2022) (Citation: Check Point Blind Eagle MAR 2025) |
| Enterprise | T1480.002 | Mutual Exclusion Sub-technique | PureCrypter code contains a global mutex. (Citation: Zscaler PureCrypter JUN 2022) |
| Enterprise | T1673 | Virtual Machine Discovery | PureCrypter can identify virtual machines by querying the WMI object `Win32_ComputerSystem` for manufacturer and model and checking the result against the regular expression `Microsoft|VMWare|Virtual`. (Citation: Zscaler PureCrypter JUN 2022) |
| Enterprise | T1102 | Web Service | PureCrypter can use Telegram or Discord to send infection status messages. (Citation: Zscaler PureCrypter JUN 2022) |
| Enterprise | T1685 | Disable or Modify Tools | PureCrypter has executed `Set-MpPreference -ExclusionPath` to exclude files or folders from Windows Defender scans. (Citation: Zscaler PureCrypter JUN 2022) |
| Enterprise | T1033 | System Owner/User Discovery | PureCrypter can retrieve the username from targeted machines. (Citation: Check Point Blind Eagle MAR 2025) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | PureCrypter has used multiple file names to appear legitimate, such as `firefox\firefox.exe`, `Google\chrome.exe`, and `Taskmgr.exe`. (Citation: Zscaler PureCrypter JUN 2022) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PureCrypter can decrypt downloaded resources and parse internal files to determine its settings. (Citation: Zscaler PureCrypter JUN 2022) (Citation: Check Point Blind Eagle MAR 2025) |
| Enterprise | T1614 | System Location Discovery | PureCrypter can use `kernel32!GetGeoInfo` to determine system location. (Citation: Zscaler PureCrypter JUN 2022) |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | PureCrypter can identify installed antivirus solutions. (Citation: Check Point Blind Eagle MAR 2025) |
| Enterprise | T1622 | Debugger Evasion | PureCrypter has the ability to call `CheckRemoteDebuggerPresent`. (Citation: Zscaler PureCrypter JUN 2022) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | PureCrypter can maintain persistence with scheduled tasks. (Citation: Check Point Blind Eagle MAR 2025) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | PureCrypter can send a TLS 1.2 encrypted infection message via Discord webhook. (Citation: Zscaler PureCrypter JUN 2022) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | PureCrypter can set multiple Registry Run keys to establish persistence. (Citation: Zscaler PureCrypter JUN 2022) |
| Enterprise | T1480 | Execution Guardrails | PureCrypter code contains an `ExclusionRegionNames` option that compares the result of `kernel32!GetGeoInfo` with a list of regions. (Citation: Zscaler PureCrypter JUN 2022) |
| Enterprise | T1105 | Ingress Tool Transfer | PureCrypter can download additional payloads for execution on the compromised host. (Citation: Zscaler PureCrypter JUN 2022) (Citation: Check Point Blind Eagle MAR 2025) |
| Enterprise | T1059.001 | PowerShell Sub-technique | PureCrypter can execute PowerShell commands to exclude files from EDR and to self-delete. (Citation: Zscaler PureCrypter JUN 2022) (Citation: Check Point Blind Eagle MAR 2025) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | PureCrypter can use AES to encrypt system information sent to the C2. (Citation: Check Point Blind Eagle MAR 2025) |
| Enterprise | T1036.008 | Masquerade File Type Sub-technique | PureCrypter has used a .NET downloader named `63342221.BAT` and has used `.jpg`, `.png`, and `.log` as false extensions for malicious files. (Citation: Zscaler PureCrypter JUN 2022) |
| Enterprise | T1055 | Process Injection | PureCrypter can inject its final stage into another process on the targeted system. (Citation: Zscaler PureCrypter JUN 2022) |
| Enterprise | T1564.003 | Hidden Window Sub-technique | PureCrypter can set `ProcessWindowStyle.Hidden` to hide windows on victim machines. (Citation: Check Point Blind Eagle MAR 2025) |
| Enterprise | T1070.004 | File Deletion Sub-technique | PureCrypter can execute a PowerShell command to self-delete. (Citation: Zscaler PureCrypter JUN 2022) |
| Enterprise | T1678 | Delay Execution | PureCrypter has the ability to delay for a specified number of seconds before execution. (Citation: Zscaler PureCrypter JUN 2022) |
| Enterprise | T1027.016 | Junk Code Insertion Sub-technique | PureCrypter can insert junk code to avoid detection. (Citation: Zscaler PureCrypter JUN 2022) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | PureCrypter has used SmartAssembly and .NET Reactor for string encryption and control flow obfuscation. (Citation: Zscaler PureCrypter JUN 2022) (Citation: Check Point Blind Eagle MAR 2025) |
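The two masquerading rows (T1036.005 and T1036.008) are the easiest to turn into a concrete file check. As an added example that is not part of the original page, ATT&CK, or Glexia, the Python below flags a PE image hiding behind an image, log, or batch extension and a well-known process name sitting outside its expected install directory. The process names and false extensions are the ones in the table; the expected-location baseline is an assumed placeholder that must be tuned to the estate being monitored.

```python
"""Masquerade checks for file names and extensions (added example, not page code).

The three process names and the .jpg/.png/.log/.bat extensions come from the
T1036.005 and T1036.008 rows on this page; the expected install directories are
an assumed baseline, not something the page states.
"""
import ntpath  # Windows path parsing that also works when run on Linux

NON_EXECUTABLE_EXTENSIONS = {".jpg", ".png", ".log", ".bat"}

# Assumed baseline (placeholder): directory prefixes, relative to the drive root,
# where each well-known name is expected to live. Adjust per environment.
EXPECTED_LOCATIONS = {
    "chrome.exe": ("program files\\google\\chrome\\application",
                   "program files (x86)\\google\\chrome\\application"),
    "firefox.exe": ("program files\\mozilla firefox",),
    "taskmgr.exe": ("windows\\system32",),
}


def is_pe(header):
    """True when the first bytes carry the MZ DOS stub that every PE file starts with."""
    return header[:2] == b"MZ"


def check_file(path, header):
    """Return a list of masquerade findings for one file; an empty list means consistent."""
    findings = []
    name = ntpath.basename(path).lower()
    ext = ntpath.splitext(name)[1]
    # T1036.008: executable content hidden behind a non-executable extension.
    if ext in NON_EXECUTABLE_EXTENSIONS and is_pe(header):
        findings.append(f"PE image under non-executable extension {ext}")
    # T1036.005: a trusted name placed outside the directory it belongs in.
    if name in EXPECTED_LOCATIONS:
        _, rel = ntpath.splitdrive(ntpath.dirname(path).lower())
        rel = rel.lstrip("\\")
        if not any(rel.startswith(prefix) for prefix in EXPECTED_LOCATIONS[name]):
            findings.append(f"{name} outside expected install location")
    return findings


def scan(inventory):
    """Run check_file over (path, header) pairs and keep only files with findings."""
    return {path: f for path, header in inventory if (f := check_file(path, header))}


# Constructed sample inventory: two clean entries and two masquerading ones.
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\Pictures\cat.jpg", b"\xff\xd8\xff\xe0"),                 # real JPEG header
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", b"MZ\x90\x00"),        # legitimate location
    (r"C:\Users\alice\AppData\Local\Temp\photo.jpg", b"MZ\x90\x00"),         # PE behind .jpg
    (r"C:\Users\alice\AppData\Roaming\firefox\firefox.exe", b"MZ\x90\x00"),  # trusted name, wrong place
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_INVENTORY).items():
        print(path, "->", "; ".join(findings))
```

In production the header bytes would come from the file-creation telemetry or a sampled read on the endpoint, and the location baseline from software inventory rather than a hard-coded dictionary; the point is that extension, magic bytes, and path are checked against each other rather than trusting any one of them.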
Groups, software, and campaigns
G0099: APT-C-36
APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 99d6c6644886… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Zscaler PureCrypter JUN 2022: Dumont, R. (2022, June 13). Technical Analysis of PureCrypter: A Fully-Functional Loader Distributing Remote Access Trojans and Information Stealers. Retrieved April 16, 2026. (Open source URL)
- [2] mitre-attack S9019. (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.