Executive Summary

This article analyzes a new packer-as-a-service (PaaS) called HeartCrypt, which is used to protect malware. It has been in development since July 2023 and began sales in February 2024. We have identified examples of malware samples created by this service based on strings found in several development samples the operators used to test their work.

The operator of this service has advertised it through underground forums and Telegram. Its operators charge $20 per file to pack, supporting both Windows x86 and .NET payloads.

The majority of HeartCrypt customers are malware operators using families such as LummaStealer, Remcos and Rhadamanthys. However, we’ve also observed payloads from a wide variety of other crimeware families.

HeartCrypt packs malicious code into otherwise legitimate binaries. We have discovered binaries packed with HeartCrypt from both external and internal telemetry.

We have successfully extracted malicious code for payloads from thousands of HeartCrypt samples. A majority of the unpacked payloads contain configuration data, which we have used to cluster samples and identify malicious campaigns targeting various industries and regions.

You are viewing a single thread.
View all comments
1 point

Noob question, I guess: can someone explain to me what the purpose is in having “x86 and .NET payloads” and why that might be significant?

permalink
report
reply

cybersecurity

!cybersecurity@infosec.pub

Create post

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

  • Be kind
  • Limit promotional activities
  • Non-cybersecurity posts should be redirected to other communities within infosec.pub.

Enjoy!

Community stats

  • 606

    Monthly active users

  • 304

    Posts

  • 260

    Comments