A new malware loader discovered in May 2025 executes two malware families: TorNet and PureHVNC. The loader uses API hashing with MurmurHash2 and implements persistence through registry modifications. It decrypts and decompresses payloads using AES-128-ECB and LZMA, then injects them into a suspended jsc.exe process. TorNet, a downloader malware, communicates via TOR network, while PureHVNC is a commercial RAT allowing remote access. Both malware use Protocol Buffers for configuration deserialization. The loader's unique characteristics include its dual payload execution and API hashing implementation, indicating potential future attack techniques.