{
  "name": "Ghost Crypt Powers PureRAT with Hypnosis",
  "slug": "ghost-crypt-powers-purerat-with-hypnosis",
  "description": "In May 2025, eSentire's Threat Response Unit (TRU) uncovered a targeted attack on a U.S. accounting firm. The attackers used a newly advertised crypter service, Ghost Crypt, to obfuscate a DLL and sideload it into a legitimate Windows component (csc.exe), deploying PureRAT, a Remote Access Trojan that surged in 2025.",
  "published": "2025-07-21T06:42:38+00:00",
  "created_at": "2025-07-21T06:42:38+00:00",
  "modified_at": "2025-07-21T09:28:11+00:00",
  "created_at_opencti": "2025-07-21T06:42:38+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-07-21",
    "ghostcrypt",
    "purerat",
    "remote access trojan"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "196.251.88.111"
      },
      {
        "id": "",
        "name": "176.65.144.123"
      },
      {
        "id": "",
        "name": "fax-greenry.myhome-server.de"
      },
      {
        "id": "",
        "name": "f3d98823fb6cdc226414bedc49b94e86060fcc511cc50867d63f7c989fe54aed"
      },
      {
        "id": "",
        "name": "e7162b70e4f52251bedebe645ec960ce0f5cb8d5cb88555bdf9233adc5829313"
      },
      {
        "id": "",
        "name": "e487f0c178515b6629c6d141c14bdef904b02ce9e8603c85faaede1171beea7f"
      },
      {
        "id": "",
        "name": "db5407b34ed7dd78a10c3ffb9090ce21da82a95b43668b04d1de30e3d8a51dde"
      },
      {
        "id": "",
        "name": "cc35d8ca3b34e4c5eed80ac1fb4e392fc4cb80577a3cf7604853e1fce139c6d0"
      },
      {
        "id": "",
        "name": "c059bf049f0a0b2e9d5c369ba2aa94c555cccf09b13224e49b5c7f0fb99690d8"
      },
      {
        "id": "",
        "name": "b182d74611ed2bb17f32f14cffc1d4123c087834340997871dc19d1334036000"
      },
      {
        "id": "",
        "name": "7e3d5c91a7bd65c40996ad75a736513ac0a7b73eef3e12de88c4e8d72dfbe0b0"
      },
      {
        "id": "",
        "name": "6f9a19fe9cdf3f9c2f1a7a4a866baf0fb02a28b196528b84eb52d1b9e6feaf91"
      },
      {
        "id": "",
        "name": "69a40bd2f667845ab95ad8438dae390f2e8b9680f4d30cb20e920c45cda565f9"
      },
      {
        "id": "",
        "name": "1ac0767e5a22839ae581ea31fcfcd693f1d35092a33576cb5269a2f7b415d964"
      },
      {
        "id": "",
        "name": "1784bbd15f47eb0a28bd2f22bb8a9a88b777c7a6fc964f446fa11579d90642ff"
      },
      {
        "id": "",
        "name": "0995a85378ba99e5fd094fbb133eb4e320c470dd0cd2220f6787ed1f9052e6f2"
      },
      {
        "id": "",
        "name": "352e51c42d5f5727a7c545752bf34d1f83f40219e7036c6959817149a51651bc"
      },
      {
        "id": "",
        "name": "f3abb0cc802f3d7b95fc8762b94bdcb13bf39634c40c357301c4aa1d67a256fb"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:5d5d6103e33e63df",
        "name": "PureRAT",
        "slug": "purerat"
      }
    ],
    "attack_patterns": [
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-4632"
      },
      {
        "id": "",
        "name": "CVE-2019-18935"
      }
    ]
  },
  "external_refs": [
    "https://www.esentire.com/blog/ghost-crypt-powers-purerat-with-hypnosis",
    "https://github.com/eSentire/iocs/blob/main/PureRAT/PureRAT_IOCs_27-06-2025.txt",
    "https://otx.alienvault.com/pulse/687dfd7eddde1e0568695492"
  ]
}