
PureCrypter targets government entities through Discord


Executive Summary

Menlo Labs has uncovered an unknown threat actor that’s leveraging an evasive threat campaign distributed via Discord that features the PureCrypter downloader and targets government entities. The PureCrypter campaign uses the domain of a compromised non-profit organization as a Command and Control (C2) to deliver a secondary payload. The campaign was found to have delivered several types of malware including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware. Our investigation started when Menlo’s Cloud Security Platform blocked password-protected archive files across multiple government customers in the Asia-Pacific (APAC) and North America regions.

Menlo Labs assesses that this threat actor will continue to use the compromised infrastructure for as long as it can before having to find a new home. Leaving credentials in malware is an OpSec failure, but it also leaves a trace for analysts to follow. Fortunately, in this case Menlo’s Cloud Security Platform blocked the attack, which allowed Menlo Labs to observe it and begin tracking this actor.

Infection Chain

diagram illustrating download to password protected zip to purecrypter

Threat Intelligence

Threat analysis showed that PureCrypter is downloading a secondary malware, believed to be AgentTesla.

PureCrypter is an advanced downloader that delivers Remote Access Trojans (RATs) and infostealers. It has been sold since March 2021 on “hxxps[://]”. AgentTesla is an advanced backdoor with capabilities including stealing stored passwords from different browsers, clipboard logging, keylogging and screen capturing. It is written in .NET and supports all versions of the Windows operating system.

In our investigation, we found that AgentTesla establishes a connection to an FTP server where it stores the credentials stolen from victims. The FTP server appears to have been taken over: leaked credentials for the domain were found online, suggesting that the threat actors used them to gain access to the server.

Screenshot: compromised FTP server showing collected victim information

It's also noteworthy that the download link for the secondary malware is from a compromised domain of a non-profit organization whose leaked credentials were also found online.

A similar sample to the AgentTesla malware we analyzed was discovered in a phishing email with the subject "FW: New Order no. 5959" from Alejandro Gonzalo (e052450f2@891f4e7e1668[.]com). The malicious attachment was named "Nuevo pedido 7887979-800898.gz" and contained FTP server credentials that were the same as those found in the first case.

Under that same email address, another malicious email titled "New Order" was also uncovered with an attached file called "Ppurchase order6007979-709797790.gz". This one also used the same FTP server – ftp[://]ftp.mgcpakistan[.]com – as part of its infection process!

The FTP server (ftp[://]ftp.mgcpakistan[.]com) was also seen in a campaign using OneNote to deliver malware. Attackers have been sending phishing emails with links to malicious OneNote files that can download additional malware or steal information from the victim's device. Altogether, the Labs team found 106 files using said FTP server.

Infection Vector/Technical Details

In this campaign, Discord was used to host the payload, and a link to the payload was sent via email. To evade existing defenses, PureCrypter is delivered inside password-protected ZIP files. Below is a screenshot that shows the poor detection of these password-protected payloads on VirusTotal (VT).

Screenshot showing 1 security vendor and no sandboxes flagged file as malicious

The following steps were taken by the attacker to deliver the payload:

  • An email containing a Discord app URL that points to a malicious password-protected ZIP file is sent to the victim (https://cdn[.], pwd - 1234, md5 - 967f9bc90202925e1f941c8ea1db2c94)
  • The ZIP extracts a loader written in .NET called PureCrypter (md5 - 5420DCBAE4F1FBA8AFE85CB03DCD9BFC). The loader tries to download a secondary payload from the compromised non-profit organization’s domain shown in the screenshot below. At the time of the investigation the organization’s website was down, so we could not retrieve the secondary payload.
screenshot of code
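As an added defensive check for the password-protected ZIP evasion described above (example code written for this article, not from the original post or from Menlo Labs): the ZIP format records an encryption flag in every local file header, so a gateway can flag encrypted archives from their bytes alone, without knowing the password. The archive is constructed inside the code; because Python's zipfile cannot write encrypted archives, the flag bit is patched in by hand.

```python
import io
import struct
import zipfile

# Local file header (PKZIP APPNOTE 4.3.7): signature, version, flags, method,
# time, date, crc32, compressed size, uncompressed size, name length, extra length.
LOCAL_HEADER_SIG = 0x04034B50
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes
FLAG_ENCRYPTED = 0x0001        # general-purpose bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: sizes follow the data, not in the header


def iter_local_headers(data):
    """Yield (offset, flags, name) for each local file header, walking the
    archive from byte 0 until the central directory signature is reached.
    Stops early at a data-descriptor entry, whose sizes cannot be read here."""
    pos = 0
    while pos + LOCAL_HEADER_LEN <= len(data):
        f = struct.unpack_from(LOCAL_HEADER_FMT, data, pos)
        if f[0] != LOCAL_HEADER_SIG:
            break
        flags, csize, fnlen, extralen = f[2], f[7], f[9], f[10]
        name_at = pos + LOCAL_HEADER_LEN
        yield pos, flags, bytes(data[name_at:name_at + fnlen]).decode("utf-8", "replace")
        if flags & FLAG_DATA_DESCRIPTOR:
            break
        pos = name_at + fnlen + extralen + csize


def encrypted_entries(data):
    """Names of entries whose encryption flag is set; no password needed."""
    return [name for _, flags, name in iter_local_headers(data) if flags & FLAG_ENCRYPTED]


def build_sample(entries, encrypt):
    """Constructed test archive: stored entries, with the encryption flag patched
    in for the names in `encrypt` (data stays plaintext; only the flag is set)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    raw = bytearray(buf.getvalue())
    for pos, _, name in list(iter_local_headers(raw)):
        if name in encrypt:
            raw[pos + 6] |= FLAG_ENCRYPTED  # flags field sits at header offset 6
    return bytes(raw)


# Constructed sample: a benign text file beside an "encrypted" executable
# named in the style of the campaign's order-themed attachments.
SAMPLE_ZIP = build_sample({"readme.txt": b"hello", "New Order.exe": b"MZ..."},
                          {"New Order.exe"})
```

Running `encrypted_entries(SAMPLE_ZIP)` returns `['New Order.exe']`; a gateway policy can then quarantine or sandbox such attachments regardless of what static scanners report.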

While we were not able to download the second-stage payload from the PureCrypter sample mentioned above (md5 - 5420DCBAE4F1FBA8AFE85CB03DCD9BFC), we were able to identify similar samples that were seen downloading malicious payloads from the compromised non-profit organization. Upon further investigation, we determined that this payload was AgentTesla, communicating with an FTP server located in Pakistan (as mentioned in the intel section above). The technical analysis below is for the new sample (md5 - C3B90A10922EEF6D635C6C786F29A5D0).

screenshot of code

This downloaded binary is packed to evade initial detection. It contains the AgentTesla payload, which is stored encrypted in the resource section using the DES algorithm, as shown in the screenshot below.

screenshot of code

The des.IV and des.Key used for the encrypted payload are shown in the screenshot below.

screenshot of des.IV and des.Key of encrypted payload

AgentTesla uses a process hollowing technique to inject its payload (md5 - BCF031AB2B43DC382B365BA3DF9F09BC) into cvtres.exe. This is a standard Windows process that exists across all versions of the Windows OS.

AgentTesla uses an XOR algorithm to encrypt its config file. The screenshot below shows the XOR-encoded config file.

screenshot of xor encoded config file

Menlo Labs was able to decrypt the config file. The decrypted file is shown below.

screenshot of decrypted config file

The decrypted file contains the CnC details of the FTP server to which AgentTesla uploads the victim data.
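An added analyst helper for the XOR-encoded config described above (written for this article, not Menlo Labs' own tooling). It assumes repeating-key XOR and that a known fragment of plaintext, here the leading "ftp://" of the C2 URL, sits at a known offset; XORing that crib against the ciphertext exposes the keystream, whose shortest period is the key. The '|'-separated server|username|password layout of the sample config is an assumption, as the report does not reproduce the real field layout.

```python
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, crib: bytes, offset: int = 0) -> Optional[bytes]:
    """Known-plaintext key recovery. XORing the ciphertext with a crib at the
    offset where that plaintext sits exposes len(crib) keystream bytes; the
    shortest period that repeats across them is the key. The crib must cover
    at least two key repetitions, otherwise None is returned."""
    window = ciphertext[offset:offset + len(crib)]
    stream = bytes(c ^ p for c, p in zip(window, crib))
    for period in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i + period] for i in range(len(stream) - period)):
            shift = offset % period             # stream[0] is key[offset % period]
            rotated = stream[:period]
            return rotated[-shift:] + rotated[:-shift] if shift else rotated
    return None


def decrypt_config(ciphertext: bytes, crib: bytes = b"ftp://", offset: int = 0) -> dict:
    """Recover the key, decrypt, and split the config into its fields.
    The '|'-separated server|username|password layout is an assumption for
    this example; the real AgentTesla field layout is not shown in the report."""
    key = recover_key(ciphertext, crib, offset)
    if key is None:
        raise ValueError("no repeating key visible in the crib window; use a longer crib")
    server, username, password = xor_bytes(ciphertext, key).decode("latin-1").split("|", 2)
    return {"key": key.hex(), "server": server, "username": username, "password": password}


# Constructed sample: the report's (defanged) FTP host and username, with the
# password redacted exactly as in the report, XORed with a made-up 3-byte key.
SAMPLE_KEY = b"\x8f\xc3\xe9"
SAMPLE_CONFIG = xor_bytes(
    b"ftp://ftp.mgcpakistan[.]com/|ddd@mgcpakistan[.]com|*password*", SAMPLE_KEY)
```

`decrypt_config(SAMPLE_CONFIG)` recovers key `8fc3e9` and the three fields; with a key longer than half the crib, `recover_key` returns None rather than guessing.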

Network Communication

AgentTesla uses FTP for data exfiltration. It relies on the .NET FtpWebRequest class, which requires an FTP server path and credentials in order to send the stolen data to the server, as shown in the screenshot below:

screenshot showing required ftp server path and credentials to send stolen data to server

This screenshot shows how the FtpWebRequest object is obtained:

screenshot of code showing how to get FTPWebRequest


screenshot of code for password

“*password*” - for security reasons we are not including the real password here.
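An added detection sketch for the FTP exfiltration described in this section (example code written for this article, not from the original post). It runs over constructed tab-separated FTP control-channel records whose columns mirror Zeek's ftp.log fields, flags uploads that match the report's indicators (the FTP host and username, undefanged here), and more generally any upload that leaves the configured internal ranges for an external FTP server.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass

# Indicators from the report (defanged there as ftp.mgcpakistan[.]com and ddd@mgcpakistan[.]com)
KNOWN_C2_HOSTS = {"ftp.mgcpakistan.com"}
KNOWN_C2_USERS = {"ddd@mgcpakistan.com"}
UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}  # FTP commands that write data to the server
# Assumed internal address space; adjust to the monitored network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    reason: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_ftp_exfil(log_text: str) -> list:
    """Scan tab-separated FTP records (constructed layout mirroring Zeek ftp.log
    columns) and return an Alert for each upload that hits a known indicator or
    leaves the internal network for an external FTP server."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text), delimiter="\t"):
        if row["command"].upper() not in UPLOAD_COMMANDS:
            continue  # downloads, logins, directory listings are not exfil
        if row["resp_host"] in KNOWN_C2_HOSTS or row["user"] in KNOWN_C2_USERS:
            reason = "upload to known AgentTesla FTP C2 host/user"
        elif is_internal(row["orig_h"]) and not is_internal(row["resp_h"]):
            reason = "FTP upload from internal host to external server"
        else:
            continue
        alerts.append(Alert(row["ts"], row["orig_h"], row["resp_h"], reason))
    return alerts


# Constructed sample records (not a real capture); external hosts use documentation ranges.
SAMPLE_LOG = """ts\torig_h\tresp_h\tresp_host\tuser\tcommand\targ
1\t10.0.0.12\t203.0.113.5\tftp.mgcpakistan.com\tddd@mgcpakistan.com\tSTOR\tstolen.html
2\t10.0.0.12\t203.0.113.5\tftp.mgcpakistan.com\tddd@mgcpakistan.com\tSTOR\tclipboard.txt
3\t10.0.0.40\t10.0.0.2\tfiles.corp.internal\tbackup\tSTOR\tnightly.tar
4\t10.0.0.55\t198.51.100.9\tmirror.example.net\tanonymous\tRETR\tREADME
5\t10.0.0.55\t198.51.100.9\tdrop.example.net\tuser1\tSTOU\treport.zip
"""
```

On the sample, rows 1 and 2 fire on the indicators, row 5 fires on the generic internal-to-external upload rule, and the internal backup and the download are ignored.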


The Labs team will continue to monitor for an evolution in this threat actor’s activity. This threat actor doesn’t appear to be a major player in the threat landscape, but the targeting of government entities is surely a reason to watch out for them.



Username: “ddd@mgcpakistan[.]com”






Imphash shared by 106 FTP files:

F34d5f2d4577ed6d9ceec516c1f5a744 (86 files)
61259b55b8912888e90f516ca08dc514 (10 files)

Registry key opened by 82 of the 106 FTP files:


Of the 106 samples, over half shared the following MITRE Techniques:

  • Execution TA0002
  • Windows Management Instrumentation T1047
  • Privilege Escalation TA0004
  • Process Injection T1055
  • Defense Evasion TA0005
  • Disable or Modify Tools T1562.001
  • Virtualization/Sandbox Evasion T1497
  • Process Injection T1055
  • Obfuscated Files or Information T1027
  • Software Packing T1027.002
  • Masquerading T1036
  • Credential Access TA0006
  • OS Credential Dumping T1003
  • Discovery TA0007
  • System Information Discovery T1082
  • Security Software Discovery T1518.001
  • Virtualization/Sandbox Evasion T1497
  • Application Window Discovery T1010
  • Process Discovery T1057
  • Collection TA0009
  • Data from Local System T1005
  • Command and Control TA0011
  • Non-Application Layer Protocol T1095
  • Application Layer Protocol T1071

Other similar files

