HeartCrypt: The MaaS Platform That Packs Malware Inside Legitimate Apps, Then Kills Your Antivirus
A new tool has emerged on the cybercriminal marketplace—one that has swiftly become a weapon of choice for dozens of groups. This is HeartCrypt, a malware-packing service that disguises malicious code as familiar, legitimate applications. According to Sophos researchers, attackers are leveraging this platform to distribute information stealers, remote access trojans (RATs), and even utilities designed to disable security defenses, all through the same blend of social engineering tactics and code-substitution techniques.
Researchers collected thousands of samples, uncovering nearly a thousand command-and-control servers, more than two hundred counterfeit vendors, and active campaigns across multiple continents. On the surface, the incidents resemble typical phishing operations—fake emails, password-protected archives, and files hosted on Google Drive or Dropbox—but beneath the façade of benign applications lies a sophisticated mechanism for injecting and executing malicious modules.
The technique is both simple and effective. Position-independent code is embedded into legitimate EXE and DLL files, executing directly from the .text section. Resources are padded with BMP headers, followed by encrypted payloads. Encryption relies on XOR with a static ASCII key, often identifiable by its repeating sequence in the resource’s trailing bytes.
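As an added example (not code from the Sophos report or this article), the Python triage helper below applies the two resource-level indicators just described: it checks for a BMP file header in front of the blob and recovers a repeating XOR key from the resource's trailing bytes, then decodes the payload. It assumes a standard 54-byte BMP header, a plaintext that ends in null padding (so the tail XORs to the key itself), and a printable ASCII key; the sample resource is constructed test data.

```python
import struct

BMP_HEADER_LEN = 54  # assumed: 14-byte BITMAPFILEHEADER + 40-byte BITMAPINFOHEADER


def has_bmp_header(blob: bytes) -> bool:
    """True if the resource starts with a BMP file header ('BM' magic, sane pixel offset)."""
    if len(blob) < BMP_HEADER_LEN or blob[:2] != b"BM":
        return False
    pixel_offset = struct.unpack_from("<I", blob, 10)[0]  # bfOffBits field
    return 14 <= pixel_offset <= len(blob)


def recover_xor_key(blob: bytes, data_start: int, tail_len: int = 32):
    """Recover a repeating XOR key from the trailing bytes of the resource.

    Null padding at the end of the plaintext XORs to the key itself, so the tail
    repeats with the key length as its period. The key phase is realigned to the
    start of the encrypted region. Returns None if no non-zero repeating pattern
    is found or the candidate key is not printable ASCII.
    """
    tail = blob[-tail_len:]
    for period in range(1, tail_len // 2 + 1):
        if all(tail[i] == tail[i + period] for i in range(tail_len - period)):
            break
    else:
        return None
    offset = (len(blob) - tail_len - data_start) % period  # key phase at tail[0]
    key = bytes(tail[(j - offset) % period] for j in range(period))
    if key == b"\x00" * period or not all(0x20 <= b < 0x7F for b in key):
        return None
    return key


def decrypt_resource(blob: bytes):
    """Return (key, plaintext) for a BMP-prefixed, XOR-encrypted resource, else None."""
    if not has_bmp_header(blob):
        return None
    key = recover_xor_key(blob, BMP_HEADER_LEN)
    if key is None:
        return None
    data = blob[BMP_HEADER_LEN:]
    return key, bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_resource(payload: bytes, key: bytes, pad: int = 32) -> bytes:
    """Constructed fixture mimicking the described layout; not a real HeartCrypt sample."""
    total = BMP_HEADER_LEN + len(payload) + pad
    header = b"BM" + struct.pack("<IHHI", total, 0, 0, BMP_HEADER_LEN) + b"\x00" * 40
    plaintext = payload + b"\x00" * pad
    return header + bytes(b ^ key[i % len(key)] for i, b in enumerate(plaintext))
```

Running `decrypt_resource` over a real resource section would return the recovered key and the decoded blob for further inspection, or None when neither indicator is present.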
The initial code unpacks a second stage designed to evade analysis: it is obfuscated with excessive jumps and junk bytes, and it probes its environment through fake imports and emulator-specific functions. If the environment checks pass, it reconstructs and executes the payload using standard APIs such as CreateProcessW, VirtualAlloc, GetThreadContext, NtCreateThreadEx, and CreateRemoteThread. To ensure persistence, the file copies itself into a “quiet” directory, pads itself with null bytes to several hundred megabytes, and registers for autostart.
Campaigns showcase familiar social engineering strategies. In Italy, copyright-infringement notices redirected victims through the t.ly shortener to Dropbox, where archives contained a PDF reader alongside a tampered DLL—ultimately deploying a variant of Lumma Stealer linked to C2 domains ending in .sbs and .cyou. In Colombia, password-protected ZIP files stored on Google Drive used the code 7771 for extraction, delivering AsyncRAT; in other cases, a “PDF” proved to be an LNK launcher that executed PowerShell to install Rhadamanthys. Filenames were deliberately localized—ranging from Spanish-language notices to French and Korean variants—to increase the likelihood of a successful lure.
Particularly alarming is the inclusion of AVKiller, a tool designed to disable security solutions. In one campaign, HeartCrypt packed AVKiller protected by VMProtect and armed with a driver bearing a compromised signature. In another, signs of cooperation between disparate groups were evident—further escalating risks to victim environments. The breadth and diversity of observed payloads underscore that while HeartCrypt is not alone in the ecosystem, its accessibility and ease of configuration make it a reliable enabler for attackers.
The conclusions are stark: HeartCrypt disguises malware as legitimate programs, employs simple yet effective encryption, exploits trust in cloud storage and link shorteners, and delivers payloads that range from common information stealers to protection-disabling utilities—substantially raising the likelihood of subsequent ransomware attacks. Defense, therefore, hinges on monitoring indicators of compromise in resource sections, flagging unusual APK/PE resource patterns, and blocking suspicious redirects to cloud-hosted links.