Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

PureCrypter Deploys Agent Tesla and New TorNet Backdoor in Ongoing Cyberattacks

The Hacker News by The Hacker News
January 28, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Jan 28, 2025Ravie LakshmananPhishing Attack / Network Security

A financially motivated threat actor has been linked to an ongoing phishing email campaign that has been ongoing since at least July 2024 specifically targeting users in Poland and Germany.

The attacks have led to the deployment of various payloads, such as Agent Tesla, Snake Keylogger, and a previously undocumented backdoor dubbed TorNet that’s delivered by means of PureCrypter. TorNet is so named owing to the fact that it allows the threat actor to communicate with the victim machine over the TOR anonymity network.

“The actor is running a Windows scheduled task on victim machines—including on endpoints with a low battery—to achieve persistence,” Cisco Talos researcher Chetan Raghuprasad said in an analysis published today.

Cybersecurity

“The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions.”

The starting point of the attacks is a phishing email bearing fake money transfer confirmations or order receipts, with the threat actor masquerading as financial institutions and manufacturing and logistics companies. Attached to these messages are files with the extension “.tgz” in a likely attempt to evade detection.

Opening the compressed email attachment and extracting the archive contents leads to the execution of a .NET loader that, in turn, downloads and runs PureCrypter directly in memory.

The PureCrypter malware then proceeds to launch the TorNet backdoor, but not before performing a series of anti-debugger, anti-analysis, anti-VM, and anti-malware checks on the victim machine to fly under the radar.

“The TorNet backdoor establishes connection to the C2 server and also connects the victim machine to the TOR network,” Raghuprasad noted. “It has the capabilities to receive and run arbitrary .NET assemblies in the victim machine’s memory, downloaded from the C2 server, increasing the attack surface for further intrusions.”

Cybersecurity

The disclosure comes days after the threat intelligence firm said it observed a surge in email threats leveraging hidden text salting in the second half of 2024 with an intent to sidestep brand name extraction by email parsers and detection engines.

“Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords,” security researcher Omid Mirzaei said. “The idea is to include some characters into the HTML source of an email that are not visually recognizable.”

To counter such attacks, it’s recommended to develop advanced filtering techniques that can detect hidden text salting and content concealment, including detecting use of CSS properties like “visibility” and “display,” and adopt visual similarity detection approach (e.g., Pisco) to enhance detection capabilities.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Cisco Taps Former Splunk Leader Raj Juneja As Canadian President

Cisco Taps Former Splunk Leader Raj Juneja As Canadian President

Recommended.

Labour puts Humphrey AI to work for council admin | Computer Weekly

Labour puts Humphrey AI to work for council admin | Computer Weekly

May 23, 2025
Lemhi Launches Platform to Help MSPs Turn AI Into Recurring Revenue

Lemhi Launches Platform to Help MSPs Turn AI Into Recurring Revenue

June 2, 2026

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio