HeartCrypt's Wholesale Impersonation Effort
Sophos, Friday, September 26th, 2025
How the notorious Packer-as-a-Service operation built itself into a hydra
Over the past year and a bit more, we've monitored a constellation of events that share a set of general attributes:
- Malware impersonating, subverting, and embedding itself in legitimate software applications
- Position-independent loader code (PIC) injected near package entry points, overwriting the original code
- Encrypted malicious payloads inserted as an additional resource
- Use of a simple encryption algorithm (XOR), with a static key using ASCII characters
- Payloads belonging to common RATs (remote-access Trojans) or credential/info stealer families
- Password-protected archives hosted in Google Drive (on a compromised account) and linked from email
We ultimately concluded that these cases were all connected to what has come to be known as the HeartCrypt packer-as-a-service (PaaS) operation. After publishing multiple articles on specific investigations, in this post we take a deeper dive into our cumulative findings, and see glimpses of the malware as a young pest.