Back Issues This Week → Calendar → Current Issue → Popular →

All issuesVolume 330, Issue 4IT Vendor NewsSophos

HeartCrypt's Wholesale Impersonation Effort

Sophos, Friday, September 26th, 2025

How the notorious Packer-as-a-Service operation built itself into a hydra

Over the past year and a bit more, we've monitored a constellation of events that share a set of general attributes:

  • Malware impersonating, subverting, and embedding itself in legitimate software applications
  • Position-independent loader code (PIC) injected near package entry points, overwriting the original code
  • Encrypted malicious payloads inserted as an additional resource
  • Use of a simple encryption algorithm (XOR), with a static key using ASCII characters
  • Payloads belonging to common RATs (remote-access Trojans) or credential/info stealer families
  • Password-protected archives hosted in Google Drive (on a compromised account) and linked from email

We ultimately concluded that these cases were all connected to what has come to be known as the HeartCrypt packer-as-a-service (PaaS) operation. After publishing multiple articles on specific investigations, in this post we take a deeper dive into our cumulative findings, and see glimpses of the malware as a young pest.

more →  ·  More from Sophos →