Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation

SUMMARY :

This analysis examines HeartCrypt, a new packer-as-a-service (PaaS) used to protect malware. Developed since July 2023 and launched in February 2024, HeartCrypt charges $20 per file to pack Windows x86 and .NET payloads. It is primarily used by malware operators of families like LummaStealer, Remcos, and Rhadamanthys. HeartCrypt injects malicious code into legitimate binaries and employs various obfuscation techniques to hinder analysis. The packer executes in multiple stages, using encoded resources and anti-sandbox measures. Over 2,000 malicious payloads across 45 malware families have utilized HeartCrypt, highlighting the increasing commoditization of malware development and the need for proactive threat hunting.

OPENCTI LABELS :

process hollowing,xworm,remcos,rhadamanthys,redline stealer,quasar rat,vidar stealer,lummastealer,anti-sandbox,heartcrypt,packer-as-a-service


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation