
New Loader Executing TorNet and PureHVNC

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

A new malware loader discovered in May 2025 delivers two malware families: TorNet and PureHVNC. The loader resolves Windows APIs by hash, using MurmurHash2 over export names, and establishes persistence through registry modifications. It decrypts its embedded payloads with AES-128-ECB, decompresses them with LZMA, and injects them into a suspended jsc.exe process (the JScript.NET compiler shipped with the .NET Framework). TorNet is a downloader that communicates over the Tor network; PureHVNC is a commercially sold hidden-VNC RAT that gives the operator remote access to the host. Both payloads deserialize their configuration with Protocol Buffers. The loader's distinguishing traits are the dual-payload delivery and the MurmurHash2-based API hashing, a combination worth tracking as a likely pattern in future campaigns.

OPENCTI LABELS :

tornet,purehvnc,loader,code injection,murmurhash2


AI COMMENTARY :

1. The loader uncovered in May 2025 packages two potent malware families into a single executable. It hides its imports behind an API hashing routine built on MurmurHash2, so the names of the Windows functions it calls never appear in the binary, and it establishes persistence through registry modifications. Researchers observed it spawn jsc.exe in a suspended state, write the decrypted payloads into that process, and resume it, a degree of care that suggests the tooling will keep being refined.

2. At the core of the loader is a two-step unpacking workflow: the embedded blob is decrypted with AES-128-ECB and then decompressed with LZMA. ECB mode uses no IV, so identical plaintext blocks encrypt to identical ciphertext blocks; it is simple for the loader author to implement but offers no protection beyond the secrecy of the key carried in the binary. The unpacked payloads, not the loader itself, deserialize their configuration with Protocol Buffers, which lets the operator change C2 parameters without recompiling. Resolving APIs through MurmurHash2 keeps import names out of the file's strings and import table, which defeats naive static analysis and string-based signatures.
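The analysis task that the API hashing creates is the reverse one: an analyst has a 32-bit constant from the sample and needs the export name it stands for. The block below is an added example written for this page, not code from the report or from the loader. It implements the reference 32-bit MurmurHash2, builds a hash-to-name table over a constructed list of candidate exports, and brute-forces the seed from a hash/name pair recovered in a debugger. The seed, the candidate names, and the ways a name might be encoded before hashing are assumptions; the report does not publish them.

```python
"""Added example (not code from the report or the loader): resolve
MurmurHash2-style API hashes back to export names, and recover an unknown
seed from a known hash/name pair. Seed, candidate names and name encodings
below are assumptions, not values taken from the sample."""
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

MASK32 = 0xFFFFFFFF


def murmurhash2(data: bytes, seed: int = 0) -> int:
    """32-bit MurmurHash2 (Austin Appleby's reference algorithm),
    processing little-endian 4-byte blocks, then the tail bytes."""
    m, r = 0x5BD1E995, 24
    n = len(data)
    h = (seed ^ n) & MASK32
    i = 0
    while n >= 4:
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * m) & MASK32
        k ^= k >> r
        k = (k * m) & MASK32
        h = (h * m) & MASK32
        h ^= k
        i, n = i + 4, n - 4
    # Tail handling mirrors the switch fall-through of the C reference.
    if n >= 3:
        h ^= data[i + 2] << 16
    if n >= 2:
        h ^= data[i + 1] << 8
    if n >= 1:
        h ^= data[i]
        h = (h * m) & MASK32
    h ^= h >> 13
    h = (h * m) & MASK32
    h ^= h >> 15
    return h


# Constructed candidate list. In practice this is generated from the export
# directories of kernel32.dll, ntdll.dll, advapi32.dll, etc. on the analysis box.
CANDIDATE_APIS: List[str] = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateProcessA", "WriteProcessMemory", "ResumeThread", "SetThreadContext",
    "NtUnmapViewOfSection", "RegSetValueExA",
]


def encodings(name: str) -> Iterable[Tuple[str, bytes]]:
    """Ways a loader commonly feeds an export name into its hash.
    Which one this loader uses is an assumption to be confirmed in a debugger."""
    raw = name.encode("ascii")
    yield "ascii", raw
    yield "ascii+nul", raw + b"\x00"
    yield "upper", name.upper().encode("ascii")


def build_table(names: Iterable[str], seed: int) -> Dict[int, Tuple[str, str]]:
    """Map hash -> (export name, encoding label) for every candidate."""
    table: Dict[int, Tuple[str, str]] = {}
    for name in names:
        for label, raw in encodings(name):
            table.setdefault(murmurhash2(raw, seed), (name, label))
    return table


def resolve(hashes: Iterable[int], names: Iterable[str], seed: int) -> Dict[int, Optional[Tuple[str, str]]]:
    """Resolve observed hashes; None means no candidate matched (extend the list)."""
    table = build_table(names, seed)
    return {h: table.get(h) for h in hashes}


def recover_seed(known: Sequence[Tuple[int, str]], seed_range: Iterable[int]) -> Optional[int]:
    """Brute-force the seed given hash/name pairs recovered from a debugging session.
    Two or more pairs make an accidental collision effectively impossible."""
    for seed in seed_range:
        if all(any(murmurhash2(raw, seed) == h for _, raw in encodings(name))
               for h, name in known):
            return seed
    return None


if __name__ == "__main__":
    ASSUMED_SEED = 0x2A  # assumption for the demo; a real sample's seed is recovered, not guessed
    observed = [murmurhash2(b"VirtualAlloc\x00", ASSUMED_SEED),
                murmurhash2(b"ResumeThread\x00", ASSUMED_SEED), 0xDEADBEEF]
    for h, hit in resolve(observed, CANDIDATE_APIS, ASSUMED_SEED).items():
        print(f"0x{h:08x} -> {hit}")
    pairs = [(murmurhash2(b"LoadLibraryA", ASSUMED_SEED), "LoadLibraryA"),
             (murmurhash2(b"CreateProcessA", ASSUMED_SEED), "CreateProcessA")]
    print("recovered seed:", recover_seed(pairs, range(0, 0x10000)))
```

The multiplier 0x5BD1E995 and the shifts 24/13/15 are fixed by the algorithm, which is why they make a usable static signature: a loader cannot change them without changing every hash it embeds.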

3. Once running, the loader delivers two distinct payloads: TorNet and PureHVNC. TorNet is a downloader that fetches additional components over the Tor network, so the true C2 address is hidden behind Tor relays and the traffic is encrypted end to end, which makes it hard to block by destination. PureHVNC is a commercially sold hidden-VNC RAT: it gives the operator an interactive session on the compromised machine in a hidden desktop, and such access is routinely used for data theft, credential harvesting, and as a foothold for further movement in enterprise environments.

4. The dual-payload design reflects a broader consolidation of threat actor tooling. Pairing a downloader with a full-featured RAT lets operators move from initial foothold to hands-on-keyboard access without a separate delivery step. Injecting into jsc.exe, a signed Microsoft binary from the .NET Framework directory, means the malicious code runs under an image path and signature that allowlisting and reputation controls trust; the parent process, the suspended start and the memory writes are what give it away, not the file on disk. Security teams should expect this pattern to evolve into multi-stage, multi-payload frameworks built to slip past file-centric defenses.

5. Defenders should focus on the behaviours this loader cannot avoid: a registry write that establishes persistence (the report does not name the key, so monitor the usual autostart locations), jsc.exe being spawned by a process that has no reason to run a JScript.NET compiler, a cross-process open of jsc.exe with write access followed by a thread resume, and outbound connections from jsc.exe to Tor relays. On the static side, the MurmurHash2 multiplier 0x5bd1e995 together with the 24/13/15 shift sequence is a reliable signature hook for the API hashing routine. Memory scanning of the resumed jsc.exe process after the AES-ECB decrypt and LZMA unpack is where the TorNet and PureHVNC payloads can be captured in the clear.
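The correlation described above, as an added example written for this page (it is not the report's or any vendor's detection content): the block parses constructed, simplified Sysmon-style records and scores each jsc.exe instance on the behaviours the report describes, so that one benign jsc.exe launched by a build tool does not fire while the loader's does. The Run-key location, the allowlist of expected jsc.exe parents, the Tor port heuristic and the alert threshold are assumptions; a production rule would check destinations against the Tor relay consensus rather than a port number.

```python
"""Added example (not from the report): correlate host telemetry for the
loader's observable behaviours: Run-key persistence, jsc.exe spawned by an
unexpected parent, a cross-process open of jsc.exe with write access, and
jsc.exe talking to a Tor relay port. Sample events, registry path, parent
allowlist, Tor ports and threshold are all constructed assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample telemetry (key=value per line, Sysmon-like event names).
SAMPLE_EVENTS = r"""
ts=2025-05-12T09:00:01 host=WS01 event=ProcessCreate image=C:\Users\alice\Downloads\invoice.exe pid=4100 ppid=3002 parent=C:\Windows\explorer.exe
ts=2025-05-12T09:00:02 host=WS01 event=RegistryValueSet image=C:\Users\alice\Downloads\invoice.exe pid=4100 target=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater
ts=2025-05-12T09:00:02 host=WS01 event=ProcessCreate image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe pid=4188 ppid=4100 parent=C:\Users\alice\Downloads\invoice.exe
ts=2025-05-12T09:00:03 host=WS01 event=ProcessAccess source_pid=4100 target_pid=4188 target_image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe granted=0x1fffff
ts=2025-05-12T09:00:09 host=WS01 event=NetworkConnect pid=4188 image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe dst=203.0.113.10 dport=9001
ts=2025-05-12T09:05:00 host=WS02 event=ProcessCreate image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe pid=2210 ppid=2200 parent=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
JSC_SUFFIX = "\\jsc.exe"
# Assumption: parents that legitimately launch the JScript.NET compiler.
EXPECTED_JSC_PARENTS = ("\\msbuild.exe", "\\devenv.exe", "\\csc.exe")
RUN_KEY_MARKER = "\\currentversion\\run\\"   # assumption: Run-key persistence
TOR_OR_PORTS = {9001, 9030}                  # assumption: default Tor OR/dir ports
PROCESS_VM_WRITE = 0x0020                    # access-mask bit needed to write payload bytes

Key = Tuple[str, str]  # (host, pid)


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse key=value records; values contain no spaces in this constructed feed."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def analyze(events: List[Dict[str, str]]) -> Dict[Key, List[str]]:
    """Return, per jsc.exe instance, the list of suspicious behaviours observed."""
    findings: Dict[Key, List[str]] = defaultdict(list)
    run_key_setters = {(e["host"], e["pid"]) for e in events
                       if e["event"] == "RegistryValueSet"
                       and RUN_KEY_MARKER in e["target"].lower()}
    jsc_instances: Dict[Key, str] = {}
    for e in events:
        if e["event"] == "ProcessCreate" and e["image"].lower().endswith(JSC_SUFFIX):
            key = (e["host"], e["pid"])
            jsc_instances[key] = e["ppid"]
            if not e["parent"].lower().endswith(EXPECTED_JSC_PARENTS):
                findings[key].append(f"jsc.exe spawned by unexpected parent {e['parent']}")
            if (e["host"], e["ppid"]) in run_key_setters:
                findings[key].append("parent process also wrote a Run key (persistence)")
    for e in events:
        if e["event"] == "ProcessAccess":
            key = (e["host"], e["target_pid"])
            if key in jsc_instances and int(e["granted"], 16) & PROCESS_VM_WRITE:
                findings[key].append(f"pid {e['source_pid']} opened jsc.exe with write access (injection)")
        elif e["event"] == "NetworkConnect":
            key = (e["host"], e["pid"])
            if key in jsc_instances and int(e["dport"]) in TOR_OR_PORTS:
                findings[key].append(f"jsc.exe connected to {e['dst']}:{e['dport']} (Tor OR port)")
    return dict(findings)


def alerts(events: List[Dict[str, str]], threshold: int = 3) -> Dict[Key, List[str]]:
    """Only instances with several independent indicators become alerts (threshold is an assumption)."""
    return {k: v for k, v in analyze(events).items() if len(v) >= threshold}


if __name__ == "__main__":
    for key, reasons in alerts(parse_events(SAMPLE_EVENTS)).items():
        print(key, *reasons, sep="\n  ")
```

Each indicator on its own is noisy (developers run jsc.exe, many processes write Run keys), which is why the score counts independent behaviours tied to the same jsc.exe instance rather than alerting on any one of them.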

