[[{“value”:”
Cybersecurity researchers have uncovered a sophisticated malware crypter known as Pure Crypter that has evolved to specifically target and bypass the enhanced security measures introduced in Windows 11 24H2.
This advanced malware packaging tool represents a significant escalation in the ongoing cat-and-mouse game between threat actors and operating system security enhancements, demonstrating how quickly malicious actors adapt to new defensive mechanisms.
Pure Crypter functions as a comprehensive malware delivery platform that combines multiple evasion techniques to ensure successful payload execution while evading detection by modern security solutions.
.webp)
The crypter employs an arsenal of anti-analysis and anti-detection methods, including Anti-Malware Scan Interface (AMSI) bypassing, dynamic link library (DLL) unhooking, execution delays, and sophisticated persistence mechanisms that allow malware to maintain a foothold on infected systems.
eSentire analysts identified this malware during their threat hunting operations and noted that Pure Crypter has undergone significant updates specifically designed to counter the security improvements implemented in Windows 11 build 26100, also known as 24H2.
The researchers observed that the malware authors added new functionality in January 2025 to address changes in the operating system that previously prevented certain injection techniques from functioning effectively.
The impact of Pure Crypter extends beyond traditional malware delivery, as it enables threat actors to deploy various types of malicious payloads including ransomware, information stealers, and remote access trojans while maintaining stealth and persistence.
.webp)
The crypter’s modular design allows cybercriminals to customize their attacks based on specific targets and operational requirements, making it a versatile tool in the modern threat landscape.
Advanced Process Injection Techniques for Windows 11 24H2
One of Pure Crypter’s most notable innovations lies in its adaptation to overcome the security enhancements introduced in Windows 11 24H2, particularly regarding process hollowing techniques.
.webp)
The malware developers recognized that traditional process injection methods were being blocked by the newer operating system builds and implemented a sophisticated workaround that specifically targets the NtManageHotPatch API.
.webp)
The crypter first performs a system check to determine if the target machine is running Windows 11 build 26100 or newer by querying the registry key “SOFTWAREMicrosoftWindows NTCurrentVersion” and comparing the CurrentBuild value.
If the system is identified as 24H2 or later, Pure Crypter initiates a memory patching routine that modifies the NtManageHotPatch function to bypass the new security restrictions.
The patching process involves writing specific byte sequences to memory that effectively neutralize the API’s protective mechanisms. For 64-bit systems, the malware writes the bytes “184, 187, 0, 0, 192, 195” while 32-bit systems receive “184, 187, 0, 0, 192, 194, 16, 0”.
This technique requires careful memory management, including changing memory permissions using VirtualProtectEx, writing the patch bytes with WriteProcessMemory, and flushing the instruction cache to ensure the modifications take effect.
The implementation demonstrates a deep understanding of Windows internals and represents a significant evolution in malware evasion techniques.
By successfully patching NtManageHotPatch, Pure Crypter enables its RunPE (process hollowing) functionality to work on the latest Windows 11 builds, allowing threat actors to inject malicious code into legitimate processes and evade detection by security solutions that rely on behavioral analysis of process creation and memory allocation patterns.
Celebrate 9 years of ANY.RUN! Unlock the full power of TI Lookup plan (100/300/600/1,000+ search requests), and your request quota will double.
The post Pure Crypter Employs Multiple Evasion Techniques To Bypass Windows 11 24H2 Security Features appeared first on Cyber Security News.
“}]]
Read More Cyber Security News