Zoho WorkDrive Abused to Unleash PureRAT Malware


In May 2025, a targeted cyberattack against a U.S.-based Certified Public Accounting (CPA) firm revealed an evolving malware distribution method using Zoho WorkDrive.

The attackers leveraged a new crypter, Ghost Crypt, to obfuscate and deploy PureRAT, a powerful Remote Access Trojan, through a social engineering-driven campaign. The infection chain involved sideloading, stealthy DLL injection, and encrypted communications via a fake X.509 certificate. Ghost Crypt’s obfuscation capabilities made the payload highly evasive, bypassing most defenses.

Severity Level: High

Threat Summary

  1. Malware Used: PureRAT
  2. Crypter: Ghost Crypt (offered on underground forums since April 2025)
  3. Infection Mechanism: Social engineering email → Zoho WorkDrive payload → .zip file with decoy and disguised .exe → DLL sideloading → PureRAT injection
  4. Affected Regions: United States
  5. Affected Sectors: Financial services
  6. Targeted Product: Zoho WorkDrive

Attack Flow

1. Initial Access

  • Vector: Social engineering email posing as a new client.
  • Payload Delivery: Link to a Zoho WorkDrive-hosted ZIP archive.

2. Payload Execution

  • Contents: ZIP contains fake documents and a double-extension executable (document.pdf.exe).
  • Execution: Launches legitimate hpreader.exe, which sideloads a malicious DLL (CriticalUpdater0549303.dll).

3. Payload Decryption (Ghost Crypt)

  • Crypter: Ghost Crypt decrypts PureRAT in memory using custom ChaCha20 encryption.
  • Evasion: Designed to bypass AV and EDR.

4. Code Injection (Process Hypnosis)

  • Technique: Injects PureRAT into a legitimate system process (csc.exe).
  • API Functions Involved: CreateProcessW, VirtualAllocEx, WriteProcessMemory, and SetThreadContext.

5. Persistence

  • Registry Key: Created in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  • DLL Drop: Malicious DLL placed in the user’s Documents folder.

6. Command & Control + Exfiltration

  • Encryption: C2 traffic secured with a forged X.509 certificate and RSA-4096.
  • Data Targeted:
    • Browser credentials (Chrome, Edge, Brave)
    • Crypto wallets (Ledger Live, Exodus, Atomic Wallet)
    • Desktop messengers (e.g., Telegram)

Recommendations

  1. Enable the display of file extensions in Windows settings. This helps users spot double extension tricks (like pdf.exe), making it harder for attackers to disguise malicious files.
  2. Implement a Phishing and Security Awareness Training (PSAT) program that educates and informs your employees on the risks associated with downloading software from unofficial sources.
  3. Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) solution to detect and contain threats.
  4. Although no CVEs were exploited, maintain regular patch cycles for all third-party apps and OS components to reduce attacker movement options.
  5. Disable macros and executable launches from archives received via email.
  6. Apply least-privilege access to file execution rights.
  7. Block the IOCs at their respective controls.
    https://www.virustotal.com/gui/collection/c74fa8a30625779f64102e8cd8394c067a7945ad4244fc6e661a703969e9581a/iocs
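Recommendations 1 and 5 both come down to catching a disguised executable before a user opens the archive. The following added example (not code from the advisory or from the cited sources) inspects a ZIP listing for the delivery trick described above: a decoy extension followed by an executable one (document.pdf.exe), plus a member whose content starts with the PE "MZ" magic despite a document extension. The sample archive, its member names and the extension sets are constructed for the example.

```python
"""Flag disguised executables inside a ZIP archive, mirroring the delivery
trick in the advisory (document.pdf.exe beside decoy documents).
Added example; extension lists and sample archive are constructed."""
import io
import zipfile

DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "dll"}


def suspicious_members(zip_bytes: bytes) -> list:
    """Return (member name, reason) pairs for risky archive members.

    Check 1: decoy-looking extension followed by an executable extension.
    Check 2: document extension but the file begins with the PE "MZ" bytes.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.rsplit("/", 1)[-1].lower().split(".")
            if len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DOC_EXTS:
                findings.append((info.filename, "double extension"))
                continue
            if len(parts) >= 2 and parts[-1] in DOC_EXTS:
                # Read only the first two bytes; a PE image always starts with "MZ".
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        findings.append((info.filename, "PE header under document extension"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: two decoys, one double-extension PE, one renamed PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 decoy")
        zf.writestr("document.pdf.exe", b"MZ\x90\x00 fake PE")
        zf.writestr("notes.docx", b"MZ\x90\x00 renamed PE")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_archive()):
        print(f"{name}: {reason}")
```

The same checks can be run at the mail gateway or on a download quarantine folder before the archive reaches a user's desktop.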

Source:

  • https://gbhackers.com/cybercriminals-use-zoho-workdrive-folders/
  • https://www.esentire.com/blog/ghost-crypt-powers-purerat-with-hypnosis


Ampcus Cyber