
New Loader Executing TorNet and PureHVNC

Severity
Medium
Published: Fri Oct 31 2025 (10/31/2025, 09:31:55 UTC)
Source: AlienVault OTX General

Description

A newly discovered malware loader from May 2025 executes two distinct malware families: TorNet, a downloader communicating over the TOR network, and PureHVNC, a commercial remote access Trojan (RAT). The loader uses MurmurHash2 for API hashing to evade detection and achieves persistence through registry modifications. It decrypts and decompresses payloads using AES-128-ECB and LZMA compression, injecting them into a suspended jsc.exe process to evade analysis. Both malware families utilize Protocol Buffers for configuration deserialization, indicating sophisticated design. While no known exploits are currently observed in the wild, the loader's dual payload execution and advanced obfuscation techniques suggest potential for future targeted attacks. The threat is rated medium severity and primarily targets Windows environments. European organizations should be vigilant due to the potential for stealthy remote access and downloader capabilities that could facilitate further compromise.

AI-Powered Analysis

Last updated: 10/31/2025, 11:25:06 UTC

Technical Analysis

This new malware loader, identified in May 2025, is designed to execute two malware payloads: TorNet and PureHVNC. TorNet is a downloader that communicates via the TOR network, giving it anonymized command and control (C2) communications that complicate detection and attribution. PureHVNC is a commercial RAT that provides attackers with remote access capabilities, including screen capture, file transfer, and command execution. The loader employs MurmurHash2 for API hashing, a technique that obscures API calls by storing hashes of function names instead of the names themselves, thereby evading signature-based detection. Persistence is achieved through registry modifications, ensuring the loader runs on system startup. The loader decrypts payloads using AES-128 in ECB mode and decompresses them with LZMA, then injects them into a suspended instance of jsc.exe, a legitimate Windows process, to evade behavioral detection and sandbox analysis. Both malware families use Protocol Buffers, a compact and efficient data serialization format, to deserialize their configuration, which allows flexible and complex configurations. Indicators of compromise include multiple file hashes and IP addresses linked to the loader and payloads. Although no active exploits have been reported, the loader's design indicates a potential for stealthy, multi-stage attacks that could be leveraged in targeted intrusions or espionage campaigns. The use of TOR for C2 and a commercial RAT suggests a focus on maintaining long-term access and anonymized communications.
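As an added illustration (not code from this page or from the referenced IIJ report) of how an analyst resolves MurmurHash2 API hashing: the loader stores 32-bit hashes instead of API names, so the defender rebuilds a lookup table by hashing candidate export names with the same algorithm and matches the hashes found in the sample. The candidate API list and the seed value 0 are assumptions; the page does not state which seed this loader uses.

```python
import struct

MASK32 = 0xFFFFFFFF


def murmurhash2(data: bytes, seed: int = 0) -> int:
    """32-bit MurmurHash2 (Austin Appleby's reference algorithm)."""
    m, r = 0x5BD1E995, 24
    h = (seed ^ len(data)) & MASK32
    n_blocks = len(data) // 4
    # Mix each little-endian 4-byte block into the running hash.
    for i in range(n_blocks):
        k = struct.unpack_from("<I", data, i * 4)[0]
        k = (k * m) & MASK32
        k ^= k >> r
        k = (k * m) & MASK32
        h = (h * m) & MASK32
        h ^= k
    # Fold in the 1-3 trailing bytes (same order as the C reference's switch).
    tail = data[n_blocks * 4:]
    if len(tail) >= 3:
        h ^= tail[2] << 16
    if len(tail) >= 2:
        h ^= tail[1] << 8
    if len(tail) >= 1:
        h ^= tail[0]
        h = (h * m) & MASK32
    # Final avalanche so every input bit affects the whole output.
    h ^= h >> 13
    h = (h * m) & MASK32
    h ^= h >> 15
    return h


# Constructed candidate list (assumption): exports a loader of this kind typically
# resolves. A real analysis feeds every export of kernel32/ntdll/advapi32 here.
CANDIDATE_APIS = [
    "CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
    "ResumeThread", "RegSetValueExW", "LoadLibraryA", "GetProcAddress",
]


def build_hash_table(names, seed: int = 0) -> dict:
    """Map hash -> API name so hashes extracted from the loader can be looked up."""
    return {murmurhash2(n.encode("ascii"), seed): n for n in names}


def resolve_api_hashes(hashes, seed: int = 0) -> dict:
    """Return {hash: name or None} for each hash pulled from the sample."""
    table = build_hash_table(CANDIDATE_APIS, seed)
    return {h: table.get(h) for h in hashes}
```

A hash that resolves to None means the candidate list is incomplete or the seed is wrong, which is the first thing to check when a resolved import table looks sparse.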

Potential Impact

For European organizations, this threat poses significant risks primarily related to confidentiality and integrity. The PureHVNC RAT enables attackers to gain persistent remote access, potentially leading to data exfiltration, espionage, or disruption of operations. The TorNet downloader can facilitate the delivery of additional malicious payloads, escalating the attack’s impact. The use of TOR network communications complicates network-based detection and attribution, increasing the difficulty of incident response. The loader’s stealth techniques, including API hashing and process injection into jsc.exe, reduce the likelihood of early detection, allowing attackers to maintain a foothold for extended periods. Critical infrastructure, government agencies, and enterprises with sensitive data in Europe could be targeted due to the advanced capabilities of the malware. The threat could also be leveraged for supply chain attacks or to establish beachheads for ransomware or other destructive malware. The medium severity rating reflects the current lack of widespread exploitation but acknowledges the loader’s sophisticated capabilities and potential for serious impact if deployed in targeted attacks.

Mitigation Recommendations

European organizations should implement advanced endpoint detection and response (EDR) solutions capable of detecting API hashing and unusual process injection behaviors, particularly into legitimate processes like jsc.exe. Monitoring registry changes for persistence mechanisms is critical. Network defenses should include monitoring for TOR network traffic, which is uncommon in most enterprise environments, to identify potential C2 communications. Deploy strict application whitelisting to prevent unauthorized execution of unknown loaders and RATs. Use threat intelligence feeds to block known malicious IP addresses and file hashes associated with this loader and its payloads. Employ behavioral analytics to detect anomalous decryption and decompression activities indicative of malware unpacking. Regularly update and patch Windows systems to reduce the attack surface, even though no specific vulnerabilities are currently exploited. Conduct user training to recognize phishing or social engineering attempts that could deliver such loaders. Finally, implement network segmentation to limit lateral movement if compromise occurs and maintain offline backups to recover from potential data loss.


Technical Details

Author
AlienVault
TLP
white
References
https://sect.iij.ad.jp/en/2025/10/loader-executing-tornet-and-purehvnc/
Pulse Id
6904820b4fdb3fddd4d310fd

Indicators of Compromise


Threat ID: 690498dc60041281bb1cf013

Added to database: 10/31/2025, 11:09:16 AM

Last enriched: 10/31/2025, 11:25:06 AM

Last updated: 10/31/2025, 6:25:26 PM

