eSentire’s Threat Response Unit (TRU) has uncovered a highly sophisticated attack campaign leveraging Zoho WorkDrive to deliver the increasingly prevalent PureRAT malware, targeting a certified public accounting firm in the United States in May 2025.
The operation illustrates how current criminal tradecraft combines social engineering, commercial crypters, and defense-evasion techniques to get a remote access trojan running inside an otherwise well-defended organization.
Social Engineering & Delivery via Zoho WorkDrive
The threat actors gained initial access by impersonating a potential client, sending a convincingly crafted PDF via email.
The PDF embedded a link to a Zoho WorkDrive folder, Zoho’s legitimate cloud-based file sharing platform hosted at zohoexternal[.]com.
The shared folder held innocuous-looking items such as driver's licenses and tax documents to build credibility, plus an executable with a double extension (e.g., Tax_Organizer2024.pdf.exe). Windows hides the extension of known file types by default, so the file displays as Tax_Organizer2024.pdf and the user sees a document rather than a program.
A zip archive in the same file set paired a legitimate executable (hpreader.exe, by Haihaisoft Limited) with a malicious DLL named CriticalUpdater0549303.dll. Because Windows resolves an application's imports from its own directory before the system directories, the legitimate program loaded and executed the malicious DLL, a technique known as DLL sideloading. Execution therefore started under a legitimately signed process, which defeats controls that trust the signer of the launching binary.
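Two detection checks for this delivery chain, written here as an added example (not code from the eSentire report): one recognises the double-extension lure name, the other flags a DLL that is sideloaded from a user-writable directory next to the executable that loads it. Field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed, Signature); the event records, file paths, the hpreader_ui.dll entry and the publisher allowlist are constructed for the example.

```python
import ntpath
from dataclasses import dataclass

# Extensions Windows will run when double-clicked (partial list).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
# Extensions a victim expects on a "document" sent by a client.
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Lower-case path fragments of locations a non-admin user can write to.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


def is_double_extension_masquerade(filename: str) -> bool:
    """True for names like Tax_Organizer2024.pdf.exe: an executable extension
    preceded by a document extension. With 'Hide extensions for known file
    types' on, Explorer strips the real extension and shows the fake one."""
    name = ntpath.basename(filename).lower()
    stem, final = ntpath.splitext(name)
    if final not in EXECUTABLE_EXT:
        return False
    return ntpath.splitext(stem)[1] in DOCUMENT_EXT


@dataclass
class ImageLoad:
    """Subset of Sysmon Event ID 7 (Image loaded) fields."""
    image: str          # Image: the process that loaded the module
    image_loaded: str   # ImageLoaded: full path of the module
    signed: bool        # Signed
    signature: str      # Signature: publisher name, '' when unsigned


def is_sideload(ev: ImageLoad, loader_signers: dict) -> bool:
    """Flag a DLL that (a) sits in the same directory as the executable loading
    it, (b) lives in a user-writable location, and (c) is not signed by the
    publisher expected for that executable. Windows searches the application
    directory before System32 when resolving imports; that is what sideloading
    abuses, so a side-by-side DLL from a foreign or missing signer is the tell."""
    module = ev.image_loaded.lower()
    loader = ev.image.lower()
    if not module.endswith(".dll"):
        return False
    same_dir = ntpath.dirname(module) == ntpath.dirname(loader)
    user_writable = any(m in module for m in USER_WRITABLE_MARKERS)
    expected = loader_signers.get(ntpath.basename(loader))
    trusted = ev.signed and expected is not None and ev.signature == expected
    return same_dir and user_writable and not trusted


def find_sideloads(events, loader_signers):
    """Return the ImageLoaded paths that trip is_sideload."""
    return [ev.image_loaded for ev in events if is_sideload(ev, loader_signers)]


# Constructed allowlist (hypothetical): expected publisher per loading executable.
LOADER_SIGNERS = {"hpreader.exe": "Haihaisoft Limited"}

# Constructed sample events modelled on the chain described above; the
# hpreader_ui.dll entry is invented to show a benign side-by-side load.
SAMPLE_LOADS = [
    ImageLoad(r"C:\Users\jdoe\Downloads\Tax_Organizer\hpreader.exe",
              r"C:\Users\jdoe\Downloads\Tax_Organizer\CriticalUpdater0549303.dll",
              signed=False, signature=""),
    ImageLoad(r"C:\Users\jdoe\Downloads\Tax_Organizer\hpreader.exe",
              r"C:\Windows\System32\kernel32.dll",
              signed=True, signature="Microsoft Windows"),
    ImageLoad(r"C:\Users\jdoe\Downloads\Tax_Organizer\hpreader.exe",
              r"C:\Users\jdoe\Downloads\Tax_Organizer\hpreader_ui.dll",
              signed=True, signature="Haihaisoft Limited"),
]

if __name__ == "__main__":
    print(is_double_extension_masquerade("Tax_Organizer2024.pdf.exe"))
    print(find_sideloads(SAMPLE_LOADS, LOADER_SIGNERS))
```

Only the unsigned CriticalUpdater0549303.dll is reported: kernel32.dll fails the same-directory test and the constructed hpreader_ui.dll carries the expected publisher. The publisher allowlist is the part that needs maintaining in production; without it the rule still fires on every unsigned side-by-side DLL in Downloads, which is a reasonable default for a workstation fleet.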
Technical Details: Obfuscation with Ghost Crypt and Process Injection
Key to the campaign’s efficacy is the use of a new crypter called Ghost Crypt, first advertised on underground forums in April 2025.
Ghost Crypt packs both EXE and DLL files and is advertised as guaranteeing antivirus and EDR evasion, backed by a "three-day survival guarantee". It also integrates with Kleenscan, a scanning service that lets buyers test their builds against major AV engines before deployment.

The malicious DLL's payload was encrypted with a modified variant of ChaCha20. Because the cipher deviates from the standard algorithm, tooling and detections built around the reference implementation do not decrypt or recognise the payload, which slows analysis.
Once decrypted, the Ghost Crypt stub performed a "process hypnosis" injection: it launched the legitimate Windows binary csc.exe as a debuggee (created with a debug flag), wrote the PureRAT payload into it with VirtualAllocEx and WriteProcessMemory, and defeated Windows 11's anti-injection safeguards by patching the ZwManageHotpatch function.
Control was then handed to the in-memory loader by redirecting the debuggee's thread with SetThreadContext and releasing the process with DebugActiveProcessStop. No remote thread is created, so detections keyed on CreateRemoteThread do not fire.
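The injection leaves two observable traces in endpoint telemetry: a csc.exe process that was started by something other than build tooling with no compiler arguments, and a write-capable handle to that csc.exe from the same unusual parent. The following detection logic, an added example and not code from the eSentire report, correlates both over constructed Sysmon-style events. Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage) and Event ID 10 (SourceImage, TargetImage, GrantedAccess); the sample records, the parent and accessor allowlists, and the file paths are invented for illustration.

```python
import ntpath
from dataclasses import dataclass

# Process access rights from winnt.h that an injector needs on its target.
PROCESS_VM_OPERATION = 0x0008   # needed by VirtualAllocEx
PROCESS_VM_WRITE = 0x0020       # needed by WriteProcessMemory
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Parents that normally spawn the C# compiler (hypothetical list, tune per fleet).
EXPECTED_CSC_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "powershell.exe", "pwsh.exe"}
# Markers of a real compilation on the command line; a hypnosis host gets none of them.
CSC_COMPILE_HINTS = ("/noconfig", "/out:", "/target:", "/t:", " @")
# Tools expected to hold write access to other processes (hypothetical tuning list).
KNOWN_ACCESSORS = {"windbg.exe", "devenv.exe", "msmpeng.exe", "csrss.exe"}


@dataclass
class ProcessCreate:
    """Subset of Sysmon Event ID 1 fields."""
    image: str
    command_line: str
    parent_image: str


@dataclass
class ProcessAccess:
    """Subset of Sysmon Event ID 10 fields."""
    source_image: str
    target_image: str
    granted_access: int


def suspicious_csc_launch(ev: ProcessCreate) -> bool:
    """csc.exe started by something other than build tooling, or without any
    compiler arguments. A debug-created hollowing host looks exactly like
    that; a genuine compile (e.g. PowerShell Add-Type) passes /noconfig and a
    response file."""
    if ntpath.basename(ev.image).lower() != "csc.exe":
        return False
    parent = ntpath.basename(ev.parent_image).lower()
    args = ev.command_line.lower()
    compiling = any(h in args for h in CSC_COMPILE_HINTS)
    return parent not in EXPECTED_CSC_PARENTS or not compiling


def suspicious_csc_access(ev: ProcessAccess) -> bool:
    """A handle to csc.exe carrying VM_OPERATION and VM_WRITE from a source that
    is not a debugger or security product. A process created with a debug flag
    hands its parent a full-access handle (0x1FFFFF), so the check tests the two
    bits the injection needs rather than one exact mask value."""
    if ntpath.basename(ev.target_image).lower() != "csc.exe":
        return False
    if ntpath.basename(ev.source_image).lower() in KNOWN_ACCESSORS:
        return False
    return (ev.granted_access & INJECT_MASK) == INJECT_MASK


def detect_hypnosis(creates, accesses):
    """Return one alert string per suspicious csc.exe launch and per
    write-capable handle to csc.exe."""
    alerts = []
    for ev in creates:
        if suspicious_csc_launch(ev):
            alerts.append(f"csc.exe launched by {ntpath.basename(ev.parent_image)} "
                          f"with command line {ev.command_line!r}")
    for ev in accesses:
        if suspicious_csc_access(ev):
            alerts.append(f"{ntpath.basename(ev.source_image)} opened csc.exe "
                          f"with access 0x{ev.granted_access:X}")
    return alerts


# Constructed sample telemetry: one injection host, one legitimate Add-Type compile.
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
LURE = r"C:\Users\jdoe\Downloads\Tax_Organizer\hpreader.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\jdoe\AppData\Local\Temp\add-type.cmdline"
SAMPLE_CREATES = [
    ProcessCreate(CSC, f'"{CSC}"', LURE),
    ProcessCreate(CSC, f'"{CSC}" /noconfig /fullpaths @"{TMP}"', PS),
]
SAMPLE_ACCESSES = [
    ProcessAccess(LURE, CSC, 0x1FFFFF),
    ProcessAccess(r"C:\Program Files\Windows Defender\MsMpEng.exe", CSC, 0x1410),
]

if __name__ == "__main__":
    for line in detect_hypnosis(SAMPLE_CREATES, SAMPLE_ACCESSES):
        print(line)
```

The two alerts produced are the bare csc.exe launch from hpreader.exe and the 0x1FFFFF handle from the same binary; the PowerShell compile and Defender's read-only 0x1410 handle stay silent. SetThreadContext itself operates on a thread handle and is not visible in these two event types, which is why the rule leans on the process-creation and process-access signals that the technique cannot avoid producing.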
Focus: Stealing Crypto and Establishing Control
Once running, PureRAT collected system information and specifically targeted browser extensions and desktop applications tied to cryptocurrency wallets and Telegram.
It enumerated Chrome, Edge, Brave, and more than a dozen other Chromium-based browsers, looking for wallet extensions and stealing credentials or keys wherever it found them.
Conclusion & Recommendations
This attack exemplifies the need for vigilance against social engineering and the sophistication of modern crypters and malware delivery techniques.
eSentire TRU recommends that organizations make file extensions visible in Windows (turn off "Hide extensions for known file types" in Explorer), invest in phishing awareness training, and deploy advanced EDR solutions for rapid threat detection and response.
The full TRU Positives report includes detailed indicators of compromise and further technical insights to aid defenders.