New Loader Executing TorNet and PureHVNC
Oct. 31, 2025, 11:22 a.m.
Description
A new malware loader discovered in May 2025 executes two malware families: TorNet and PureHVNC. The loader resolves APIs by hash using MurmurHash2 and establishes persistence through registry modifications. It decrypts and decompresses its payloads using AES-128-ECB and LZMA, then injects them into a suspended jsc.exe process. TorNet is a downloader that communicates over the Tor network, while PureHVNC is a commercial RAT that allows remote access. Both malware families use Protocol Buffers for configuration deserialization. The loader's distinguishing characteristics are its dual payload execution and its API hashing implementation, which may indicate techniques to expect in future attacks.
Date
- Created: Oct. 31, 2025, 9:31 a.m.
- Published: Oct. 31, 2025, 9:31 a.m.
- Modified: Oct. 31, 2025, 11:22 a.m.