HeartCrypt

HeartCrypt is a packer-as-a-service (PaaS) used to protect malware that has been available since at least 2024. HeartCrypt has been used to pack a variety of malware including Lumma Stealer, Remcos, and Rhadamanthys. In the HeartCrypt PaaS model, customers submit malware via private messaging services and it is then packed and returned by the operator as a new binary.[1]

ID: S9018
Type: MALWARE
Platforms: Linux, Windows
Version: 1.0
Created: 16 April 2026
Last Modified: 23 April 2026

Techniques Used

Domain ID Name Use
Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

HeartCrypt can set the CurrentVersion\Run key to establish persistence.[1]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

HeartCrypt can use the reg add command via cmd.exe for Registry modification.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

HeartCrypt can decrypt payloads prior to execution.[1][2]

Enterprise T1036.008 Masquerading: Masquerade File Type

HeartCrypt can append a BMP header to encoded malicious payloads to masquerade them as BMP files.[1]

Enterprise T1106 Native API

HeartCrypt can use Windows API functions to modify the Registry, and can call FindResourceW, LoadResource, and LockResource to obtain a pointer to the corresponding embedded code resources.[1]

Enterprise T1027.001 Obfuscated Files or Information: Binary Padding

HeartCrypt can add several hundred thousand kilobytes of null padding to payloads before saving onto the file system.[1]

Enterprise T1027.002 Obfuscated Files or Information: Software Packing

HeartCrypt can pack malicious Windows x86 and .NET payloads in order to evade detection.[1][2]

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

HeartCrypt strings are encrypted with a single-byte XOR that rotates through a hard-coded key (a repeating-key XOR); the key may be supplied by the PaaS customer.[1]

Enterprise T1055.004 Process Injection: Asynchronous Procedure Call

HeartCrypt has the ability to use NtQueueApcThread as an alternate method for process injection.[1]

Enterprise T1055.012 Process Injection: Process Hollowing

For .NET payloads, HeartCrypt can use process hollowing to inject into processes spawned by csc.exe or AppLaunch.exe.[1]

Enterprise T1497.001 Virtualization/Sandbox Evasion: System Checks

HeartCrypt attempts to load non-existent DLLs in order to detect sandboxes, which may supply a dummy DLL so that the program does not crash.[1]
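As an added triage example (not code from the ATT&CK page or from the reports it cites), the following Python checks a file for the two traits described in the T1036.008 and T1027.001 entries above: a BMP header whose declared image is far smaller than the file that carries it, and a large trailing run of null padding. The header layout (BITMAPFILEHEADER + BITMAPINFOHEADER), the thresholds, and the sample files are assumptions constructed for this example; real padded samples are far larger than the toy built here.

```python
import struct

# BITMAPFILEHEADER (14 bytes) and BITMAPINFOHEADER (40 bytes), little-endian.
BMP_FILE_HEADER = struct.Struct("<2sIHHI")       # magic, file size, 2 reserved, pixel offset
BMP_INFO_HEADER = struct.Struct("<IiiHHIIiiII")  # size, width, height, planes, bpp, ...


def bmp_declared_size(blob: bytes):
    """Return (declared_file_size, expected_end_of_pixel_data) or None if not a BMP."""
    if len(blob) < BMP_FILE_HEADER.size + BMP_INFO_HEADER.size or blob[:2] != b"BM":
        return None
    _, file_size, _, _, offset = BMP_FILE_HEADER.unpack_from(blob, 0)
    _, width, height, _, bpp, *_ = BMP_INFO_HEADER.unpack_from(blob, BMP_FILE_HEADER.size)
    row_bytes = ((abs(width) * bpp + 31) // 32) * 4  # BMP rows are padded to 4 bytes
    return file_size, offset + row_bytes * abs(height)


def trailing_null_ratio(blob: bytes) -> float:
    """Fraction of the file that is a trailing run of 0x00 bytes."""
    if not blob:
        return 0.0
    return (len(blob) - len(blob.rstrip(b"\x00"))) / len(blob)


def triage(blob: bytes, slack: float = 1.5, null_threshold: float = 0.5) -> list:
    """Flag a BMP whose real size dwarfs its declared image, and heavy null padding.
    The thresholds are assumptions chosen for this example, not values from the reports."""
    findings = []
    info = bmp_declared_size(blob)
    if info is not None:
        declared, expected = info
        if declared != len(blob) or len(blob) > expected * slack:
            findings.append("bmp_header_size_mismatch")
    if trailing_null_ratio(blob) >= null_threshold:
        findings.append("large_null_padding")
    return findings


def build_bmp(appended: bytes = b"") -> bytes:
    """Constructed 2x2 24-bit BMP (two 8-byte rows) with optional trailing data."""
    info = BMP_INFO_HEADER.pack(40, 2, 2, 1, 24, 0, 16, 2835, 2835, 0, 0)
    pixels = b"\xff" * 16
    body = info + pixels + appended
    return BMP_FILE_HEADER.pack(b"BM", BMP_FILE_HEADER.size + len(body), 0, 0, 54) + body


# Constructed stand-ins: an opaque blob in place of the encoded payload, then null padding.
SUSPECT = build_bmp(b"ENCODED-PAYLOAD-PLACEHOLDER" * 40 + b"\x00" * 4096)
BENIGN = build_bmp()

if __name__ == "__main__":
    print("suspect:", triage(SUSPECT))  # ['bmp_header_size_mismatch', 'large_null_padding']
    print("benign: ", triage(BENIGN))   # []
```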

Groups That Use This Software

ID Name References
G0099 APT-C-36

APT-C-36 has used HeartCrypt in Remcos infection chains.[2]

References