{
	"id": "a31b6b7d-e6d9-4623-a611-459120831b64",
	"created_at": "2026-04-06T00:16:55.879135Z",
	"updated_at": "2026-04-10T03:20:57.722393Z",
	"deleted_at": null,
	"sha1_hash": "2db1b4e539d976c33c386626df178737c7d40adb",
	"title": "Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2510273,
	"plain_text": "Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads\r\nPublished: 2021-09-20 · Archived: 2026-04-05 13:12:59 UTC\r\nIn this blog entry we look into a fileless campaign that used a new HCrypt variant to distribute numerous remote access trojans (RATs) in victim systems. This new variant also uses an updated obfuscation mechanism, which we detail.\r\nBy: Aliakbar Zahravi, William Gamazo Sanchez Sep 20, 2021 Read time: 5 min (1415 words)\r\nWe encountered a fileless campaign that used a new HCrypt variant to distribute numerous remote access trojans (RATs) in victim systems. This new variant uses a newer obfuscation mechanism compared to what has been observed in past reports. It reached the peak of activity in the middle of August 2021.\r\nHCrypt is a crypter and multistage generator that is considered difficult to detect. It is identified as a crypter-as-a-service, paid for by threat actors to load a RAT (or in this case RATs) of their choosing. The campaign also showed new obfuscation techniques and attack vectors, different from those that were observed in the past.\r\nOverview of the Water Basilisk campaign\r\nIn this campaign, which we have labelled Water Basilisk, the attacker mostly used publicly available file hosting services such as “archive.org”, “transfer.sh”, and \"discord.com\" to host the malware, while hacked WordPress websites were used to host phishing kits.\r\nThe malicious file is hidden as an ISO that is distributed through a phishing email or website. This file contains an obfuscated VBScript stager responsible for downloading and executing the next stage of the VBScript content in the infected system's memory.\r\nThe final stage is an obfuscated PowerShell script that contains the payloads and is responsible for deobfuscating and injecting them into the assigned process. In some cases, the final stage PowerShell script contained up to seven different RATs. These are typically NjRat, BitRat, Nanocore RAT, QuasarRat, LimeRat, and Warzone.\r\nHCrypt version 7.8\r\nIn a nutshell, Water Basilisk’s attack chain is a combination of VBScript and PowerShell commands. HCrypt creates various obfuscated VBScripts and PowerShell scripts to deliver or inject the final payload into a given process on a victim system. The latest version of this crypter is 7.8, based on what we have seen in its builder and website.\r\nhttps://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html\r\nPage 1 of 12\r\nFigure 1. The HCrypt v7.8 builder\r\nFigure 2. HCrypt v7.8 updates that also list RAT variants and the purchase price\r\nFigure 3. HCrypt v7.8 on Sellix\r\nAs can be seen in Figures 1 to 3, HCrypt 7.8 is being sold for US$199. Figure 2 also lists, as part of an update, the various RATs that can be loaded using this variant, which we mentioned earlier.\r\nAttack analysis\r\nThis section discusses how this version works. Figure 4 summarizes Water Basilisk. The infection chain goes as follows:\r\nA phishing email or website tricks a user into downloading and executing the malicious ISO file that contains the initial VBScript stager\r\nThe initial VBScript downloads and executes the next stage VBScript content via a PowerShell command in memory\r\nThe downloaded VBScript is responsible for achieving persistence on the victim system and downloads and executes the final stage via a PowerShell command in memory\r\nThe final stage PowerShell is responsible for deobfuscating and injecting the payload (RATs) into the given process\r\nFigure 4. An overview of the attack\r\nThis campaign uses two different attack vectors: phishing websites and emails. Both have the same infection chain, which we have already described. The attack begins with the malicious ISO image file.\r\nWe can assume two reasons why this attack uses ISO files. One is that ISO images tend to have larger file sizes, so email gateway scanners may not be able to scan ISO file attachments properly. Another is that opening an ISO file on newer operating systems is as simple as double-clicking the file, thanks to native ISO mounting tools. This improves the chances of a victim opening the file and infecting their system.\r\nAs we have also mentioned, and as seen in Figure 4, an interesting aspect of this attack is how the stager scripts were hosted on public file hosting services such as Transfer.sh and Internet Archive (archive.org). Once the ISO file is opened, the needed scripts are downloaded from this hosting archive. Figure 5 is an example of the archive.org account used to host scripts.\r\nFigure 5. The archive.org account hosting the loader’s scripts\r\nFigure 6. The archive.org account hosting the loader’s scripts\r\nFigure 7 shows an example of the hacked WordPress website that hosts a phishing kit that downloads the “Spectrum Bill.iso” file. Figure 8 shows the malicious content added by the attacker to the said website.\r\nFigure 7. The phishing website used in this campaign\r\nFigure 8. Malicious content uploaded by the attacker\r\nThe “Spectrum Bill.iso” file contains an HCrypt obfuscated VBScript stager that is responsible for downloading and executing the next stage via a PowerShell command. We note here that, with the exception of the second stage for persistence, all scripts, PowerShell, and binaries are fileless and execute in memory.\r\nFigure 9. “Spectrum Bill.iso” content\r\nFigure 10. \"Spectrum Bill.vbs\" content and cleanup code\r\nThe downloaded content in memory, “bx25.txt,” is another obfuscated HCrypt VBScript. As mentioned, this code is for achieving persistence and is the only one not executed purely in memory. It achieves persistence by creating the file C:\\Users\\Public\\Run\\Run.vbs, adding it to the Startup path, and downloading and executing the final stage in memory.\r\nEach time an infected computer starts, the malware downloads the latest payload(s) from the given URL. The attacker can therefore change the final payload(s) and their command and control (C\u0026C) server easily, reducing their fingerprints on an infected system.\r\nFigure 11. The cleaned code of bx25.txt, the second VBScript stage for persistence\r\nRun.vbs (“dx25.txt”) is the final stage PowerShell that contains the final payload(s). This executes in an infected system's memory and is responsible for deobfuscating, loading, and injecting payload(s) into the given hardcoded legitimate process. In some cases, the malware loads up to seven RATs on an infected system. The snippet in Figure 12 demonstrates this behaviour of the malware.\r\nFigure 12. The code of the file dx25.txt, the PowerShell loader\r\nAmong the loaded binaries is a DLL injector called “VBNET,” which reflectively loads a .NET PE payload into a selected legitimate .NET process. In Figure 12, $HH1 is a VBNET PE injector DLL and $HH5 contains a PowerShell command to pass a final malware payload ($HH3) into the given process, which is “aspnet_regbrowsers.exe.”\r\nTo automate the final payload extraction, we developed a Python script to deobfuscate and extract the payloads from the final PowerShell stage. It simply accepts a directory where the obfuscated PowerShell scripts are stored and an output directory where the extracted payloads will be stored. The Python script can be viewed here.\r\nBitcoin and Ethereum Hijacker\r\nWe were also able to observe Bitcoin/Ethereum address hijacker binaries among the loaded RATs in an infected system. These binaries search the victim’s clipboard content for Bitcoin and Ethereum addresses using regex, then replace them with the attacker’s own address. Figure 13 shows where the binary can be generated in the HCrypt interface.\r\nFigure 13. HCrypt builder interface showing where to start generating the hijacker binaries\r\nBy default, the HCrypt stealer builder shows built-in Ethereum and Bitcoin addresses, likely belonging to the malware’s author.\r\nFigure 14. Built-in Ethereum and Bitcoin addresses, potentially belonging to the author(s), seen here as “HBankers”\r\nFigure 15. Using regex to search for Bitcoin and Ethereum addresses in the victim’s clipboard content\r\nFigure 16. The HCrypt builder where the user (attacker) can only choose either Bitcoin or Ethereum\r\nThe stealer builder will only accept one option, either Bitcoin or Ethereum, from a user. As shown in the example in Figure 16, in such a scenario the crypto address hijacker will replace the victim’s Ethereum address with “1111111,” generate the payload, and replace the Bitcoin address with the HCrypt builder author’s (HBankers) address. Overall, this shows the HCrypt developers’ attempt to also make a profit from attacks that use this loader.\r\nConclusion\r\nThis case shows how cybercriminals can take advantage of crypter tools, such as HCrypt, to dynamically distribute malware. HCrypt also shows signs of undergoing active development. It would be best to anticipate newer versions that cover more RAT variants and an updated obfuscation algorithm to reduce the chances of detection.\r\nOrganizations should also remain vigilant against phishing tactics, which remain a staple in cyberattacks. Users should be wary of opening ISO files, especially from suspicious sources, as threat actors have used image files in their campaigns before. They are too easy to open and can bypass email gateway scanners, giving users less chance to consider whether the file is malicious.\r\nOrganizations can also consider security solutions that provide a multilayered defense system that helps in detecting, scanning, and blocking malicious URLs.\r\nThe indicators of compromise (IOCs) can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html"
	],
	"report_names": [
		"Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434615,
	"ts_updated_at": 1775791257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2db1b4e539d976c33c386626df178737c7d40adb.pdf",
		"text": "https://archive.orkl.eu/2db1b4e539d976c33c386626df178737c7d40adb.txt",
		"img": "https://archive.orkl.eu/2db1b4e539d976c33c386626df178737c7d40adb.jpg"
	}
}