{
	"id": "7fb0409a-cc5e-42f3-94c3-a32e8c8fba83",
	"created_at": "2026-04-06T00:10:25.815187Z",
	"updated_at": "2026-04-10T03:37:09.158008Z",
	"deleted_at": null,
	"sha1_hash": "51e94a3d294731ecba272eb673aafba68c9677f1",
	"title": "Pure Coder Sells Malware On Dark Web Forums",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1984394,
	"plain_text": "Pure Coder Sells Malware On Dark Web Forums\r\nPublished: 2022-12-27 · Archived: 2026-04-05 17:05:42 UTC\r\nCyble Research and Intelligence Labs analyzes a spam campaign dropping PureLogs stealer aimed at Italian users.\r\nItalian Users Targeted by PureLogs Stealer Through Spam Campaigns\r\nExecutive Summary\r\nDuring a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) came across a tweet by TG Soft about the PureLogs information stealer. This tool was used by the Threat Actor (TA) “Alibaba2044” to launch a malicious spam campaign against targets based in Italy on the 14th of December 2022.\r\nhttps://cyble.com/blog/pure-coder-offers-multiple-malware-for-sale-in-darkweb-forums/\r\nPage 1 of 12\r\nFigure 1 – Tweet Related to PureLogs Malware\r\nThe spam email includes a link to download a password-protected zip file; the password is provided in the same email. The zip file contains a cabinet file disguised as a batch file, which holds a malicious executable. Once the target opens the batch file, the malware starts running on their machine.\r\nPureLogs stealer is developed by a TA using the name PureCoder. The threat actor sells multiple malicious software programs on their website for various operations, such as miners, information stealers, VNC, and crypters. The figure below shows the post by the PureCoder TA.\r\nFigure 2 – Purecoder Website Selling Malicious Programs\r\nThe TAs developing this malware have also posted the tool information in cybercrime forums to attract potential customers. The figure below shows the TA’s post on a cybercrime forum.\r\nFigure 3 – Cyber Crime Forum Post by Threat Actors\r\nPureLogs and PureCrypter are the most impactful malware created by PureCoder. Multiple other TAs are using this malware in their campaigns. Below, we have shared information regarding multiple malicious programs.\r\nPureLogs\r\nPureLogs is a malicious .NET program that its developers sell at $99 for a one-year subscription. It is specifically designed to steal browser data, crypto wallets, and data from various applications such as FTP clients, email clients, and VPNs installed on a system. The following table shows the data targeted by PureLogs.\r\nBrowsers | Crypto Wallets | Applications\r\nPasswords | Armory | FileZilla\r\nCookies | Atomic | WinSCP\r\nHistory | BitcoinCore | Outlook\r\nAutofill | DashCore | Thunderbird\r\nExtensions* | Electrum | DiscordToken\r\n | Ethereum | Telegram\r\n | Exodus | Pidgin\r\n | Jaxx | InternetDM\r\n | LitecoinCore | Steam\r\n | Monero | OpenVPN\r\n | Zcash | ProtonVPN\r\n*Extensions: TronLink, MetaMask, Binance Chain Wallet, Yoroi, Coinbase Wallet, Jaxx Liberty, BitApp Wallet, iWallet, Terra Station, BitClip, EQUAL Wallet, Wombat, Cyano Wallet, Nifty Wallet, Math Wallet, Guarda, Coin98 Wallet, TezBox, Trezor Password Manager, EOS Authenticator, Authy, GAuth Authenticator, Authenticator.\r\nThe figure below illustrates the post related to PureLogs Stealer.\r\nFigure 4 – PureLogs Stealer Post by PureCoder\r\nPureCrypter\r\nPureCrypter malware has been observed distributing multiple RATs and information stealers. It is a .NET-based executable, obfuscated with SmartAssembly, that is further protected with compression, encryption, and obfuscation to make it difficult to detect. The malware is sold for $59 for a one-month subscription. Zscaler has provided a deeper technical analysis of PureCrypter in a blog. The figure below shows the TA’s post.\r\nFigure 5 – PureCrypter Post by Purecoder\r\nPureMiner\r\nThis is a hidden, silent miner; an attacker can deploy it to bots or spread it, and it will automatically mine ETHW or BTC to the TA’s wallet. TAs are currently offering PureMiner for $99. The following are the features advertised for PureMiner:\r\nETHW, ETC, XMR, ERGO, BTC, RVN, KASPA, FLUX MINING\r\nPROXY ETHW AND ETC MINING\r\nDETECTS IF THE USER IS IDLE OR PLAYING GAMES\r\nDOWNLOAD AND EXECUTE A FILE OR UPDATE\r\nRUNS ON RAM, NO DROPPING FILES\r\nBOT KILLER\r\nSTARTUP\r\nCRYPTABLE WITH PURE CRYPTER\r\nHIGH-QUALITY STUB 64bit CODED IN .NET 4.0\r\nThe figure below shows the post by the TA.\r\nFigure 6 – PureMiner Post by Purecoder\r\nBlueLoader\r\nAccording to the developers, the BlueLoader botnet can manage a sizable number of bots, restart automatically, launch DDoS attacks, and also has a bot-killing capability. BlueLoader is sold for $99 by the TAs. The figure below shows the post by the TAs.\r\nFigure 7 – BlueLoader Post by Purecoder\r\nPureHVNC\r\nPureHVNC is a hidden, stealthy VNC used to control systems covertly. TAs are selling one-year subscriptions for $99. The features, as posted by the TAs on their blog, are:\r\nHVNC Support\r\nCHROME\r\nEDGE\r\nBRAVE\r\nFIREFOX\r\nOUTLOOK\r\nFOXMAIL\r\nCMD\r\nPOWERSHELL\r\nCLIPBOARD COPY PASTE\r\nCHANGE DPI\r\nRun Program\r\nTASK MANAGER\r\nFILE MANAGER\r\nDOWNLOAD AND EXECUTE A FILE OR UPDATE STUB\r\nRUNS ON RAM, NO DROPPING FILES\r\nSTARTUP\r\nCRYPTABLE WITH PURE CRYPTER\r\nHIGH-QUALITY STUB CODED IN .NET 4.0\r\nThe figure below shows the TA’s post.\r\nFigure 8 – PureHVNC Post by Purecoder\r\nPure Logs Technical Analysis\r\nThe TA “Alibaba2044”’s malware campaign begins by sending out a malicious spam email linking to a zip file called DOC9848-14-12-2022.zip. This zip is password-protected to conceal its content and avoid detection. The zip file contains a Windows cabinet file disguised as a batch file, DOC9848_pdf.bat. When the user opens this cab file, it drops the .NET executable x.exe (sha256 a843517b019e86af42252b568e06dfe91a22f9034ceb996f5b0df32dcc1e4274) in the temp folder and executes it. The figure below shows the malicious executable in the temp folder.\r\nFigure 9 – Malware Dropped in Temp Folder\r\nThe figure below shows the details of the malicious file x.exe.\r\nFigure 10 – x.exe file Details\r\nThe executable contains a custom-encrypted malicious payload stored as a byte array. The following figure shows the encrypted payload in memory.\r\nFigure 11 – Encrypted Data in the Memory\r\nThe malware decrypts the payload at runtime and keeps it in memory. The figure below shows the decrypted payload in memory.\r\nFigure 12 – Decrypted Payload in the Memory\r\nThe decrypted payload is a PureLogs DLL named “Ixqwqtt.dll” with sha256 db61b7e783969a2050c9e18b667c2a7d418d757a0c986183b8ef2f6e6eccaa48. The malware loads this DLL into its own running process using the Assembly.Load() method. The figure below shows the malware injecting the malicious payload.\r\nFigure 13 – Malware Injecting the Payload using InvokeMember()\r\nConclusion\r\nWe have seen before that irresponsible malware developers create malicious programs and sell them on various forums for monetary gain. To attract more customers, they offer powerful and dangerous features such as information stealers, cryptocurrency miners, and HVNC to TAs, all for their own financial benefit. We will stay vigilant and monitor the latest threats and trends on the surface, deep, and dark web, keeping our readers updated.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nSafety Measures Needed to Prevent Malware Attacks\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nUse a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.\r\nConduct regular backups and keep those backups offline or in a separate network.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\nUsers Should Take the Following Steps After a Malware Attack\r\nDisconnect infected devices from the network.\r\nDisconnect external storage devices if connected.\r\nInspect system logs for suspicious events.\r\nImpact and Severity of Malware\r\nLoss of valuable data.\r\nLoss of the organization’s reputation and integrity.\r\nLoss of the organization’s sensitive business information.\r\nDisruption in organization operations.\r\nMonetary loss.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nExecution | T1204 | User Execution\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1562 | Impair Defenses\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nCollection | T1119 | Automated Collection\r\nCollection | T1005 | Data from the Local System\r\nCommand and Control | T1071 | Application Layer Protocol\r\nExfiltration | T1020 | Automated Exfiltration\r\nIndicators of Compromise (IoCs)\r\nIndicators | Indicator Type | Description\r\n5e5276abac4f39ed674c8783d12212dc | MD5 | DOC9848-14-12-2022.zip\r\nc055b968ae48bd35342a4aebfe6195e67529d84e | SHA1 | DOC9848-14-12-2022.zip\r\nc59559275fb8af4bbc59d47c267a94fbe44151e40a8606414d1b1f76a99852b1 | SHA256 | DOC9848-14-12-2022.zip\r\n743ea515bb5bab8929c6d280a3d0feaa | MD5 | DOC9848_pdf.bat\r\n58326656b86f43fdaa65b5493da1cb13e7cf6a2d | SHA1 | DOC9848_pdf.bat\r\n887cabc0d136a86a6be444883b62c90d073fd1f839896840233150475bd149c8 | SHA256 | DOC9848_pdf.bat\r\n460834754a0e145320380e54400b9509 | MD5 | x.exe\r\n992c119799b3b3899263605930bf9fc2b656afe8 | SHA1 | x.exe\r\na843517b019e86af42252b568e06dfe91a22f9034ceb996f5b0df32dcc1e4274 | SHA256 | x.exe\r\n86a9edac11733b9985d977b330389593 | MD5 | Ixqwqtt.dll\r\n79c0f5242a3a95beeddd2761c092ed166332707c | SHA1 | Ixqwqtt.dll\r\ndb61b7e783969a2050c9e18b667c2a7d418d757a0c986183b8ef2f6e6eccaa48 | SHA256 | Ixqwqtt.dll\r\nSource: https://cyble.com/blog/pure-coder-offers-multiple-malware-for-sale-in-darkweb-forums/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyble.com/blog/pure-coder-offers-multiple-malware-for-sale-in-darkweb-forums/"
	],
	"report_names": [
		"pure-coder-offers-multiple-malware-for-sale-in-darkweb-forums"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434225,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/51e94a3d294731ecba272eb673aafba68c9677f1.pdf",
		"text": "https://archive.orkl.eu/51e94a3d294731ecba272eb673aafba68c9677f1.txt",
		"img": "https://archive.orkl.eu/51e94a3d294731ecba272eb673aafba68c9677f1.jpg"
	}
}