HeartCrypt: The Packer Service That's Helping Ransomware Groups Kill Your EDR
HeartCrypt transforms legitimate Windows applications into malicious payload carriers, bypassing traditional defenses and fueling ransomware waves. This article examines how HeartCrypt operates, why it’s a game-changer for threat actors, and how defenders must adapt their detection strategy.

For the past 18 months, major ransomware groups have been using a commercial packer service called HeartCrypt to consistently defeat endpoint detection and response (EDR) tools. Our research team at MagicSword has been tracking this campaign, building on initial research published by Sophos in May 2024, and the findings are alarming:
89+ malicious driver variants are still successfully loading on Windows systems using certificates that were revoked nearly a decade ago.
The groups using HeartCrypt, including RansomHub, BlackSuit, and MedusaLocker, are leveraging a fundamental flaw in how Windows validates driver signatures. Even worse, they're doing this through a turnkey service that requires minimal technical expertise.

What HeartCrypt Does
Think of HeartCrypt as "malware delivery-as-a-service." Ransomware operators simply pay HeartCrypt to:
- Package their ransomware so it evades antivirus detection
- Bundle EDR-killing drivers that terminate security products before encryption
- Sign malicious code with stolen certificates that Windows still trusts
- Provide ongoing updates as security vendors catch up
This isn't sophisticated nation-state tradecraft; it's a commercial service that has made EDR evasion accessible to mid-tier criminal groups.
The Attack Pattern
When HeartCrypt-packed ransomware hits, your defenses fail in a predictable sequence:
- Initial compromise (via phishing, RDP brute force, or exploits like the recent SimpleHelp vulnerability CVE-2025-0282)
- HeartCrypt loader drops onto the system, appearing as a legitimate application
- Malicious driver extracts and loads, signed with a certificate Windows accepts
- Your security tools are terminated at the kernel level
- Ransomware deploys with zero visibility from your EDR
By the time your security team realizes something is wrong, the attacker has already disabled your defenses and encrypted your data.
The Certificate Problem That Won't Go Away
Here's the technical reality: MagicSword extracted the complete certificate details for the most commonly abused signing certificate in the HeartCrypt arsenal:
Certificate: Changsha Hengxiang Information Technology Co., Ltd.
- Revoked: 2016 (9 years ago!)
- Current Status: Still loading drivers on Windows systems in 2025
- Malware Variants: 89+ identified samples using this exact certificate
The driver often masquerades as CrowdStrike's Falcon Sensor (CSAgent.sys), a technique documented in detail by Sophos's X-Ops team. To an administrator doing a quick check, it looks legitimate. In reality it is terminating CrowdStrike, Sophos, SentinelOne, and other EDR products.
Why Does This Still Work?
Windows has a design flaw in driver validation. If certificate revocation checks fail or time out (which happens often), Windows assumes the certificate is fine and loads the driver anyway.
Result: A certificate revoked in 2016 is still being used to sign malware in 2025, and Windows treats it as trustworthy.
The Ransomware Ecosystem Using HeartCrypt
Sophos's August 2024 analysis first documented how multiple threat groups share these tools. MagicSword has now identified at least seven major ransomware operations actively deploying HeartCrypt-packed EDR killers:
- RansomHub - The most prolific user (active since June 2024)
- BlackSuit - Consistent campaigns throughout 2024-2025
- MedusaLocker - Used in SimpleHelp zero-day attacks (January 2025)
- Qilin - Known for double extortion tactics
- Dragonforce - New adopter as of Q3 2025
- Crytox - Emerging ransomware family
- INC/Lynx - Smaller operations testing the waters
This isn't one group's custom tool; it's a shared service proliferating across the ransomware ecosystem.
Real-World Impact: MedusaLocker + SimpleHelp
In January 2025, MedusaLocker operators exploited a zero-day vulnerability in SimpleHelp remote management software (CVE-2025-0282) to deploy HeartCrypt-packed EDR killers:
Attack timeline:
- Exploitation → HeartCrypt loader deployed → Malicious driver loaded → EDR terminated → Ransomware executed → Data exfiltrated
Time from initial access to full compromise: Under 30 minutes
EDR alerts generated: Zero (the EDR was killed before ransomware deployed)
This is the new reality. Traditional defenses are blind to these attacks because the security tools are terminated before the attacker does anything obviously malicious.
How MagicSword Helps
Traditional hash-based blocking doesn't work against HeartCrypt's polymorphic variants. New hashes are generated constantly. By the time a generic threat feed includes a HeartCrypt hash, attackers have already moved to a new variant.
MagicSword takes a different approach:
Real-Time EDR Killer Feed
We actively monitor the HeartCrypt campaign and provide intelligence that blocks threats before they reach your environment:
Certificate-Based Blocking
- Block all 89+ variants using the Changsha Hengxiang certificate
- Stop future variants before they're even created
- Identify emerging certificate compromises before widespread abuse
Campaign Tracking
- Monitor which ransomware groups are deploying HeartCrypt
- Track new driver signatures as they appear on VirusTotal
- Understand geographic distribution and targeting patterns
Behavioral Indicators
- Driver dropping patterns and installation techniques
- Process termination sequences targeting specific security products
- Packer evolution as HeartCrypt adapts to new detections
Integration-Ready Intelligence
Our EDR Killer Feed integrates with your existing security infrastructure:
- Compatible with major SIEM platforms
- Direct feeds for EDR/XDR solutions
- API access for automated blocking
- Application control policy templates
Analyst-Verified, Not Automated Noise
- Every indicator manually reviewed by our research team
- Context provided for each threat (which groups, which campaigns, attack vectors)
- False positive rate under 0.1%
The Bottom Line
HeartCrypt has changed the ransomware landscape by making EDR evasion accessible to virtually any criminal group with a budget. The 89+ malicious driver variants we've identified represent just what's visible on VirusTotal. The actual number in the wild is certainly higher.
MagicSword is actively monitoring the HeartCrypt campaign. Our EDR Killer Feed provides the real-time intelligence your security team needs to stay ahead of these threats. We track new variants, emerging certificates, and ransomware group adoption patterns so you don't have to.
The question isn't whether your organization will encounter a HeartCrypt-packed EDR killer; it's whether you'll detect and block it when you do.
Protect Your Organization
Learn more about MagicSword's EDR Killer Feed: https://bit.ly/3WAhUfx
Key Indicators of Compromise
High-Priority Certificate Blocks
Certificate 1: Changsha Hengxiang
- SHA1 Thumbprint: 7749BE16F266669D505684E9F002C689706C4295
- SHA256 Thumbprint: B9D4FC7948501E476C5E5EC76B8712DF2F7AD4543AEA008AC3C1782771E340D6
- Revocation Date: 2016
- Current Threat Level: Critical (89+ active variants)
Certificate 2: Fuzhou Dingxin
- Subject: Fuzhou Dingxin Trade Co., Ltd.
- Status: Expired since 2012
- Current Activity: Actively signing malware in 2025
Sample File Hashes
HeartCrypt Variant 1: Beyond Compare Injection
- SHA256: 48e6e071b70566bc9fabbbff995946076b410f5459356b65051ae10e04fe512f
- Filename: BCClipboard.exe
- Targets: CrowdStrike, Sophos, SentinelOne, and 11 other security vendors
HeartCrypt Variant 2: Fake CrowdStrike Driver
- SHA256: 06eccd102c9105957773b32538943531d9c39d0a504ceb3b9b155e97e3b0b134
- Filename: CSAgent.sys
- Impersonates: CrowdStrike Falcon Sensor
HeartCrypt Variant 3: MedusaLocker Campaign
- SHA256: 43cd3f8675e25816619f77b047ea5205b6491137c5b77cce058533a07bdc9f98
- Filename: 6Vwq.exe
- Attack Vector: SimpleHelp RCE (CVE-2025-0282)
Driver Names to Monitor
- CSAgent.sys - Fake CrowdStrike driver (most common)
- mraml.sys, smuol.sys, cyvrlpc.sys - Known variants
- [5-random-characters].sys - Randomized naming pattern
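As an added example (not MagicSword's feed code and not anything published by Sophos), the Python script below turns the indicators listed above and the kill-chain sequence described under "The Attack Pattern" into detection logic. It parses constructed Sysmon-style driver-load (Event ID 6) and process-termination (Event ID 5) records, flags driver loads by signer thumbprint, file hash and driver name, and raises a second, higher-confidence alert when a flagged driver load is followed within two minutes by the termination of a security-product process. Matching the signer thumbprint directly is the practical answer to the fail-open revocation behaviour described under "Why Does This Still Work?": the verdict does not depend on Windows reaching a CRL or OCSP endpoint. The key=value log layout, the timestamps, the benign placeholder hashes and the EDR process names are assumptions constructed for this example; the thumbprint, sample hashes and driver names are taken from the IoC list above.

```python
"""Detect HeartCrypt-style EDR-killer activity in constructed Sysmon-like events.

Added example, not MagicSword's or Sophos's code. Event fields loosely follow
Sysmon Event ID 6 (driver loaded) and Event ID 5 (process terminated); the
key=value record format below is an assumption made for this example.
"""
import re
from datetime import datetime, timedelta

# Indicators from the article's IoC section.
BLOCKED_CERT_THUMBPRINTS_SHA1 = {"7749BE16F266669D505684E9F002C689706C4295"}
BLOCKED_FILE_HASHES_SHA256 = {
    "48e6e071b70566bc9fabbbff995946076b410f5459356b65051ae10e04fe512f",
    "06eccd102c9105957773b32538943531d9c39d0a504ceb3b9b155e97e3b0b134",
    "43cd3f8675e25816619f77b047ea5205b6491137c5b77cce058533a07bdc9f98",
}
KNOWN_DRIVER_NAMES = {"csagent.sys", "mraml.sys", "smuol.sys", "cyvrlpc.sys"}
# "[5-random-characters].sys" pattern; weak on its own (tcpip.sys also has five
# characters), so it is only reported for loads outside the drivers directory.
RANDOM_DRIVER_RE = re.compile(r"^[a-z0-9]{5}\.sys$", re.IGNORECASE)
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"
# Security-product process names (assumed for this example).
EDR_PROCESSES = {"csfalconservice.exe", "sentinelagent.exe", "sophoshealth.exe", "msmpeng.exe"}
KILL_WINDOW = timedelta(minutes=2)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value record; quoted values may contain spaces."""
    ev = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["event"] = int(ev["event"])
    return ev


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def driver_findings(ev):
    """Return the reasons a driver-load event is suspicious (empty if none)."""
    reasons = []
    name = basename(ev["image"])
    if ev.get("signer_sha1", "").upper() in BLOCKED_CERT_THUMBPRINTS_SHA1:
        reasons.append("signer thumbprint on revoked-certificate blocklist")
    if ev.get("sha256", "").lower() in BLOCKED_FILE_HASHES_SHA256:
        reasons.append("file hash matches published HeartCrypt sample")
    if name in KNOWN_DRIVER_NAMES:
        reasons.append(f"known EDR-killer driver name {name}")
    elif RANDOM_DRIVER_RE.match(name) and not ev["image"].lower().startswith(DRIVERS_DIR):
        reasons.append(f"five-character driver name {name} loaded from outside the drivers directory")
    return reasons


def detect(lines):
    """Return alerts for suspicious driver loads and EDR kills that follow them."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    alerts, suspicious_loads = [], []
    for ev in events:
        if ev["event"] == 6:
            reasons = driver_findings(ev)
            if reasons:
                alerts.append({"type": "suspicious_driver_load", "image": ev["image"], "reasons": reasons})
                suspicious_loads.append(ev)
        elif ev["event"] == 5 and basename(ev["image"]) in EDR_PROCESSES:
            # Kill-chain correlation: EDR process terminated shortly after a flagged driver load.
            recent = [d["image"] for d in suspicious_loads
                      if timedelta(0) <= ev["ts"] - d["ts"] <= KILL_WINDOW]
            if recent:
                alerts.append({"type": "edr_process_killed_after_driver_load",
                               "image": ev["image"], "reasons": recent})
    return alerts


# Constructed sample records (hashes marked PLACEHOLDER are not real indicators).
SAMPLE_LOG = [
    r'ts=2025-01-15T10:00:05 event=6 image=C:\Windows\System32\drivers\tcpip.sys sha256=PLACEHOLDER_BENIGN signer_sha1=PLACEHOLDER_MS sig_status=Valid',
    r'ts=2025-01-15T10:02:11 event=6 image=C:\Users\Public\CSAgent.sys sha256=06eccd102c9105957773b32538943531d9c39d0a504ceb3b9b155e97e3b0b134 signer_sha1=7749BE16F266669D505684E9F002C689706C4295 sig_status=Valid',
    r'ts=2025-01-15T10:02:14 event=5 image="C:\Program Files\CrowdStrike\CSFalconService.exe"',
    r'ts=2025-01-15T10:02:15 event=5 image="C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe"',
    r'ts=2025-01-15T10:03:40 event=5 image=C:\Windows\notepad.exe',
    r'ts=2025-01-15T10:40:00 event=6 image=C:\Windows\Temp\k7q2x.sys sha256=PLACEHOLDER_UNKNOWN signer_sha1=PLACEHOLDER_UNKNOWN sig_status=Valid',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["type"], alert["image"], alert["reasons"])
```

Run against the sample records, the script reports the CSAgent.sys load (three matching indicators), the two EDR process terminations that follow it, and the randomly named driver loaded from Temp, while the legitimate tcpip.sys load and the notepad.exe termination produce nothing. In production the thumbprint and hash sets would be refreshed from a feed, and the "sig_status=Valid" field should never be treated as exculpatory for the reason the article gives: Windows reported those revoked certificates as valid too.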
Additional Resources
Primary Research:
- Sophos: "Shared Secret: EDR Killer in the Kill Chain"
- Sophos: "EDR Kill Shifter: RansomHub and Other Ransomware Gangs"
- Sophos IOC Repository
Related Vulnerabilities:

Written by
Michael Haag
Threat Researcher
In the intricate chessboard of cybersecurity, my role oscillates between a master tactician and a relentless hunter. As an expert in detection engineering and threat hunting, I don't just respond to the digital threats, I anticipate them, ensuring that the digital realm remains sovereign.


