A threat actor has been targeting government entities with the PureCrypter malware downloader that has been seen delivering multiple information stealers and ransomware strains. Researchers at Menlo Security discovered that the threat actor used Discord to host the initial payload and compromised a non-profit organization to store additional hosts used in the campaign. The attack begins with an email that has a Discord app URL pointing to a PureCrypter sample in a password-protected ZIP archive. PureCrypter is a .NET-based malware downloader first seen in the wild in March 2021. Its operator rents it to other cybercriminals to distribute various types of malware. When executed, it delivers the next-stage payload from a command-and-control server, which is the compromised server of a non-profit organization in this case. The sample that the researchers at Menlo Security analyzed was AgentTesla. When launched, it establishes a connection to a Pakistan-based FTP server that is used to receive the stolen data. The researchers found that the threat actors used leaked credentials to take control of the particular FTP server rather than setting it up their own, to reduce identification risks and minimize their trace. Menlo Security believes that the threat actor behind the PureCrypter campaign is not a major one, but it is worth monitoring its activity due to targeting government entities. It is likely that the attacker will keep using compromised infrastructure for as long as possible before being forced to find new one.