A previously undocumented malware packer named DTPacker has been observed distributing multiple remote access trojans (RATs) and information stealers such as Agent Tesla, Ave Maria, AsyncRAT, and FormBook to steal information and facilitate follow-on attacks.
“The malware uses multiple obfuscation techniques to evade antivirus, sandboxing, and analysis,” enterprise security firm Proofpoint said in an analysis published Monday. “It is likely distributed on underground forums.”

The .NET-based commodity malware has been associated with dozens of campaigns and many threat groups, both advanced persistent threat (APT) and cybercrime actors, since 2020, with the intrusions aimed at hundreds of customers across several sectors.
Attack chains involving the packer rely on phishing emails as the initial infection vector. The messages contain a malicious document or a compressed executable attachment which, when opened, deploys the packer to launch the malware.
Packers differ from downloaders in that, unlike the latter, they carry an obfuscated payload to hide its real behavior from security solutions, acting as an “armor to protect the binary” and making reverse engineering more difficult.
What makes DTPacker different is that it functions as both. Its name is derived from the fact that it used two Donald Trump-themed fixed keys — “trump2020” and “Trump2026” — to decode the embedded or downloaded resource that ultimately extracts and executes the final payload.
It is not yet known why the authors chose this particular reference to the former U.S. president, as the malware is neither used to target politicians or political organizations nor are the keys seen by the targeted victims.
Proofpoint said it observed the operators making subtle changes, switching to soccer fan club websites as decoys to host the malware from March 2021, with the packer used by groups such as TA2536 and TA2715 in their own campaigns a year prior to that.
“DTPacker’s use as both a packer and downloader and its variation in delivery and obfuscation while maintaining two such unique keys as part of its decoding is very unusual,” said the researchers, who expect the malware to be used by multiple threat actors for the foreseeable future.
Some elements of this report are sourced from:
thehackernews.com