| Category | Industry | Motivation | Region | Source* |
|---|---|---|---|---|
| Malware Intelligence | Underground | Financial | Global | B2 |
- CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising AV’s NIGHTMARE, a private crypting service advertised as offering strong protection and obfuscation.
- The service can reportedly encrypt any tool (stealer, RAT, botnet, etc.) so that it evades antivirus detection and resists reverse engineering.
- The following information has been shared about the service:
  - The tool is almost undetectable, as it can bypass almost all antivirus products.
  - It stays hidden from reverse engineering.
  - The service can work with any RAT, stealer, malicious file, botnet, etc.
  - Its main goal is to bypass Windows Defender.
  - The product used to encrypt the tool is coded in C++.
  - The services range from USD 30 to USD 160, based on the type of package and features.
  - Private and dedicated powerful encryption methods for every customer.
  - Advanced injection technology for .NET/Native payloads.
  - Compatible with both .NET and Native files.
  - Hidden startup and persistence installation.
  - Private dedicated stub.
  - Fully dedicated support.
  - Long FUD (fully undetectable) period.
- The threat actor was previously very active on another well-known cybercrime forum.
- The post’s credibility is vouched for in a thread posted by another threat actor who had bought these services.
- The actor also claimed to have over 50 satisfied customers with no complaints.
- The threat actor shared a video sample demonstrating the workflow of a crypter executable.
- The video showed the actor monitoring a victim’s device live via remote desktop.
- The crypter executable file received 0 detections from over 20 antivirus scans.
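The advertised features above (encrypted .NET/native payloads inside a private stub, evasion of signature scanning) leave a measurable trace that defenders can look for even when no AV engine fires: the encrypted payload sits in a PE section whose byte entropy is far above that of ordinary code or data, often under a non-standard section name. The following added example, written for this page and not part of CloudSEK's report or tooling, walks the PE section table and flags high-entropy or oddly named sections. The entropy threshold (7.2 bits/byte), the minimum section size, the list of "known" section names and the two sample images are constructed assumptions for illustration; real triage would tune them against a baseline of your own software inventory.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names a typical MSVC/MinGW build carries; anything else is worth a second look.
# Heuristic assumption for this example, not a rule from the advisory.
KNOWN_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc",
                       ".idata", ".edata", ".pdata", ".bss", ".tls"}
# Above this many bits per byte a section looks compressed or encrypted (assumed threshold).
ENTROPY_PACKED = 7.2
MIN_SECTION_SIZE = 256  # tiny sections give noisy entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe_sections(pe: bytes) -> list:
    """Minimal PE section-table walk: MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section headers.
    Returns [(name, raw_bytes), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i                                   # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def assess(pe: bytes) -> dict:
    """Flag sections that look packed/encrypted or carry unusual names."""
    findings = []
    for name, data in parse_pe_sections(pe):
        ent = shannon_entropy(data)
        if len(data) >= MIN_SECTION_SIZE and ent >= ENTROPY_PACKED:
            findings.append(f"{name}: entropy {ent:.2f} bits/byte, likely packed or encrypted payload")
        if name not in KNOWN_SECTION_NAMES:
            findings.append(f"{name}: non-standard section name")
    return {"suspicious": bool(findings), "findings": findings}


# --- constructed sample inputs (not real malware; just enough header for the parser) ---

def build_sample_pe(sections: list) -> bytes:
    """Assemble a header-only PE image from [(name, raw_bytes), ...]. Parseable, not loadable."""
    e_lfanew = 0x40
    table = e_lfanew + 4 + 20          # no optional header in this constructed image
    raw_start = table + 40 * len(sections)
    img = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    body = bytearray()
    for name, data in sections:
        ptr = raw_start + len(body)
        img += name.encode().ljust(8, b"\0")[:8]
        img += struct.pack("<IIII", len(data), 0x1000, len(data), ptr) + b"\0" * 16
        body += data
    return bytes(img + body)


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (chained SHA-256) standing in for an encrypted payload."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Plain build: repetitive x86 prologue bytes, low entropy, standard section names.
BENIGN_SAMPLE = build_sample_pe([
    (".text", b"\x55\x8b\xec\x83\xec\x10" * 200),
    (".data", b"hello from a constructed sample\0" * 20),
])
# Crypted build: a small loader stub plus a high-entropy blob in an oddly named section.
CRYPTED_SAMPLE = build_sample_pe([
    (".text", b"\x55\x8b\xec\x83\xec\x10" * 50),
    (".stub0", pseudo_random_bytes(4096)),
])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("crypted", CRYPTED_SAMPLE)):
        print(label, assess(sample))
```

Entropy alone is a triage signal, not a verdict: legitimately compressed installers and signed packers also score high, so the finding is best combined with the other behaviours the advertisement lists (hidden startup entries, persistence installation, Defender exclusion changes) in endpoint telemetry before escalating.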
| Threat Actor Profiling | |
|---|---|
| Active since | August 2022 |
| Reputation | High (no complaints or concerns against the actor) |
| History | Previously seen dealing with crypts for miner UAC bypass and Windows Defender exclusions. |
| Point of Contact | |
| Rating | B2 (B: Usually Reliable; 2: Probably True) |