Positive Technologies has analyzed the malicious service Crypters And Tools

The security researchers discovered the crypter sample while investigating cyberattacks on Russian companies and government institutions carried out by the PhaseShifters group

The threat intelligence team at the Positive Technologies Expert Security Center (PT ESC) has analyzed the crypter dubbed Crypters And Tools, which has been actively used by the cybercrime groups PhaseShifters, TA558, and Blind Eagle in their attacks against organizations worldwide. This tool, used by hackers to disguise malware, is distributed via subscription (crypter as a service, CaaS).

Positive Technologies first took notice of Crypters And Tools during an investigation into the PhaseShifters' attacks on Russian organizations in 2024. The hackers used this service to create droppers—special programs that secretly deliver malware to the victim's computer. Crypters can encrypt, pack, and obfuscate malicious files to disguise them and make them harder to analyze.

The threat intelligence team examined some social media accounts associated with the crypter and discovered that Crypters And Tools has been operating under various names since at least the summer of 2022. The experts concluded that the developer of the malicious tool is most likely based in Brazil. This hypothesis is supported by fragments of code in Portuguese, the author's instructional videos showing his IP addresses, emails about withdrawing Brazilian reals from a cryptocurrency exchange, and the mention of CPF (taxpayer ID in Brazil).

"With Crypters And Tools, attackers can carry out attacks more easily by hiding Ande Loader payloads in image files. Once delivered, Ande Loader is injected into legitimate Windows processes," says Klimentiy Galkin, Threat Intelligence Specialist at the Positive Technologies Expert Security Center. "This trend is part of a bigger picture: the cybercrime market is growing, and such tools are becoming more popular and accessible."
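The quote above says the loader is hidden in image files but not how. The following Python is an added triage example written for this page (it is not Positive Technologies' tooling and makes no claim about the exact method Crypters And Tools uses); it assumes the common case of a payload appended after the image's end-of-image marker. It walks PNG chunk and JPEG segment structure to find where the real image ends, reports any trailing bytes, and measures their entropy, because crypter output is usually encrypted and will not expose a plain `MZ` header. The sample PNG and JPEG are constructed inline.

```python
"""Triage helper: detect data appended after an image's end marker.
Added example, not project code. Assumes the payload is appended after the
image trailer (PNG IEND chunk / JPEG EOI marker); pixel-level steganography
is out of scope."""
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SIG = b"\xff\xd8"


def png_end(data):
    """Offset just past the IEND chunk, or None if this is not a PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + body + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def jpeg_end(data):
    """Offset just past the EOI (FFD9) marker, or None if not a JPEG."""
    if not data.startswith(JPEG_SIG):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:             # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:             # EOI: the image ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seglen < 2:
            return None
        pos += 2 + seglen
        if marker == 0xDA:             # SOS: skip entropy-coded scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break              # a real marker, not stuffing or RSTn
                pos += 1
    return None


def shannon_entropy(buf):
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def triage_image(data):
    """Summarise what, if anything, follows the image trailer."""
    for fmt, finder in (("png", png_end), ("jpeg", jpeg_end)):
        end = finder(data)
        if end is not None:
            tail = data[end:]
            return {
                "format": fmt,
                "trailing": len(tail),
                "has_pe_header": tail.startswith(b"MZ"),
                "entropy": round(shannon_entropy(tail), 3),
            }
    return {"format": None, "trailing": 0, "has_pe_header": False, "entropy": 0.0}


# Constructed samples: a 1x1 grayscale PNG and a minimal JPEG skeleton.
def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


SAMPLE_PNG = (PNG_SIG
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + _chunk(b"IEND", b""))
SAMPLE_JPEG = (JPEG_SIG + b"\xff\xe0\x00\x04\x4a\x46"      # APP0 segment
               + b"\xff\xda\x00\x02" + b"\x12\x34\xff\x00\x56"  # SOS + scan
               + b"\xff\xd9")                                # EOI

if __name__ == "__main__":
    print("clean png :", triage_image(SAMPLE_PNG))
    print("png + tail:", triage_image(SAMPLE_PNG + b"MZ" + bytes(range(256))))
    print("clean jpeg:", triage_image(SAMPLE_JPEG))
```

Run it over a directory of mail attachments or downloaded images and review anything with a non-zero `trailing` count; a large, high-entropy tail is the interesting case for a crypter, while a visible `MZ` header points at an unobfuscated appended executable.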

The geography of attacks using Crypters And Tools primarily includes countries in Eastern Europe, Latin America, Russia, and the United States. For example, similar obfuscation techniques and malware were used by the Blind Eagle group in its 2023–2024 campaigns targeting manufacturing facilities in North America. Since 2022, when Crypters And Tools was founded, Positive Technologies has identified nearly 3,000 files created with the help of this service.

To gain access to Crypters And Tools, a user must pay the subscription fee and log in to the control panel. Next, the hacker enters the URL of a malicious file into a designated field and configures a number of parameters, such as the type of dropper, the persistence technique, the level of code obfuscation required, and which legitimate process to mimic to disguise malicious activity.

A study of the cybercrime market conducted by Positive Technologies also indicates that ready-made malware, such as Crypters And Tools, is becoming increasingly popular among cybercriminals. To mitigate these threats, organizations should use advanced network traffic analysis tools along with endpoint protection solutions and train their employees to recognize social engineering attacks.
