Authors: Klimentiy Galkin, Junior Threat Intelligence Specialist, Positive Technologies Expert Security Center

This article is for informational purposes only and does not encourage or condone illegal activities. Our goal is to report on an existing tool used by cybercriminals to generate malicious attack chains aimed at breaching organizations and to warn about the widespread use of such tools globally.

• In a study on the PhaseShifters group published in November 2024, we covered attacks on Russian companies. Some of the malicious loaders in these attacks were generated using the Crypters And Tools service.
• The article describes the internal structure and infrastructure of Crypters And Tools.
• The research revealed that at least three groups use this service (PhaseShifters, Blind Eagle, TA558).
• Our observations indicate that the crypter is used exclusively for criminal purposes, and its functionality confirms this.

• Crypter as a Service (CaaS) is a subscription-based service that allows users to encrypt, pack, or obfuscate files (not necessarily malicious ones).
• PhaseShifters (Sticky Werewolf, UAC-0050, Angry Likho) is a hacker group engaged in espionage, targeting organizations in Russia, Belarus, and Polish government institutions.
• TA558 was initially described by Proofpoint as a financially motivated cybercriminal group targeting hospitality and tourism businesses, primarily in Latin America. The group has also targeted North America and Western Europe and been active since at least 2018. In 2024, we observed the group attacking companies around the world.
• Blind Eagle (APT-C-36) is an APT group, believed to originate from South America, that has been continuously targeting government institutions in Colombia and Latin America since April 2018, along with major corporations in finance, oil, and other industries. Their initial attack vector is usually phishing emails with attachments (often password-protected archives) containing malware like Remcos or QuasarRAT. In 2023–2024, they were also observed targeting other countries, including the US.

Following the publication of an article on the PhaseShifters hacker group, which attacked Russian companies and government agencies, specialists from the Threat Intelligence department at Positive Technologies Expert Security Center continued to research the infrastructure and services used by these cybercriminals. After some investigation, we discovered an open directory containing a copy (private application) of the subscription-based crypter, Crypters And Tools. Through careful examination, we were able to expand the activity cluster associated with this CaaS, identify new infrastructure nodes, and understand how the crypter works. Expanding the cluster revealed that multiple groups are using the tool. Some of them were already mentioned in the PhaseShifters article: TA558 and Blind Eagle.

This study will be published in two parts. The first part covers the crypter's internal structure and infrastructure. The second part covers the groups that have ever used this service, as well as other connections between them.

Crypters And Tools was first mentioned in September 2023 on a dark web forum. However, evidence suggests that the service existed earlier under a different name and sometimes had broader functionality. For example, the first messages in the service's Telegram channel date back to July 22, 2022.

Thus, we could identify the previous names of Crypters and Tools.

The interface of Crypters And Tools has changed multiple times.

Besides interface changes, the supported formats for generated files have expanded from VBS and BAT to PDF, DOC, DOCX, and others.

Let's assume a user has a subscription to the service. Below is the process flow.

As seen in Figures 4.4 and 6, the crypter interface contains a URL — BASE64 field. Here, the user specifies a link to generate their malware loader. This link should download a text document containing a reversed Base64 string with the bytes of the executable malware file. The user can store these documents on any service, including their own repositories.

Regardless of the loader's format, the malware loading and execution process is the same.

Below is an example of a VBS loader.

The called PowerShell script stores a Base64 string in a variable (typically named $codigo, $sodigo, or $dosigo). By decoding it, we obtain the following PowerShell script.

The decoded script contains a link to download an image. After downloading, the image is scanned for a sequence in the format: <<BASE64_START>>BASE64_ENCODE(Ande Loader)<<BASE64_END>> (a byte example is shown in Figure 10). The script calls a method from the decoded Ande Loader executable file.

Ande Loader then downloads the malware payload from the link provided by the crypter user, decodes it, and injects it into a legitimate Windows process. In addition, it establishes persistence in the system.

Ande Loader is a C#-based malware loader named after its Ande3 method in the source code. It has been used by groups like Blind Eagle, PhantomControl, and PhaseShifters, who distribute it in an encoded form inside images. Functionally, there is nothing particularly unique about Ande Loader—similar programs in C# can be found on GitHub (Fig. 12).

Several PDB paths extracted from analyzed loader files (examples in Figure 13) suggest that Crypters And Tools developers actively maintain Ande Loader.

We analyzed the November 2024 version of Crypters And Tools. The application is packed with Themida, written in C#, and uses additional libraries. Unpacking it reveals the following class structure.

The FrmLogin and FrmRegister classes handle user authentication and registration in the crypter. Inside these classes, a Firebase client is initialized to retrieve user data from storage. Licenses are tied to the user's HardwareID.

The FrmMain class contains the main logic of the application:

• Selecting the loader to be generated (visible in the side menu, see Figure 17).
• Configuring parameters (loader type, persistence method, number of lines in the obfuscated script, and others).
• Selecting a legitimate process into which the malware will be injected (Process Injection field). The set of processes available for injection is pre-defined and limited (listed below).

• Generating a file based on user-selected parameters.

• While studying the Crypters And Tools application, we learned the following about its infrastructure:
• To store data required for registration and login, a Firebase real-time database (RTDB) is used:
  • Database link: https://onyx-zodiac-376415-default-rtdb.firebaseio.com
  • Database name: Database
• A private server controlled by Crypters And Tools is used to store payloads for users who most likely purchased a private subscription version. By default, IP address 91.92.254.14 is used, and files can be accessed via links formatted as /Users_Api/<username>/<filename>.
• An open directory is used to update the application. At the time of writing, the binary file references the IP address 158.69.36.15 of an XAMMP server. The version number file is located at: http://158.69.36.15/Upload/version.txt.
• Images containing Ande Loader and other scripts can be found at:
  • http://servidorwindows.ddns.com.br/Files/js.jpeg
  • https://1017.filemail.com/api/file/get?filekey=<token_1>
  • http://servidorwindows.ddns.com.br/Files/vbs.jpeg
  • https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/js_rmp.txt
  • https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/vb_rmp.txt
• The application's creators manage the website cryptersandtools.com and the Telegram channel CryptersAndTools.

Notable features of the infrastructure include:

• Domains often contain substrings with the service name or author name (for example, cryptersandtools, nodetecton).
• Initially, the infrastructure likely consisted of home computers and servers: most IP addresses were within the same autonomous system and region—ALGAR TELECOM SA in São Paulo or Minas Gerais. Later, the service owners switched to using hosting providers, including foreign ones.
• Most domains use Let's Encrypt certificates with the subject name set to localhost. However, for some domains, the following certificate exists: Subject: CN=localhost C=BR OU=EG O=TAG ST=Some-State.
• XAMMP servers, which may contain both user files and the application itself, typically follow the same structure:
  • Standard directory: /dashboard
  • Upload directory: Upload/
  • Files directory: Files/
• The private server for storing files uses the same path format in links: /Users_Api/<username>/.
• The IP addresses of the crypter's infrastructure host images containing Ande Loader.

The infrastructure investigation also involved searching for additional indicators through social media platforms used to promote the service. For example, one of the service developers is a user named NoDetectOn. This information helped us uncover additional network indicators. We conducted searches on YouTube channels and Telegram, analyzing over 130 media files—including videos, screenshots, and others—uploaded by the service owner to showcase the crypter's functionality. From this material, several observations can be made. Firstly, during demonstrations of the app, the video author, despite using virtual machines and RDP connections, still displayed their external IP address in the interface of the malware (such as Remcos or XWorm).

Secondly, many videos featured the tool Process Hacker, which displays a list of active processes. Occasionally, the list revealed an active XAMMP server operating within the same infrastructure. This is supported by the fact that domains used by open directory servers correspond to IP addresses of the same provider, previously detected in the malware graphic interface.

By analyzing videos in the crypter's group, we can determine the country of origin. Thus, variable names in the source code and method names are in Portuguese. Additionally, the author's email inbox in videos contains mostly Portuguese messages. A clearly visible email shows a 1009 BRL withdrawal from Binance (BRL = Brazilian real), and mentions CPF, Brazil's taxpayer identification number.

A significant number of malicious files were uploaded from public sources in the US, Germany, and China. This is likely due to users employing VPNs when distributing malware. We have observed attacks using Crypters And Tools targeting the US, Eastern Europe (including Russia), and Latin America. For example, in 2023–2024, Blind Eagle attacks, which used similar malware and obfuscation techniques, primarily targeted US organizations. 

The distribution of malicious files closely correlates with attack statistics we identified when studying the TA558 group. Specifically, Argentina, Brazil, Colombia, Mexico, Romania, and Chile are among the most targeted countries.

Attackers can simplify the process of organizing the initial stage of an attack by subscribing to a crypter that bypasses security solutions. Researching the internal mechanisms of tools like Crypters And Tools, as well as their network infrastructure, can be useful for studying attacks and identifying connections between APT groups.

Given our colleagues' recent analysis of the cybercrime market, it can be said that tools like Crypters And Tools and malware of various types will continue to gain popularity within the hacker community. This will lead to an increase in the number of malicious files and, consequently, a rise in successful attacks in regions with weaker cybersecurity defenses. The cost of malware on shadow forums suggests that the costs of a sophisticated attack are significantly lower than the potential profits from selling confidential information or extortion. 

We will continue to monitor the use of this tool and pay attention to new services offering similar functionalities. Read the second part of our research to learn which groups worked with Crypters And Tools and what other similarities they share.