A malicious Windows packer known as pkr_mtsi has been identified as a flexible malware loader used in large-scale malvertising and SEO-poisoning campaigns, according to new research.
First observed in the wild by ReversingLabs (RL) on April 24 2025, the tool has remained active through the time of writing. It is primarily used to distribute trojanized installers masquerading as legitimate software.
The packer plays a key role in initial access operations. Rather than delivering a single malware family, pkr_mtsi has been used to deploy a wide range of follow-on payloads, including Oyster, Vidar, Vanguard Stealer and Supper.
In their advisory published on Tuesday, RL said pkr_mtsi is typically disguised as installers for well-known utilities such as PuTTY, Rufus and Microsoft Teams.
The researchers stress that these infections do not stem from compromised vendors. Instead, victims are lured through fake download sites that gain visibility via paid search ads and manipulated search rankings.
Common antivirus detections often reference terms such as “oyster” or “shellcoderunner,” reflecting overlaps with delivered payloads. Existing public detection rules, however, only identify a subset of samples, prompting RL to release a broader YARA rule that covers all known variants.
Over the past eight months, pkr_mtsi has steadily evolved. Later versions have introduced heavier obfuscation, hashed API resolution and anti-analysis techniques, while retaining a consistent execution model.
Early-stage behavior reliably begins with memory allocation, followed by reconstruction of the next-stage payload through numerous small memory writes.
Key characteristics highlighted in the research include:
-
Use of modified UPX-packed intermediate stages
-
Obfuscated calls to ZwAllocateVirtualMemory in newer builds
-
Junk GDI API calls intended to disrupt analysis
-
Anti-debugging checks that can force process termination or infinite loops
Read more on malware loaders and initial access techniques: CoffeeLoader Malware Loader Linked to SmokeLoader Operations
Despite its ongoing changes, the packer’s structure offers durable detection opportunities. A notable programming flaw involves repeated calls to NtProtectVirtualMemory with invalid protection flags, generating predictable errors that can be monitored in endpoint telemetry.
DLL variants add further complexity by supporting execution via trusted Windows utilities such as regsvr32.exe and enabling persistence via registry-based COM registration.
“For DFIR practitioners, understanding the packer’s staged architecture, modified UPX intermediary, and alternate execution paths, especially DLL-based execution via regsvr32.exe, enables faster triage, more reliable unpacking and clearer separation of packer behavior from payload functionality,” the RL team wrote.
“Together, the techniques and detection logic presented in this report allow defenders to disrupt pkr_mtsi intrusion chains earlier in the attack lifecycle and investigate active incidents more efficiently and confidently.”
