
pkr_mtsi Malware Loader Distributes Diverse Payloads via Malvertising and SEO Poisoning

1 unique source, 1 article

Summary


A versatile Windows packer named pkr_mtsi has been identified as a malware loader used in large-scale malvertising and SEO-poisoning campaigns. First observed on April 24, 2025, it delivers various payloads including Oyster, Vidar, Vanguard Stealer, and Supper. The loader disguises itself as legitimate software installers and leverages fake download sites for distribution. The malware has evolved over the past eight months, incorporating heavier obfuscation, hashed API resolution, and anti-analysis techniques. Despite these changes, its structure provides durable detection opportunities, including predictable errors from invalid protection flags. ReversingLabs (RL) has released a YARA rule to detect all known variants, highlighting the packer's staged architecture and alternate execution paths for DFIR practitioners.

Timeline

  1. 07.01.2026 18:45 · 1 article

    pkr_mtsi Malware Loader Evolves with Enhanced Obfuscation and Anti-Analysis Techniques

    Over the past eight months, pkr_mtsi has steadily evolved, incorporating heavier obfuscation, hashed API resolution, and anti-analysis techniques. Despite these changes, its structure offers durable detection opportunities, including predictable errors from invalid protection flags. RL has released a YARA rule to detect all known variants, and the packer's staged architecture and alternate execution paths are highlighted for DFIR practitioners.


Information Snippets