
Pkr_mtsi Windows loader delivers multiple payloads

Malware Activity
Happening score: 32
1 unique source, 1 article

Summary


pkr_mtsi is a Windows loader now being used to push trojanized installers through malvertising and SEO poisoning, increasing initial-access risk for Windows users. First seen on April 24, 2025 and still active, it has delivered Oyster, Vidar, Vanguard Stealer, and Supper. The loader commonly masquerades as PuTTY, Rufus, or Microsoft Teams, luring victims through fake download sites promoted by ads and manipulated search rankings. Its evolving tradecraft includes modified UPX stages, anti-analysis checks, and regsvr32.exe execution paths that make unpacking and detection harder.

Related Happenings

Beagle backdoor distributed via fake Claude site and DLL sideloading

Malware Activity
First: 07.05.2026 16:15 Last: 07.05.2026 16:15 Sources 1

About this happening: The **Beagle** backdoor is now being distributed through a **fake Claude website**, putting **Windows users** at risk of infection through a **DLL sideloading chain**. The lure de...

Microsoft Teams adds "Report a Call" for suspicious calls with phased rollout

Security Tool/Service
First: 29.01.2026 16:49 Last: 29.01.2026 16:49 Sources 1

About this happening: Microsoft is adding **"Report a Call"** to **Teams**, letting users flag **suspicious or unwanted calls** as potential **scams or phishing**. The feature is **enabled by default**...

Microsoft Teams rolls out Brand Impersonation Protection for external call warnings

Security Tool/Service
First: 22.01.2026 18:28 Last: 22.01.2026 18:28 Sources 1

About this happening: **Microsoft Teams** is adding **Brand Impersonation Protection** to warn users about suspicious **first-time external callers**, reducing social-engineering risk in call flows. Th...

Gootloader adopts malformed ZIP archives for stealthier delivery

Malware Activity
First: 16.01.2026 00:54 Last: 16.01.2026 00:54 Sources 1

About this happening: The **Gootloader** loader has adopted **malformed ZIP archives** that concatenate up to **1,000 archives**, making delivery stealthier and frustrating analysis tools. The payload...

ConsentFix browser-native OAuth consent phishing campaign

Campaign
First: 14.01.2026 17:01 Last: 14.01.2026 17:01 Sources 1

About this happening: The **ConsentFix** campaign is a **ClickFix**-style **OAuth consent phishing** operation that hijacks **Microsoft accounts** by abusing the **Azure CLI OAuth app**. In the reporte...

Timeline

  1. 07.01.2026 18:45 1 article · 4mo ago

    pkr_mtsi first observed in malvertising campaigns

    Initial Disclosure

    pkr_mtsi is first observed as a malicious Windows packer used in large-scale malvertising and SEO-poisoning campaigns to distribute trojanized installers that deliver Oyster, Vidar, Vanguard Stealer, and Supper.

  2. 07.01.2026 18:45 2 articles · 4mo ago

    pkr_mtsi analysis adds detection and execution details

    Technical Analysis Update

    Updated research on pkr_mtsi tradecraft documents heavier obfuscation, hashed API resolution, anti-analysis checks, modified UPX-packed intermediate stages, and DLL variants that execute through regsvr32.exe and registry-based COM registration; a broader YARA rule is released to detect known variants and to monitor for the loader's predictable NtProtectVirtualMemory errors.
