The new .NET malware packer "DTPacker," used to distribute various remote access trojans (RATs) and infostealers, uses a fixed password named after Donald Trump. Proofpoint researchers first identified DTPacker in 2020 and have since seen it deployed by multiple threat actors in campaigns that targeted hundreds of thousands of end users with thousands of malicious messages across multiple industries.
The researchers found that one significant campaign, which lasted weeks, used phony Liverpool Football Club (LFC) sites to get visitors to download DTPacker, which ultimately delivered Agent Tesla. According to a Monday report, DTPacker has also distributed Ave Maria, AsyncRAT, and FormBook.
According to the Proofpoint team that found it, the malware is notable because it delivers both embedded payloads (acting as a packer) and payloads retrieved from a command-and-control server (acting as a downloader). In all observed DTPacker instances, the second stage uses a decoding password that refers to the former president.
"The main difference between a packer and a downloader is the location of the payload data, which is embedded in the former and downloaded in the latter," the analysts commented. "DTPacker uses both forms; it is unusual for a piece of malware to be both a packer and a downloader."
According to the report, Proofpoint observed several decoding techniques and two Donald Trump-themed fixed keys, which earned the malware the moniker "DTPacker." The company said the earlier DTPacker version used "trump2020," but since August a version using "Trump2026" has appeared. The researchers expect DTPacker to continue to be used by threat actors and traded on underground forums.
The analysts said it is unclear why the malware's author chose to reference Donald Trump in its fixed passwords. The malware is not designed to target politicians or political groups, and the password would never be visible to the intended victims. Proofpoint assesses that multiple threat actors will continue to employ this malware.