CypherIT
CypherIT is a malicious commodity packer/crypter used to obfuscate and distribute other malware, including information stealers and remote access tools. The tracked reporting explicitly notes CypherIT being used to pack threats such as Rhadamanthys, including in a paste-and-run campaign observed in October 2025. CypherIT also comes up in connection with Asgard Protector: multiple antivirus products reportedly misclassified Asgard Protector samples as CypherIT, and researchers noted that the two crypters are similar in functionality, which may suggest a link between them, although the reporting does not confirm the relationship. The reporting gives little high-confidence behavioral detail for CypherIT itself; the main supported characterization is that it is a commodity malware packer used to conceal payloads from security tools and to facilitate delivery of downstream malware families such as infostealers and RATs.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malicious packer used to obfuscate and distribute various malware, including stealers and RATs. Recently used to pack Rhadamanthys.
A crypter referenced for comparison; AV providers reportedly misidentified some Asgard Protector samples as CypherIT due to functional similarities.