Malware

Vanguard Stealer

Vanguard Stealer is a malware family observed being delivered by the pkr_mtsi Windows packer. The provided content identifies it as one of several payloads distributed in widespread malvertising and SEO-poisoning campaigns that use fake download sites and trojanized installers for popular software including PuTTY, Rufus, and Microsoft Teams. In this activity, pkr_mtsi functions as a general-purpose loader rather than a single-payload wrapper, and has been distributed as both executables and DLLs. DLL variants can support persistent execution via regsvr32.exe and COM registration. The campaigns and loader infrastructure associated with Vanguard Stealer employ advanced obfuscation and anti-analysis techniques, including obfuscated memory allocation, hashed API resolution, payload reconstruction in memory, junk GDI API calls, and intermediate payloads packed with a modified UPX module stripped of identifying metadata. The content does not provide additional high-confidence details on Vanguard Stealer’s internal capabilities, specific targeted industries, threat actor attribution, or standalone indicators of compromise beyond its delivery via pkr_mtsi in malvertising/SEO-poisoning campaigns.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

the hacker newsNews

Jan 8, 2026

ThreatsDay Bulletin: RustFS Flaw, Iranian Ops, WebUI RCE, Cloud Leaks, and 12 More Stories

Vanguard Stealer is an information-stealing malware delivered via the pkr_mtsi packer; specific details are not provided in the content.

cyber security newsNews

Jan 7, 2026

Windows Packer pkr_mtsi Powers Widespread Malvertising Campaigns Delivering Multiple Malware Families

An information stealer malware family delivered by the pkr_mtsi packer.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.