pkr_mtsi

pkr_mtsi is a Windows packer and loader first detected on 2025-04-24 and used in large-scale malvertising and SEO-poisoning campaigns. It is distributed via fake download sites impersonating legitimate software sources and delivers trojanized installers for software including PuTTY, Rufus, and Microsoft Teams. The activity described is not a supply-chain compromise, but rather the use of imitation websites to obtain initial access and stage follow-on malware. pkr_mtsi functions as a general-purpose loader rather than a single-payload wrapper. Reported payloads delivered through it include Oyster, Vidar Stealer, Vanguard Stealer, and Supper. It has been observed in both executable and DLL forms. DLL variants can trigger unpacking on load and support persistence or execution via regsvr32.exe and COM registration.

Over time, pkr_mtsi has incorporated increasingly sophisticated obfuscation and anti-analysis techniques. Early variants used direct VirtualAlloc calls, while newer samples use obfuscated ZwAllocateVirtualMemory calls. Payloads are reconstructed in memory from small chunks, sometimes decoded before being written to memory. API and DLL resolution evolved from plaintext references to hashed identifiers with PEB traversal. The packer also uses junk GDI API calls to hinder static and behavioral analysis. Intermediate payloads are packed with a modified UPX module with identifying headers and metadata stripped to impede analysis and detection.

Detection is possible through structural and behavioral characteristics, but coverage is inconsistent across security products. Some antivirus detections reportedly include substrings such as "oyster" or "shellcoderunner." ReversingLabs researchers are specifically noted as tracking and analyzing the malware’s evolution.