{
	"id": "2484c00a-3d7c-4aaf-b620-1c5d0143d2f9",
	"created_at": "2026-04-06T00:22:17.053607Z",
	"updated_at": "2026-04-10T13:12:17.259707Z",
	"deleted_at": null,
	"sha1_hash": "124b8f02298badf5051e27391dc336301e8e1321",
	"title": "Bifrost Burned: Dissecting Asgard Protector’s Defenses",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 166203,
	"plain_text": "Bifrost Burned: Dissecting Asgard Protector’s Defenses\r\nBy James\r\nPublished: 2025-10-01 · Archived: 2026-04-05 17:09:03 UTC\r\nSpyCloud Labs analysts have been busy reversing Asgard Protector, one of the crypters recommended by the\r\nsellers of LummaC2. At the time of writing this publication, LummaC2 is the most prominent commodity\r\ninfostealer available.\r\nCrypters are tools used by cybercriminals that allow them to hide malicious payloads in seemingly nonmalicious\r\nwrappers or “packed” samples, allowing them to easily bypass antivirus (AV) software and other protections.\r\nAsgard Protector leverages Nullsoft package installations, hidden AutoIt binaries, and compiled AutoIt scripts in\r\norder to inject encrypted payloads into memory, which are decrypted in memory and executed.\r\nAll told, the combination of LummaC2 and Asgard Protector represents a potent union for evading detection and\r\nstealing data from devices and networks.\r\nAsgard Protector advertises itself as an AUTOcrypt service, meaning that stubs are generated automatically for\r\nmalware submitted to its crypting service (a Telegram bot). We have observed advertisements for Asgard Protector\r\non XSS dating back to at least 2023. As we can see from these advertisements (see Image 1 below), the Telegram\r\nbot also allows for a wide variety of customizable options to be added to the crypt, such as:\r\nhttps://spycloud.com/blog/asgard-protector-crypter-analysis/\r\nPage 1 of 4\n\nImage 1: Screenshots of the Asgard Protector ad, which appeared on XSS.\r\nInstallation\r\nAsgard Protector crypted binaries arrive on systems as Nullsoft Installation Binaries, which are essentially self-extracting RAR files with installation scripts that run once the contents are extracted.\r\nFor Asgard Protector, the Nullsoft binary simply extracts all files into %temp%, before locating the .bat file that it\r\nuses for its installation routine, and then executing it. 
As observed in Image 2, Asgard Protector leverages\r\nmismatched file extensions in order to better hide. The .bat file it looks for is the ASCII text file, or in this sample,\r\nBelgium.pst.\r\nImage 2: File listing of an Asgard Protector Nullsoft installation binary.\r\nAs observed in Image 3, the .bat file used by Asgard Protector for installation is fairly obfuscated, making reading\r\nand understanding it challenging.\r\nThe obfuscated .bat file used by Asgard Protector for installation.\r\nHowever, analysts at SpyCloud have developed in-house tooling to help deobfuscate these scripts, making them\r\nmuch easier to read and understand. A deobfuscated version of the same script that appears above can be observed\r\nin Image 4 below.\r\nThe deobfuscated .bat file used by Asgard Protector.\r\nThe batch script has some basic AV checking that it conducts in order to determine if it’s a safe environment for\r\nthe malware to run (i.e., a vulnerable endpoint). This behavior is present in all samples of Asgard Protector that\r\nwe have analyzed as of the date of publication.\r\nOne interesting technique used by the script is the piecemeal assembly of an autoit.exe binary, using the files\r\ncontained in the .cab file, as observed in Image 2, as well as a hardcoded MZ, which is tacked on by the script.\r\nWhat’s unique is that in order to find the PE header, findstr is used to find a file offset in one of the embedded\r\nfiles, and then everything is copied over past that offset. This file can partially be observed in Image 5, below.\r\nImage 5: The partial AutoIt binary used by Asgard Protector.\r\nAdditionally, the script assembles a compiled AutoIt script file using the remaining .pst files (listed as “data” files\r\nin Image 2), which is then executed by the assembled AutoIt binary. 
It should be noted that unique crypts using\r\nAsgard Protector result in different file extensions for the malware to masquerade as; however, the run-through is\r\nalways the same.\r\nAutoIt script\r\nAt this point in the infection process, the compiled AutoIt script file is executed by the rebuilt AutoIt binary. This\r\nscript file handles the extra customizable behavior of the crypter, such as the autorun functionality or the IP logger.\r\nUsing tools like autoit-ripper, SpyCloud Labs analysts were able to decompile the AutoIt script file to get the raw\r\nscript source file, as observed in Image 6.\r\nImage 6: The obfuscated AutoIt script used by Asgard Protector for malware install\r\nThe decompiled script file is horrendously obfuscated, using both a basic state machine and string hiding in order\r\nto mask the true functionality of the script. Luckily, using more in-house developed tooling, we were able to\r\ndeobfuscate the AutoIt scripts as well, as observed in Image 7.\r\nImage 7: The deobfuscated version of Asgard Protector’s AutoIt install script\r\nThis script handles all of the additional features of Asgard Protector, in addition to the actual injection of the\r\nmalware binary into memory. Asgard Protector normally injects the malware payload into explorer.exe, which\r\nhelps the malware to evade detections. The malware sits encrypted in the AutoIt script and is decrypted in memory\r\nusing RC4. Additionally, the AutoIt script decompresses the malware binary once it is in memory, using\r\nRtlDecompressFragment and the LZNT1 compression algorithm.\r\nA particularly interesting feature of Asgard Protector is its sandbox detection process, which uses pings to\r\ndomains that should not provide a response. This can be observed in Image 7 with a ping to a randomly generated\r\ndomain that should return null. 
If this ping receives a response, however, Asgard Protector will immediately exit,\r\nas it knows that it is running in an environment that is blocking outbound connection attempts and mimicking\r\nnetwork traffic.\r\nPivoting off of Asgard Protector crypted binaries in VirusTotal, SpyCloud Labs analysts discovered over 1,200\r\nsamples, which helped to determine the most commonly crypted malware families. We then worked to identify a\r\nsmall subset of the samples found in order to determine usage statistics.\r\nAs can be observed in Chart A, LummaC2 accounted for over 69% of the more than 200 samples that we\r\nidentified as having been crypted using Asgard Protector. Interestingly, Rhadamanthys was the next highest\r\nfamily, coming in at just over 11%.\r\nChart A: Asgard Protector usage breakdown\r\nWe also observed a fairly low percentage of unidentified malware, with only four of the total identified samples\r\nconsisting of malware that SpyCloud analysts could not immediately identify as a named family.\r\nAdditionally, while identifying malware for this crypter, we noticed that many AV providers automatically\r\nidentified this crypter as CypherIT, despite it not in fact being CypherIT. Looking at past analyses of CypherIT, we\r\nnote that CypherIT and Asgard Protector are similar in functionality, potentially suggesting a link between these\r\ntwo crypters.\r\nAs mentioned previously in this analysis, Asgard Protector drops all of its files into %temp% before running the\r\ndropped .bat file via the Nullsoft installation binary, and then installing the malware. However, that behavior by\r\nitself may not be anomalous enough for defenders to properly locate the malware, as many nonmalicious\r\nexecutables write to %temp% often.\r\nInstead, defenders should look at the commands Asgard Protector runs during the .bat file execution, as those are\r\nmore anomalous and can be used to identify malicious behavior. 
Some commands to look out for are:\r\nAsgard Protector is a malware crypter recommended by the sellers of LummaC2. In the crypted malware samples\r\nwe analyzed:\r\nOther interesting findings from our analysis include:\r\nSource: https://spycloud.com/blog/asgard-protector-crypter-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://spycloud.com/blog/asgard-protector-crypter-analysis/"
	],
	"report_names": [
		"asgard-protector-crypter-analysis"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434937,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/124b8f02298badf5051e27391dc336301e8e1321.pdf",
		"text": "https://archive.orkl.eu/124b8f02298badf5051e27391dc336301e8e1321.txt",
		"img": "https://archive.orkl.eu/124b8f02298badf5051e27391dc336301e8e1321.jpg"
	}
}