{
	"id": "2785312b-42e7-4485-8e81-0d4fc1a3b533",
	"created_at": "2026-04-06T00:17:44.453078Z",
	"updated_at": "2026-04-10T03:23:52.357591Z",
	"deleted_at": null,
	"sha1_hash": "1ab77c8136fc9f91ad17d160d1be8ea28cb891a2",
	"title": "BitPaymer Ransomware Leveraging New Custom Packer Framework",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1017241,
	"plain_text": "BitPaymer Ransomware Leveraging New Custom Packer Framework\r\nBy Arnold Osipov\r\nArchived: 2026-04-05 21:53:18 UTC\r\nMorphisec Labs recently investigated an ongoing BitPaymer ransomware campaign that has been attacking companies across the U.S., both public and private, over the last 3 months. We are aware of at least 15 organizations targeted by the threat group during this latest campaign, spanning multiple industries, including finance, agriculture and technology. Especially interesting is their targeting of a supply chain solution provider, which may be part of a deliberate propagation strategy.\r\nThe attacks all follow a similar pattern. Initial infiltration is usually obtained via phishing emails delivering Dridex. Once attackers have a foothold in the system, they perform a full recon stage and steal AD credentials. Then, during the weekend (usually Saturdays), they deploy the ransomware onto the already compromised network. This carefully planned timing allows them to propagate the ransomware to 24/7 running servers and then spread as the first employees returning to work from the weekend log in to the compromised network.\r\nOur investigation revealed that, in many cases, organizations had advanced EDR solutions installed that the ransomware was able to bypass. Learn more about how fileless malware bypasses EDR.\r\nUpon analysis of the ransomware and the loader that executes the payload, we identified several interesting characteristics of a new packer framework the attackers are using to obfuscate and compile a fully custom loader on the day of the attack – usually just 2-3 hours before the ransomware’s deployment. This makes it unlikely to be detected by antivirus and EDR tools until it’s too late. 
The ransomware payload itself appears to be a variant compiled 3-4 months ago, which is being reused by the loader wrapper in various campaigns, including the one that knocked out Arizona Beverages earlier this year.\r\nThis BitPaymer ransomware variant also has an interesting, innovative approach to bypassing the Windows Defender Emulator, as shown in the Technical Analysis below. This technique was first introduced at the 2018 Black Hat conference by researcher Alexei Bulazel, and we predict that more malware will start incorporating similar approaches.\r\nMorphisec prevents the execution of the ransomware and its propagation, including the initial vectors of Dridex and the backdoors used by the attackers that lead to this compromise.\r\nTechnical Analysis\r\nBitPaymer Loader\r\nThe loader is compiled and customized for the target and includes redundant instructions, logic and assignments. After analyzing differences between samples, we believe that a new advanced obfuscation framework has been developed by the attackers, one which is highly effective at evading behavioral and static analysis.\r\nhttps://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework\r\nPage 1 of 10\n\nExample of a deceptive function from two different BitPaymer packed samples. One of them contains lots of junk code while the other is thinner. In both cases it just returns False.\r\nFigure 1: Thinner function that returns False\r\nFigure 2: Same functionality as the function from Figure 1, wrapped with junk code\r\nBefore executing the function that decrypts the BitPaymer second stage payload, the loader performs OS version checks. 
It will run on any OS later than Vista, with some exceptions, such as older versions of Windows Server (servers are definitely the preferred target of the group).\r\nFigure 3: Deceptive OS version checks\r\nBitPaymer\r\nUpon loading, BitPaymer checks if the file “C:\\aaa_TouchMeNot_.txt” exists. If so, BitPaymer terminates execution, as the file is an indicator of a “goat file” in the Windows Defender AV Emulator. This is an easy way to bypass the Windows Defender Emulator, as it always emulates the existence of the file.\r\nFigure 4: Check if running in Windows Defender Emulator\r\nNext, the malware initializes its configuration settings, such as process integrity level and decryption type. It also decrypts all of its strings (ransom note, public key, file extension, etc.) using the RC4 algorithm with a 40-byte key that resides at the beginning of the ‘.rdata’ section.\r\nFigure 5: Set process integrity level\r\nFigure 6: Marked is the reversed RC4 key in the .rdata section\r\nAfter the Windows Defender AV Emulator check and the initialization of the BitPaymer configuration, BitPaymer tries to execute itself as a service. This will be described in more detail later.\r\nFigure 7: Unpacked BitPaymer entry point\r\nNext, BitPaymer checks if it is running as an alternate data stream. 
It does that by checking if the name of the file on disk ends with ‘:’.\r\nFigure 8: Check if running from alternate data stream\r\nIf not, it copies itself to a hidden alternate data stream under %APPDATA%\\\u003crandom_name\u003e:BIN and creates a new process with the old file path as a parameter.\r\nThe BitPaymer alternate data stream process then performs the following:\r\n1. Deletes the original file\r\n2. Copies itself from the :BIN alternate data stream to a hidden directory in %APPDATA%\\\u003crandom\u003e.exe.\r\n3. Creates a temporary ‘.cmd’ file in the %temp% directory and writes the following (Figure 3)\r\nFigure 9: cmd file that will be executed from the registry\r\nThe .cmd file is not deleted, as the registry points to it (described in the next section).\r\nElevate Privileges\r\nIn order to elevate privileges, BitPaymer uses a technique introduced by @enigma0x3, which is a fileless UAC bypass. It changes the default value of the registry key ‘HKCR\\mscfile\\shell\\open\\command’ to point at the ‘.cmd’ file, which causes BitPaymer to run with high privileges without a UAC prompt. If it does not succeed in elevating its privileges, BitPaymer exits without encrypting the filesystem.\r\nThe abuse of eventvwr.exe and similar registry hijack elevation techniques is a serious architectural weakness and is very popular among malware. It is also easy to tweak the technique to bypass any existing detection solution.\r\nFigure 10: Compromised registry key\r\nWhen running with high privileges, BitPaymer deletes shadow copy files from the host. 
It does this by running the commands ‘vssadmin.exe Delete Shadows /All /Quiet’ and ‘diskshadow.exe /s %TEMP%\\\u003ctempfile\u003e.tmp’ (where \u003ctempfile\u003e.tmp contains “delete shadows all\\r\\nexit\\r\\n”) for Windows Server versions.\r\nNext, it tries to take ownership of a random service by using ‘takeown.exe /F \u003cservice_name\u003e’ and ‘icacls.exe \u003cservice_name\u003e /reset’. If it succeeds, it saves a copy of the service in the ‘:0’ alternate data stream for restoration purposes. It then replaces the service with a copy of its own and executes BitPaymer as a service.\r\nAfter successfully hijacking and running from a service, BitPaymer begins to encrypt the filesystem. First, it iterates the logical drives, including network drives, mapping the network using the commands ‘arp.exe -a’ and ‘nslookup.exe \u003cIP\u003e’. After gathering all applicable drives, it recursively iterates each file on each drive. From each drive, it collects all the files whose extension is not ‘.exe’, ‘.dll’, ‘.\u003ccompany_name\u003e’ or ‘.\u003ccompany_name\u003e_readme’.\r\nBitPaymer adds its file extension, ‘.\u003ccompany_name\u003e’, to the encrypted files, alongside a ransom note with the same file name and the ‘.\u003ccompany_name\u003e_readme’ extension.\r\nFigure 11: Ransom note\r\nConclusion\r\nThe threat group behind BitPaymer has successfully hit numerous targets and shows no sign of slowing down. 
The custom packer framework it is now using allows it to create what are essentially new variants hours before the ransomware is deployed, which are extremely difficult for detection-dependent security systems to catch.\r\nMorphisec is powered by Moving Target Defense, enabling advanced ransomware prevention that blocks such attacks deterministically, without any prior knowledge or required updates.\r\nArtifacts\r\nNOTE: Morphisec prevented this attack immediately, without using rules, signatures or any other type of prior knowledge. The rules and hashes below are provided as a service to the community and to other security solutions that do need and use prior knowledge to detect attacks.\r\nPDB path:\r\nUnlike old BitPaymer samples, whose PDB paths resembled those of Dridex samples, some of the newer samples, which are packed with the new custom packer, have the PDB path ‘RWKGGE.PDB’.\r\nYARA Rule:\r\nrule BitPaymer {\r\n    meta:\r\n        description = \"Rule to detect newer Bitpaymer samples. Rule is based on BitPaymer custom packer\"\r\n        author = \"Morphisec labs\"\r\n    strings:\r\n        $opcodes1 = {B9 ?? 
00 00 00 FF 14 0F B8 FF 00 00 00 C3 89 45 FC}\r\n        $opcodes2 = {61 55 FF 54 B7 01 B0 FF C9 C3 CC 89 45 FC}\r\n    condition:\r\n        (uint16(0) == 0x5a4d) and ($opcodes1 or $opcodes2)\r\n}\r\nSHA1:\r\nAbout the author\r\nArnold Osipov\r\nMalware Researcher\r\nArnold Osipov is a Malware Researcher at Morphisec, who has spoken at BlackHat and been recognized by Microsoft Security for his contributions to malware research related to Microsoft Office. Prior to his arrival at Morphisec 6 years ago, Arnold was a Malware Analyst at Check Point.\r\nSource: https://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework"
	],
	"report_names": [
		"bitpaymer-ransomware-with-new-custom-packer-framework"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434664,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1ab77c8136fc9f91ad17d160d1be8ea28cb891a2.pdf",
		"text": "https://archive.orkl.eu/1ab77c8136fc9f91ad17d160d1be8ea28cb891a2.txt",
		"img": "https://archive.orkl.eu/1ab77c8136fc9f91ad17d160d1be8ea28cb891a2.jpg"
	}
}