{
	"id": "6fdb7f21-bb83-4bf9-844b-79b1123d0584",
	"created_at": "2026-04-06T00:14:00.140652Z",
	"updated_at": "2026-04-10T13:11:37.608748Z",
	"deleted_at": null,
	"sha1_hash": "20050eb56a7e9ae7822224694f46580fe4f77d47",
	"title": "New SYK Crypter Distributed Via Discord",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3336360,
	"plain_text": "New SYK Crypter Distributed Via Discord\r\nBy Hido Cohen\r\nArchived: 2026-04-05 14:03:34 UTC\r\nWith 50% more users last year than in 2020, the number of people using the community chat platform Discord is growing at a blistering pace. This has led cybercriminals to refine and expand malicious attack use cases for the platform. In this threat research report, Morphisec reveals how threat actors are using Discord as part of an increasingly popular attack chain with a new SYK crypter designed to outwit signature and behavior-based security controls.\r\nMorphisec’s Threat Labs team is on the cutting edge of threat research in this area. Our researchers previously dissected other Discord-related threats like Babadeda and NFT-001. We can report that as Discord has expanded from a gaming messaging app to broader use, it’s being used to distribute a crypter we named SYK.\r\nThe attack chain preceding the SYK crypter deployment demonstrates a new evolution of how threat actors abuse Discord’s CDN (content delivery network). As a conduit for new, highly innovative crypters, Discord plays an important role in a campaign that starts with targeted phishing emails directed at organizations in various sectors.\r\nThe attack chain we saw comprises two main components: a .NET loader (which we refer to as DNetLoader) and a .NET crypter (SYK Crypter). This crypter delivers many malware families, such as AsyncRAT, njRAT, QuasarRAT, WarzoneRAT, NanoCore RAT, and RedLine Stealer, putting organizations in every sector and industry at risk.\r\nInitial Infection\r\nTo lure new victims, attackers disguise the malware as a purchase order using file names such as Purchase Order.exe, New_Order_*.exe, AMAZON_ORDER*PDF.ex, etc. 
The following example is delivered as a phishing email:\r\nhttps://blog.morphisec.com/syk-crypter-discord\r\nPage 1 of 19\n\nPhishing email containing the Discord malware\r\nIf this deception works, the victim opens and executes the attachment and the infection begins.\r\nTechnical Analysis\r\nBefore diving into the analysis, let’s look at the execution chain:\r\nMalware execution flow\r\nThis execution flow consists of two stages and a final payload. The first stage is the downloader. It connects to a hard-coded Discord CDN endpoint and downloads encrypted data. The data, once decrypted, is the second stage—the crypter. This second stage loads into memory and is responsible for decrypting the final payload, which is stored as a PE resource. It includes antivirus evasion, persistence setup, and injection of the final payload into a newly created process.\r\nDiscord CDN as Malware Distributor\r\nSteps 1-2\r\nIf you’re unfamiliar with the Discord CDN, it enables Discord users to create and contribute to topic-based text channels. There, users share photos, videos, voice messages, and executable files, all of which are stored on Discord CDN servers—including malware masquerading as legitimate files.\r\nThe URL format for a specific file is as follows:\r\nhxxps://cdn.discordapp[.]com/attachments/{ChannelID}/{AttachmentID}/(unknown)\r\nIn this context, the DNetLoader is identified by the filename, a three-digit number. Let’s look inside the code:\r\nFirst stage malicious code\r\nThe first stage is pretty straightforward. The malware downloads the next stage from the Discord CDN, where the file name is hardcoded and used as the decryption key. 
The decryption algorithm is just a subtraction of the file name (the three-digit number) from each byte in the downloaded data.\r\nOnce decoded, the malware loads it into memory and creates an instance of the first exported type. Then the execution moves to the next stage. In other cases, the instance name is explicitly noted, usually with type name “B”.\r\nDNetLoader in the Wild\r\nAt the time of this post’s writing, we observed the following malware distribution initiated by the DNetLoader. Note that the SYK crypter is only one variant; additional crypters have been delivered by the same loader.\r\nFinal payloads distributed by DNetLoader\r\nBesides the RedLine infostealer, all malware families are RATs (remote access trojans), with Async RAT the most common. We also extracted some of the C2 servers (this list is not exhaustive):\r\nPayload C2\r\nAsync RAT: joseedward5001[.]ddns[.]net:1515, bendito2714[.]duckdns[.]org:7090, sgrmbroker[.]com:4404, dedicatedlambo9[.]ddns[.]net:1515, glengaidos2881[.]ddns[.]net:1515, polarjwns[.]xyz:8808, enero2022[.]con-ip[.]com:3028, mijamajor[.]hopto[.]org:4872\r\nNanoCore RAT: windapts[.]ddns[.]net:1608\r\nnjRAT: diosamor27[.]duckdns[.]org:8899, nipuelputas[.]myftp[.]org:1788\r\nQuasar RAT: gu3rr4[.]duckdns[.]org:5965\r\nRedLine Stealer: lunovim957[.]duckdns[.]org:42543, crossred9188[.]duckdns[.]org:29580, asheesh[.]duckdns[.]org:5519, hustlegang[.]duckdns[.]org:34261\r\nWarZone RAT: dreams2reality[.]duckdns[.]org:2612, 185.19.85[.]163:9961, 185.140.53[.]174:2404\r\nMapping payload to C2\r\nIn the next section we explain how the next stage, the SYK crypter, decrypts its component, how to extract its configuration, and the AV evasion and persistence techniques in place.\r\nThe SYK Crypter\r\nSteps 
3-5\r\nBefore diving deeper into the .NET crypter, note that we found that the same crypter was delivered by loaders other than the DNetLoader. However, they all had a resource named SYKSBIKO in common—the encrypted payload. For this reason, we dubbed it the SYK Crypter.\r\nAs with other crypters, this crypter has a payload decryption method, control flow manipulation, string and constant obfuscation, AV detection, persistence, and anti-debugging features. We examine each capability and explain how it’s implemented.\r\nConfiguration Extraction / Strings Obfuscation\r\nThe SYK crypter holds its configuration inside an obfuscated string represented as a byte array:\r\nEncrypted byte array and access functions\r\nThe crypter starts with a string de-obfuscation technique. Each string can be accessed and used by a predefined function which hardcodes its length and offset in a large byte array. The de-obfuscation algorithm is just XOR with 170 and the current index, so we can use the following Python script:\r\n# Obfuscated configuration bytes dumped from the crypter (truncated here)\r\nencrypted = [231, 216, 235, …]\r\nba_encrypted = bytearray(encrypted)\r\nba_decrypted = bytearray(len(ba_encrypted))\r\n# Each byte is XORed with its own index and with the constant 170 (0xAA)\r\nfor counter, i in enumerate(ba_encrypted):\r\n    ba_decrypted[counter] = (i ^ counter ^ 170) \u0026 0xff\r\nA similar method is used as part of an Agent Tesla delivery campaign.\r\nAmong all setting strings inside the configuration, the important ones are the final payload decryption key, the list of AV solution services and process names, and a small .NET delegator (base64 encoded).\r\nDecrypted configuration\r\nAs you can see above, several strings are still encrypted. The crypter uses subtraction encryption for those, with the keys also stored as part of the configuration.\r\nString decryption algorithm\r\nSecurity Solutions Detection\r\nThe crypter checks for the existence of a set of security solutions using the following two methods. 
\r\nBy calling GetProcessByName:\r\nBy checking if a path exists:\r\nThese actions happen many times throughout the execution, each time with different solution names and/or file paths. The list of process names and paths is in the appendix at the bottom. Note that if a security vendor is identified, the malware aborts the current functionality.\r\n“Anti-Debugging”\r\nFor this task, the crypter implements a popular anti-debugging technique by inspecting the value of Debugger.IsAttached:\r\nAnti-debugging function\r\nPersistence\r\nOn its first run, the crypter copies itself to the Startup folder by executing a small JavaScript file:\r\nvar FSO = WScript.CreateObject(\"Scripting.FileSystemObject\");\r\ntry {\r\n    // Move the running sample into the user's Startup folder (backslashes doubled for valid JScript string literals)\r\n    FSO.MoveFile(\"\u003cexecution_path\u003e\\\\malware.exe\", \"%AppData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\malware.exe\");\r\n} catch (err) {}\r\nThis JavaScript file is executed from the %Temp% directory:\r\nNext, the following command is executed:\r\nAt this point the malware runs from the Startup folder again, so the current instance is killed:\r\nThe final payload injection starts if the malware execution path is the Startup folder.\r\nFinal Payload Injection\r\nPayload Decryption and Deobfuscation\r\nBefore moving forward, we need to understand where the final payload is located and how it’s decrypted. We can divide this process into four steps:\r\n1. Read the decryption key from the config—the first element\r\n2. Read resource bytes from SYKSBIKO.Properties.Resources.a\r\n3. Use the key to decrypt the resource’s bytes\r\n4. 
Deflate (decompress) the result\r\nThe final payload decryption algorithm is a bit more complicated than the previous algorithms.\r\nThe decryption starts by initializing a new 256-element unsigned integer array with its index values.\r\nArray initialization\r\nNext, it uses the extracted decryption key to alter the values inside the initialized array:\r\nAltering array values\r\nOnce the alteration is completed, the array is ready to be used for payload decryption.\r\nAs part of the decryption, before XORing the values there is another swap, as seen earlier. Then an index is calculated from the sum of the swapped values. The encrypted data is XORed with the value of the array at that index.\r\nThe end result is a Deflate-compressed representation of the final payload, so all that’s left to do is decompress the result and get the final payload.\r\nProcess Hollowing Injection\r\nThe SYK crypter uses Process Hollowing as its preferred injection method. It creates a new process—RegAsm.exe or the process named in the configuration—and injects the decrypted final payload into it.\r\nIt’s interesting how the WinAPI functions get loaded into memory. The SYK malware uses the .NET Delegator in its configuration to create a delegate for each function.\r\nHere, the malware loads the additional Base64-encoded assembly, denoted by “s”, and calls its ClassLibrary1.Class1.GetDelegateForFunctionPointer function, which returns a delegate for the given function address. The library and function name are encrypted in the configuration.\r\nThe crypter creates delegates for all APIs in the same manner. 
For example, the following snippet loads kernel32!GetThreadContext:\r\nWhere the strings are decrypted to: kernel32 and GetThreadContext.\r\nDefending Against the SYK Crypter\r\nThis attack chain delivers a crypter that is persistent, features multiple layers of obfuscation, and uses polymorphism to maintain its ability to avoid detection by security solutions, demonstrating a further escalation of the cybersecurity threat level. By combining a freely available messaging app with a powerful crypter, threat actors have made it easier to conduct attacks that signature-based security solutions cannot stop.\r\nIn response, organizations urgently need to acknowledge an important fact. You can no longer depend on malware having recognizable signatures or behaviors. To stop this continued threat evolution, it’s vital to prevent threats by making attack surfaces inherently dynamic and hostile to intruders like the SYK crypter by implementing a zero trust architecture (ZTA).\r\nEnabling a zero-trust environment for endpoints, including Microsoft and Linux servers, Morphisec’s Moving Target Defense (MTD) technology stops polymorphic threats like the SYK crypter. Instead of waiting to react to attacks that have already happened, MTD prevents advanced threats from getting a foothold in the first place. MTD morphs application memory, shifting and shrinking the attack surface from threats like SYK, preventing payload deployment.\r\nWant to learn more about how combining Moving Target Defense with zero trust works? To see how Morphisec stops threats like the SYK crypter and other advanced attacks, read the white paper: Zero Trust + Moving Target Defense: The Ultimate Ransomware Strategy. 
\r\nAppendix\r\nSecurity Solutions Strings\r\nProcess Names\r\nAVGUI\r\nBgScan\r\nBgWsc\r\nBullGuardBhvScanner\r\nWSRA\r\na2guard\r\navp\r\navpui\r\nbdagent\r\nbdredline\r\nbdservicehost\r\ndrweb\r\nekrn\r\nmasvc\r\nmbamtray\r\nmfecanary\r\nmfeesp\r\nmfehcs\r\nmfemactl\r\nnavapsvc\r\nodscanui\r\nuiSeAgnt\r\nvsserv\r\nPaths\r\nC:\\Program Files\\McAfee\\Agent\r\nC:\\Program Files\\AVAST Software\\Avast\\avastUI.exe\r\nC:\\Program Files (x86)\\AVAST Software\\Avast\\avastUI.exe\r\nC:\\Program Files\\AVG\\Antivirus\\AVGUI.exe\r\nC:\\Program Files (x86)\\AVG\\Antivirus\\AVGUI.exe\r\nC:\\Program Files (x86)\\Webroot\\WRSA.exe\r\nC:\\Program Files\\Webroot\\WRSA.exe\r\nC:\\Program Files (x86)\\Trend Micro\r\nC:\\Program Files\\Kaspersky Lab\r\nIndicators of Compromise\r\nAttachments\r\nFirst Stage – Discord Downloader\r\nDownload URLs\r\nSecond Stage – Decoded\r\nAbout the author\r\nHido Cohen\r\nSource: https://blog.morphisec.com/syk-crypter-discord",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.morphisec.com/syk-crypter-discord"
	],
	"report_names": [
		"syk-crypter-discord"
	],
	"threat_actors": [],
	"ts_created_at": 1775434440,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20050eb56a7e9ae7822224694f46580fe4f77d47.pdf",
		"text": "https://archive.orkl.eu/20050eb56a7e9ae7822224694f46580fe4f77d47.txt",
		"img": "https://archive.orkl.eu/20050eb56a7e9ae7822224694f46580fe4f77d47.jpg"
	}
}