{
	"id": "5d74d781-66f1-4164-b336-360396b17d83",
	"created_at": "2026-04-06T00:19:10.750235Z",
	"updated_at": "2026-04-10T03:21:41.706307Z",
	"deleted_at": null,
	"sha1_hash": "6134a3b835079cdeba865a3833b2d91604a6ffd4",
	"title": "What Makes Invalid Printer Loader so Stealthy?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3349708,
	"plain_text": "What Makes Invalid Printer Loader so Stealthy?\r\nBy Arnold Osipov \u0026 Michael Dereviashkin\r\nArchived: 2026-04-05 14:37:00 UTC\r\nThe Aurora stealer is a notorious Golang-based information stealer that’s been gaining popularity from the end of 2022 through the first quarter of 2023. The Morphisec Threat Labs team has been tracking its activity using our prevention telemetry along with monitoring of dark-web activity.\r\nIn this blog post, however, we aren’t going to cover Aurora itself but a sometimes overlooked, extremely critical component of the attack delivery chain. The component that makes Aurora’s delivery stealthy and dangerous is a highly evasive loader we named “in2al5d p3in4er.”\r\nThe in2al5d p3in4er loader is compiled with Embarcadero RAD Studio and targets endpoint workstations using an advanced anti-VM (virtual machine) technique that we describe in detail in this post.\r\nWe also cover new techniques, with significant negative outcomes, that represent a concerning change in the threat landscape, especially in the new era of ChatGPT.\r\nDelivery\r\nThreat actors always find innovative ways to spread malware and access sensitive information. One growing trend is using YouTube as a malware distribution channel. Hackers take over popular YouTube accounts and post videos with links to malicious websites or downloads. To increase video visibility, they use search engine optimization (SEO) tags to make a video rank higher in search results.\r\nStealing YouTube accounts is a lucrative business for cybercriminals. Many underground forums and marketplaces offer these services for a fee. The threat actor in this post appears to be using this method as a service, including the websites the videos redirect to.\r\nhttps://blog.morphisec.com/in2al5d-p3in4er\r\nPage 1 of 15\r\nCompromised YouTube channel\r\nThe service uses artificial intelligence (AI) to generate videos. This streamlines the process of creating convincing content on a small budget, and it allows threat actors to automate the creation of diverse lures, such as fake software that tricks users into clicking on links.\r\nExample video with download instructions\r\nThe above video redirects to different websites that look legitimate.\r\nFake websites redirected by the YouTube video\r\nThe service the threat actors are using enables the creation of decoy websites that look identical to the original websites. These fake websites use similar URLs, logos, and branding to convincingly appear legitimate. Once a user visits one of these sites, they’re enticed to download an application containing malware or lured into entering sensitive/personal information into the generated decoy website. These websites use geographical targeting to deliver content based on the visitor’s geo-location.\r\nThe website below is a clone of jobseeker.com.\r\nDecoy website for jobseeker.com\r\nTechnical Analysis\r\nThis loader uses a surprisingly simple yet highly effective evasion technique. It calls the CreateDXGIFactory function of the dxgi.dll library to query the vendor ID of the graphics card installed on the system. The ID is then compared against a whitelist of vendor IDs, specifically 0x10de (NVIDIA), 0x1002 (AMD), and 0x8086 (Intel). If the vendor ID doesn’t match one of the whitelisted values, the loader makes itself appear to be a benign application by terminating.\r\nThe anti-VM function checks the graphics vendor ID\r\nAfter checking the vendor IDs, the loader decrypts the final payload in separate chunks and injects it into `sihost.exe` using a process hollowing technique.\r\nPayload decryption routine\r\nSome samples of the loader do not use the process hollowing technique. Instead, they allocate memory, write the decrypted payload into the allocated memory, and then call the payload entry point (EP).\r\nPayload injection\r\nDuring the injection process, all loader samples resolve the necessary Win APIs dynamically and decrypt their names using an XOR key: “in2al5d p3in4er” (invalid printer), as illustrated in the figure below.\r\nString decryption routine using the “invalid printer” key\r\nAnother element helping the low detection rate on VirusTotal is the threat actor’s use of Embarcadero RAD Studio to generate executables. Embarcadero RAD Studio is an integrated development environment (IDE) for building software applications that run on various platforms and operating systems.\r\nExamining samples from our investigation, we found the threat actor is compiling executables using several options from the Embarcadero IDE. Those with the lowest detection rate on VirusTotal are compiled using “BCC64.exe”, a new Clang-based C++ compiler from Embarcadero. This compiler is based on a different code base than the “Standard Library” (Dinkumware) or “Runtime Library” (compiler-rt) and generates optimized code that changes the entry point and execution flow. This breaks security vendors’ indicators, such as signatures composed from “malicious/suspicious code blocks.”\r\nA zero detection rate on VirusTotal\r\nThe loader is particularly successful in evading sandboxes and virtual machines. As seen in the image below, the loader has evaded execution by multiple sandboxes. This is a testament to the effectiveness of the loader’s simplicity, which leverages a specific aspect of system configuration to achieve exceptional stealth.\r\nExample of sandboxes that fail to execute\r\nNote: A similar technique for evading virtual machines was covered in 2016. It checked the graphics card’s vendor ID using DXGI.dll. Although the anti-VM techniques observed in the wild are generally based on blacklisting, this approach uses an inverse check that only searches for graphics cards the target victim should own. This helps to evade sandbox analysis that searches for blacklists of graphics cards.\r\nDefending Against in2al5d p3in4er\r\nMalware loaders like in2al5d p3in4er are essentially basic delivery mechanisms. They establish a foothold between an attacker and their compromised target and are typically the first stage of an attack.\r\nThe attackers behind in2al5d p3in4er are combining it with widely accessible social engineering tools for a high-impact campaign that takes over popular YouTube accounts and directs viewers to convincing-looking fake websites. Viewers are then enticed to download malware from a fake website.\r\nOne of the first steps to avoid compromise by in2al5d p3in4er is training an organization’s employees to detect social engineering campaigns: ensuring URLs are legitimate, and not downloading cracked versions of software.\r\nBut as the detection ratio of zero on VirusTotal makes clear, reactive, detection-based cybersecurity technologies like those used in NGAV, EPP, and EDR/XDR are barely capable of detecting and stopping in2al5d p3in4er. Stopping this loader requires different technology.\r\nMorphisec’s Automated Moving Target Defense (AMTD) technology takes a fundamentally different approach to cybersecurity that isn’t detection-based. Instead of waiting for malware to breach a system before detecting it, Morphisec proactively secures runtime memory to prevent any unauthorized code—like in2al5d p3in4er—from executing, regardless of whether a recognizable signature or behavior pattern exists for it. To learn more about Moving Target Defense, read the free white paper: Zero Trust + Moving Target Defense—The Ultimate Ransomware Strategy.\r\nIOCs (Indicators of Compromise)\r\nMalicious/Compromised Websites\r\ncv-builder[.]site\r\nsiamaster.com[.]mx\r\nchatgptex[.]us\r\nallfreesoftware[.]online\r\nall-free-software[.]online\r\nHash – Loader C2 – Aurora\r\nThis blog was co-authored with Michael Dereviashkin.\r\nAbout the author\r\nArnold Osipov\r\nMalware Researcher\r\nArnold Osipov is a Malware Researcher at Morphisec, who has spoken at BlackHat and been recognized by Microsoft Security for his contributions to malware research related to Microsoft Office. Prior to his arrival at Morphisec 6 years ago, Arnold was a Malware Analyst at Check Point.\r\nMichael Dereviashkin\r\nSource: https://blog.morphisec.com/in2al5d-p3in4er",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/in2al5d-p3in4er"
	],
	"report_names": [
		"in2al5d-p3in4er"
	],
	"threat_actors": [],
	"ts_created_at": 1775434750,
	"ts_updated_at": 1775791301,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6134a3b835079cdeba865a3833b2d91604a6ffd4.pdf",
		"text": "https://archive.orkl.eu/6134a3b835079cdeba865a3833b2d91604a6ffd4.txt",
		"img": "https://archive.orkl.eu/6134a3b835079cdeba865a3833b2d91604a6ffd4.jpg"
	}
}