What Makes Invalid Printer Loader so Stealthy? By Arnold Osipov & Michael Dereviashkin Archived: 2026-04-05 14:37:00 UTC The Aurora stealer is a notorious Golang-based information stealer that’s been gaining popularity from the end of 2022 through the first quarter of 2023. The Morphisec Threat Labs team has been tracing its activities using our prevention telemetry along with dark-web activities.   In this blog post however, we aren’t going to cover Aurora, but a sometimes overlooked, extremely critical component of the attack delivery chain. The component that makes Aurora’s delivery stealthy and dangerous is a highly evasive loader we named “in2al5d p3in4er.”   The in2al5d p3in4er loader is compiled with Embarcadero RAD Studio and targets endpoint workstations using advanced anti-VM (virtual machine) technique we describe in detail in this post.   We also cover new techniques with significant negative outcomes that represent a concerning change in the landscape, especially in the new era of ChatGPT.  Delivery  Threat actors always find innovative ways to spread malware and access sensitive information. One growing trend is using YouTube as a malware distribution channel. Hackers take over popular YouTube accounts and post videos with links to malicious websites or downloads. To increase video visibility, they use search engine optimization (SEO) tags to make a video rank higher in search results.   Stealing YouTube accounts is a lucrative business for cybercriminals. Many underground forums and marketplaces offer these services for a fee. The threat actor in this post appears to be using this method as a service, including the websites the videos redirect to.  https://blog.morphisec.com/in2al5d-p3in4er Page 1 of 15 Compromised YouTube channel The service uses artificial intelligence (AI) to generate videos. This streamlines the process of creating convincing budget backed content. And it allows threat actors to automate diverse lure creation, such as fake software that tricks users into clicking on links.  https://blog.morphisec.com/in2al5d-p3in4er Page 2 of 15 Example video with download instructions  The above video redirects to different websites that look legitimate.  https://blog.morphisec.com/in2al5d-p3in4er Page 3 of 15 Fake websites redirected by the YouTube video  The service the threat actors are using enables the creation of decoy websites that look identical to the original websites. These fake websites use similar URLs, logos, and branding to convincingly appear legitimate. Once a user visits one of these sites, they’re enticed to download an application containing malware or lured to enter sensitive/personal information into the decoy generated website. These websites use geographical targeting to deliver content based on the visitor’s geo-location. The website below is a clone of jobseeker.com  https://blog.morphisec.com/in2al5d-p3in4er Page 4 of 15 Decoy website for jobseeker.com  Technical Analysis  This loader uses a surprisingly simple yet highly effective evasion technique. It leverages the usage of CreateDXGIFactory function of dxgi.dll library to query the vendor ID of the graphics card installed on a system. The ID is then compared against a whitelist of vendor IDs; specifically, the 0x10de (NVIDIA), 0x1002 (AMD), and 0x8086 (Intel) graphics cards. If the vendor ID doesn’t match the whitelisted values, the loader makes it appear as a benign application by terminating itself.  https://blog.morphisec.com/in2al5d-p3in4er Page 5 of 15 The anti-VM function checks the graphics vendor ID  After checking the vendor IDs, the loader decrypts the final payload in separate chunks and injects it into `sihost.exe` using a process hollowing technique.  https://blog.morphisec.com/in2al5d-p3in4er Page 6 of 15 Payload decryption routine  Some samples of the loader do not use the process hollowing technique. Instead, they allocate memory to write the decrypted payload into the allocated memory, and then make a call to the payload entry point (EP).  https://blog.morphisec.com/in2al5d-p3in4er Page 7 of 15 Payload injection  During the injection process, all loader samples resolve the necessary Win APIs dynamically and decrypt these names using a XOR key: “in2al5d p3in4er” (invalid printer), as illustrated in the figure below.    String decryption routine using the “invalid printer” key  Another element helping the low detection rate on VirusTotal is the threat actor using Embarcadero RAD Studio to generate executables. Embarcadero RAD Studio is an integrated development environment (IDE) for building software applications that runs on various platforms and operating systems.  Examining samples from our investigation, we found the threat actor is compiling executables using several options from the Embarcadero IDE. Those with the lowest detection rate on VirusTotal are compiled using “BCC64.exe”, a new Clang based C++ compiler from Embarcadero. This compiler is based on a different code base than a “Standard Library” (Dinkumware) or “Runtime Library” (compiler-rt) and generates optimized code which changes the entry point and execution flow. This breaks security vendors’ indicators, such as signatures composed from “malicious/suspicious code block.”  https://blog.morphisec.com/in2al5d-p3in4er Page 8 of 15 A zero detection rate on VirusTotal  The loader is particularly successful in evading sandboxes and virtual machines. As seen in the image below, the loader has evaded execution by multiple sandboxes. This is a testament to the effectiveness of the loader’s simplicity, which leverages a specific aspect of system configuration to achieve exceptional stealth.  https://blog.morphisec.com/in2al5d-p3in4er Page 9 of 15 https://blog.morphisec.com/in2al5d-p3in4er Page 10 of 15 Example of sandboxes that fail to execute   Note: A similar technique for evading virtual machines was covered in 2016. It checked the graphics’ card vendor ID using the DXGI.dll. Although the anti-VM techniques observed in the wild are generally based on blacklisting, this approach uses an inverse check which only searches for graphic cards the target victim should own. This helps to evade sandbox analysis that searches for blacklists of graphic cards.  Defending Against in2al5d p3in4er  Malware loaders like in2al5d p3in4er are essentially basic delivery. They establish a foothold between an attacker and their compromised target and are typically the first stage of an attack.   The attackers behind in2al5d p3in4er are combining it with widely accessible social engineering tools for a high impact campaign that takes over popular YouTube accounts and directs viewers to convincing looking fake websites. They’re then enticed to download malware from a fake website.  One of the first steps to avoid compromise by in2al5d p3in4er is training organization employees how to detect social engineering campaigns: ensuring URLs are legitimate, and not downloading cracked versions of software.  But as the detection ratio of zero on VirusTotal makes clear, reactive, detection-based cybersecurity technologies like those used in NGAV, EPP, and EDR/XDR are barely capable of detecting and stopping in2al5d p3in4er. Stopping this loader requires different technology.   Morphisec’s Automated Moving Target Defense (AMTD) technology takes a fundamentally different approach to cybersecurity that isn’t detection-based. Instead of waiting for malware to breach a system before detecting it, Morphisec proactively secures runtime memory to prevent any unauthorized code—like in2al5d p3in4er—from executing, regardless of whether a recognizable signature or behavior pattern exists for it. To learn more about https://blog.morphisec.com/in2al5d-p3in4er Page 11 of 15 Moving Target Defense, read the free white paper: Zero Trust + Moving Target Defense—The Ultimate Ransomware Strategy.  IOCs (Indicators of Compromise)  Malicious/Compromised Websites cv-builder[.]site siamaster.com[.]mx chatgptex[.]us allfreesoftware[.]online all-free-software[.]online  Hash – Loader C2 – Aurora 380978251b2c661ff15b2610763770dfa14fb360ad0ca64243e0d5d5893952cb   66383d931f13bcdd07ca6aa50030968e44d8607cf19bdaf70ed4f9ac704ac4d1   cdb09a5df36fece23bc3c9df101fe65724327b827ec43aa9ce0b3b76bdcc3101   adb6808f97191d961687b5f30f35c843686699d70f482f4d7d8d4f41e84faba6   2c540f5220b7ba3cd6efcd2fe8091fc24f8da11be4b1782c4e502261ef48da82   0b478f9ed769603bba01ad7a2d6936a28424e4be05c8833869976aa77a98fed3   bb9a16632ae94bbfae713f56c51dc5d2ff6199ccd051e2285ea90c6dfeb5d4b1   b299898055262e065afd5b0479b2e3a190e314cab3ead3722b2cdbe3534a2681   11cc3e4b8413a1b8c0c0d7193c2f26670d4765f96e797140c809d4a0655f9cb4   c1dafead343c67d203d2fa9050967fea868fc517f8d66b23cc166642d8b7985b   e18455804b8a6a008a2b357265802ad35f6441bbcc359ab5bd5df994f201ab36  45.15.156.182:8081  https://blog.morphisec.com/in2al5d-p3in4er Page 12 of 15 Hash – Loader C2 – Aurora 095b9e90e1c9d7d95f362fe381512da60bb31727c068c6dfabe055ab387aed82   737f6c8e1a8ea4a9064a0cfaa4ceed495481d9bb133ed5d6bfeda3a83351af9d   a4cab01d61d8c18876d4b53d52de365fb9b512430371fd4217359159f3c507f6   e8cccc9f9b124826c0e43897f0e21124b4b0cd7991f434b0dd7838bed7e361b3   3c3622ab5f449166ad804ee73fde6aedf6934aa960701f7edefca9b5aedfffd8  45.15.156.70:8081  5c9f5082e44e91e1aed15261e82216e59f2668ec5b25348526aad98472c5d722   fa2cfb4b76c38ab4cef4592ed703a8866ffffec67adbe9ea057882b47a4bd7b7   780285087fb35911db189ba92c6c8d251a1f640b3a473e0ce7ea27f59cde492b  45.132.106.77:8081  Df99a29a0fd7f62e3798260b2068c711a5356346b7b0c0477e30643138345fba   ffd1f682649507fd850a8faf76b4c3c498dbcbef70bd0202126b91f24d5c1408  199.127.62.3:8081  7ed926820973cd3c14b783109094604369e37cc06cb08a338b856f4e5cf2684c   cc79ef40d93c939c43624504461ec5ddf8279624ae88a739e7382c181e18104b  94.142.138.73:8081  1beb12971e69fb4040d60a6bd3667cb24c48a3db0fbf814d629874ee40312405  94.142.138.84:8081  4accbeea02170cb5215fbe937fabae030986f84ee7acc983cc15ce120e073861  94.142.138.218:8081  e827cde3646048c9e09a61eeb45cc37f1d8a20190762c513ddf1e9dc13e4b897  199.247.24.79:8081  5e4b6272dc2d955c5e52c755ea598f44e324b04466a4e3bacf6c9d845345322b  5.34.180.208:8081   This blog was co-authored with Michael Dereviashkin. About the author https://blog.morphisec.com/in2al5d-p3in4er Page 13 of 15 Arnold Osipov Malware Researcher Arnold Osipov is a Malware Researcher at Morphisec, who has spoken at BlackHat and and been recognized by Microsoft Security for his contributions to malware research related to Microsoft Office. Prior to his arrival at Morphisec 6 years ago, Arnold was a Malware Analyst at Check Point. Michael Dereviashkin https://blog.morphisec.com/in2al5d-p3in4er Page 14 of 15 Source: https://blog.morphisec.com/in2al5d-p3in4er https://blog.morphisec.com/in2al5d-p3in4er Page 15 of 15