{
	"id": "1c010ce1-a010-4937-9be2-83289606ee8c",
	"created_at": "2026-04-06T00:14:30.087065Z",
	"updated_at": "2026-04-10T03:24:23.459796Z",
	"deleted_at": null,
	"sha1_hash": "7bf258a7762f1bb3a049287074f875242dcf2437",
	"title": "Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98310,
	"plain_text": "Following the Scent of TrickGate: 6-Year-Old Packer Used to\r\nDeploy the Most Wanted Malware - Check Point Research\r\nBy etal\r\nPublished: 2023-01-30 · Archived: 2026-04-05 15:28:29 UTC\r\nResearch by: Arie Olshtein\r\nExecutive summary\r\nInitially observed in July 2016, TrickGate is a shellcode-based packer offered as a service to hide malware\r\nfrom EDRs and antivirus programs.\r\nOver the last 6 years, TrickGate was used to deploy the top members of the “Most Wanted Malware” list,\r\nsuch as Cerber, Trickbot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, AgentTesla and more.\r\nTrickGate managed to stay under the radar for years because it is transformative – it undergoes changes\r\nperiodically. This characteristic caused the research community to identify it by numerous attributes and\r\nnames.\r\nWhile the packer’s wrapper changed over time, the main building blocks within TrickGate shellcode are\r\nstill in use today.\r\nCheck Point Threat Emulation successfully detects and blocks the TrickGate packer.\r\nIntroduction\r\nCyber criminals increasingly rely on packers to carry out their malicious activities. The packer, also referred to as\r\n“Crypter” and “FUD” on hacking forums, makes it harder for antivirus programs to detect the malicious code. By\r\nusing a packer, malicious actors can spread their malware more easily with fewer repercussions. One of the main\r\ncharacteristics of a commercial Packer-as-a-Service is that it doesn’t matter what the payload is, which means it\r\ncan be used to pack many different malicious samples. Another important characteristic of the packer is that it is\r\ntransformative – the packer’s wrapper is changed on a regular basis which enables it to remain invisible to security\r\nproducts.\r\nTrickGate is a good example of a strong, resilient Packer-as-a-Service, which has managed to stay under the cyber\r\nsecurity radar for many years and continually improve itself in different ways. 
We managed to track TrickGate’s breadcrumb trail despite its propensity for rapidly changing its outer wrapper.\r\nAlthough a lot of excellent research was conducted on the packer itself, TrickGate is a master of disguises and has been given many names based on its varied attributes. Its names include “TrickGate”, “Emotet’s packer”, “new loader”, “Loncom”, “NSIS-based crypter” and more. We connect the dots from previous research and with high confidence point to a single operation that seems to be offered as a service.\r\nTrickGate over the years.\r\nhttps://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/\r\nPage 1 of 16\n\nWe first observed TrickGate at the end of 2016. Back then, it was used to deliver Cerber ransomware. Since that time, we have continually observed TrickGate and found that it is used to spread all types of malware, such as ransomware, RATs, info-stealers, bankers, and miners. We noticed that many APT groups and threat actors regularly use TrickGate to wrap their malicious code to prevent detection by security products. TrickGate has been involved in wrapping some of the best-known top-distribution malware families, such as Cerber, Trickbot, Maze, Emotet, REvil, CoinMiner, Cobalt Strike, DarkVNC, BuerLoader, HawkEye, NetWire, AZORult, Formbook, Remcos, Lokibot, AgentTesla, and many more.\r\nFigure 1 – TrickGate over the years.\r\nTrickGate Distribution.\r\nWe monitored between 40 and 650 attacks per week during the last 2 years. According to our telemetry, the threat actors who use TrickGate primarily target the manufacturing sector, but also attack education facilities, healthcare, finance and business enterprises. The attacks are distributed all over the world, with an increased concentration in Taiwan and Turkey. 
The most popular malware family used in the last 2 months is Formbook, with 42% of the total tracked distribution.\r\nFigure 2 – TrickGate statistics during Oct-Nov 2022.\r\nAttack flow:\r\nFollowing is an overview of the attack flow that is commonly found in attacks involving TrickGate.\r\nInitial Access\r\nThe initial access achieved by the packer’s users can vary significantly. We observe the packed samples spreading mainly via phishing emails with malicious attachments, but also via malicious links.\r\nInitial Files\r\nThe first stage mainly comes in the form of an archived executable, but we observed many file types and delivery permutations that lead to the same shellcode. We observed the following file types at the first stage:\r\nArchive: 7Z * ACE * ARJ * BZ * BZ2 * CAB * GZ * IMG * ISO * IZH * LHA * LZ * LZH * R00 * RAR * TAR * TGZ * UU * UUE * XZ * Z * ZIP * ZIPX * ZST.\r\nExecutable: BAT * CMD * COM * EXE * LNK * PIF * SCR.\r\nDocument: DOC * DOCX * PDF * XLL * XLS * XLSX * RTF.\r\nShellcode Loader\r\nThe second stage is the shellcode loader, which is responsible for decrypting and running the shellcode.\r\nWe noticed three different languages used for the shellcode loader: NSIS script, AutoIT script and C all implement similar functionality.\r\nShellcode\r\nThe shellcode is the core of the packer. It is responsible for decrypting the payload and stealthily injecting it into a new process.\r\nPayload\r\nThe payload is the actual malicious code and is responsible for carrying out the intended malicious activity. 
The payloads differ according to the actor who used the packer.\r\nFigure 3 – Attack flow.\r\nExamples of the different attack flows we observed in the past year:\r\nFeb 24, 2022\r\nFigure 4 – LNK flow.\r\nRAR: 3f5758da2f4469810958714faed747b2309142ae\r\nLNK: bba7c7e6b4cb113b8f8652d67ce3592901b18a74\r\nURL: jardinaix[.]fr/w.exe\r\nEXE: 63205c7b5c84296478f1ad7d335aa06b8b7da536\r\nMar 10, 2022\r\nFigure 5 – PDF flow.\r\nPDF: 08a9cf364796b483327fb76335f166fe4bf7c581\r\nXLSX: 36b7140f0b5673d03c059a35c10e96e0ef3d429a\r\nURL: 192.227.196[.]211/t.wirr/XLD.exe\r\nEXE: 386e4686dd27b82e4cabca7a099fef08b000de81\r\nOct 3, 2022\r\nFigure 6 – SFX flow.\r\n7Z: fac7a9d4c7d74eea7ed87d2ac5fedad08cf1d50a\r\nEXE: 3437ea9b7592a4a05077028d54ef8ad194b45d2f\r\nNov 15, 2022\r\nFigure 7 – AutoIT flow.\r\nR11: 755ee43ae80421c80abfab5481d44615784e76da\r\nEXE: 666c5b23521c1491adeeee26716a1794b09080ec\r\nShellcode loader\r\nThe shellcode loader usually contains a single function which is responsible for decrypting and loading the shellcode into memory. These are the basic steps:\r\n1. Read the encrypted shellcode. The encrypted shellcode can be stored in a file on disk, in the “.rdata” section or as a resource.\r\n2. Allocate memory for the shellcode, usually by calling VirtualAlloc.\r\n3. Decrypt the shellcode.\r\n4. Trigger the shellcode. 
As we explain below, this can be done using a direct call or by callback functions.\r\nFigure 8 – Shellcode loader – deobfuscated AutoIT version.\r\nFigure 9 – Shellcode loader C version.\r\nIn the more recent versions of TrickGate, the shellcode loader abuses the “Callback Functions” mechanism. The loader utilizes many native API calls which take a memory address as the argument for a callback function. Instead of a real callback function, the loader passes the address of the newly allocated memory which holds the shellcode. When Windows reaches the point of the registered event, the callback dispatch executes the shellcode. This technique breaks the flow of the behavior we’re monitoring by having the Windows OS run the shellcode at an unknown time. In the shellcode loader above, you can see two examples of this in the images: “EnumTimeFormatsA” and “EnumSystemCodePagesW”.\r\nShellcode similarity and TrickGate vacation\r\nUsually, when we find code similarity between unrelated malware families, it is more likely that the actors copied from a mutual resource or shared some pieces of code. For a long time, we noticed a unique injection technique that incorporated the use of direct kernel syscalls, but we didn’t realize the significance, thinking it was probably a fragment of shared code. What caused us to suspect that this unique injection may be controlled solely by one actor is the fact that we saw an occasional “time-off” in operation, and it is very unlikely that several different groups would take a break at exactly the same time. 
The last break, which was more than 3 months long (from June 13, 2022 to September 26, 2022), was an opportunity for us to verify our suspicion and dive into the shellcode.\r\nFigure 10 – TrickGate in the last 2 years.\r\nTo verify our suspicion, we started to analyze samples across the timeline.\r\nWe started our analysis by comparing a fresh sample to an older one. For this test we used\r\n2022-12_Remcos: a1f73365b88872de170e69ed2150c6df7adcdc9c\r\ncompared to\r\n2017-10_CoinMiner: 1a455baf4ce680d74af964ea6f5253bbeeacb3de\r\nWe know from the behavioral analysis that a similarity exists in the shellcode, so we ran the samples to the point where the shellcode is decrypted in memory and then dumped the shellcode to disk. Next, we used the Zynamics BinDiff tool (owned by Google) to check similarities in both shellcodes. The results showed a 50% similarity between the tested shellcodes. Fifty percent over a long period of time – more than five years – for quite a large piece of shellcode (~5kb) is unexpected. This automatically raised suspicions that this might be a maintained shellcode, but we needed further evidence in the form of similarity analysis over shorter periods of time to see if it had changed gradually.\r\nFigure 11 – BinDiff result on shellcode extracted 2022-12_Remcos: a1f73365b88872de170e69ed2150c6df7adcdc9c VS 2017-10_CoinMiner: 1a455baf4ce680d74af964ea6f5253bbeeacb3de.\r\nFor further analysis, we took random samples from the past 6 years. For each sample, we dumped the shellcode and checked the similarity of the result over time. As you can see in the following graph, the results point to small changes made over time. On the left side we see samples dating from 2016 till 2020 showing about 90% similarity. 
On the right side, we see a forked version showing a high similarity within itself, but lower similarity with the original version on the left.\r\nFigure 12 – BinDiff result on extracted shellcodes.\r\nWe then dived into the gap between the shellcodes to see the impact caused by:\r\nDifferent compilers\r\nObfuscations\r\nEvasion modules\r\nPersistence modules (run the packed payload at the next login)\r\nFunction order\r\nLocal variables vs structures\r\nAfter we cleaned the gap noise, we got the core functionality of the packer. The author constantly maintained the shellcode but used “building blocks” as described in the next section.\r\nFigure 13 – Control flow graph – on the main injection function. Diffing 2016-07_Cerber: 24aa45280c7821e0c9e404f6ce846f1ce00b9823 VS 2022-12_Remcos: a1f73365b88872de170e69ed2150c6df7adcdc9c\r\nFigure 14 – Diffing kernel direct call of NtWriteVirtualMemory 2022-12_Remcos: a1f73365b88872de170e69ed2150c6df7adcdc9c VS 2016-07_Cerber: 24aa45280c7821e0c9e404f6ce846f1ce00b9823\r\nTrickGate shellcode’s construction elements\r\nAs mentioned above, the shellcode has been constantly updated, but the main functionalities exist in all the samples since 2016. 
An overview of the shellcode’s building blocks can be described as follows:\r\nAPI hash resolving.\r\nLoad to memory and decrypt the payload.\r\nInjection using direct kernel calls:\r\n  Manually map a fresh copy of ntdll.\r\n  Dynamically retrieve the kernel syscall numbers.\r\n  Invoke the desired syscalls.\r\n  Inject and run the payload.\r\nAPI hash resolving.\r\nWhen we analyzed the TrickGate code, no constant strings could be found. Many times, TrickGate intentionally adds clean code and debug strings to throw off any analysis. To hide the needed strings and its intentions, TrickGate uses a common technique called API hashing, in which all the needed Windows APIs are hidden behind a hash number. Until January 2021, TrickGate used to hash the shellcode strings with CRC32. In the newer versions, TrickGate started using custom hash functions.\r\nThe equivalent Python hashing functions used in the last 2 years:\r\ndef hash_str_ror1(s):\r\n    # Accumulate each character together with shifted copies of the running\r\n    # value; the result is truncated to 32 bits.\r\n    h = 8998\r\n    for c in s:\r\n        h += ord(c) + (((h >> 1) & 0xffffffff) | ((h << 7) & 0xffffffff))\r\n    return h & 0xffffffff\r\n\r\ndef hash_str21(s):\r\n    # Multiplicative hash: h = h * 0x21 + c, truncated to 32 bits at the end.\r\n    h = 8998\r\n    for c in s:\r\n        h = ord(c) + (0x21 * h)\r\n    return h & 0xffffffff\r\nThe following Kernel32 API names have been hashed in TrickGate samples:\r\nAPI NAME            CRC32       hash_str_ror1  hash_str21\r\nCloseHandle         0xB09315F4  0x7fe1f1fb     0xd6eb2188\r\nCreateFileW         0xA1EFE929  0x7fe63623     0x8a111d91\r\nCreateProcessW      
0x5C856C47  0x7fe2736c     0xa2eae210\r\nExitProcess         0x251097CC  0x7f91a078     0x55e38b1f\r\nGetCommandLineW     0xD9B20494  0x7fb6c905     0x2ffe2c64\r\nGetFileSize         0xA7FB4165  0x7fbd727f     0x170c1ca1\r\nGetModuleFileNameW  0xFC6B42F1  0xff7f721a     0xd1775dc4\r\nGetThreadContext    0x649EB9C1  0x7fa1f993     0xc414ffe3\r\nIsWow64Process      0x2E50340B  0xff06dc87     0x943cf948\r\nReadFile            0x95C03D0   0x7fe7f840     0x433a3842\r\nReadProcessMemory   0xF7C7AE42  0x7fa3ef6e     0x9f4b589a\r\nSetThreadContext    0x5688CBD8  0xff31bf16     0x5692c66f\r\nVirtualAlloc        0x9CE0D4A   0x7fb47add     0xa5f15738\r\nVirtualFree         0xCD53F5DD  0x7f951704     0x50a26af\r\nFigure 15 – API hashing.\r\nLoad to memory and decrypt the payload.\r\nTrickGate always changes the way the payload is decrypted, so unpacking solutions that we observe now will not work on the next update. Most of the samples use a custom decryption method, but in older samples we also saw known ciphers such as RC4 implementations or the use of Windows APIs for encryption.\r\nInjection using direct kernel calls:\r\nAfter decrypting the payload, the shellcode then injects it into a newly created process. After the process is created using the CREATE_SUSPENDED flag, the injection is done by a set of direct calls to the kernel. 
For every one of these ntdll API calls:\r\nNtCreateSection\r\nNtMapViewOfSection\r\nNtUnmapViewOfSection\r\nNtWriteVirtualMemory\r\nNtResumeThread\r\nthe following actions are executed:\r\nManually map a fresh copy of ntdll from the disk.\r\nResolve the address of a given hash in the newly mapped ntdll.\r\nDynamically extract the requested System Service Number (SSN).\r\nDirectly invoke the kernel with the SSN:\r\n  For Windows 64-bit: Switch to 64-bit mode using the “Heaven’s Gate” technique and execute SYSCALL with the SSN.\r\n  For Windows 32-bit: Execute SYSENTER with the SSN.\r\nFigure 16 – Function call graph: SYSCALL ID from manually mapped DLL.\r\nThe way TrickGate invokes direct syscalls is intriguing, as it uses a technique similar to Hell’s Gate. Hell’s Gate is a technique presented publicly in 2020 as a way to dynamically retrieve and execute direct syscall numbers. Here you can find samples dating to 2016 which manage to accomplish the equivalent action: retrieve and execute direct system calls without the need to maintain a System Service Descriptor Table (SSDT).\r\nFigure 17 – SSN dynamically extracted 2016-07_Cerber: 24aa45280c7821e0c9e404f6ce846f1ce00b9823\r\nThe injection module has been the most consistent part over the years and has been observed in all TrickGate shellcodes since 2016.\r\nConclusion\r\nWe created strings correlating the most wanted malware of the last 6 years to a single Packer-as-a-Service named TrickGate, whose transformative abilities make it hard to identify and track. 
Understanding the packer’s building blocks is of crucial importance to detect the threat, as blocking the packer will protect against the threat at an early stage, before the payload starts to run.\r\nPackers often get less attention, as researchers tend to focus on the actual malware, leaving the packer stub untouched. However, the identified packer can now be used as a focal point to detect new or unknown malware.\r\nAnalyzed samples.\r\nSource: https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/"
	],
	"report_names": [
		"following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434470,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7bf258a7762f1bb3a049287074f875242dcf2437.pdf",
		"text": "https://archive.orkl.eu/7bf258a7762f1bb3a049287074f875242dcf2437.txt",
		"img": "https://archive.orkl.eu/7bf258a7762f1bb3a049287074f875242dcf2437.jpg"
	}
}