The ‘DTPacker’ downloader used fake Liverpool Football Club sites as lures for several weeks, a report finds.
A new .NET malware packer being used to deliver a variety of remote access trojans (RATs) and infostealers has a fixed password named after Donald Trump, giving the new find its name, “DTPacker.”
DTPacker was discovered by researchers at Proofpoint who, since 2020, have observed it being used by several threat actors in campaigns targeting hundreds of thousands of end users with thousands of malicious messages across many sectors.
One notable campaign, which lasted for weeks, used fake Liverpool Football Club (LFC) sites to lure users to download DTPacker, ultimately delivering Agent Tesla, the researchers found. Ave Maria, AsyncRAT and FormBook have also been spread by DTPacker, according to a Monday report.
“From March 2021, Proofpoint observed samples using websites for soccer clubs and their fans being used as download locations,” the report said. “These websites appear to have been decoys, with the actual payload locations embedded in the list.”
The ProofPoint team that discovered DTPacker reported that the malware is notable because it delivers both