Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Evasive ‘DarkTortilla’ Crypter Delivers RATs, Targeted Malware

Secureworks security researchers have analyzed ‘DarkTortilla’, a .NET-based crypter used to deliver both popular malware and targeted payloads.

Secureworks security researchers have analyzed ‘DarkTortilla’, a .NET-based crypter used to deliver both popular malware and targeted payloads.

Likely active since 2015, DarkTortilla was designed to keep malicious payloads hidden from detection software, and was previously seen delivering remote access trojans (RATs) and information stealers – AgentTesla, AsyncRat, NanoCore, and RedLine – as well as targeted payloads such as Cobalt Strike and Metasploit.

Highly configurable and complex, the crypter can also be used for the delivery of addons – additional payloads, decoy documents, and executables – and appears to be very popular among threat actors, with an average of 93 samples submitted to VirusTotal each week between January 2021 and May 2022.

During their analysis of the threat, Secureworks’ researchers have identified code similarities with a crypter that the RATs Crew threat group used between 2008 and 2011, and similarities with the Gameloader malware seen in 2021.

DarkTortilla, which packs robust anti-analysis and anti-tamper controls, is typically delivered via malicious spam, with the observed emails carrying .dmg, .iso, .img, .tar, or .zip attachments.

The spam emails have been customized to match the target’s language, and the researchers have identified samples in English, German, Italian, Bulgarian, Romanian, and Spanish.

Malicious documents delivering DarkTortilla embed the malware’s initial loader as a Packager Shell Object and ask the intended victim to double click it, or feature embedded macros designed to automate the execution of the Packager Shell Object.

The initial loader is a .NET-based executable that is complemented by a .NET-based DLL representing DarkTortilla’s core processor. While the code processor is typically embedded within the loader’s resources, the researchers have seen it being retrieved from public sites such as Pastebin, Textbin, and Paste.

“The initial loader decodes, loads, and executes the core processor. When executed, the core processor extracts, decrypts, and parses its configuration. The encrypted configuration is stored within the .NET resources of the initial loader as bitmap images,” Secureworks explains.

DarkTortilla’s core processor can be configured to display a fake message box, perform anti-VM and anti-sandbox checks, achieve persistence, migrate execution to the ‘temp’ folder, process addon packages, and migrate execution to its install directory.

Next, it injects its payload within the context of the configured subprocess, and can also implement anti-tamper controls, if configured to prevent interference with DarkTortilla’s or the payload’s execution.

Although often overlooked by security researchers, DarkTortilla should be considered a formidable threat, due to its evasion capabilities, configurability, and its use with a wide range of popular and effective malware, Secureworks concludes.

Related: Chinese Cyberspies Use Supply Chain Attack to Deliver Windows, macOS Malware

Related: PLC and HMI Password Cracking Tools Deliver Malware

Related: New ‘Bumblebee’ Malware Loader Used by Several Cybercrime Groups

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.