04-02-2025, 07:35 PM
How hide stealers?
Stealers are such quiet thieves in the world of cybercrime. They steal passwords, cookies, and bank card data, sitting unnoticed on the victim's computer. But here's the problem: if you just wrote a stealer and threw it on the net, antiviruses like Kaspersky or Windows Defender would immediately raise the alarm. Even VirusTotal, where your file is checked by more than 70 engines, will immediately give you a red flag. To avoid this, professional malware developers use cryptovation - clever disguise techniques that turn their code invisible. Today, we'll break down how it works, from the simple to the techniques that will have antiviruses scratching the back of their heads in 2025. Let's go!
Why do we need crypto in the first place?
Imagine your stealer is a mugger in a bright orange robe walking down the street in broad daylight. Naturally, he will be spotted and captured. Cryptovka is like a dark cloak and mask: it hides the true essence of the program, making it look like harmless software. Antiviruses look for familiar patterns - pieces of code they've already seen in other malware. If you disguise these pieces or hide them so that they appear only at the right moment, the chances of slipping past the defenses increase dramatically. The goal is to achieve the coveted 0/70 on VirusTotal, i.e. complete invisibility. And professionals know how to do it.
Basic obfuscation: first steps in masking
Let's start with a simple one - basic obfuscation. It is like pulling a hood over a robber's head: you can still see his face, but it is not so obvious who he is. Here the code is not encrypted, but simply obfuscated to make it harder to read and analyze.
How does it work?
Let's say you have a stealer that steals passwords. There is a steal_passwords variable in the code - the name speaks for itself. The first thing you do is to rename it to something like x7k9p2m. A person will open the code and think: "What the hell is this?". Antivirus doesn't care about the names, but that's just the beginning. Then they add garbage - pieces of useless code. For example, a loop that adds random numbers a thousand times and does nothing with them. Or a function that supposedly counts something but the result is not used anywhere. The code becomes bloated, chaotic, and static analysis - when antivirus just looks at the file - loses its effectiveness.
Another trick is packaging. You take a program like UPX, which compresses an executable file into a dense lump. When you run such a file, it unzips itself in memory and works as usual. Some older antiviruses miss these tricks because they can't see what's inside until the file runs.
Pros and cons
The plus side is that it's simple and fast. Even a novice can download an open-source obfuscator and make his styler a little less noticeable in half an hour. VirusTotal will have fewer detections - say, 20/70 instead of 30/70. But the downside is obvious: it's a weak defense. Modern antiviruses already know about UPX and similar things, and garbage code doesn't save you from deep analysis. For professionals it is like a child's toy - a starting point, but not a serious level.
Payload encryption: hiding the stuffing
Now the next level is payload encryption, or payload encryption. This is no longer just a hood, but a whole chest with a lock where your styler is hidden. Antivirus only sees the chest, but doesn't know what's inside until someone opens it with a key.
How does it work?
The stealer is the heart of the program that does all the dirty work: steals data, sends it to the server. It is encrypted, for example, using the AES-256 algorithm, a strong encryption that cannot be opened without a key. The styler itself becomes an incomprehensible set of symbols, like an encrypted letter. But to make it work, you need a loader - a small program that knows the key and knows how to decrypt this "lump" right in the computer's memory. When you run the file, antivirus checks it on disk and sees only the downloader. And the loader looks innocent: no suspicious commands, just code that unzips something. Stiller comes to life already in RAM, and there is no trace of it on the disk.
Tricks
To make encryption even stronger, the key can be generated on the fly. For example, it depends on the serial number of the victim's hard disk. The key will be different on each computer, which means that the signature - the pattern that antivirus uses to search for malware - is also unique. Antivirus has to guess, which is almost impossible.
What's the bottom line?
If the loader is written carefully and does not raise suspicions, the result is 0/70 on VirusTotal. Static analysis is powerless because there is no open malware on the disk. But there's a catch: if antivirus is monitoring the program's behavior in real time, it may notice that the bootloader is doing something strange - like climbing into memory or connecting to the network. That's the next level of the game, which we'll talk about later.
Polymorphism: a new look every time
Now imagine that your robber doesn't just hide under a cloak, but puts on a new costume, changes his face and even his gait every time. This is polymorphism, a technique that makes each instance of the stealer unique.
How does it work?
A polymorphic cryptor is like a random mask generator. You write a styler once and then pass it through such a cryptor. It rewrites the code: changes the order of commands, adds random pieces of garbage, rebuilds the structure. As a result, two files that do the same thing - steal passwords - look completely different. Antiviruses look for familiar patterns, but there are none here: every build is a new puzzle.
Suppose you send a styler to two victims. The first file contains a downloader with one set of instructions, the second with another. Even if antivirus catches the first one and adds its signature to the database, the second one will still slip through because it is different.
Tools and examples
There are programs like The Enigma Protector or Themida that do this for you. They take your styler, encrypt it, wrap it in a polymorphic loader, and output a new file. Each time you run the cryptor, the result is unique. For example, the Metamorphic Engine is an engine that rebuilds code on the fly, turning it into a new "organism". One build is 0/70, the second build is also 0/70, although the files don't look alike.
Pros and cons
On the plus side, it breaks signature analysis to pieces. Antivirus has to catch each new variant manually, which is unrealistic if you generate hundreds of copies. Minus - complexity. It is not easy to write a good polymorphic cryptor, and ready-made solutions like Themida cost money. Plus, if you overdo it with garbage, the file may become too big and the victim will suspect something wrong.
FUD scriptors: an invisible man's dream
FUD stands for Fully Undetectable, a completely undetectable cryptor. If before we just hid the robber under a cloak or changed his costumes, now he becomes an invisible man. Such cryptors are the elite of the malware world, and you can't just download them from GitHub. They are either written to order or bought on forums for a decent amount of money, usually between $50 and $500.
How does it work?
FUD-cryptor is a combination of all the best: encryption, polymorphism, and a couple of other clever tricks. Stiller is encrypted so that it looks like a random set of bytes on disk. The loader that decrypts it is disguised as something harmless - for example, a system service like svchost.exe or even a legitimate program like browser update. But the main trick is the constant updating. Professional FUD-cryptors change their signatures almost every day so that antiviruses do not have time to detect them.
Imagine: you run a file, and the antivirus sees only a clean bootloader. It quietly injects a styler into a process like explorer.exe, and it starts its work - stealing data and sending it to the server. On VirusTotal - 0/70, because there is nothing suspicious on disk, and everything happens too quickly and quietly in memory.
Cool moves
One of the tricks is digital signatures. Developers steal certificates from real companies (or buy them) and sign their file. Antivirus looks at it: "Oh, it's software from some LLC, it's okay!" - and lets it pass. For example, 2023 Silent Crypter used stolen certificates and updated its downloaders every 24 hours. Even a week after release, it remained invisible.
Another trick is masquerading as system processes. Stiller is injected into svchost.exe or notepad.exe, and antivirus thinks it's just Windows doing its thing. No extra files, no traces - a clean job.
Where's the catch?
FUD is cool, but not for long. Once a cryptor becomes popular and gets into the hands of too many people, antiviruses start noticing it. After a couple weeks or months, the detections show up and you either have to update the cryptor or find a new one. Plus, it's complex and expensive. Unless you're a pro with coding skills, you can't write such a program yourself - you'll have to pay a lot of money.
Memory Injection: The Invisible Strike
Now forget about files on disk altogether. Memory injection is when a styler lives only in the RAM, like a ghost that cannot be touched. This is the top method for those who want to bypass static analysis completely.
How does it work?
The idea is simple: instead of leaving the executable on the hard disk, you run the styler directly in memory through an already running process. Let's say you have a small downloader - a harmless piece of code. It downloads the encrypted styler from the server (or takes it from the network), decrypts it in memory and injects it into some legitimate process, for example, notepad.exe. Antivirus checks the disk and there is nothing there. VirusTotal is also powerless, because the file as such does not exist.
One way is DLL injection. The loader uses WindowsAPI functions like CreateRemoteThread and LoadLibrary to slip a styler into someone else's process. Another option is PowerShell scripts. You write a script that pulls a peyload from the server and runs it in memory without touching the disk. Everything happens so fast that the victim doesn't even notice.
Case in point
Take the classics - tools like Metasploit or Cobalt Strike. They have been using injections to deliver malware for a long time. Imagine: a C# downloader makes a request to the server, receives an encrypted piece of data, decrypts it in RAM and injects it into msedge.exe. The browser works as if nothing had happened, while the styler quietly collects cookies and passwords.
Pros and cons
Plus - almost complete elusiveness for static analysis. No file - no problem. But there is a risk: modern antiviruses with behavioral analysis (for example, ESET or Malwarebytes) may notice that notepad.exe has suddenly started to access the network or touch system files. This is suspicious, and additional masking is needed.
Bypassing behavioral analysis: fooling observers
Let's say your styler passed static scanning - it's clean as a tear on disk. But antiviruses are not fools: they monitor the program's behavior. Does it go into the registry? Does it dig into the cookies folder? Does it send data to a strange server? If so, even without signatures, they'll catch you. How do you get around that?
Disguised as legitimate software
One way is to pretend to be something familiar. For example, the styler masquerades as a Chrome update. It uses the same system paths (like C:\Program Files\Google\Chrome), calls similar APIs, and even mimics network traffic for updates. Antivirus sees: "Well, it's Chrome, it's fine" - and lets it pass.
Delay before activation
Another trick is the timer. Many antiviruses check a program in a "sandbox" - a virtual environment where they watch what it does. But sandboxes rarely wait long. You add a delay to the styler: it starts, sits quietly for 5-10 minutes, and then starts working. The sandbox has already closed, the antivirus has decided it's clean, and the styler does its thing in the meantime. In 2024, RedLine Stealer used such a trick - it waited for 15 minutes, and was mistaken for a glitchy piece of software, not a threat.
Fake Windows Updates
Even cooler is masquerading as a system update. You name the stealer wuauclt.exe (it's a real Windows Update file), put it in %SystemRoot%, and deliver the peyload via BITS, the background data transfer service that Windows uses for patches. You add a fake Microsoft digital signature (stolen, of course), and antivirus sees the "official update". Such stylers can live in the system for months, pretending to be KB patches.
Anti-Debug and anti-VM: throwing hunters off the scent
Professionals know that their stylers are not only checked by antivirus, but also by analysts in virtual machines (VMs) or debuggers. How to fool them?
Checking the environment
Stiller looks at where it is running. For example, it checks the MAC address of the network card - VMware and VirtualBox start with certain values. Or it looks in the registry for traces of virtualization. If something is wrong, it self-destructs or simply shuts down. The victim will think that the file is broken, and the analyst will be left empty-handed.
Anti-Debug
For debuggers like OllyDbg, there are traps of their own. Stiller calls the IsDebuggerPresent function from the Windows API - it returns "yes" if someone tries to pick it. Or they insert code that breaks the debugger: like division by zero or an infinite loop. In the 2020s, LokiBot did just that - when run in VirtualBox, it would just crash, leaving researchers baffled.
Cryptovation via server management (C2-delivery): less traces, more control
If you want your stealer to be elusive, don't leave anything extra on the disk. C2 delivery (Command-and-Control) is when the bulk of the malware lives on the server rather than in the file, and the victim receives it in pieces.
How does it work?
A tiny downloader runs on the victim's computer - so small that it looks like a harmless script. This loader makes a request to a command and control server via HTTPS, takes the encrypted peyload (the styler itself), decrypts it in memory, and runs it. Only the bootloader is on the disk, which itself doesn't steal or do anything. Antivirus looks at it and thinks: "Well, it's just a little thing, nothing". But the real styler appears only in the RAM and disappears after a reboot.
Tricky moves
To further confuse the trail, peyloads are stored on legitimate platforms. For example, an encrypted file is stored in Google Drive or a Telegram channel, and the downloader pulls it from there. The traffic looks like a normal download of a photo or document - who would suspect? Even cooler - the server changes the peyload every day, adding polymorphism: today one version of the styler, tomorrow another.
What's the bottom line?
Without Internet, the stealer does not work, but this is a plus: antivirus does not see the threat until there is no network activity. If everything is done carefully, VirusTotal is powerless and the detectors are 0/70. On the downside, you need to keep the server alive and invisible, which requires resources and caution.
Code virtualization: your own little world
Now imagine that your stealer is not just a program, but a whole world with its own rules. Code virtualization is when you wrap the malware in your own virtual machine (VM), and it runs only inside it.
How does it work?
You write a styler, and then create a custom engine for it - for example, in C++. This engine emulates a processor with a fictitious architecture, like a simplified RISC. The styler itself is compiled not into regular machine code, but into byte code that only this virtual machine understands. When you run the file, the antivirus only sees the interpreter - a program that executes something. But what exactly? Without deep analysis, you can't figure it out, and it's too long and complicated.
Think about it: antivirus has to first realize that it is a VM, then figure out its logic, and then parse the bytecode. This takes a lot of time, and most defenses just give up.
Tools and pros
There are ready-made solutions like VMProtect that do virtualization for you. Or you can write your own engine if you are a C++ guru. Plus - static analysis is almost useless. Even if antivirus realizes that it's a virtualization, it won't get to the bottom of it without serious efforts. Minus - execution slows down because emulation requires resources and the file may become suspiciously large.
JIT compilation in rantime: building on the fly
JIT (Just-In-Time) is when a styler is born right at runtime, like a Lego constructor that is assembled in the air. This is another step forward from static code.
How does it work?
You write a styler in a language like C# or Java, but you don't compile it into a finished file. Instead, the code is stored encrypted as a set of instructions. The loader decrypts these instructions at startup and compiles them into machine code right in memory, using the built-in JIT compiler. There is nothing ready on disk - just a wrapper that generates the styler on the fly.
Let's say your styler steals passwords. In encrypted form it looks like meaningless garbage. The loader runs, decrypts the pieces of code and reassembles them into a working program in RAM. Antivirus looks at the disk and it's empty, just some wrapper.
Why is that cool?
Static analysis doesn't work here at all - no file, no signatures. Even if an antivirus catches the downloader, it won't know what it's going to do until it runs it. And parsing JITs in real time is higher math for most defenses. Minus - you need skills to work with such languages, and execution may be a bit slower due to compilation.
Payload segmentation: putting the puzzle together
Now imagine your styler is a jigsaw puzzle taken apart and hidden all over the place. Peyload segmentation is when you divide the malware into pieces and reassemble it only in your memory.
How does it work?
You take the styler, split it into three or four pieces and encrypt each one separately. One piece is hidden in a .dll, another in a registry key like HKCU\Software, and the third is loaded from the server. The loader runs, finds all the pieces, decrypts them and glues them together in memory through functions like VirtualAlloc. There is no whole file on disk, just scattered pieces that mean nothing by themselves.
Case in point
Let's say you have a 100KB styler. You divide it up: 30 KB in the .dll, 20 KB in the registry, 50 KB from the C2 server. The bootloader knows where what lies, collects it in RAM, and runs it. Antivirus doesn't just need to find the pieces, it needs to understand that they are related - and that's almost unrealistic without behavior analysis.
Pros and cons
On the plus side, it's incredibly stealthy. Even if one piece is found, it's useless without the rest. The downside is the complexity of implementation. If the loader is poorly written or the server crashed, the styler simply won't build.
Kernel driver disguise: the king of shadows
For the most daring, you can switch the styler to kernel mode. This is like hiding a robber in a police station - he becomes unreachable.
How does it work?
You write the styler as a driver, a program that runs at the Windows kernel level (Ring 0). You use Windows Driver Kit (WDK), encrypt the peyload and disguise it as a legitimate driver, for example, for a video card. Sign the file with a stolen certificate and load it through standard Windows mechanisms. The styler can do anything in the kernel - steal data, intercept input - and most antiviruses can't see it because their scanners work at the user level (Ring 3).
Why is that powerful?
At the core, you are above all defenses. Even EDR (Endpoint Detection and Response) systems like CrowdStrike often can't look that deep without special modules. Plus, the driver looks like part of the system - who would suspect nvdisplay.sys? The downside is risk. Make a mistake in the code and the system will crash with a blue screen. Writing such a thing without experience is suicide.
The real world: what it looks like in practice
We went over crypto techniques, from basic obfuscation to kernel and virtualization. But professionals don't just take one method and hope for the best. They bundle them together like layers of armor and test them in action. Let's break down how these combinations work in practice, and then see how popular stingers like RedLine and Agent Tesla use them to stay invisible.
Examples of bundles: multi-layer defense in action
Binding 1: Polymorphism + Memory Injection + Delay
Let's say you have a styler that steals cookies from your browser. You run it through a polymorphic cryptor - each time a new file with a unique structure, so that antivirus doesn't catch the signature. Then you add a memory injection: the loader injects the styler into msedge.exe, and there is nothing left on the disk - static analysis is a bust. And to fool sandboxes, you set a timer for 10 minutes - the styler waits until the check is over and only then gets into the data. What does it look like? The victim runs the file, the antivirus is silent, the sandbox closes, and 10 minutes later the styler quietly does its job. VirusTotal is 0/70, because there's nothing to catch.
Bundle 2: FUD-cryptor + C2-delivery + Anti-VM
Now another scenario. You take a FUD-cryptor: the styler is encrypted and the loader is signed with a stolen certificate and masquerades as svchost.exe. Antivirus sees the "system" process and lets it through. Next is C2 delivery: the downloader pulls encrypted peyload from the server via HTTPS, pretending to be an Adobe update. There are minimal traces on the disk, just a tiny downloader. And to prevent analysts from figuring it out, you add anti-VM: the code checks the MAC address and shuts down if it's running in VirtualBox. Bottom line: the anti-virus is tricked by the signature, the peyload is invisible, and the researchers lose track of it.
Bundle 3: Virtualization + Segmentation + Upgrade Masking
The third example is for aesthetes. Stiller is wrapped in a virtual machine: its code is turned into bytecode that works only inside a custom engine. Antivirus needs to solve this puzzle, and there's no time. Then you divide the peyload into chunks: one in a .dll, one in the HKCU registry, one from the server. The loader builds them in memory, and the file itself masquerades as wuauclt.exe with a fake Microsoft signature. Antivirus thinks it's a Windows patch, doesn't see the connection between the pieces and doesn't understand virtualization. The result: complete invisibility and no detections.
These bundles are not fantasy, but working schemes. Each layer covers the weaknesses of the other: polymorphism breaks signatures, injection hides traces, C2 minimizes evidence, and anti-VM confounds analysts. Wizards test them in isolated environments, tweaking them for new threats.
Now let's see how popular stylers apply these ideas to real life.
RedLine Stealer: polymorphism and C2 to the max
RedLine, the king of 2022-2024, was a master of combinations. Its base bundle was polymorphism and C2 delivery. Each build was generated with a unique structure, and peyload was pulled from the Telegram channel, masquerading as normal traffic. When antiviruses started catching requests, the developers replaced C2 with segmentation: some code was hidden in the registry, some in trash files. Plus they added a delay of 15 minutes to fool sandboxes. The result: 0/70 on VirusTotal for months until the code was leaked to the public.
Agent Tesla: encryption and cloaking with evolution
Agent Tesla, a malware veteran, started with AES encryption and .NET obfuscation wrapped in Themida, which gave him a head start over static analysis. Then he masqueraded as an SMTP client, adding garbage code to throw off behavioral engines. When Themida started to be detected, the developers switched to JIT-compilation: the code was built in memory, and only the wrapper was left on disk. Detections appeared 2-3 months after the new version, and not all antiviruses had detections.
LokiBot: anti-debug and injection
LokiBot liked the combination of memory injection and anti-debug. It injected itself into legitimate processes like explorer.exe, and at startup it checked if there was a debugger or a virtualizer. If it noticed VirtualBox by MAC-address, it would shut down. When the injection started being caught by API calls, developers switched to PowerShell scripts to deliver pyload. This kept it in the shadows until antiviruses updated behavioral databases.
These stylers are a living example of how bundles and replacements work in a case. Developers follow antivirus, read forums and sharpen their tools. They know that if they hesitate, their creation will show up red on VirusTotal. The game is non-stop.
Beginning and end: drawing a line
We started from the basics - basic obfuscation, where the code was simply confused to confuse, and got into such wilds as kernel drivers and homomorphic encryption, where the styler becomes part of the system or is not decrypted at all. Along the way, we broke down how professionals in 2025 are combining techniques into killer bundles: polymorphism with injection and latency, FUD scripts with C2 and anti-VM, virtualization with segmentation and masking. And if something becomes obsolete, they find a replacement - they change packaging to encryption, polymorphism to JIT, C2 to segmentation. Real-world examples like RedLine, Agent Tesla, and LokiBot have shown how this works in combat: each layer of defense reinforces the other, each trick adapts to new threats.
It's not just a set of techniques - it's a whole science of survival in the digital war. Professionals test their stingers in isolated labs, keep an eye on antivirus updates, and keep their trump cards up their sleeves. Today they have 0/70 on VirusTotal, tomorrow it's 5/70, the day after tomorrow it's 20/70, and the game starts all over again. To stay ahead, they write their own cryptors, hide them in the shadows, and change tactics every couple months. It's a cat-and-mouse game of brinksmanship: the stake is the victim's data, the prize is elusiveness. And while the malware masters keep their hands on the pulse, antiviruses will be panting, trying to catch up with them in this endless race.
