This article examines a malicious packer family based on the Nullsoft Scriptable Install System (NSIS) used by cybercriminals to protect various malware from detection. It describes the structure of packed samples, and presents an approach for creating a tool that automatically unpacks the encrypted payloads, enabling further analysis. The packer is widespread, used to deliver loaders, stealers, and Remote Access Trojans (RATs), suggesting it’s likely a commodity sold on dark web markets. Developing automated unpacking tools facilitates analysis by providing access to unencrypted malware versions.

Click for details.