
Advanced Malware Crypter “Castlecrypt” Targets Antivirus and SmartScreen Protections

Last updated: January 23, 2026
  • Threat actor advertises a manual crypter service capable of bypassing Windows Defender, Chrome, and SmartScreen.

  • Each malware build is claimed to be unique, designed for long-term detection evasion.

  • Pricing tiers reveal growing commercialization of advanced malware services.


Recently, a new malware encryption service called “CastleCrypt” has been made available to hackers on an underground forum.

Cybercriminals actively promote this encryption service as a tool that lets them encrypt files and evade common security defenses such as Windows Defender, Chrome, and Microsoft SmartScreen.

These evasion capabilities make tools like this particularly dangerous when paired with effective social engineering, as seen in attacks exploiting current events to deliver payloads.

It is also a sign of how organized and commercialized malware groups have become.

CastleCrypt Enters the Underground Market

A hacker operating under the name “castle” markets CastleCrypt and sells it as a “premium crypter” for executable (.exe) files.

Unlike automated “packers” or generic encryption services, CastleCrypt markets itself as producing a custom, encrypted build for every file and delivering it privately to each customer.

Since most antivirus engines rely on signature-based detection, CastleCrypt creates unique encrypted builds for each client, preventing pattern matching and significantly complicating malware detection and analysis.

CastleCrypt claims to bypass several layered security measures, including Windows Defender, Chrome-based security, and Microsoft SmartScreen.

Although criminals often make these claims in underground ads, they show that threat actors actively work to stay ahead of the enterprise-grade security used by most organizations.

Technical Features Suggest Advanced Evasion Capabilities

The technical sophistication of the features advertised for CastleCrypt suggests a strong capability to evade detection by security vendors.

The two-phase polymorphic downloader, one of CastleCrypt’s key components, uses multiple layers of encryption to prevent static detection and offers multiple dynamic execution paths so that the resident malware can ‘mutate’ across infections.

Other key characteristics include random key generation for XOR encryption, anti-sandbox techniques, and a self-written launcher kept separate from the encryption layer.

These components are intended to defeat all known signature-based and behavioral detection systems.

CastleCrypt’s anti-sandbox features detect controlled analysis environments and delay or alter execution to evade discovery.

Analysts say its advanced design mirrors sophisticated malware families, making it especially attractive to high-level cybercriminal groups.

Commercial-Grade Malware Pricing Overview

CastleCrypt is offering three general categories of service at three price points:

  • Two-Phase Crypt: 65.00
  • Private Launcher + Crypt: 140.00
  • SmartScreen Bypass + Crypt: 200.00

Offering a SmartScreen bypass for an added premium highlights the growing push to defeat Windows security prompts that have long slowed the spread of malware.

Industry experts say that this type of pricing model reflects the growing maturity of the cybercrime economy.

Sellers now also offer these more sophisticated tools to the public with customer support and ongoing updates for paying customers.

Development of Commercial-Grade Malware to Avoid Detection

Rather than payload capabilities, CastleCrypt’s design prioritizes stealth, persistence, and adaptability once the malware is deployed and active in the wild.

Because each client receives many different configurations (builds) of the software, a signature derived from the first client’s infection will not block subsequent infections.

As a result, security vendors must create new indicators of compromise (IOCs) continuously, which significantly increases their workload.

The rise of polymorphic downloaders and encrypted layers of code is enabling cybercriminals to sidestep existing scanning technologies.

This puts greater pressure on defenders to rely on more advanced behavioral and AI/ML-based detection strategies to detect and block cybercriminal activity.
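Why the per-build XOR keys described above defeat byte signatures but not statistical detection, as an added illustration that is not from the article or from CastleCrypt: the payload bytes and the signature are constructed, the keys are arbitrary, and a single-byte key is assumed for simplicity (the article does not state the key length).

```python
import math
from collections import Counter

# Constructed stand-in for a payload (hypothetical, not a real sample): a
# PE-like header, a printable string, the long zero padding real executables
# carry, and every byte value once so the sample covers the whole alphabet.
PAYLOAD = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode."
           + b"\x00" * 200 + bytes(range(256)))

# A byte pattern a scanner might extract from the plaintext payload.
SIGNATURE = b"cannot be run in DOS mode"


def xor_build(data: bytes, key: int) -> bytes:
    """Simulate one 'unique build': the same data XORed with a per-build key.
    XOR is its own inverse, so the same call decodes a build."""
    return bytes(b ^ key for b in data)


def signature_hits(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Plain byte-pattern match, the kind per-build keys are meant to defeat."""
    return signature in sample


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. A single-byte XOR only permutes byte values, so the
    byte distribution, and therefore the entropy, is identical for every build."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def recover_single_byte_key(sample: bytes) -> int:
    """Executables contain long zero runs, so the most frequent encoded byte
    is almost certainly 0x00 ^ key, which yields the key without any signature."""
    most_common_byte, _ = Counter(sample).most_common(1)[0]
    return most_common_byte ^ 0x00


def analyze_build(key: int) -> dict:
    """Per build: does the signature still match, what is the entropy, and
    does recovering the key restore the match?"""
    build = xor_build(PAYLOAD, key)
    recovered = recover_single_byte_key(build)
    return {
        "signature_hit": signature_hits(build),
        "entropy": shannon_entropy(build),
        "recovered_key": recovered,
        "signature_after_decode": signature_hits(xor_build(build, recovered)),
    }
```

Every build with a non-zero key misses the signature, yet all builds share the plaintext's entropy and the key falls out of a frequency count, after which the original signature matches again.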

Expanding Malware-as-a-Service Market

CastleCrypt is a clear example of the expansion of the malware-as-a-service (MaaS) market, where cybercriminals increasingly use third-party services instead of creating malware frameworks themselves.

This commercial model extends beyond desktop tools, with services like the ‘Albiriox’ Android malware also being rented on dark web platforms to hijack mobile devices.

These cybercriminals are relying on third-party vendors for encryption, loaders, command and control infrastructure, and methods of distributing traffic.

This means that they can concentrate on phishing campaigns and social engineering and leave the technical heavy lifting to other vendors.

Security experts say this division of labor is a major factor in how quickly and creatively cybercriminals now develop new forms of cybercrime.

About the Author

Memchick E

Digital Privacy Journalist

Memchick is a digital privacy journalist who investigates how technology and policy impact personal freedom. Her work explores surveillance capitalism, encryption laws, and the real-world consequences of data leaks. She is driven by a mission to demystify digital rights and empower readers with the knowledge to protect their anonymity online.
