In 2021, crypters like HCrypt and Snip3 joined the ranks of other “as-a-service” threats, often delivering remote access trojans (RAT).
Pairs With This Song
Take Action


Throughout 2021, Red Canary observed operators using crypters HCrypt and Snip3 to deliver various remote access trojans (RAT). Like other “as-a-service” threats, the developers sell or lease these crypters to affiliates who use them to carry out campaigns, expanding the threat landscape and creating new economies of scale. The “as-a-Service” ecosystem lowers the technical barrier to entry, allowing operators to purchase capabilities rather than develop them.


HCrypt is a crypter designed to evade detection and facilitate the download of secondary payloads, often commodity RATs like ASyncRAT, Quasar RAT, and LimeRAT. We’ve seen adversaries leveraging HCrypt to gain initial access via phishing attachments, often relying on image files (IMG or ISO) containing a script (VBS or JavaScript) that launches HCrypt. The malicious script downloads an additional script hosted on various publicly accessible sites such as GitHub and Discord. Without intervention, this execution chain ultimately leads to a RAT infection.


Like HCrypt, Snip3 is a crypter designed to evade detection and download additional malware. Snip3 is often delivered via phishing emails that prompt victims to download a VBA file. To evade detection, Snip3 leverages obfuscated PowerShell commands that contain the RemoteSigned flag. We’ve observed these PowerShell commands connecting to top4top[.]io, a legitimate file-sharing service popular in Egypt, Algeria, and Yemen.

Because these crypters are used by various adversaries delivering different payloads, it can be difficult to cluster seemingly disparate activity. However, as public reporting on Snip3 has discussed specific targeting of victims in the aviation sector, and we know of at least one set of operators that consistently relies on phishing emails with lures related to travel or cargo, we’ve associated activity we saw in 2021 with a campaign Cisco calls Operation Layover. We assess with high confidence that certain activity we observed in 2021 overlaps with this long-running operation, also chronicled by researchers from Morphisec and Microsoft. While this campaign involved attempts to deliver ASyncRAT or RevengeRAT to victims, similar intrusion chains deliver other publicly available RATs.

As HCrypt and Snip3 operate “as-a-service,” groups that purchase these capabilities may leverage them in different ways. The detection analytic below represents one opportunity to detect both crypters, empowering defenders to intervene before adversaries deliver additional malware.

Detection opportunity

WScript spawning Powershell using Invoke-Expression

This detection analytic will identify wscript.exe spawning PowerShell that uses Invoke-Expression or one of its aliases. HCrypt and Snip3 use PowerShell Invoke-Expression cmdlets to execute downloaded PowerShell content filelessly, without the downloaded scripts touching disk.

process == powershell.exe
parent_process== wscript.exe
command_line_includes  ('iex' || 'invoke' || 'invoke-expression')