Avast researchers reveal the OnionCrypter

The malware uses multiple layers to hide its information

Today’s malware is a lot like a car. Both cars and malware are made up of many components that enable them to run. Cars have different parts such as engines, tires, and steering wheels; malware has loaders, payloads, and command modules. 

Recently, researchers at Avast Threat Labs spent time looking at a specific “part” that malware authors use to make their “cars”. It’s called a “crypter”: a tool that uses encryption to hide the malicious parts of code, so that the code appears harmless and is more difficult to read. Malware authors use this technique to hide their malicious code from researchers, antivirus, and security software.

From a malware author’s point of view, a crypter is an important tool to counter protections against malware. From a researcher’s point of view, though, being able to identify a crypter helps to identify new malware better and more quickly when that malware has this component in it.

The digital security and privacy products company’s researchers looked into a specific crypter that they are calling OnionCrypter. They chose the name because this particular crypter uses multiple techniques to make it harder for researchers, antivirus, and security software to read the information that it protects.

Put simply, the information is hidden within the layers of the “onion” of its encryption. OnionCrypter is unusual because of the way it uses multiple layers to hide its information. It’s important to note that the name reflects the many layers this crypter uses, and it’s in no way related to the Tor browser or network. 

Avast has found that OnionCrypter has been used by more than 30 different malware families since 2016. This includes some of the best-known and most prevalent families, such as Ursnif, Lokibot, Zeus, AgentTesla, and Smokeloader, among others. In the last three years, the company has protected almost 400,000 users around the world from malware protected by this crypter. Its widespread use and length of time in use make it a key malware infrastructure component.

One of the goals of malware authors is to keep their creation undetected by antivirus software. One possible solution is a crypter, which encrypts a program so that it looks like meaningless data. It also creates an envelope for this encrypted program, called a stub. The stub looks like an innocent program and may even perform some harmless tasks, but its primary task is to decrypt a payload and run it.
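Because an encrypted payload “looks like meaningless data”, it stands out statistically from the ordinary-looking stub around it. The following added example (not from Avast’s research or the original article) shows one common triage check, a windowed Shannon-entropy scan; the window size, threshold, and sample bytes are assumptions constructed for illustration, and high entropy is only a hint, since compressed legitimate files score high too.

```python
import hashlib
import math
from collections import Counter

WINDOW = 1024      # bytes per window (assumed value)
THRESHOLD = 7.0    # bits per byte; assumed cut-off for "looks random"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(blob: bytes, window: int = WINDOW,
                         threshold: float = THRESHOLD):
    """Return merged (start, end) offsets of adjacent windows whose
    entropy is at or above the threshold."""
    regions = []
    for off in range(0, len(blob), window):
        chunk = blob[off:off + window]
        if len(chunk) < window // 2:      # tail too short to measure reliably
            continue
        if shannon_entropy(chunk) >= threshold:
            if regions and regions[-1][1] == off:
                # Extends the previous region: merge the two.
                regions[-1] = (regions[-1][0], off + len(chunk))
            else:
                regions.append((off, off + len(chunk)))
    return regions


def constructed_sample() -> bytes:
    """Constructed test data, not a real sample: 2048 bytes of repetitive
    'stub' text followed by 4096 pseudo-random bytes standing in for an
    encrypted payload."""
    stub = (b"This program cannot be run in DOS mode. " * 60)[:2048]
    payload = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                       for i in range(128))
    return stub + payload


if __name__ == "__main__":
    for start, end in high_entropy_regions(constructed_sample()):
        print(f"high-entropy region: 0x{start:x}-0x{end:x} ({end - start} bytes)")
```

A scan like this only sees the outermost layer of a multi-layer crypter, so it flags the file for closer analysis rather than identifying the family hidden inside.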

By Mike Gee


PC World