DTPacker is an unusual piece of malware: it works both as a packer and as a downloader. Combining these two delivery methods for next-stage payloads is rare, to say the least. Packers carry the payload data embedded in them from the start, whereas downloaders fetch the payload from an online resource where it is hosted.
Details about the malware were made public in a report by researchers who have been tracking the threat since 2020. Since then, DTPacker has been observed in numerous attack campaigns delivering a wide range of next-stage threats, such as infostealers (Agent Tesla and FormBook) and Remote Access Trojans, or RATs (Ave Maria and AsyncRAT). DTPacker has also been deployed by several different threat actors, including TA2536 and TA2715, as well as APT (Advanced Persistent Threat) groups.
The DTPacker attack chain usually begins with lure emails carrying a weaponized attachment. The attachment may be a malicious document or a compressed executable. When a victim opens the file, the packer executable is delivered to the machine. DTPacker runs in two stages and uses various obfuscation techniques to evade analysis, sandbox environments and anti-malware products.
In the first stage, the malware decodes an embedded or downloaded resource into a DLL. In the second stage, it extracts the payload from that DLL and executes it. The second stage uses a fixed key: initially 'trump2020', which later versions replaced with the fixed ASCII key 'Trump2026'. The malware's name is derived from these fixed keys.
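The two-stage, fixed-key decoding described above is something an analyst wants to test quickly against a captured blob. The following is an added example, not code from the page or from the original report: it assumes the fixed key is applied as a repeating XOR (the page does not say which cipher DTPacker uses), tries both reported keys against a constructed sample blob, and, going beyond the page, recovers an unknown repeating-XOR key of a given length from the known plaintext that every PE/DLL header contains.

```python
from itertools import cycle
from typing import Optional

# Fixed keys the page reports for DTPacker's second stage.
KNOWN_KEYS = [b"trump2020", b"Trump2026"]

# Known plaintext present in any normal Windows PE/DLL: the MZ magic and
# the standard DOS-stub message that follows it.
MZ_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. ASSUMPTION: the page does not name the cipher."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Cheap validation of a decoded candidate: MZ magic plus DOS-stub text."""
    return data[:2] == MZ_MAGIC and DOS_STUB in data[:0x200]


def try_known_keys(blob: bytes) -> Optional[bytes]:
    """Return the first reported DTPacker key that yields a PE-shaped result."""
    for key in KNOWN_KEYS:
        if looks_like_pe(xor_repeating(blob, key)):
            return key
    return None


def recover_key(blob: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating XOR key of length key_len.

    The DOS stub sits at a small, linker-dependent offset, so every offset in a
    plausible window is tried; a candidate key is accepted only if it decodes
    the whole blob into something that passes looks_like_pe().
    """
    for off in range(0x40, 0x80):
        if off + key_len > len(blob):
            break
        key = bytearray(key_len)
        for i in range(key_len):
            key[(off + i) % key_len] = blob[off + i] ^ DOS_STUB[i]
        if looks_like_pe(xor_repeating(blob, bytes(key))):
            return bytes(key)
    return None


# Constructed sample: a minimal PE-shaped buffer (not a real DLL) encoded with
# the later DTPacker key, standing in for a captured second-stage input.
SAMPLE_PLAINTEXT = MZ_MAGIC + bytes(0x4C) + DOS_STUB + b".\r\r\n$PE\0\0" + bytes(64)
SAMPLE_BLOB = xor_repeating(SAMPLE_PLAINTEXT, b"Trump2026")

if __name__ == "__main__":
    print("known key:", try_known_keys(SAMPLE_BLOB))   # b'Trump2026'
    print("recovered:", recover_key(SAMPLE_BLOB, 9))   # b'Trump2026'
```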
Note also that the decoy websites were designed to look like legitimate Liverpool FC and fan pages. DTPacker used these websites as the download locations from which the final payloads were fetched.