New AI-Enhanced Crypter Promoted as Capable of Evading Windows Defender

Cybersecurity researchers have spotted a new malware loader being advertised on dark web forums and marketed as a commercial product for evading modern endpoint protection; the sophistication attributed to it below comes from the seller's own listing.

The tool, dubbed InternalWhisper x ImpactSolutions, is being promoted by a threat actor known as “ImpactSolutions.”

The seller claims the crypter utilizes an AI-driven metamorphic engine capable of rewriting the majority of its code structure for every single build.

According to the seller, this produces entirely unique, signature-free binaries that bypass Windows Defender and other major antivirus products and remain "Fully Undetectable" (FUD) for extended periods. Like the rest of the listing, these are advertised claims rather than tested results.

According to the forum advertisement, the core innovation of InternalWhisper is its “Metamorphic AI Engine.”

Unlike traditional polymorphic packers, which keep the decryption stub intact and vary only the key and the encrypted payload between builds, a metamorphic engine rewrites the decryptor and loader logic itself while preserving its behaviour, so no fixed byte sequence is expected to survive from one build to the next.

The threat actor states that the engine “rewrites 99% of the code on every single build,” ensuring that no two generated files share the same file signature or structural patterns.

This approach is designed to defeat static analysis engines and signature-based detection, which rely on matching known malicious byte sequences; it does nothing to change what the code does once it runs, which is where detection has to move.
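As an added illustration of the polymorphic versus metamorphic distinction described above (this is example code, not code from the page or from the crypter), the following toy model builds one constructed payload two ways. The polymorphic build keeps a fixed decryptor stub and varies only a random key; the metamorphic build expresses its decryptor as a short list of byte operations and rewrites that list with equivalent substitutions and cancelling junk pairs on every build. A real engine does this at the x86 instruction level; here the three-op "instruction set", the `POLY_STUB` bytes and the payload are all assumptions made for the demonstration.

```python
import hashlib
import random

PAYLOAD = b"stand-in for the protected payload"  # constructed, not real code

# --- Polymorphic: constant decryptor stub, only the key and ciphertext change ---
POLY_STUB = b"\xde\xc0\xde\x01LOOP:XOR,KEY;DEC;JNZ"  # identical bytes in every build (assumed)

def polymorphic_build(payload: bytes, rng: random.Random) -> bytes:
    key = rng.getrandbits(32).to_bytes(4, "big")  # fresh 4-byte XOR key per build
    body = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return POLY_STUB + key + body

def polymorphic_run(build: bytes) -> bytes:
    key = build[len(POLY_STUB):len(POLY_STUB) + 4]
    body = build[len(POLY_STUB) + 4:]
    return bytes(b ^ key[i % 4] for i, b in enumerate(body))

# --- Metamorphic: the decryptor itself is a tiny op list that gets rewritten ---
# Assumed toy instruction set: byte-wise xor/add/sub mod 256, 0xFF terminates the stub.
OPCODE = {"xor": 0x01, "add": 0x02, "sub": 0x03}
MNEMONIC = {v: k for k, v in OPCODE.items()}

def apply_ops(ops, data: bytes) -> bytes:
    out = bytearray(data)
    for op, k in ops:
        if op == "xor":
            out = bytearray(b ^ k for b in out)
        elif op == "add":
            out = bytearray((b + k) & 0xFF for b in out)
        else:  # "sub"
            out = bytearray((b - k) & 0xFF for b in out)
    return bytes(out)

def inverse(ops):
    """Decryptor for a given encryptor: inverse ops in reverse order."""
    inv = {"xor": "xor", "add": "sub", "sub": "add"}
    return [(inv[op], k) for op, k in reversed(ops)]

def rewrite(ops, rng: random.Random):
    """The metamorphic step: swap ops for equivalent sequences and insert junk pairs."""
    out = []
    for op, k in ops:
        choice = rng.randrange(3)
        if choice == 0 and op == "xor":
            a = rng.randrange(256)
            out += [("xor", a), ("xor", a ^ k)]            # xor k == xor a ; xor a^k
        elif choice == 0:                                   # add k == sub 256-k, and vice versa
            out.append(("sub" if op == "add" else "add", (256 - k) & 0xFF))
        else:
            out.append((op, k))
        if choice == 1:                                     # junk that cancels out
            x = rng.randrange(256)
            out += [("add", x), ("sub", x)]
    return out

def metamorphic_build(payload: bytes, rng: random.Random) -> bytes:
    enc = [(rng.choice(["xor", "add", "sub"]), rng.randrange(256)) for _ in range(3)]
    dec = rewrite(inverse(enc), rng)
    stub = b"".join(bytes([OPCODE[op], k]) for op, k in dec) + b"\xff"
    return stub + apply_ops(enc, payload)

def parse_stub(build: bytes):
    ops, i = [], 0
    while build[i] != 0xFF:        # only opcode slots are tested, so an 0xFF operand is safe
        ops.append((MNEMONIC[build[i]], build[i + 1]))
        i += 2
    return ops, i + 1

def metamorphic_run(build: bytes) -> bytes:
    ops, off = parse_stub(build)
    return apply_ops(ops, build[off:])

def signature_matches(build: bytes) -> bool:
    """A static byte signature written against the polymorphic stub."""
    return build.startswith(POLY_STUB)

def compare(n: int = 5, seed: int = 1) -> dict:
    rng = random.Random(seed)
    poly = [polymorphic_build(PAYLOAD, rng) for _ in range(n)]
    meta = [metamorphic_build(PAYLOAD, rng) for _ in range(n)]
    sha = lambda b: hashlib.sha256(b).hexdigest()
    return {
        "poly_hashes_unique": len({sha(b) for b in poly}) == n,
        "meta_hashes_unique": len({sha(b) for b in meta}) == n,
        "meta_stubs_unique": len({b[:parse_stub(b)[1]] for b in meta}) == n,
        "poly_signature_hits": sum(signature_matches(b) for b in poly),
        "meta_signature_hits": sum(signature_matches(b) for b in meta),
        "all_run_identically": all(polymorphic_run(b) == PAYLOAD for b in poly)
        and all(metamorphic_run(b) == PAYLOAD for b in meta),
    }
```

Calling `compare()` shows that every build has a distinct hash under both schemes, but the byte signature on `POLY_STUB` matches all of the polymorphic builds and none of the metamorphic ones, even though every build decodes to the identical payload. That is the whole case for keying detection on what the code does at runtime rather than on its bytes.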

The service is delivered via an automated web-based panel, allowing customers to generate protected builds in seconds.

Technical Capabilities and Evasion

The crypter reportedly supports both native (C/C++) and .NET binaries on x86 and x64 Windows. The advertisement also highlights a stub size of only 100–200 KB, small enough, the seller argues, to pass as an ordinary software component.

Key technical features advertised include:

  • Runtime Encryption: The payload is stored AES-256-encrypted and strings are encrypted at build time; both are decrypted only in memory during execution, which frustrates static reverse engineering but not analysis of a running process.
  • Stealth Loading Techniques: Several loading methods are offered, including direct system calls that skip the user-mode API hooks many EDR products rely on, and process hollowing, which starts a legitimate process in a suspended state, replaces its memory image with the payload and then resumes it.
  • Signed Binary Sideloading: The crypter also supports DLL sideloading through legitimate, Microsoft-signed executables. The signed host is dropped alongside a malicious DLL carrying the name of a library the host expects to load, so the unsigned code runs inside a trusted, signed process and inherits whatever confidence allow-listing and reputation checks place in that signature.

Commercialization of Evasion

The offering positions InternalWhisper as a professional “Malware-as-a-Service” (MaaS) product. The threat actor provides tiered pricing plans and emphasizes customer support, signaling a focus on repeat business from cybercriminal affiliates.

Additional features aimed at operational security include anti-analysis checks that detect sandboxes and virtual machines, metadata spoofing to mimic legitimate files, and certificate cloning, which copies the subject and issuer details of a legitimate signer onto a self-generated certificate; the resulting signature does not chain to a trusted root, so a check that actually validates the signature rather than merely noting its presence still catches it.

By lowering the technical barrier for advanced evasion techniques, services like InternalWhisper allow less-skilled threat actors to deploy malware that can bypass sophisticated enterprise defenses.

Security teams are advised to rely on behavioural detection rather than static signatures, which are unlikely to be effective against metamorphic builds: for example, thread creation or execution in memory that is not backed by a file on disk, suspicious memory allocation and protection changes (RWX regions, remote writes into other processes), and unsigned DLLs loaded from user-writable directories into signed processes.
