Unpacking the packer ‘pkr_mtsi’
ID: 6a09e24e-fd4d-59bc-af88-e38cedf272c3
STIX ID: report--6a09e24e-fd4d-59bc-af88-e38cedf272c3
Feed Name: ReversingLabs Blog
Technical analysis of the pkr_mtsi Windows packer, observed since April 2025 in large-scale malvertising and SEO-poisoning campaigns that distribute trojanized installers. The report describes consistent early-stage behaviors (memory allocation followed by dense writes of small immediate values), obfuscated API resolution via the PEB (including hashing to locate ZwAllocateVirtualMemory), pervasive junk GDI calls, anti-debugging and other evasive techniques, a modified and stripped UPX intermediate stage, and a defective use of NtProtectVirtualMemory that yields a high-signal detection opportunity; it concludes with comprehensive YARA rules and detection guidance.
