Malware analysis

Top 13 popular packers used in malware

Matthew Jones
March 26, 2020 by
Matthew Jones

Malware can wreak havoc on just about any system, and packers help malware stay one step ahead of security software. But what exactly do packers do? How can they be detected? And finally, what are some of the most popular packers used in malware today? 

We will answer these questions and more in this article. But first, let’s take a closer look at packers and how they function.

What is a malware packer?

For many years, packers were used for completely innocent reasons. Often known as a “runtime packer,” this software compresses files and then unpacks itself when a program or file is ready to be executed. 

As technology advanced, this kind of file size compression became less of a necessity. Nonetheless, packers are still used today, primarily for malware files.

In essence, a malware packer is a tool used to mask a malicious file. Packers can encrypt, compress or simply change the format of a malware file to make it look like something else entirely. The process of packer compression or encryption takes the file from its original code to a new state using tried-and-true obfuscation techniques. 

As a result, malware can remain in a system undetected by antivirus software, anti-malware products and other security software, harming the integrity of your system and the security of your data. This is why it is so important to understand how packers can be used in malware. 

However, each packer functions a little differently. You will need to know a little about some of the most popular packers used in malware in order to detect them in your own system.

Top 13 popular packers used in malware

It is important to reiterate that packers are not inherently malicious; they are simply a tool used to make certain malware more effective by being harder to detect. 

In order to protect your system from malware and start reverse-engineering the malicious code, you will need to know what kind of packers are most commonly used in malware. Here are the top 13 most popular packers used in malware today.


UPX is short for the “Ultimate Packer for Executables.” It uses an open-source algorithm that does not require any additional system memory for decompression.

The Enigma Protector

Like most packers, The Enigma Protector is marketed for individuals and businesses who want to protect their files from hacking. Nonetheless, The Enigma Protector is commonly used to obfuscate malware.


MPRESS was originally designed to compress files and decrease application start times. While this free software is extremely useful for regular file compression, it is also easily accessible to hackers and other malware writers.

Exe Packer 2.300

Exe Packer 2.300 is a standard, free software for file compression and decompression. Since it has been around for years, Exe Packer 2.300 is one of the most popular packers for malicious file obfuscation.


ExeStealth is a tool that encrypts files to avoid detection and hacking. Designed by WebToolMaster, this free software is simple to implement and one of the best anti-hacking tools on the market, which also makes it effective at hiding malware code in your system.


Unlike most other packers, Morphine includes its own PE loader, allowing users to encrypt the output of compressed data. The polymorphic engine is also used to create completely unique decryptors for malware.


Themida was developed by Oreans to protect Windows applications from hackers. Unfortunately, it can also be used to encrypt malicious files and complicate attempts to reverse-engineer malware.


MEW is primarily used for smaller malware file compression using the LZMA algorithm. Even though it was designed for small files, it has been updated over time so that it can also obfuscate larger malware files.


The free, simple FSG software compresses both small and large files. While it is popular and commonly used to hide malware code, it is also relatively simple to unpack through a decompression loop that writes the data to the final destination.


PESpin compresses Windows code using MASM. It protects files against patching and disassembling, making it a popular resource for malware authors.


While Andromeda refers to a botnet that has been around since 2011, it is also a custom packer. Custom packers are especially dangerous because they are not as simple to reverse-engineer.


VMProtect is very popular, as it can encrypt a wide range of files, including executable files, drivers and dynamic-link libraries. When an application encrypted by VMProtect is opened, the packer does not decrypt anything; instead, it runs on a virtualized code.


Obsidium works for both 32-bit and 64-bit Windows applications. This software is capable of encrypting, compressing, and obfuscating malware.

How to detect malware packers

Since most malware packers make it difficult to find and analyze malicious code, it may be necessary to use a script specifically designed for packer detection. Thankfully, there are a number of packer-detecting tools available. Here are some of the best tools for identifying malware packers:

In addition to identifying packers used in malware, you will also want to find ways to set up a virtual environment and analyze malware behavior. Here is a useful guide for reverse-engineering malware packers.


Packers are not inherently bad. In fact, they are one of many security solutions that can help protect files, data and applications. However, they are also a great resource for malware developers. They obfuscate file code, making it very difficult to locate and analyze malware on your system. Some packers use common algorithms, while others use custom code to compress and/or encrypt files. 

In any case, the more you know about popular packers used in malware, the more equipped you will be to identify and unpack malware in your own system.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.



Matthew Jones
Matthew Jones