Evasive ‘DarkTortilla’ Crypter Delivers RATs, Targeted Malware

Likely active since 2015, DarkTortilla was designed to keep malicious payloads hidden from detection software, and was previously seen delivering remote access trojans (RATs) and information stealers – AgentTesla, AsyncRat, NanoCore, and RedLine – as well as targeted payloads such as Cobalt Strike and Metasploit.

Highly configurable and complex, the crypter can also be used for the delivery of addons – additional payloads, decoy documents, and executables – and appears to be very popular among threat actors, with an average of 93 samples submitted to VirusTotal each week between January 2021 and May 2022.
