A packer dubbed Loncom (detected as Trojan-Dropper.NSIS.Loncom) combines NSIS and the Microsoft CryptoAPI (both legitimate software components) and is disguised as an update for an expired security certificate; it is used to pack and encrypt malware, including tools ready for APT use. Once the shellcode runs on a victim's system, it decrypts the payload from the NSIS archive and executes it, using information carried in the NSIS script to perform the decryption. Malware found packed by Loncom includes Mokes, Buerak, DarkVNC (a VNC backdoor), and Sodin (also known as Sodinokibi or REvil, ransomware).
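As an added illustration (not part of the original report and not Loncom's own code), the following Python triage script shows how an analyst might check a sample for the two components the paragraph names: an embedded NSIS installer, recognised by the NSIS firstheader magic, and CryptoAPI decryption imports. The firstheader field layout is taken from fileform.h in the NSIS source, the sample bytes are constructed for the demonstration, and the "suspicious" verdict rule is a heuristic of my own, not a vendor detection signature.

```python
"""Triage heuristic for NSIS-built droppers that decrypt a payload via CryptoAPI.

Added example: the firstheader layout follows NSIS fileform.h (flags, 0xDEADBEEF,
"NullsoftInst", length_of_header, length_of_all_following_data); everything else
here is an analyst heuristic, not a detection rule taken from the report.
"""
import re
import struct
from typing import List, Optional, Tuple

# Magic that follows the 4-byte flags field at the start of the NSIS firstheader.
NSIS_MAGIC = b"\xef\xbe\xad\xde" + b"NullsoftInst"

# advapi32.dll CryptoAPI exports a decryption stub would need. Import names are
# NUL-terminated and may carry an A/W suffix, so they are matched that way.
CRYPTOAPI_NAMES = (
    b"CryptAcquireContext",
    b"CryptImportKey",
    b"CryptDeriveKey",
    b"CryptDecrypt",
    b"CryptHashData",
)


def find_nsis_firstheader(data: bytes) -> Optional[dict]:
    """Locate the NSIS firstheader and return its fields, or None if absent."""
    pos = data.find(NSIS_MAGIC)
    if pos < 4 or pos + len(NSIS_MAGIC) + 8 > len(data):
        return None
    offset = pos - 4  # firstheader starts with the flags field, before the magic
    flags = struct.unpack_from("<I", data, offset)[0]
    header_len, following_len = struct.unpack_from("<II", data, pos + len(NSIS_MAGIC))
    return {
        "offset": offset,
        "flags": flags,
        "header_len": header_len,
        "following_len": following_len,
        # Sanity check: a length field that overruns the file means the sample is
        # truncated or tampered with, so unpacking it will fail or mislead.
        "length_consistent": offset + following_len <= len(data),
    }


def cryptoapi_imports(data: bytes) -> List[str]:
    """Return the CryptoAPI import names present as NUL-terminated strings."""
    found = []
    for name in CRYPTOAPI_NAMES:
        if re.search(re.escape(name) + rb"[AW]?\x00", data):
            found.append(name.decode())
    return found


def triage(data: bytes) -> dict:
    """Combine both indicators into a verdict for analyst follow-up."""
    header = find_nsis_firstheader(data)
    imports = cryptoapi_imports(data)
    return {
        "nsis": header,
        "cryptoapi": imports,
        # Heuristic only: legitimate installers also use CryptoAPI, so the verdict
        # means "worth unpacking and inspecting", not "malicious".
        "suspicious": header is not None and "CryptDecrypt" in imports,
    }


def build_constructed_sample(payload: bytes, imports: Tuple[bytes, ...]) -> bytes:
    """Assemble a fake dropper for offline testing (constructed, not a real sample)."""
    import_table = b"".join(n + b"\x00" for n in imports)
    stub = b"MZ" + b"\x90" * 62 + import_table  # stand-in for the PE stub
    header_len = 16
    following_len = 28 + len(payload)  # 28-byte firstheader plus trailing data
    firstheader = (
        struct.pack("<I", 0)  # flags
        + NSIS_MAGIC
        + struct.pack("<II", header_len, following_len)
    )
    return stub + firstheader + payload


if __name__ == "__main__":
    sample = build_constructed_sample(
        b"\x00" * 32, (b"CryptAcquireContextA", b"CryptImportKey", b"CryptDecrypt")
    )
    print(triage(sample))
```

Run against a real file with `triage(open(path, "rb").read())`; a positive result is the cue to carve the NSIS archive (for example with 7-Zip) and recover the script, since the paragraph notes that the decryption parameters live there.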