Malware Loader Strategies


Summary

Malware loader strategies are techniques used by cybercriminals to deliver and execute harmful software on a victim's system, often by hiding or disguising the initial payload to evade security tools. These methods include stealthy file manipulation, exploiting trusted applications, and using advanced evasion tactics to bypass detection and maintain persistence.

  • Monitor unusual files: Pay attention to unexpected executable or DLL files appearing in common folders, as attackers often drop malicious loaders alongside trusted binaries to launch malware discreetly.
  • Restrict scripting access: Consider disabling or limiting access to PowerShell, Windows Run dialog, and other scripting tools to prevent loaders from being triggered by social engineering or automated attacks.
  • Adjust file associations: Change system settings so risky file types like JavaScript open in a text editor instead of running automatically, which can block common loader-based infection chains.
Summarized by AI based on LinkedIn member posts
  • Joas A Santos

    Cyber Security Leader | Offensive Security Specialist | Application Security / Cloud Security | University Lecturer | AI and Machine Learning Engineer

    141,940 followers

    Analyzing the leaked code from the Vanhelsing Ransomware, it is essentially a highly modular and automated builder, developed in C++, designed to dynamically generate executable binaries (.exe) based on instructions received from a C2 server. The core logic includes a persistent loop (wmain) that continuously polls for new tasks via REST HTTP requests to an attacker-controlled endpoint. When a task is received, the system automatically compiles two binaries: the locker, responsible for encrypting the victim's files, and the decrypter, which allows for data recovery if the correct key is provided.

    The main payload is encrypted using AES-256-GCM (via libsodium), with a key derived from an X25519 key pair. The compiled locker binary is read, encrypted, converted into a binary header, and embedded into the loader, which is the final stage responsible for decrypting and executing the locker at runtime. The modular architecture allows the same locker to be reused with multiple loaders. File operations are handled directly through low-level Win32 API calls (CreateFileA, ReadFile, MoveFileA, DeleteFileA), with no dependency on external libraries. PowerShell’s Compress-Archive is also used to efficiently package and transmit artifacts via HTTP.

    There is a clear separation of responsibilities in the build pipeline: reading, encryption, macro substitution, architecture-specific compilation (Win32/x64), binary renaming, and upload to the C2 are all handled in well-defined stages, with error handling and diagnostics performed via GetLastError().

    Summary of Evasion Techniques:
    - Encryption of artifacts using X25519 + AES-256-GCM
    - Use of fileless-like execution via loader with embedded payload
    - Per-build uniqueness through dynamic key and ID insertion
    - Compilation via MSBuild (LOLBin abuse)

    #redteam #cybersecurity #malware #malwaredevelopment #malwareanalysis

  • Flavio Queiroz, MSc, CISSP, CISM, CRISC, CCISO

    Cybersecurity Leader | Information Security | GRC | Security Operations | Mentor | GSOC, GCIH, GDSA, GISP, GPEN, GRTP, GCPN, GDAT, GCISP, GCTIA, CTIA, eCMAP, eCTHP, CTMP

    30,504 followers

    THREAT CAMPAIGN: DEERSTEALER INFECTION CHAIN VIA CLICKFIX

    ℹ️ A new malware campaign analysis reveals how attackers are bypassing security controls using social engineering and stealthy loader techniques to deliver DeerStealer, a powerful infostealer that targets credentials, crypto wallets, and personal data.

    📍 INFECTION CHAIN
    ■ It begins with social engineering tactics that lure victims into manually executing PowerShell commands via the Windows Run dialog (“Win + R”), allowing the attackers to bypass many traditional endpoint security controls. This user-triggered action initiates the download of a malicious MSI installer using msiexec.exe, which deploys a loader known as HijackLoader.
    ■ HijackLoader, active since 2023, is a modular tool that uses advanced evasion techniques such as steganography (hiding configuration data in PNG images) and module stomping (injecting code into renamed legitimate executables like Q-Dir or COMODO binaries).
    ■ The final payload, DeerStealer, is a MaaS (Malware-as-a-Service) offered on underground forums by the actor “LuciferXfiles” and comes with an extensive range of capabilities. It targets sensitive data from web browsers, messaging apps, VPNs, and cryptocurrency wallets, featuring capabilities such as clipboard hijacking, stealth VNC access, and the exfiltration of credentials, autofill data, and credit card information.
    ■ DeerStealer is especially dangerous due to its modular design and crypto-focused tools, supporting over 800 browser extensions and external wallet types. The malware communicates with its command-and-control infrastructure using proxy domains and encrypted HTTP, further complicating detection.
    ■ Researchers highlight that this campaign exemplifies the growing trend of human-centric evasion, the use of LOLBins, and advanced stealth techniques.

    🛡️🔒 Defenders are urged to implement preventive measures such as disabling scripting tools and the Run dialog via GPO, enhancing phishing defenses, monitoring endpoint behavior, and leveraging EDR solutions capable of detecting advanced loader activity and unusual network traffic.

    Reference: 🔗 https://lnkd.in/d9nywa8F

    #threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense

  • Jolanda de Koff

    You can create art & beauty with a computer Hacking is not a hobby but a way of life I ♥ Linux

    5,773 followers

    GootLoader is back. This week, researchers discovered their newest trick: a way to make security tools completely blind.

    Your antivirus scans the ZIP file. Nothing found. WinRAR tries to open it. Fails. 7-Zip tries. Also fails. Corrupted file, right? But when you double-click it, Windows opens it just fine. And now you're infected.

    🧐 The trick is simple but brilliant. They take 500 to 1000 ZIP files and glue them together into one massive file. Most analysis tools read ZIP files from the beginning. They hit the first archive, see garbage, and crash. But ZIP files are actually read from the END. Windows knows this. It skips all the junk, finds the last valid archive, and happily extracts the malware.

    They deliberately break specific bytes in the file structure:
    → The End of Central Directory is missing two critical bytes
    → The "Disk Number" fields are randomized
    → The CRC32 checksum is wrong on purpose

    Open the ZIP with 7-Zip and it extracts a harmless .TXT file. Open the exact same ZIP with Windows Explorer and it extracts a malicious .JS file. Same archive, different tools, completely different results.

    Every single download is unique. The browser BUILDS the ZIP file itself by decoding an XOR-encrypted blob hundreds of times. No two victims ever receive the same file. Hash-based detection is useless.

    The infection chain moves fast.
    → You search for "contract template" on Google
    → A compromised WordPress site appears in the top results
    → You click download, the ZIP opens fine in Windows
    → Inside is a JavaScript file that looks like a legal document
    → You double-click it

    Game over. Within 20 minutes, the attackers deploy the Supper backdoor. They start reconnaissance immediately. Kerberoasting. SPN scanning. Looking for paths to the Domain Controller. Within 17 hours, they own it. Sometimes just one hour.

    In previous years, GootLoader made up 11 percent of all malware that bypassed security tools. One in ten.

    Who are they targeting?
    → Law firms searching for legal templates
    → Healthcare organizations
    → Finance, Education, Manufacturing

    How to protect yourself: Change your Group Policy so JavaScript files open in Notepad instead of executing. This one change stops the entire attack chain.

    Security tools see a corrupted file. Windows sees an opportunity to help. And that gap is exactly where GootLoader lives.

    I cover attack chains like this, from initial access through privilege escalation to maintaining persistence, in my ethical hacking course: → https://lnkd.in/eDf8hQdg

    Hacking is not a hobby but a way of life. 🎯 Full article: https://lnkd.in/eftUK7gj

    #EthicalHacking #GootLoader #Malware #Ransomware #CyberSecurity #InfoSec #ThreatIntelligence #WindowsSecurity
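The post above describes ZIPs glued together so that front-to-back parsers fail while Windows honours the trailing End of Central Directory. The following is an added example (not from the post or its author) of a triage check that mirrors that behaviour: it honours the last EOCD, then compares it against a front-to-back scan and reports the kinds of inconsistencies the post lists (extra EOCD records, truncated EOCD, odd disk numbers, more local headers than the EOCD admits). The in-memory test archives are constructed here for the demo.

```python
"""Spot concatenated or tampered ZIP archives like the GootLoader lure: several
ZIPs glued together so front-to-back parsers choke while Windows, which starts
from the End of Central Directory (EOCD) at the tail, extracts the last one."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # local file header
CEN_SIG = b"PK\x01\x02"     # central directory entry
EOCD_SIG = b"PK\x05\x06"    # end of central directory record


def find_all(data: bytes, sig: bytes) -> list[int]:
    """Offsets of every occurrence of a ZIP signature in the blob."""
    hits, pos = [], data.find(sig)
    while pos != -1:
        hits.append(pos)
        pos = data.find(sig, pos + 1)
    return hits


def analyse_zip(data: bytes) -> dict:
    """Honour the trailing EOCD the way a from-the-end reader does, then check it
    against a front-to-back scan; any disagreement is a tampering indicator."""
    eocds = find_all(data, EOCD_SIG)
    if not eocds:
        return {"valid_eocd": False, "entries": 0, "reasons": ["no EOCD record"]}
    eocd = eocds[-1]                       # the record Explorer will honour
    if eocd + 22 > len(data):              # fixed EOCD part is 22 bytes
        return {"valid_eocd": False, "entries": 0, "reasons": ["EOCD truncated"]}
    # EOCD: disk(2) cd_disk(2) entries_on_disk(2) entries_total(2) cd_size(4) cd_off(4) comment_len(2)
    disk, cd_disk, n_disk, n_total, cd_size, cd_off, _ = struct.unpack(
        "<HHHHIIH", data[eocd + 4:eocd + 22])
    reasons = []
    if len(eocds) > 1:
        reasons.append(f"{len(eocds)} EOCD records (concatenated archives)")
    if disk != 0 or cd_disk != 0:
        reasons.append("non-zero disk number fields")
    if n_disk != n_total:
        reasons.append("entry counts disagree")
    if cd_off + cd_size != eocd:
        reasons.append("central directory does not end at the EOCD")
    if data[cd_off:cd_off + 4] != CEN_SIG:
        reasons.append("central directory offset does not point at a CEN entry")
    local_hdrs = find_all(data, LOCAL_SIG)
    if len(local_hdrs) > n_total:
        reasons.append(f"{len(local_hdrs)} local headers but EOCD lists {n_total}")
    if local_hdrs and local_hdrs[0] != 0:
        reasons.append("data precedes the first local file header")
    return {"valid_eocd": True, "entries": n_total, "reasons": reasons}


def make_zip(name: str, payload: bytes) -> bytes:
    """Build a tiny single-file ZIP in memory (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    clean = make_zip("notes.txt", b"benign text")
    glued = make_zip("decoy.txt", b"decoy") + make_zip("document.js", b"// js")
    print("clean:", analyse_zip(clean)["reasons"])
    print("glued:", analyse_zip(glued)["reasons"])
```

Any non-empty `reasons` list is worth a closer look in mail-gateway or sandbox triage, since a well-formed archive produced by a normal tool passes every check.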

  • Steven T.

    Chartered Cyber Security Professional | SANS DMA Award Winner 2025 | Top 100 IT Leader for 2025 | Head of Cyber Alert Response & Threat Intelligence at Fortune 100 | GIAC x 5

    23,129 followers

    🧬 DLL Side-Loading: Still One of the Quietest Ways In

    It’s old, simple, and incredibly effective, DLL side-loading remains a favorite technique for malware operators and APTs. Why? Because it hijacks legitimate, signed binaries to execute malicious payloads, often without raising alarms.

    🧠 What Is DLL Side-Loading?
    Many trusted applications look for DLLs using relative paths. If a threat actor drops:
    • A known, signed EXE, and
    • A malicious DLL with the same name as one it expects,
    into the same folder… then runs the EXE, the app loads the attacker’s DLL, effectively executing malicious code under the guise of a trusted vendor binary.

    💡 It still works because:
    ✅ The EXE is signed and trusted
    ✅ Application controls often allow it
    ✅ EDR may not flag the DLL load path
    ✅ It bypasses user suspicion and signature-based detections
    ✅ It hides in plain sight, blending into “normal” software behavior

    🛑 Real-World Example: Rhadamanthys Infostealer
    A recent campaign (post-Lumma takedown) used DLL side-loading to deploy Rhadamanthys, a credential and data stealer. Attackers used legitimate software packages, paired with a malicious version.dll. When launched, the trusted binary loaded the DLL from the same directory, executing Rhadamanthys silently.

    📰 Read the full write-up by Forescout: https://lnkd.in/dapXwwV4

    🔍 How to Detect It:
    • Monitor signed EXEs in non-standard locations (Downloads, AppData, Desktop)
    • Alert on DLLs loaded from the same directory as the EXE
    • Investigate EXE + DLL pairs dropped close in time
    • Use Sysmon (Event ID 7) or ETW tracing to detect suspicious DLL loads
    • Hunt for known vendor binaries in user-controlled paths

    🔐 How to Defend:
    • Block DLL loads from user-writable paths
    • Use AppLocker or WDAC to control which binaries can load unsigned DLLs
    • Alert on unexpected parent-child relationships involving signed vendor apps
    • Maintain good asset and software inventory to flag outdated or abused binaries

    DLL side-loading isn’t flashy, but it’s quiet, flexible, and still effective in 2025. Rhadamanthys proves it’s far from dead.

    #DFIR #MalwareAnalysis #Rhadamanthys #DLLSideLoading #DigitalForensics #ThreatDetection #IncidentResponse #ApplicationControl #SecurityOperations #RedTeam #BlueTeam #Forescout #ClickFix

  • Maurice Fielenbach

    Information Security Researcher | Speaker | Training Cybersecurity Professionals to Stay Ahead of Real-World Threats

    10,125 followers

    If you see a process loading ntdll twice, you are almost certainly dealing with malware.

    One of the most common evasion tricks used by malware authors (and by red team tooling) is "unhooking". A typical approach is loading a fresh copy of the target DLL, often ntdll.dll, from disk and then using that clean copy to execute Windows API/syscall paths without hitting user-mode EDR hooks. The idea is simple. If the EDR placed hooks in the in-memory ntdll.dll, a clean copy can bypass those trampolines and avoid the hooked code paths.

    The catch is that this technique is so well known that many EDRs detect it anyway. And even without an EDR, the behavior itself is suspicious. In legitimate software it is extremely unusual to have two ntdll.dll modules mapped into the same process. It practically never happens in normal application workflows.

    The real problem is visibility. Many organizations without an EDR also don’t have Sysmon or a SIEM pipeline, so detections based on this behavior are rare outside of malware analysis or incident response work. If you do have Sysmon, there is a straightforward angle. Sysmon Event ID 7 can reveal module load activity, including a second ntdll.dll being mapped. The tradeoff is volume. Event ID 7 is often disabled because it can get noisy fast. The practical approach is selective logging. Enable ImageLoad with tight filtering, focused on high-signal modules like ntdll.dll and suspicious source locations, instead of collecting everything.

    #ThreatIntel #ThreatHunting #MalwareAnalysis #DFIR #IncidentResponse #CyberSecurity
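Both the DLL side-loading post and the unhooking post above point at Sysmon Event ID 7 (ImageLoad) as the place to look. The following is an added hunting example, not code from either author: it runs two rules over Event ID 7 records shipped as JSON lines (field names Image, ImageLoaded, Signed and ProcessGuid are Sysmon's own; the records themselves are constructed, and the exact JSON shape depends on your forwarder). Rule 1 flags a DLL loaded from the EXE's own directory when that EXE sits in a user-writable path and the DLL is unsigned; rule 2 flags ntdll.dll mapped twice into one process or mapped from outside the system directories.

```python
"""Hunt over Sysmon Event ID 7 (ImageLoad) records for two loader behaviours:
DLL side-loading (a DLL pulled from the same user-writable folder as the EXE)
and a second ntdll.dll mapped into one process (user-mode unhooking)."""
import json
from collections import defaultdict
from pathlib import PureWindowsPath

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed Sysmon Event ID 7 records in JSON-lines form (not real telemetry)
SAMPLE_EVENTS = r"""
{"EventID":7,"ProcessGuid":"{proc-A}","Image":"C:\\Users\\bob\\Downloads\\Setup.exe","ImageLoaded":"C:\\Windows\\System32\\ntdll.dll","Signed":"true"}
{"EventID":7,"ProcessGuid":"{proc-A}","Image":"C:\\Users\\bob\\Downloads\\Setup.exe","ImageLoaded":"C:\\Users\\bob\\Downloads\\version.dll","Signed":"false"}
{"EventID":7,"ProcessGuid":"{proc-B}","Image":"C:\\Windows\\System32\\notepad.exe","ImageLoaded":"C:\\Windows\\System32\\ntdll.dll","Signed":"true"}
{"EventID":7,"ProcessGuid":"{proc-B}","Image":"C:\\Windows\\System32\\notepad.exe","ImageLoaded":"C:\\Windows\\System32\\version.dll","Signed":"true"}
{"EventID":7,"ProcessGuid":"{proc-C}","Image":"C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe","ImageLoaded":"C:\\Windows\\System32\\ntdll.dll","Signed":"true"}
{"EventID":7,"ProcessGuid":"{proc-C}","Image":"C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe","ImageLoaded":"C:\\Users\\bob\\AppData\\Local\\Temp\\ntdll.dll","Signed":"false"}
{"EventID":1,"ProcessGuid":"{proc-C}","Image":"C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"}
"""

def load_events(text: str) -> list[dict]:
    """Parse JSON-lines Sysmon records, keeping only Event ID 7."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("EventID") == 7:
            events.append(rec)
    return events

def _dir_of(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()

def find_sideloads(events: list[dict]) -> list[dict]:
    """Rule 1: DLL loaded from the EXE's own directory, the EXE living in a
    user-writable location, and the DLL unsigned (Sysmon's Signed field)."""
    hits = []
    for e in events:
        exe, dll = e["Image"], e["ImageLoaded"]
        in_user_path = any(m in exe.lower() for m in USER_WRITABLE)
        if (_dir_of(exe) == _dir_of(dll) and in_user_path
                and e.get("Signed", "false").lower() != "true"):
            hits.append({"rule": "dll-sideload", "guid": e["ProcessGuid"],
                         "exe": exe, "dll": dll})
    return hits

def find_double_ntdll(events: list[dict]) -> list[dict]:
    """Rule 2: ntdll.dll mapped more than once into one process, or mapped
    from outside the system directories (a fresh copy loaded for unhooking)."""
    loads = defaultdict(list)
    for e in events:
        if PureWindowsPath(e["ImageLoaded"]).name.lower() == "ntdll.dll":
            loads[e["ProcessGuid"]].append(e["ImageLoaded"])
    hits = []
    for guid, paths in loads.items():
        odd = [p for p in paths if _dir_of(p) not in SYSTEM_DIRS]
        if len(paths) > 1 or odd:
            hits.append({"rule": "double-ntdll", "guid": guid, "paths": paths})
    return hits

if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    for finding in find_sideloads(events) + find_double_ntdll(events):
        print(finding)
```

Rule 2 is exactly the kind of tight ImageLoad filter the post recommends: with a Sysmon config that only records ntdll.dll loads and loads from user-writable paths, the volume stays small and the signal stays high.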

  • Mo'men Mahmoud

    Threat Detection & Response | Black Hat Trainer

    4,926 followers

    During recent memory forensics research I've been doing on evading memory scanners, I was researching how to bypass Volatility's Malfind plugin, and I developed a reflective PE loader for that.

    Malfind searches for memory regions where the VAD (Virtual Address Descriptor) shows both WRITE and EXECUTE permissions, since legitimate applications rarely allocate PAGE_EXECUTE_READWRITE memory. This makes W+X a strong indicator of shellcode injection. But since VADs store the initial allocation protection set by VirtualAlloc, when VirtualProtect changes page permissions, only the underlying page table entries (PTEs) permissions are modified, while the VAD's AllocationProtect field remains as originally set.

    To demonstrate this, I wrote a reflective loader that:
    1. Allocates memory with PAGE_READWRITE (VAD records: RW)
    2. Writes the PE image, resolves imports, applies relocations
    3. Calls VirtualProtect to set PAGE_EXECUTE_READ on the .text section

    The VAD still shows PAGE_READWRITE (no execute), so Malfind doesn't flag it. The code executes normally because the CPU uses the actual page permissions from the PTEs, not the VAD. This shows that in an investigation, relying on a single tool can lead to missed evidence and wrong conclusions.

    To detect this technique, dump private VAD regions (e.g., using Volatility's vadinfo plugin with --dump) and scan for PE headers (MZ/0x4D5A), which reveals injected code that Malfind misses. However, this approach requires filtering out legitimate PEs (e.g., Windows system DLLs), and this might take some time. In a follow-up post, I'll share a detection method I developed that reliably identifies reflectively loaded PEs regardless of VAD permissions.

    GitHub: https://lnkd.in/dUFiGp8z

    #DFIR #IncidentResponse #MalwareAnalysis #CyberSecurity #MemoryForensics #Volatility
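The detection the post ends with is to dump private VAD regions and scan them for PE headers. The following is an added example of that scan, not the author's code or tool: rather than matching the two bytes "MZ" (which occur by chance in ordinary data), it validates e_lfanew, the PE signature, the COFF machine and section count, and the optional-header magic before reporting a hit. The sample region is constructed inline; the `*.dmp` naming in `scan_dump_dir` is an assumption about how the dump files are named on disk.

```python
"""Scan dumped private memory regions (e.g. the files Volatility's vadinfo
--dump writes out) for PE images whose header survives in memory, validating
the MZ/PE structure rather than matching the two bytes "MZ" alone."""
import struct
from pathlib import Path

MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}

def parse_pe_at(data: bytes, off: int):
    """Return header facts if a structurally valid PE starts at `off`, else None.
    Bounds on e_lfanew and the section count keep stray 'MZ' bytes from matching."""
    if off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    if not 0x40 <= e_lfanew <= 0x1000 or pe + 26 > len(data):
        return None
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics; then optional magic
    machine, nsec, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    magic = struct.unpack_from("<H", data, pe + 24)[0]
    if machine not in MACHINES or not 1 <= nsec <= 96 or magic not in (0x10B, 0x20B):
        return None
    return {"offset": off, "machine": MACHINES[machine], "sections": nsec,
            "is_dll": bool(chars & 0x2000), "pe32plus": magic == 0x20B}

def scan_region(data: bytes) -> list[dict]:
    """Every validated PE header inside one dumped region."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        hdr = parse_pe_at(data, pos)
        if hdr:
            hits.append(hdr)
        pos = data.find(b"MZ", pos + 1)
    return hits

def scan_dump_dir(folder: str, pattern: str = "*.dmp") -> dict:
    """Run scan_region over every dump file in a folder (file naming assumed)."""
    results = {}
    for p in Path(folder).glob(pattern):
        hits = scan_region(p.read_bytes())
        if hits:
            results[p.name] = hits
    return results

def build_sample_region() -> bytes:
    """Constructed region: zero padding, a stray 'MZ' in text, then a minimal
    but structurally valid x64 PE header (no code) for the scanner to find."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A)               # 0x3C bytes of DOS header
    hdr += struct.pack("<I", 0x40)                      # e_lfanew -> 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x2022)
    hdr += struct.pack("<H", 0x20B)                     # PE32+ optional header magic
    return b"\0" * 0x200 + b"MZ is just text here" + b"\0" * 0x100 + bytes(hdr)

if __name__ == "__main__":
    for hit in scan_region(build_sample_region()):
        print(hit)
```

Hits still need the triage the post mentions (a known-good list of system DLLs by name or hash), since legitimately mapped images also carry MZ/PE headers in memory.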

  • Zach Edwards

    threat researcher | privacy & ad tech expert

    5,122 followers

    Our team at Silent Push have released a monster research piece today about a new malware strain we’re calling CountLoader which is apparently being used by an Initial Access Broker or ransomware affiliate who has connections to several of the most serious Russian ransomware gangs including LockBit, BlackBasta, and Qilin. The new malware has 3 unique versions coded in .NET, PowerShell, and JScript. This type of effort is typically only seen with threat actors who are building something long-term, aka, this could be a strain of malware seen in future Russian attacks against potentially a wide range of organizations who are part of their typical targeting. CountLoader was recently used in a PDF-based phishing lure targeting individuals in Ukraine, in a campaign that impersonated the Ukrainian police.   This malware was first written about by Kaspersky, who discovered a portion of the operation in 2025. However, they were only able to identify the PowerShell version, which at the time utilized a “DeepSeek” AI phishing lure to trick users into downloading and executing it. Our team identified indications of several additional unique campaigns utilizing various other lures and targeting methods, including a .NET version of CountLoader, which was named twitter1[.]exe. Our analysis has observed CountLoader dropping several malware agents, like CobaltStrike and AdaptixC2. Technical evidence obtained from within these samples allowed our team to make the connection between the agents dropped by CountLoader and the malware agents observed in several ransomware attacks. Based on this observation, we assess with medium-high confidence that CountLoader is being used either as part of the toolset of an IAB or by a ransomware affiliate with ties to the LockBit, BlackBasta, and Qilin ransomware groups. We also discovered that the loader’s primary code loop attempts a connection to many different C2s, retrying up to a million times. 
This iterative counting feature is primarily why we’ve called the threat CountLoader. For defenders trying to track this threat, we’ve provided a wide range of details and how to track the different versions of the malware.   Based on the diversity of the lures currently seen (Ukraine police phishing lure, a fake DeepSeek AI app, an executable referencing Twitter) it seems incredibly likely that there are other malicious versions or will be sometime soon. And with the connections to three of the most serious Russian ransomware gangs, the impacts from ignoring this threat could be substantial. Research link and some news coverage in the comments!  

  • Ícaro César

    Threat Intelligence | Threat Hunter | Malware Analyst

    4,216 followers

    🚨Analysis of APT Campaign against Telecom Industries with Infrastructure in Operation🚨

    Hello everyone, in this new post, I will analyze in depth a campaign identified by Seqrite, from an APT threat actor, China-Nexus, that targeted China Mobile Tietong with custom malware to load it via benign software (DLL Sideloading a Wondershare software), the largest telecommunications subsidiary in China. This campaign is an example of the use of offensive cybersecurity operations to serve state purposes.

    In this research, you will see:
    👾 Reverse Engineering of the VELETRIX Loader;
    🔐 Decryption and Reverse Engineering of its Shellcode;
    📥 Analysis and Implementation of the 2nd Stage Download, Decryption and Execution Routine, and its extraction for future analysis;
    🦈 Network Traffic Analysis;
    🐍 Development of an Automatic Extractor in Python for the 2nd Stage;
    🛡️ Hunt for other Samples containing the same pattern identified in the Reverse Engineering performed previously;
    👾 Identifying Code and Infrastructure Similarities between Samples.

    I hope you enjoy the post and that it is as fun to read as it was to write. The link to the survey is below, and the links to the Yara scripts and rules are within the survey. See you next time.

    🛡️Research Link-> https://lnkd.in/dtn28uSi

    #malware #veletrix #shellcode #telecom #threat #china #chinanexus #reverseengineering #threatintelligence #intell #soc #hunting #dfir #cybernetics #security #apt

  • Troy Bettencourt

    Cybersecurity Executive | Cybersecurity Services | Incident Response | Cyber Crisis Management

    4,477 followers

    X-Force Threat Intelligence has identified a new loader malware that we have dubbed QuirkyLoader. https://lnkd.in/e2xyZpKY

    Some key attributes:
    - Loader malware
    - Delivery via spam email archive attachments
    - Leverages DLL side-loading
    - Compiled using Ahead-Of-Time (AOT) compilation
    - Actively distributing well-known malware families like Agent Tesla, AsyncRAT and Remcos
    - Impacted countries observed to date: Taiwan and Mexico

    TL;dr: QuirkyLoader is a new loader malware that is actively distributing well-known malware families like Agent Tesla, AsyncRAT and Remcos. The threat actor initiates a multi-stage infection using malicious emails containing an archive file. By leveraging DLL side-loading, the malware executes its core DLL module, which is consistently written in .NET and compiled ahead-of-time to disguise its nature. This module then decrypts and injects the final payload, demonstrating a sophisticated method for delivering various malware threats.

    #xforce #xfti #threatintelligence #ibmsecurity #ConsultingatIBM

  • Sean O'Connor

    Cybersecurity Leader | Veteran | SANS Author and Instructor | CTI Senior Manager @ Equinix

    28,117 followers

    Zscaler ThreatLabz shows that Matanbuchus 3.0 — a revamped, subscription-based loader — is being distributed via fake Microsoft Teams calls (impersonating IT support) and then deploying side-loaded malware that runs entirely in memory, evades EDR, and delivers payloads like ransomware or remote-access tools. Blog: https://lnkd.in/ev3tJhbY #Zscaler #Matanbuchus #Malware #MaaS #Loader #CyberThreats #CTI #MicrosoftTeams #Ransomware #LoaderEvasion
