Tag: downloader

23 Attack Reports | 0 Vulnerabilities

Attack reports

Proxyware Malware Being Distributed on YouTube Video Download Site

A malicious campaign is targeting users through fake YouTube video download sites, distributing Proxyware malware. The attack involves a downloader disguised as WinMemoryCleaner, which installs NodeJS and runs malicious JavaScript. This script then installs various Proxyware programs, including Dig…
malware
javascript
youtube
downloader
c&c
digitalpulse
proxyware
task scheduler
nodejs
2025-08-22
honeygain
bandwidth
infatica
Published: August 22, 2025
Downloadable IOCs: 0

Tracking Updates to Raspberry Robin

Raspberry Robin, an advanced malware downloader active since 2021, has undergone significant updates. The malware now employs improved obfuscation methods, including multiple initialization loops and obfuscated stack pointers, making analysis more challenging. It has switched from AES-CTR to ChaCha…
obfuscation
evasion
privilege-escalation
encryption
downloader
CVE-2024-38196
tor
raspberry robin
roshtyak
2025-08-07
usb-spread
Published: August 7, 2025
Linked vulnerabilities : CVE-2024-38196 (CVSS 7.8)
Downloadable IOCs: 121

Raspberry Robin: Latest Updates and Improvements

Raspberry Robin, a malicious downloader active since 2021, has undergone significant updates. It now employs improved obfuscation methods, including multiple initialization loops and flattened control flow, making brute-force decryption less effective. The network encryption algorithm has shifted f…
obfuscation
privilege-escalation
usb
encryption
downloader
CVE-2024-38196
tor
raspberry robin
2025-08-05
roshtyak
Published: August 5, 2025
Linked vulnerabilities : CVE-2024-38196 (CVSS 7.8)
Downloadable IOCs: 121

MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities

A Malware-as-a-Service operation utilizing Amadey for payload delivery has been identified, with connections to a SmokeLoader phishing campaign targeting Ukrainian entities. The operation exploits fake GitHub accounts to host payloads and tools, bypassing web filtering. Emmenhtal, a multistage down…
obfuscation
phishing
rhadamanthys
ukraine
amadey
asyncrat
redline
smokeloader
downloader
github
lumma
maas
emmenhtal
2025-07-17
Published: July 17, 2025
Downloadable IOCs: 4

Likely Belarus-Nexus Threat Actor Delivers Downloader to Poland

A malicious CHM file targeting Poland was discovered, containing an infection chain that drops and executes a C++ downloader. The CHM file displays a decoy image while executing obfuscated JavaScript to extract and run a DLL. The downloader retrieves a payload from a domain associated with previous…
steganography
downloader
2025-07-14
scheduled-task
Published: July 14, 2025
Downloadable IOCs: 9

Be Careful With Fake Zoom Client Downloads

A deceptive email containing a fake Zoom meeting invitation has been identified. Clicking the 'join' button leads to a website prompting users to install a purported Zoom client update. The downloaded executable, 'Session.ClientSetup.exe', is actually malware that installs an MSI package. This pack…
screenconnect
phishing
downloader
fake update
remote access tool
zoom
2025-06-05
Published: June 5, 2025
Downloadable IOCs: 2

Technical Analysis of TransferLoader

TransferLoader is a newly identified malware loader active since February 2025. It comprises multiple components including a downloader, backdoor, and specialized loader. The malware employs various anti-analysis techniques and code obfuscation to hinder reverse engineering. TransferLoader has been…
backdoor
obfuscation
ransomware
anti-analysis
c2
downloader
morpheus
2025-05-15
ipfs
transferloader
Published: May 15, 2025
Downloadable IOCs: 7

Malicious HWP Document Disguised as Reunification Education Support Application

A deceptive HWP document, masquerading as a reunification education support application, was discovered on March 5. The document, when opened, creates multiple files in the TEMP folder, including a malicious BAT file. This BAT file executes various actions to ensure persistent malware operation, in…
dropper
downloader
hwp
2025-04-17
Published: April 17, 2025
Downloadable IOCs: 3

BeaverTail and Tropidoor Malware Distributed via Recruitment Emails

A sophisticated malware campaign has been uncovered, involving the distribution of BeaverTail and Tropidoor malware through fake recruitment emails. The attackers, suspected to be of North Korean origin, impersonated a developer community to lure victims into downloading malicious code. The campaig…
backdoor
phishing
north korea
infostealer
cryptocurrency
downloader
beavertail
recruitment
invisibleferret
2025-04-03
lightlesscan
tropidoor
Published: April 3, 2025
Downloadable IOCs: 6

TookPS distributed under the guise of UltraViewer, AutoCAD, and Ableton

A malware campaign is distributing the TookPS downloader by impersonating popular software like UltraViewer, AutoCAD, SketchUp, Ableton, and Quicken. The malware establishes an SSH tunnel for remote access and deploys additional payloads like TeviRat and Lapmon backdoors. The attackers gain full sy…
backdoor
remote access
downloader
2025-04-03
tookps
lapmon
ssh tunnel
tevirat
software impersonation
Published: April 3, 2025
Downloadable IOCs: 17

LegionLoader exposed!

LegionLoader, also known as Satacom, CurlyGate, and RobotDropper, is an active downloader malware that has gained significant traction recently, amassing over 2,000 samples in weeks. The campaign appears to have started on December 19, 2024, with Brazil being the most affected country. The malware …
brazil
downloader
drive-by download
anti-sandbox
msi
multi-stage
legionloader
robotdropper
2025-02-10
satacom
dll injection
curlygate
Published: February 10, 2025
Downloadable IOCs: 108

Phorpiex - Downloader Delivering Ransomware

The report analyzes the Phorpiex botnet's role in delivering LockBit Black Ransomware. It highlights the automated execution of ransomware through Phorpiex, minimal changes to the botnet's code since its source code sale in 2021, and direct deployment of LockBit without network expansion. The analy…
phishing
ransomware
lockbit
botnet
phorpiex
downloader
gandcrab
2025-01-29
twizt
Published: January 29, 2025
Downloadable IOCs: 14

Proxyware Being Distributed Through Ad Pages

Security researchers have confirmed the unauthorized installation of proxyware on systems through advertisement pages from freeware software sites. The proxyware, identified as DigitalPulse, allows threat actors to share a portion of the system's Internet bandwidth for financial gain without user c…
powershell
lummac2
javascript
adware
downloader
2025-01-21
digitalpulse
proxyware
autoclicker
Published: January 21, 2025
Downloadable IOCs: 3

A new playground: Malicious campaigns proliferate from VSCode to npm

This intelligence details the emergence of malicious campaigns spreading from VSCode to npm. Researchers observed an increasing amount of malicious activity in VSCode Marketplace, with threat actors using npm packages to inject malicious code into VSCode IDE. The campaign initially targeted the cry…
obfuscation
npm
downloader
crypto
software supply chain
2024-12-19
zoom
malicious extensions
vscode
Published: December 19, 2024
Downloadable IOCs: 2

Attacks by APT-C-60 Group Exploiting Legitimate Services

The APT-C-60 group targeted organizations in Japan and East Asia with a sophisticated attack campaign. The attack begins with a phishing email containing a Google Drive link to download a VHDX file. This file includes an LNK file that executes a downloader, which then retrieves a backdoor called Sp…
phishing
lnk
downloader
com hijacking
bitbucket
2024-11-27
statcounter
east asia
vhdx
spygrace
Published: November 27, 2024
Downloadable IOCs: 0

Hive0147 serving juicy Picanha with a side of Mekotio

IBM X-Force observed Hive0147, a highly active threat group in Latin America, distributing a new Golang-based downloader named Picanha to deploy the Mekotio banking trojan. Picanha is a two-stage malware that uses advanced techniques like direct syscalls and supports multiple download URLs, reliabl…
malware
trojan
banking
downloader
mekotio
2024-10-17
banker.fn
picanha
Published: October 17, 2024
Downloadable IOCs: 20

There's Something About CryptBot: Yet Another Silly Stealer

This report provides an in-depth technical analysis of a new variant of the CryptBot infostealer, dubbed Yet Another Silly Stealer (YASS). It details the delivery chain, involving the MustardSandwich downloader, and dissects the YASS payload's functionalities, including its data gathering, encrypti…
malware
infostealer
cryptbot
stealer
exfiltration
netsupport
downloader
2024-09-11
yass
mustardsandwich
Published: September 11, 2024
Downloadable IOCs: 13

Zharkbot Strings

Zharkbot is a C++ downloader with extensive anti-analysis and anti-sandbox features. It uses in-line string encryption and API calls, making static and emulation analysis challenging. The malware performs sandbox detection by checking for specific usernames and hypervisors. It installs itself in th…
persistence
anti-analysis
amadey
downloader
2024-09-03
anti-sandbox
string encryption
c2 communication
zharkbot
Published: September 3, 2024
Downloadable IOCs: 2

Threat Tracking: Analysis of Lilith RAT ported to AutoIt Script

In April 2024, S2W's Threat Research and Intelligence Center TALON analyzed a malicious LNK file disguised as a list of tax evasion explanatory documents. The LNK file executed a PowerShell command to download and run an AutoIt script-based Lilith RAT malware from an attacker's server, which establ…
obfuscation
rat
autoit
downloader
2024-08-23
lilith
konni
lilith rat
Published: August 23, 2024
Downloadable IOCs: 33

Double Trouble: Latrodectus And ACR Stealer Observed Spreading Via Google Authenticator Phishing Site

The Cyble Research and Intelligence Lab (CRIL) discovered a sophisticated phishing website mimicking Google Safety Centre, designed to trick users into downloading malware. The malware, compromising security and stealing sensitive information, drops two threats: Latrodectus, which maintains persist…
malware
phishing
stealer
latrodectus
downloader
cybersecurity
acr stealer
2024-08-20
Published: August 20, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2017-11882, CVE-2024-21412, CVE-2024-21893
Downloadable IOCs: 15

Fake update puts visitors at risk

This intelligence report discusses SocGholish, a JavaScript downloader used by threat actors to deliver malware payloads disguised as fake browser updates. It analyzes the recent tactics, techniques, and procedures employed by threat groups like Evil Corp in compromising WordPress websites, fingerp…
malware
cobalt strike
zloader
lumma stealer
socgholish
wordpress
downloader
redline stealer
2024-07-24
netsupport rat
egregor
ryuk
fake update
badspace
Published: July 24, 2024
Downloadable IOCs: 10

SmokeLoader Evolution Through The Years

This report provides an in-depth analysis of the evolution of SmokeLoader, a prominent malware downloader that has been active since 2011. It examines the significant changes and improvements introduced in SmokeLoader versions from 2015 to 2022, including updates to its communication protocol, encr…
smokeloader
downloader
2024-07-03
Published: July 3, 2024
Downloadable IOCs: 11

DBatLoader Distributed via CMD Files

A cybersecurity analysis has identified a malicious operation involving the distribution of a downloader, dubbed DBatLoader or ModiLoader, through CMD files disguised as innocuous files. The campaign leverages phishing emails containing compressed CMD files that, when executed on English-language W…
stealthy
obfuscation
phishing
2024-06-27
downloader
dbatloader
modiloader
Published: June 27, 2024
Downloadable IOCs: 0
Click here to see more Attack Reports