Tag: loader

BabbleLoader is a highly evasive malware loader designed to bypass antivirus and sandbox environments to deliver stealers into memory. It employs sophisticated techniques such as junk code insertion, metamorphic transformations, dynamic API resolution, and anti-sandboxing measures. The loader's fea…

FakeBat, a loader previously known as Eugenloader and PaykLoader, has resurfaced after a three-month absence. The malware was distributed through a malicious Google ad impersonating the productivity application Notion. The attack chain involves a tracking template, cloaking domain, and a decoy site…

Security researchers have detected new attacks involving the Bumblebee malware loader, just four months after Europol disrupted its operations in Operation Endgame. The malware has resurfaced with updated tactics, using MSI files disguised as legitimate software installers to deliver its payload di…

A new infection chain for the Bumblebee loader malware has been discovered, potentially indicating its resurgence after Operation Endgame. The sophisticated downloader, first identified in March 2022, is used by cybercriminals to access corporate networks and deliver payloads like Cobalt Strike bea…

A report by HarfangLab EDR and MITRE ATT&CK on the threat posed by the Lumma Stealer malware, published on 11 October, 2024, outlines the tactics used to deploy the malware.

BI.ZONE Threat Intelligence continues monitoring a threat actor called Core Werewolf, which has targeted Russia's defense industry and critical infrastructure since 2021. In its recent campaigns, the adversary employed a new loader written in AutoIt and started delivering malicious files via Telegr…

Core Werewolf, a threat actor targeting Russia's defense industry and critical infrastructure since 2021, has evolved its tactics. The group now employs a new loader written in AutoIt and has expanded its delivery methods to include Telegram alongside email. Their campaign involves RAR archives con…

Recent research reveals adversaries increasingly using the Havoc post-exploitation framework to bypass cybersecurity systems. Two campaigns utilizing this framework were analyzed. The first campaign involved phishing emails with malicious archives containing ISO files and LNK files, which downloade…

This report delves into the technical aspects of the NOOPDOOR and NOOPLDR malwares employed by the APT10 threat actor in the Cuckoo Spear campaign. The analysis reveals how these tools operate and the potential risks they pose, helping cybersecurity professionals better understand and defend agains…

Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…

This report analyzes the D3F@ck Loader, a malware-as-a-service (MaaS) offering orchestrated by an individual going by the alias Sergei Panteleevich. The loader utilizes various evasion techniques, including the use of Extended Validation certificates, Inno Setup installers with custom Pascal script…

In July 2024, eSentire's Threat Response Unit observed a phishing attack leading to a 0bj3ctivity Stealer malware infection. The attack involved a malicious JavaScript file that retrieved and executed Ande Loader and the 0bj3ctivity Stealer. Ande Loader created persistence, downloaded additional pa…

Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…

This blog post provides an in-depth technical analysis of a newly discovered malware loader called DodgeBox, which is attributed to the China-based advanced persistent threat (APT) actor APT41. DodgeBox incorporates various evasion techniques such as call stack spoofing, DLL sideloading, DLL hollow…

During the first semester of 2024, FakeBat (aka EugenLoader, PaykLoader) was one of the most widespread loaders using the drive-by download technique. Researchers uncovered multiple FakeBat distribution campaigns leveraging malvertising, software impersonation, fake web browser updates, and social …

The report analyzes a campaign where threat actors distribute various malware strains like RATs, coinminers, and loaders disguised as cracked versions of popular software. South Korean systems are heavily targeted, with malware persisting via scheduled tasks and evading security products. Detailed …

In March 2024, eSentire's Threat Response Unit (TRU) discovered multiple instances of D3F@ck Loader infections being propagated via Google Ads. This new loader, which debuted on hacking forums in January 2024 (Figure 1), can allegedly bypass several key security features such as Google Chrome, Edge…

LATRODECTUS is a malware loader gaining popularity among cybercriminals, with strong connections to the ICEDID malware family. It offers standard capabilities for deploying payloads and conducting post-exploitation activities. Initially discovered by Walmart researchers in 2023, it continues evolvi…

This report details the analysis of a malspam campaign utilizing the Matanbuchus loader, which involved decrypting strings within the malware through emulation techniques. The investigation pivoted to uncover a Russian bulletproof hosting service, Proton66 OOO, that currently hosts various maliciou…