A sophisticated .NET-based multi-stage loader, active since at least early 2022, has become a workhorse of commodity malware distribution on Windows systems worldwide.
Security researchers have tracked its evolution, revealing an intricate delivery mechanism that deploys commodity stealers, remote access trojans (RATs), and keyloggers, including AgentTesla, Formbook, Remcos, and 404Keylogger, through a resilient, modular loader structure.
The loader executes a three-stage process designed to maximize evasiveness and allow flexible payload deployment.
The first stage is a .NET executable, which harbors the subsequent loader stages within itself in an encrypted format.
While prior versions stored the second stage as hardcoded data, contemporary versions embed it inside bitmap resources, which complicates static analysis because the encrypted stage no longer stands out as an opaque blob.
This stage decrypts the embedded data and executes it in memory, triggering the second stage.
The second stage, implemented as a .NET DLL, is parameterized for flexibility, using three arguments to decrypt and extract resources.
Typically, one parameter references the resource name (encoded as an integer and mapped to a string), another supplies the XOR decryption key, and the third identifies the module name.
The decrypted payload, retrieved from a bitmap resource and XOR-ed in memory, becomes the third stage; it too is loaded and run directly from memory without ever touching disk, which sidesteps file-based scanning.
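The second-stage recovery described above can be reproduced offline once the bitmap resource has been pulled out of the stage-1 assembly (with a .NET metadata parser such as dnSpy or dnfile). The script below is an added example, not the loader's own code, and it assumes a layout the article does not spell out: a 32-bpp BMP whose pixel data holds a 4-byte little-endian payload length followed by the payload XOR-ed with a short repeating key. It also shows the check an analyst wants before declaring victory: the XOR key is recovered by a known-plaintext attack against the stock MS-DOS header every linker-produced PE starts with, and the result is confirmed to be a managed assembly (a CLR runtime header in data directory 14), which is what the third stage must be if it is handed to Assembly.Load. The sample PE, the carrier bitmap and the key are all constructed here for illustration.

```python
"""Recover a XOR-encrypted .NET PE hidden in a bitmap resource (added example)."""
import struct
from typing import Optional

# Stock MS-DOS header bytes 0x00-0x3B, identical across linker-produced PEs and
# therefore usable as known plaintext. e_lfanew (offset 0x3C) varies, so it is
# deliberately excluded from the known prefix.
KNOWN_DOS_HEADER = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"
    "b8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "000000000000000000000000"
)
# Standard DOS stub ("This program cannot be run in DOS mode.") at 0x40-0x7F.
DOS_STUB = bytes.fromhex(
    "0e1fba0e00b409cd21b8014ccd215468"
    "69732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f5320"
    "6d6f64652e0d0d0a2400000000000000"
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation the loader applies in memory."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_dotnet_pe() -> bytes:
    """Constructed stand-in for a stage-3 DLL: a minimal, non-runnable PE32 whose
    optional header declares a CLR runtime header. Not a real payload."""
    dos = KNOWN_DOS_HEADER + struct.pack("<I", 0x80) + DOS_STUB  # e_lfanew = 0x80
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # i386 DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)    # COM descriptor dir
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + b"\0" * 64


def build_bitmap_carrier(payload: bytes, key: bytes) -> bytes:
    """Pack len(payload) || XOR(payload, key) into the pixel data of a 32-bpp BMP.
    This length-prefix layout is an assumption of the example."""
    body = struct.pack("<I", len(payload)) + xor_bytes(payload, key)
    width, row_bytes = 64, 64 * 4            # 32 bpp: no row padding needed
    height = -(-len(body) // row_bytes)      # ceiling division
    pixels = body.ljust(height * row_bytes, b"\0")
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 32, 0, len(pixels), 0, 0, 0, 0)
    file_hdr = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(pixels), 0, 0, 14 + 40)
    return file_hdr + info + pixels


def bmp_pixel_data(bmp: bytes) -> bytes:
    """Return the raw pixel array of a 32-bpp BMP using the header's own offsets."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    off_bits = struct.unpack_from("<I", bmp, 10)[0]
    width, height, _planes, bpp = struct.unpack_from("<iiHH", bmp, 18)
    if bpp != 32:
        raise ValueError("example assumes 32-bpp pixel data")
    return bmp[off_bits:off_bits + width * abs(height) * 4]


def recover_xor_key(ciphertext: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Known-plaintext attack: ct[i] ^ KNOWN_DOS_HEADER[i] yields key[i % L].
    Accept the smallest L that is consistent over the whole known prefix and
    whose decryption places 'PE\\0\\0' at e_lfanew."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, KNOWN_DOS_HEADER))
    if len(stream) < len(KNOWN_DOS_HEADER):
        return None
    for key_len in range(1, max_key_len + 1):
        key = stream[:key_len]
        if any(stream[i] != key[i % key_len] for i in range(len(stream))):
            continue
        plain = xor_bytes(ciphertext, key)
        e_lfanew = struct.unpack_from("<I", plain, 0x3C)[0]
        if plain[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return key
    return None


def is_dotnet_pe(data: bytes) -> bool:
    """True if the image has a non-empty CLR runtime header (data directory 14),
    i.e. it is a managed assembly that Assembly.Load could consume."""
    try:
        if data[:2] != b"MZ":
            return False
        pe = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe:pe + 4] != b"PE\0\0":
            return False
        opt = pe + 4 + 20                                  # skip IMAGE_FILE_HEADER
        magic = struct.unpack_from("<H", data, opt)[0]
        layout = {0x10B: (92, 96), 0x20B: (108, 112)}      # PE32 / PE32+ offsets
        if magic not in layout:
            return False
        count_off, dir_off = layout[magic]
        if struct.unpack_from("<I", data, opt + count_off)[0] < 15:
            return False
        rva, size = struct.unpack_from("<II", data, opt + dir_off + 14 * 8)
        return rva != 0 and size != 0
    except struct.error:
        return False


def extract_stage3(bmp: bytes) -> Optional[bytes]:
    """Full pipeline: pixel data -> length prefix -> key recovery -> plaintext."""
    pixels = bmp_pixel_data(bmp)
    length = struct.unpack_from("<I", pixels, 0)[0]
    ciphertext = pixels[4:4 + length]
    key = recover_xor_key(ciphertext)
    return None if key is None else xor_bytes(ciphertext, key)


if __name__ == "__main__":
    sample = build_sample_dotnet_pe()
    carrier = build_bitmap_carrier(sample, b"\x5a\x13\xc7")   # constructed key
    recovered = extract_stage3(carrier)
    print("recovered intact:", recovered == sample, "| managed PE:", is_dotnet_pe(recovered))
```

The known-plaintext step only works while the payload keeps a stock DOS header and the key is no longer than the 60-byte known prefix; a sample whose DOS stub has been rewritten would need the shorter "MZ" anchor plus the `PE\0\0` check alone, and a key longer than the prefix would need the XOR key taken from the second-stage invocation arguments instead.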
The third stage serves as the deployment engine for the final, malicious payload.
Researchers identified a recurring code pattern responsible for in-memory execution of these payloads.
By clustering and analyzing over 20,000 samples, experts pinpointed the specific .NET assembly-loading and invocation functions the loader reuses, which allows robust code-reuse tracking and the development of YARA signatures for this loader's third stage.
Stealers, RATs, Keyloggers Targeting Enterprises
Payload telemetry across the tracked period reveals that this loader is heavily used to distribute a variety of information stealers, keyloggers, and RATs.
Notably, the loader is rarely the first vector to distribute new malware families such as XWorm and NovaStealer; its value to defenders lies instead in providing a steady supply of fresh samples and indicators of compromise (IOCs) for already-known threats.
In rare cases, as with VIPKeylogger, the loader served as an early vector for new malware.
A unique characteristic of this loader is the creative naming of its second-stage functions: references to popular video games such as "Fruit Ninja" and "Monster Hunter" serve as additional IOCs, hinting at either the developers' inspiration or an attempt to hinder automated analysis.
Given the loader’s stage-by-stage decryption approach and memory-centric payload execution, endpoint detection solutions face significant challenges.
The loader’s ability to constantly update its initial two stages, while maintaining high similarity in the third, further complicates efforts at attribution or static signature detection.
Security researchers have published comprehensive YARA rules and function-level code signatures to assist the defense community in identifying and mitigating this loader.
Organizations are urged to maintain up-to-date threat intelligence feeds and incorporate behavioral detection models to counteract such modular threats.
Indicators of Compromise (IOC)
Location of Embedded Payload in Stage 1 | SHA-256 of Stage 1 (Initial Sample) | SHA-256 of Stage 3 (Extracted from Memory) | Final Payload Family |
---|---|---|---|
Bitmap Resource | 2a3ef660bc5ddec834f1f6473e07d4a2581dd0139d6f84742a1c2e9b5fd4561b | 873eb1535c73bab017c8e351443519d576761c759884ea95e32d3ed26173fddc | RedLineStealer |
Bitmap Resource | 609bc44c18519741abb62259b700403e05cc0fd57b972ef68ca6ae8194d27f2a | 052efeadeb1533936df0a1656b6f2f59f47ef10698274356e3231099f87427c4 | AgentTesla |
Bitmap Resource | 6ced7485ee8e4bb2aa919984473fed8a6c9201b29dbd1930d41126521524483e | 063ca3294442e1194f637e02186e9682f3872c59e6247b8a8c759e9cba936669 | DarkCloudStealer |
Bitmap Resource | 81ccf158093718305b3499d0f16d8a82bcad69f2740066daca8d5b5ca9979688 | d3987a5d9cb294e7cc7990c9a45b2a080dc99aa7b61fc4c9e437fc4659effda7 | Remcos |
Hardcoded Data | d81a0fe47c7cc9fdba1c13c2aa4f0372579f4c9ac51e16b7384da4b19c7c26a0 | 7532336b3fb752a7fa95aa1da5ddc527600d0cbba1aa2d77b46052439a32e619 | Remcos |
Bitmap Resource | 51c95e12d8dcab7607fd6d5a2bbd4d524ebf7797e6857d6ec25f257c67d9b465 | 685478424a00d7690aad5768bf08e9a61f335dae5706eebf23e612b6d2cacdf8 | Remcos |
Bitmap Resource | 26a36920e7a463398a4251828ec02fd965ad1d782f819b0c04904706efb083be | f6ae4366b5e0ae5e46c9c1ec6045cdfec80fed0e3292f3275a74f81800109d42 | Remcos |
Bitmap Resource | 8b25b0ed0e18bb24684d10bb3afccf6e6290c95e89a79733914117e2c7b46b09 | 67834ed25fdfb709729e96fe948b4ada4a306e7aabb74f0e88e026fcf8b5a7af | VIPKeylogger |
Bitmap Resource | 98a11f5e0943f5a8e0475b4c7d87b5f67a1d39f7c44e564d86df4ebd687686f8 | 55dcc1f79972364f36ff76259502e5736c803fed67be7e586f51805a2471d7a8 | Formbook |
Bitmap Resource | 342a6c5178eacedd99cd66da3bd81e767d0aa311441ad2089b087def3f5cb088 | 8ff3c42d9d0af296c0b6406bc8ac4253c938396c2fc5a33c7b8c8f47212eee8d | VIPKeylogger |
Hardcoded Data | 5631b2c6aa5495d9756f92501442b809e0f004d9fe2c1d423ef8906ca912c69b | d6e90b0ada45774227c6e3b6b1d14303188312b1e7dbf0b2a09f909fdf41dac9 | 404Keylogger |