New .NET Multi-Stage Loader Targets Windows Systems to Deploy Malicious Payloads


A recently discovered .NET-based multi-stage loader has caught the attention of cybersecurity researchers due to its complex architecture and ability to deploy a range of malicious payloads on Windows systems.

Tracked since early 2022 by Threatray, this loader employs a sophisticated three-stage process to deliver commodity stealers, keyloggers, and Remote Access Trojans (RATs) such as AgentTesla, Formbook, Remcos, and 404Keylogger.

Relative frequency of families dropped by the loader over the observation period from March 2022 to February 2025.

The loader’s design, which embeds encrypted payloads across multiple stages, demonstrates a high level of obfuscation, making detection and analysis challenging for traditional security tools.


With over 20,000 samples identified over three years through code reuse clustering, this loader represents a persistent and evolving threat in the malware landscape.

Three-Stage Loading Mechanism Unveiled

The loader operates by first executing a .NET executable that contains encrypted data for the subsequent stages, often hidden within bitmap resources in newer variants, a technique also noted by Unit42 from Palo Alto Networks.

Loader stages.

The second stage, a .NET DLL, decrypts and loads the third stage into memory using XOR-based decryption, while the final stage deploys the malicious payload.
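As an added illustration of the bitmap-resource carrier and the XOR layer described above (this is example code written for this page, not code from Threatray, Unit42 or the loader itself), the Python below builds a constructed one-row BMP whose pixel array holds a fake PE skeleton under a repeating-key XOR, then shows the analyst-side recovery: pull the pixel bytes out of the BMP, derive the key from the zero-heavy PE header, and validate the result against the MZ/PE signatures. The three-byte key, the one-row 32-bpp layout and the repeating-key scheme are assumptions made for the demo; the article only states that the decryption is XOR-based and that the data sits in bitmap resources.

```python
"""Analyst-side helper: extract a BMP pixel array and strip a repeating-key XOR
layer by exploiting the many 0x00 bytes in a PE header (constructed demo)."""
import struct
from collections import Counter

# Constructed demo key; the real loader's key is not given on the page.
XOR_KEY = b"\x5a\xa7\x13"


def build_fake_stage3() -> bytes:
    """Constructed stand-in for a stage-3 PE: valid MZ/PE skeleton, no code."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)        # e_lfanew -> 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$"
    stub = stub.ljust(0x80 - len(dos), b"\x00")                  # pad up to the PE header
    nt = b"PE\x00\x00" + struct.pack("<H", 0x14C) + b"\x00" * 18  # PE signature + machine
    return dos + stub + nt


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (symmetric: encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wrap_in_bmp(payload: bytes) -> bytes:
    """Store raw bytes as the pixel array of a 32-bpp, one-row BMP (constructed carrier)."""
    pixels = payload.ljust((len(payload) + 3) // 4 * 4, b"\x00")   # 4 bytes per pixel
    width = len(pixels) // 4
    info = struct.pack("<IiiHHIIiiII", 40, width, 1, 1, 32, 0, len(pixels), 0, 0, 0, 0)
    file_hdr = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(pixels), 0, 0, 54)
    return file_hdr + info + pixels


def bmp_pixel_data(blob: bytes) -> bytes:
    """Return the pixel array of a BMP by honouring bfOffBits (offset 10)."""
    if blob[:2] != b"BM":
        raise ValueError("not a BMP")
    off = struct.unpack_from("<I", blob, 10)[0]
    return blob[off:]


def looks_like_pe(data: bytes) -> bool:
    """Cheap validation: MZ at 0, e_lfanew at 0x3C pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(ct: bytes, max_len: int = 16):
    """For each candidate key length, take the most common ciphertext byte at every
    key position (a zero-heavy PE header makes that byte the key byte itself),
    then keep the first key whose output validates as a PE."""
    for klen in range(1, max_len + 1):
        key = bytes(Counter(ct[i::klen]).most_common(1)[0][0] for i in range(klen))
        pt = xor_bytes(ct, key)
        if looks_like_pe(pt):
            return key, pt
    return None, None


if __name__ == "__main__":
    carrier = wrap_in_bmp(xor_bytes(build_fake_stage3(), XOR_KEY))
    key, stage3 = recover_xor_key(bmp_pixel_data(carrier))
    print("recovered key:", key.hex(), "valid PE:", looks_like_pe(stage3))
```

The frequency trick works because a PE header is dominated by zero bytes, so at each key position the ciphertext byte that appears most often is the key byte; the MZ/PE check is what turns a guess into a confirmed decryption. On a real sample the pixel array may carry row padding or a wrapper of its own, so treat the extracted buffer as a candidate and let the validation decide.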

Threatray’s analysis highlights the stability of the third stage’s code structure, enabling effective tracking via a custom YARA rule designed to detect its presence across malware feeds.

The payloads deployed predominantly include information stealers and RATs, with families like AgentTesla and Remcos appearing frequently between March 2022 and February 2025.

Interestingly, while the loader provides fresh samples and Indicators of Compromise (IOCs), it has limited value for early detection of new malware families: variants like XWorm and NovaStealer appeared in this loader long after their initial discovery, although VIPKeylogger was identified at the same time as it appeared in the wild.

Payload Distribution and Tracking Insights

Further deepening the intrigue, researchers noted that the loader's developers have embedded gaming-inspired function names (such as those referencing Fruit Ninja and Monster Hunter) in the second stage's deployment routines.

These unique identifiers could serve as additional IOCs for tracking purposes.

The loader’s ability to adapt, evidenced by the shift from hardcoded strings to bitmap resources for payload storage, underscores its maintainers’ efforts to evade static analysis and signature-based detection systems.

This adaptability, combined with the sheer volume of samples observed, points to a well-organized operation behind the loader, though attribution to a specific threat actor or family remains elusive.

The cybersecurity community is encouraged to share insights to better understand the origins and operators of this threat.

Below is a summarized table of key IOCs associated with the loader, detailing payload locations, initial sample hashes, extracted third-stage hashes, and the final payload families deployed.

Indicators of Compromise (IOC)

| Stage 1 Payload Location | Hash Initial Sample | Hash Stage 3 (Extracted) | Final Payload Family |
|---|---|---|---|
| Bitmap Resource | 2a3ef660bc5ddec834f1f6473e07d4a2581dd0139d6f84742a1c2e9b5fd4561b | 873eb1535c73bab017c8e351443519d576761c759884ea95e32d3ed26173fddc | RedLineStealer |
| Bitmap Resource | 609bc44c18519741abb62259b700403e05cc0fd57b972ef68ca6ae8194d27f2a | 052efeadeb1533936df0a1656b6f2f59f47ef10698274356e3231099f87427c4 | AgentTesla |
| Bitmap Resource | 6ced7485ee8e4bb2aa919984473fed8a6c9201b29dbd1930d41126521524483e | 063ca3294442e1194f637e02186e9682f3872c59e6247b8a8c759e9cba936669 | DarkCloudStealer |
| Bitmap Resource | 81ccf158093718305b3499d0f16d8a82bcad69f2740066daca8d5b5ca9979688 | d3987a5d9cb294e7cc7990c9a45b2a080dc99aa7b61fc4c9e437fc4659effda7 | Remcos |
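To put the table to use on the defender's side, the following added example (written for this page, not Threatray's own tooling or YARA rule) loads the eight SHA-256 values exactly as listed, hashes every file under a directory to flag matches with their role (initial sample versus extracted stage 3) and family, and emits a YARA rule built on the `hash` module so the same IOC set can be pushed to a scanner. The rule name and the constructed scratch file in the demo are assumptions; the hashes are the article's.

```python
"""Match files against the loader IOC table and export it as a YARA hash rule."""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 values copied from the article's IOC table, keyed to their role and family.
IOCS = {
    "2a3ef660bc5ddec834f1f6473e07d4a2581dd0139d6f84742a1c2e9b5fd4561b": ("initial sample", "RedLineStealer"),
    "873eb1535c73bab017c8e351443519d576761c759884ea95e32d3ed26173fddc": ("stage 3 (extracted)", "RedLineStealer"),
    "609bc44c18519741abb62259b700403e05cc0fd57b972ef68ca6ae8194d27f2a": ("initial sample", "AgentTesla"),
    "052efeadeb1533936df0a1656b6f2f59f47ef10698274356e3231099f87427c4": ("stage 3 (extracted)", "AgentTesla"),
    "6ced7485ee8e4bb2aa919984473fed8a6c9201b29dbd1930d41126521524483e": ("initial sample", "DarkCloudStealer"),
    "063ca3294442e1194f637e02186e9682f3872c59e6247b8a8c759e9cba936669": ("stage 3 (extracted)", "DarkCloudStealer"),
    "81ccf158093718305b3499d0f16d8a82bcad69f2740066daca8d5b5ca9979688": ("initial sample", "Remcos"),
    "d3987a5d9cb294e7cc7990c9a45b2a080dc99aa7b61fc4c9e437fc4659effda7": ("stage 3 (extracted)", "Remcos"),
}


def classify(sha256_hex: str):
    """Return (role, family) for a known IOC hash, else None."""
    return IOCS.get(sha256_hex.strip().lower())


def sha256_file(path, chunk: int = 1 << 20) -> str:
    """Stream-hash a file so large samples do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root):
    """Hash every regular file under root; return [(path, sha256, role, family)] hits."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            digest = sha256_file(p)
            info = classify(digest)
            if info:
                hits.append((str(p), digest, *info))
    return hits


def yara_hash_rule(name: str = "dotnet_multistage_loader_iocs") -> str:
    """Emit a YARA rule (hash module) matching any file whose SHA-256 is in IOCS.
    The rule name is an assumption made here, not the article's."""
    conds = " or\n        ".join(f'hash.sha256(0, filesize) == "{h}"' for h in sorted(IOCS))
    return (
        'import "hash"\n\n'
        f"rule {name}\n{{\n"
        "    meta:\n"
        '        source = "IOC table, Threatray .NET loader write-up"\n'
        "    condition:\n"
        f"        {conds}\n"
        "}\n"
    )


def demo_scan():
    """Scan a scratch directory holding one constructed, benign file (expect no hits)."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "constructed_benign.bin").write_bytes(b"not a loader sample\n")
        return scan_tree(d)


if __name__ == "__main__":
    print(yara_hash_rule())
    print("hits in scratch dir:", demo_scan())
```

Hash-only matching catches exactly these eight files and nothing else, which is why the article pairs the IOCs with a structural YARA rule on the stable stage-3 code; use the hash rule for quick retro-hunts over feeds and storage, not as the primary detection.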
