New Loader Malware Dubbed ‘QuirkyLoader’ Delivering Infostealers and RATs


A new malware loader tracked as QuirkyLoader has been distributing well-known infostealers and remote access trojans (RATs) since November 2024.

Payloads observed so far include Agent Tesla, AsyncRAT, FormBook, MassLogger, Remcos, Rhadamanthys and Snake Keylogger, which makes the loader a general-purpose delivery mechanism rather than a component tied to a single malware family.

QuirkyLoader initiates its multi-stage infection through carefully crafted spam emails containing malicious archive attachments.


Each archive bundles three components: a legitimate, benign executable; the encrypted malicious payload, stored under a .dll file name; and the malicious DLL loader module that the executable will load.

The operators send their campaigns both through legitimate email service providers and from self-hosted mail servers, so that no single provider takedown interrupts distribution.

Sample email (Source – IBM)

IBM analysts describe the attack chain as DLL side-loading: the legitimate executable looks for a DLL by name in its own directory, and the attackers place a malicious DLL of that name next to it, so the malicious code runs inside a process that looks like a trusted program.

When the victim launches the executable, it loads the malicious DLL, which decrypts the payload file and injects it into a target process by process hollowing, so the decrypted payload exists only in memory.

Advanced Evasion Through AOT Compilation

QuirkyLoader’s most distinctive technical trait is the consistent use of Ahead-of-Time (AOT) compilation for its DLL loader modules.

Infection chain (Source – IBM)

The loader modules are written in C# but built with .NET AOT compilation: the C# source is compiled to Microsoft Intermediate Language (MSIL) as usual, and the MSIL is then compiled ahead of time to native machine code instead of being JIT-compiled on the victim's machine.

The resulting binary does not depend on an installed .NET runtime and carries no loadable IL or managed metadata, so .NET decompilers cannot open it and it looks, to both analysts and signature-based tooling, like a program written in C or C++.

For payload decryption the loader uses the uncommon Speck-128 block cipher in counter (CTR) mode. Speck is an Add-Rotate-XOR (ARX) design: every round consists only of modular addition, bit rotation and XOR, with no S-box or constant tables for crypto-detection signatures to key on, and in CTR mode the cipher encrypts successive counter blocks to produce a keystream that is XORed with the encrypted payload.
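To make the cipher choice concrete, here is Speck128/128 in CTR mode as an analyst would reimplement it to decrypt a recovered payload. This is an added example, not QuirkyLoader's code: the block cipher follows the published Speck specification and is checked against its published test vector, but the counter-block layout (8-byte nonce followed by an 8-byte little-endian counter), the sample key and nonce, and the fake PE payload are assumptions, and the real loader's key, nonce and counter format are not described in the article.

```python
"""Speck128/128 in CTR mode, plus a known-plaintext check for candidate keys.

Added example, not QuirkyLoader's code. CTR block layout and sample key/nonce are assumed.
"""
import struct

MASK64 = (1 << 64) - 1
ROUNDS = 32          # Speck128/128: 64-bit words, 128-bit key, 32 rounds
ALPHA, BETA = 8, 3   # rotation amounts for the 64-bit word size


def _ror(x: int, r: int) -> int:
    return ((x >> r) | (x << (64 - r))) & MASK64


def _rol(x: int, r: int) -> int:
    return ((x << r) | (x >> (64 - r))) & MASK64


def expand_key(key: bytes) -> list:
    """Speck key schedule: 16-byte key read as two little-endian words (k0, l0), one ARX round per subkey."""
    k, l = struct.unpack("<QQ", key)
    subkeys = [k]
    for i in range(ROUNDS - 1):
        l = ((_ror(l, ALPHA) + k) & MASK64) ^ i   # add, rotate, xor: no S-box, no constant table
        k = _rol(k, BETA) ^ l
        subkeys.append(k)
    return subkeys


def encrypt_block(block: bytes, subkeys: list) -> bytes:
    """One 16-byte block; bytes 0-7 are word y, bytes 8-15 are word x (little-endian)."""
    y, x = struct.unpack("<QQ", block)
    for k in subkeys:
        x = ((_ror(x, ALPHA) + y) & MASK64) ^ k
        y = _rol(y, BETA) ^ x
    return struct.pack("<QQ", y, x)


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR mode only ever encrypts counter blocks, so decryption needs no Speck decrypt routine.
    ASSUMED block layout: 8-byte nonce || 8-byte little-endian counter starting at 0."""
    subkeys = expand_key(key)
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += encrypt_block(nonce + struct.pack("<Q", ctr), subkeys)
        ctr += 1
    return bytes(out[:length])


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation: XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, ctr_keystream(key, nonce, len(data))))


def candidate_key_fits(key: bytes, nonce: bytes, encrypted_payload: bytes) -> bool:
    """Known-plaintext check for a recovered (key, nonce): a PE payload must decrypt to an 'MZ'
    header, and in CTR mode only the first block has to be decrypted to find out."""
    return ctr_crypt(key, nonce, encrypted_payload[:16])[:2] == b"MZ"


# Published Speck128/128 test vector (Beaulieu et al.), bytes in little-endian word order.
KAT_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
KAT_PT = bytes.fromhex("206d616465206974206571756976616c")   # " made it equival"
KAT_CT = bytes.fromhex("180d575cdffe60786532787951985da6")


def speck_self_test() -> bool:
    """Confirm the block cipher against the published vector before trusting any decryption."""
    return encrypt_block(KAT_PT, expand_key(KAT_KEY)) == KAT_CT


# Constructed sample: a fake PE payload encrypted under an assumed key and nonce.
SAMPLE_KEY = bytes(range(0x20, 0x30))
SAMPLE_NONCE = b"\x11" * 8
SAMPLE_PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 120
SAMPLE_ENCRYPTED = ctr_crypt(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("Speck KAT:", speck_self_test())
    print("key fits:", candidate_key_fits(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_ENCRYPTED))
    print("wrong key fits:", candidate_key_fits(bytes(16), SAMPLE_NONCE, SAMPLE_ENCRYPTED))
```

Two practical consequences follow from the mode. Because CTR never runs the cipher backwards, the loader needs only Speck's encryption direction, which is the function to look for when locating the routine in the AOT-compiled binary (a tight loop of rotate-by-8, add, XOR, rotate-by-3, XOR). And because keystream equals ciphertext XOR plaintext, the expected "MZ" header of the payload gives a two-byte known-plaintext test that rejects wrong key or nonce candidates without decrypting the whole file.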

QuirkyLoader hollows legitimate Windows processes, among them AddInProcess32.exe, InstallUtil.exe and aspnet_wp.exe: it starts one of these signed Microsoft binaries, replaces its in-memory image with the payload and resumes it, so the payload runs under a trusted process name and path and evades detections that key on the process image alone.

Recent campaigns in July 2025 targeted employees of Nusoft Taiwan and individuals in Mexico.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.