Olymp Loader, a newly emerged Malware-as-a-Service (MaaS) offering, has rapidly gained traction across underground forums and Telegram since its debut on June 5, 2025.
Developed by a trio of seasoned Assembly coders under the alias “OLYMPO,” the loader boasts fully Assembly-based modules, advanced evasion techniques, and built-in stealer functionality—features that appeal to low- and mid-tier cybercriminals seeking turnkey attack tools.
Originally marketed as “Olymp Botnet,” the project quickly pivoted into a loader service and, more recently, into a crypter-centric solution.
OLYMPO’s Telegram channel reveals a dynamic roadmap aiming to bundle a stager generator, loader, botnet, file scanner, and crypter into a unified Orophware suite.
This modular approach accelerates feature rollouts and compresses the time from initial release to widespread adoption.
Feature Set and Pricing
As of August 5, 2025, OLYMPO’s pricing tiers include:
- Classic Stub (US$50): Defender-bypass, Defender-remover module, automatic certificate signing, and guaranteed low VirusTotal detections.
- Personal Shellcode Modifications (US$100): Custom shellcode integration within the classic stub.
- Unique Stub (US$200): Personalized shellcode, injection into a unique legitimate binary.
Advertised capabilities span:
- Full Assembly implementation for maximum stealth.
- Support for 32-bit, 64-bit, .NET, Java, and native payloads.
- Binary sizes ranging from 12MB to 70MB depending on injection target.
- Aggressive privilege escalation via UAC-Flood and Windows Defender exclusion mechanisms.
- Deep XOR encryption for core modules and payloads.
- Automatic code signing of stubs and modules using genuine certificates.
- A unique machine-learning evasion formula to thwart heuristic analysis.
OLYMPO bundles three primary stealer modules—browser data, Telegram session data, and cryptocurrency wallet credentials—directly into the loader framework.
Users can also leverage a public API for on-demand custom modules, with logs routed through client-controlled proxy endpoints.
Distribution and Infection Vectors
Recent statistics indicate 46% of post-infection payloads deploy LummaC2, 31% launch WebRAT (SalatStealer), 15% deliver QuasarRAT, and 8% involve Raccoon Stealer. A small subset opts for the loader’s native browser-stealer module.

While still nascent, several distribution techniques have been observed:
- GitHub Releases: Binaries masquerading as “NodeJs.exe” under the PurpleOrchid65 repository.
- Second-stage delivery via Amadey: Indicative of Pay-Per-Install (PPI) service usage.
- Legitimate software impersonation: URLs referencing PuTTY, OpenSSL, Zoom, CapCut, SumatraPDF, and PeaZip to lure victims.
- Certificate brand spoofing: Borrowed app icons and certificates to enhance perceived legitimacy.
OLYMPO maintains active threads on HackForums, BHF, DarkForums, Niflheim, and Lolz Guru, often touting FUD (Fully UnDetectable) performance by uploading samples to VirusTotal without fear of detection.

Nearly 100 subscribers populate its main Telegram channel, sharing success stories and requesting features.
A unique marketing twist on the Russian XSS forum involved publishing technical deep-dives on Assembly injection and the Cyber-Kill-Chain, although this account was quickly banned for policy violations.
With its aggressive roadmap and feature-rich payloads, Olymp Loader is poised to lower barriers for novice threat actors and fuel commodity intrusion growth at scale.
Security teams must monitor updates on underground channels and adapt detection strategies—especially around certificate-signed binaries, Defender exclusion tactics, and bespoke shellcode variants—before Olymp’s next modules hit mainstream adoption.
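As an added example (not from the article and not OLYMPO's code), a Python triage routine for the Defender exclusion tactic the article singles out: it scans records shaped like Microsoft-Windows-Windows Defender/Operational events (ID 5007 configuration changed, ID 5001 real-time protection disabled) and rates exclusions for user-writable paths, extensions or processes as high severity. The message layout is an assumption modelled on the real log, and the sample records are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample records mimicking Defender operational-log events.
SAMPLE_EVENTS = [
    {"id": 5007, "message": r"Windows Defender Antivirus Configuration has changed. Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Local\Temp = 0x0"},
    {"id": 5007, "message": r"Windows Defender Antivirus Configuration has changed. Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.exe = 0x0"},
    {"id": 5007, "message": r"Windows Defender Antivirus Configuration has changed. Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Vendor\Tool = 0x0"},
    {"id": 5007, "message": r"Windows Defender Antivirus Configuration has changed. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScheduleDay = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScheduleDay = 0x2"},
    {"id": 5001, "message": "Windows Defender Antivirus Real-time Protection is disabled."},
    {"id": 1116, "message": "Windows Defender Antivirus has detected malware or other potentially unwanted software."},
]

# Assumed message shape: "New value: HKLM\...\Exclusions\<Kind>\<value> = 0x0".
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Extensions|Processes)\\(.+?)\s*=",
    re.IGNORECASE,
)
# Locations a standard user can write to; an exclusion here shields dropped payloads.
USER_WRITABLE_RE = re.compile(
    r"^(?:[A-Z]:\\Users\\|[A-Z]:\\ProgramData\\|[A-Z]:\\Windows\\Temp\\|%TEMP%|%APPDATA%)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    event_id: int
    kind: str
    value: str
    severity: str


def triage_defender_events(events):
    """Return findings for exclusion additions and real-time protection being disabled."""
    findings = []
    for ev in events:
        if ev["id"] == 5001:
            findings.append(Finding(5001, "realtime_protection_disabled", "", "high"))
        elif ev["id"] == 5007:
            m = EXCLUSION_RE.search(ev["message"])
            if not m:
                continue  # some other configuration change, not an exclusion
            kind, value = m.group(1).lower(), m.group(2)
            risky = kind in ("extensions", "processes") or USER_WRITABLE_RE.match(value)
            findings.append(Finding(5007, f"exclusion_{kind}", value, "high" if risky else "medium"))
    return findings
```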