New Malware-as-a-Service Olymp Loader Promises Defender-Bypass With Automatic Certificate Signing


The cybersecurity community is currently observing a surge in interest around Olymp Loader, a recently unveiled Malware-as-a-Service (MaaS) platform written entirely in Assembly.

First advertised on underground forums and Telegram channels in early June 2025, Olymp Loader has rapidly evolved from a rudimentary botnet concept into a sophisticated loader and crypter suite.

Its author, operating under the alias OLYMPO, touts the service as Fully UnDetectable (FUD), claiming that its advanced design can bypass modern antivirus engines and evade machine-learning–based heuristics.

Early adopters praise its modular architecture, which integrates credential stealers, crypters, and privilege escalation mechanisms.

Research indicates that OLYMPO is a small team with extensive Assembly programming expertise rather than a single developer.

As reported on HackForums and other underground venues, they have implemented features such as deep XOR encryption for payload modules, UAC‐Flood privilege escalation, and automatic Windows Defender exclusions.


On August 5, 2025, OLYMPO announced pricing tiers ranging from a basic stub at USD 50 to a fully customized injection service at USD 200, with all packages including a “Defender-way” bypass, Defender-removal module, and automatic certificate signing to lend samples a veneer of legitimacy.

Banner used to advertise Olymp Loader in underground forums posted on June 6, 2025 (Source – Outpost24)

Outpost24 analysts identified multiple instances of Olymp Loader in the wild, often masquerading as legitimate software.

For example, binaries named NodeJs[.]exe were distributed via GitHub Releases under the repository PurpleOrchid65Testing, exploiting developer trust in Node.js executables.

In other cases, the loader was delivered as fake installers for OpenSSL, Zoom, PuTTY, and CapCut, reusing the official icons and certificate details of those applications to trick victims.

Infection Mechanism and Persistence

Upon execution, Olymp Loader initiates a multi‐stage process to establish persistence and disable defenses.

Initial samples observed in June employed a simple batch script: copying the executable to the user’s AppData directory and spawning a cmd[.]exe process to run a timeout command, followed by re‐execution from the new location.

Behavior of PowerShell execution commands seen in an Olymp sample on public sandboxes (Source – Outpost24)

A PowerShell script was then launched to create an entry in the StartUp folder, ensuring the loader runs on each system boot.

By early August, this workflow was augmented with a Defender Remover module, publicly available on GitHub, which executes PowerRun[.]exe and a RemoveSecHealthApp[.]ps1 script to terminate Defender services before adding exhaustive exclusion paths (APPDATA, LOCALAPPDATA, Desktop, StartMenu, and more) via Add-MpPreference. Because Add-MpPreference requires administrative rights, this stage depends on the privilege escalation step succeeding first.
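The three stages described above (a cmd.exe timeout followed by relaunch from AppData, a PowerShell write into the Startup folder, and Add-MpPreference exclusions covering user-writable roots) are all visible in ordinary process-creation telemetry. The following Python is an added hunting example, not code from the article, from Outpost24, or from the loader itself; the pipe-separated record format, the sample records, and the rule names are constructed for illustration and should be adapted to your own EDR or Sysmon export.

```python
"""Hunting rules for the Olymp Loader persistence and Defender-tampering stages.

Added example. Record format (constructed): 'Image|CommandLine|ParentImage'.
"""
import re
from dataclasses import dataclass

# User-writable roots that should never be blanket Defender exclusions.
USER_WRITABLE = re.compile(
    r"\\AppData\\|\\Desktop\\|\\Start Menu\\|%(LOCAL)?APPDATA%|\$env:(LOCAL)?APPDATA",
    re.IGNORECASE,
)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup", re.IGNORECASE)
EXE_IN_APPDATA = re.compile(r"\\AppData\\[^\s\"]*\.exe", re.IGNORECASE)

# Rule name -> tactic, used to see whether one host shows the whole chain.
RULE_TACTIC = {
    "cmd timeout then relaunch from AppData": "persistence",
    "PowerShell writes to Startup folder": "persistence",
    "Defender exclusion on user-writable path": "defense evasion",
    "Defender removal tooling": "defense evasion",
}


@dataclass
class Hit:
    rule: str
    index: int   # position of the matching record in the input
    image: str


def parse(record):
    """Split one constructed 'Image|CommandLine|ParentImage' record."""
    image, cmdline, parent = (f.strip() for f in record.split("|", 2))
    return image, cmdline, parent


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(image, cmdline, parent):
    """Yield the name of every rule a single record satisfies."""
    low = cmdline.lower()
    # Stage 1: batch copy to AppData, sleep via timeout, re-execute from there.
    if basename(image) == "cmd.exe" and "timeout" in low and EXE_IN_APPDATA.search(cmdline):
        yield "cmd timeout then relaunch from AppData"
    # Stage 2: PowerShell drops a copy or shortcut into the Startup folder.
    if basename(image) in ("powershell.exe", "pwsh.exe") and STARTUP_DIR.search(cmdline):
        yield "PowerShell writes to Startup folder"
    # Stage 3: exclusions for APPDATA/LOCALAPPDATA/Desktop/Start Menu.
    if "add-mppreference" in low and "exclusionpath" in low and USER_WRITABLE.search(cmdline):
        yield "Defender exclusion on user-writable path"
    # Stage 3 helper binaries named in the article.
    if basename(image) == "powerrun.exe" or "removesechealthapp.ps1" in low:
        yield "Defender removal tooling"


def scan(records):
    hits = []
    for i, rec in enumerate(records):
        image, cmdline, parent = parse(rec)
        for rule in match_rules(image, cmdline, parent):
            hits.append(Hit(rule, i, image))
    return hits


def tactics_seen(hits):
    """Tactics covered by the hits; both together on one host is a strong signal."""
    return {RULE_TACTIC[h.rule] for h in hits}


# Constructed sample telemetry modelled on the behaviour described in the article.
SAMPLE_RECORDS = [
    r'C:\Windows\System32\cmd.exe|cmd.exe /c timeout 3 && "C:\Users\alice\AppData\Roaming\svc\NodeJs.exe"|C:\Users\alice\Downloads\NodeJs.exe',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden -c Copy-Item C:\Users\alice\AppData\Roaming\svc\NodeJs.exe "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\"|C:\Users\alice\AppData\Roaming\svc\NodeJs.exe',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Add-MpPreference -ExclusionPath $env:APPDATA,$env:LOCALAPPDATA,"$env:USERPROFILE\Desktop"|C:\Users\alice\AppData\Roaming\svc\NodeJs.exe',
    r'C:\Users\alice\AppData\Local\Temp\PowerRun.exe|PowerRun.exe powershell -ep bypass -f RemoveSecHealthApp.ps1|C:\Users\alice\AppData\Roaming\svc\NodeJs.exe',
    # A vendor-directory exclusion from an installer: deliberately not flagged.
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\App"|C:\Windows\System32\msiexec.exe',
]

if __name__ == "__main__":
    found = scan(SAMPLE_RECORDS)
    for h in found:
        print(f"record {h.index}: {h.rule} ({h.image})")
    print("tactics:", sorted(tactics_seen(found)))
```

The last sample record shows the intended false-positive control: Add-MpPreference on a vendor directory under Program Files is common installer behaviour and is left alone; only exclusions that blanket user-writable roots are raised, and only a host that shows both the persistence and the defense-evasion tactics should be escalated on these rules alone.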

The loader’s shellcode component leverages the LoadPE method for code‐cave–based injection into legitimate processes, supporting 32‐bit, 64‐bit, .NET, and Java payloads.

Unique shellcode initialization routines further obfuscate the loader’s purpose, while a custom certificate signing feature signs both the stub and modules, complicating detection by reputation‐based systems.

This combination of script‐based persistence, injection techniques, and automatic certificate signing marks a significant advancement in MaaS offerings, lowering the entry barrier for mid‐level cybercriminals and amplifying attack volumes across enterprises and developers alike.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.