A new Malware-as-a-Service (MaaS) threat named “Olymp Loader” appeared in June 2025, aggressively advertised on underground hacker forums like XSS and HackForums.
Advertised by an operator known as “OLYMPO,” this malware is marketed as a sophisticated tool written entirely in Assembly language.
This marketing strategy aims to attract cybercriminals by claiming high performance and resistance to reverse engineering.
The tool functions as a versatile suite, acting as a loader, crypter, and stealer, which significantly lowers the barrier to entry for attackers looking to deploy evasion techniques and complex infection routines.
The operator advertises the malware as “Fully UnDetectable” (FUD), citing extremely low detection rates on VirusTotal; as with any crypter, that figure reflects static scanning of the stub at upload time rather than behavioral detection on an endpoint.
It spreads through social engineering campaigns, often disguised as legitimate software downloads such as PuTTY, Zoom, or Node.js executables hosted on GitHub.
These deceptive vectors trick users into running the malicious code, initiating the infection chain on the victim’s machine.
Hosting the malicious assets on a reputable platform like GitHub further complicates detection: downloads from github.com are routine in most environments, so the traffic rarely stands out to proxies or egress filtering.
Analysts at Picus Security observed that Olymp Loader frequently delivers payloads such as LummaC2 and Raccoon Stealer.
They also noted the malware’s rapid evolution, specifically its pivot in early August 2025 from a botnet architecture to a streamlined dropper model.
This shift demonstrates the developer’s ability to adapt quickly to technical challenges and market demands from the cybercriminal community.
Anti-analysis and Detection Evasion
Following a major restructuring on August 3, 2025, Olymp Loader introduced advanced anti-analysis mechanisms to ensure successful infection.
The malware now embeds encrypted payloads directly into the stub, executing them only after neutralizing local defenses.
A primary component of this evasion strategy is the forcible disabling of Windows Defender. The loader executes PowerShell commands to turn off real-time monitoring and to exclude paths from scanning. Both changes require administrative rights, and the real-time monitoring change is rejected when Tamper Protection is enabled, so a loader running in a standard user context or on a managed host has to fall back to other techniques.
For example, it uses the following PowerShell command:
powershell -NoProfile -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Subsequently, the malware drops executables into the Temp directory and leverages the “Defender Remover” tool.
This process uses PowerRun.exe, a utility that runs commands with TrustedInstaller-level privileges, to apply registry modifications from files such as RemoveDefender.reg and to delete protected system files such as SecurityHealthSystray.exe.
It also deletes Defender-related files from the WinSxS component store. This aggressive defense nullification ensures that payloads run unhindered by the endpoint protection installed on the host.
Tactics continued to shift days later; analysts observed samples from August 10 replacing the explicit disabling command with extensive directory exclusion lists covering locations such as %APPDATA% and %DESKTOP%. An excluded directory is simply never scanned, so the loader gains the same effect for its dropped files without flipping the visible “real-time protection is off” state that the earlier command produced.
This rapid iteration shows how quickly Olymp Loader adapts to bypass standard security controls, and why defenders should alert on Defender configuration changes rather than only on a disabled-protection state.
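As an added example, and not code from the article or from Picus Security, the following Python detection logic runs over constructed sample events modelled on two Windows sources: PowerShell script block logging (Event ID 4104), which records the script text that actually ran, and the Defender operational log’s configuration-changed event (Event ID 5007), which records the registry value that changed. It flags the explicit -DisableRealtimeMonitoring command quoted above as well as the later exclusion-list technique, and rates an exclusion as broad when it covers a user-writable root such as %APPDATA%, %DESKTOP% or C:\Users\Public. The event message formats, field names, rule names and the sample events are assumptions made for this example.

```python
"""Detection logic for the Defender tampering described above.

Two Windows event sources are modelled with constructed sample messages:
  * PowerShell Operational, Event ID 4104 (script block logging): the text of
    the script that actually ran.
  * Microsoft Defender Operational, Event ID 5007 (configuration changed): the
    registry value that changed.
The message formats and SAMPLE_EVENTS below are approximations written for
this example, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    detail: str


# 4104: the loader's own command, minus the powershell.exe wrapper.
RE_RTP_OFF = re.compile(
    r"\bSet-MpPreference\b[^\r\n]*?-DisableRealtimeMonitoring\s+(?:\$true|1)\b", re.I)
# Add-MpPreference appends to the exclusion list, Set-MpPreference replaces it;
# both are worth flagging.
RE_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b[^\r\n]*?-ExclusionPath\s+([^\r\n;|]+)", re.I)

# 5007: Defender records the new registry value under its own key
# (message layout assumed for this example).
RE_5007_RTP = re.compile(
    r"New value:.*?Real-Time Protection\\DisableRealtimeMonitoring\s*=\s*0x1", re.I | re.S)
RE_5007_EXCL = re.compile(
    r"New value:.*?\\Exclusions\\Paths\\(.+?)\s*=\s*0x0", re.I | re.S)

# Segments that mark a user-writable root; an exclusion that ends at or just
# below one of these covers far more than any single application needs.
BROAD_SEGMENTS = {"%appdata%", "%localappdata%", "%temp%", "%tmp%", "%desktop%",
                  "%userprofile%", "%public%", "appdata", "desktop", "temp", "tmp",
                  "downloads", "public", "users"}


def is_broad_exclusion(path: str) -> bool:
    """True for exclusions such as %APPDATA%, C:\\Users\\Public or
    C:\\Users\\x\\AppData\\Roaming; False for a narrow application directory."""
    p = path.strip().strip('"\'').lower().replace("/", "\\")
    segs = [s for s in p.split("\\") if s]
    # Flag when a broad segment is the last or second-to-last path element.
    return any(s in BROAD_SEGMENTS and len(segs) - i - 1 <= 1
               for i, s in enumerate(segs))


def _split_paths(raw: str):
    # Drop anything from the next "-Parameter" onward, then split the
    # comma-separated list that -ExclusionPath accepts.
    raw = re.split(r"\s+-(?=[A-Za-z])", raw)[0]
    return [p.strip().strip('"\'') for p in raw.split(",") if p.strip()]


def _exclusion(eid: int, path: str) -> Finding:
    rule = "defender_broad_exclusion" if is_broad_exclusion(path) else "defender_exclusion_added"
    return Finding(eid, rule, path)


def analyze(events):
    """Return one Finding per tampering indicator found in the events."""
    findings = []
    for ev in events:
        eid, msg = ev["id"], ev["message"]
        if eid == 4104:
            if RE_RTP_OFF.search(msg):
                findings.append(Finding(eid, "defender_realtime_disabled",
                                        "Set-MpPreference -DisableRealtimeMonitoring $true"))
            for m in RE_EXCLUSION.finditer(msg):
                findings.extend(_exclusion(eid, p) for p in _split_paths(m.group(1)))
        elif eid == 5007:
            if RE_5007_RTP.search(msg):
                findings.append(Finding(eid, "defender_realtime_disabled",
                                        "Real-Time Protection\\DisableRealtimeMonitoring = 0x1"))
            m = RE_5007_EXCL.search(msg)
            if m:
                findings.append(_exclusion(eid, m.group(1)))
    return findings


SAMPLE_EVENTS = [  # constructed for this example
    {"id": 4104, "message": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 5007, "message": "Microsoft Defender Antivirus Configuration has changed. "
        "Old value: Default\\Real-Time Protection\\DisableRealtimeMonitoring = 0x0 "
        "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1"},
    {"id": 4104, "message": 'Add-MpPreference -ExclusionPath "%APPDATA%","%DESKTOP%","C:\\Users\\Public" -Force'},
    {"id": 5007, "message": "Microsoft Defender Antivirus Configuration has changed. "
        "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Program Files\\Vendor\\db = 0x0"},
    {"id": 4104, "message": "Get-MpPreference | Select-Object DisableRealtimeMonitoring, ExclusionPath"},  # benign audit
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.event_id} {f.rule}: {f.detail}")
```

Running the script lists two real-time-monitoring findings (the 4104 command and the matching 5007 registry change), three broad exclusions from the August 10 style command, one narrow vendor exclusion, and nothing for the benign Get-MpPreference audit. Watching 5007 in addition to 4104 matters because the Defender Remover route described above changes the registry without going through PowerShell at all, and because script block logging is off by default on many hosts.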
