New TinyLoader Malware Attacking Windows Users Via Network Shares and Fake Shortcuts Files


A stealthy new malware loader dubbed TinyLoader has begun proliferating across Windows environments, exploiting network shares and deceptive shortcut files to compromise systems worldwide.

First detected in late August 2025, TinyLoader installs multiple secondary payloads—most notably RedLine Stealer and DCRat—transforming infected machines into fully weaponized platforms for credential theft, remote access, and cryptocurrency hijacking.

Analysts have observed rapid escalation in the loader’s deployment, with infections traced to corporate file shares, removable media, and social engineering tactics that entice unsuspecting users to execute malicious binaries.


While malware loaders are not a novel threat, TinyLoader distinguishes itself through a combination of aggressive lateral movement and sophisticated persistence mechanisms.

Initial access is frequently achieved via network shares: the loader scans for open SMB resources, copies itself to them as an innocuous-looking “Update.exe”, and adjusts the directory timestamps so that the new file does not stand out.

Once executed, it immediately reaches out to predefined command-and-control (C2) servers to download additional modules.

Hunt.io researchers identified early C2 infrastructure hosted at IP addresses 176.46.152.47 and 176.46.152.46 in Riga, Latvia, with further nodes in the UK and Netherlands, all operated under a single hosting provider to streamline deployment.

Hunt.io analysts noted that TinyLoader’s interface mirrors modern malware-as-a-service panels, offering threat actors an intuitive web portal for campaign management.

Examination of the loader’s payload retrieval sequence revealed six hard-coded URLs pointing to malicious binaries—bot.exe and zx.exe among them—which are saved to the Windows temporary directory and executed without user interaction.

This modular approach allows attackers to rotate payloads and pivot to new tools such as cryptocurrency clipper modules or remote access trojans with minimal redevelopment effort.

Following the outbreak of infections, security teams scrambled to uncover detection signatures.

TinyLoader command-and-control login panel (Source – Hunt.io)

TinyLoader’s login panel carries a consistent HTML title tag:

<title>Login - TinyLoader</title>

This string is a reliable pivot: searching internet-wide scan data for it lets defenders enumerate additional C2 panels and block them preemptively.
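As an added example (not code from the article or from Hunt.io), the following Python triage script applies the title fingerprint to a list of candidate hosts. The responses and the 203.0.113.x addresses embedded in it are constructed for offline use, and the fetch helper is an assumed plain urllib request, not anything Hunt.io runs. It normalises the title before comparing, because a naive substring check on the raw body misses panels whose template wraps the title in whitespace or encodes the dash as an HTML entity:

```python
import html
import re
import ssl
import urllib.request

# Fingerprint taken from the article: the panel's <title> is "Login - TinyLoader".
PANEL_TITLE = "login - tinyloader"
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)


def page_title(body):
    """Extract the <title> text and normalise it: entities decoded, whitespace
    collapsed, en/em dashes folded to '-', lowercased."""
    m = TITLE_RE.search(body)
    if not m:
        return ""
    title = html.unescape(m.group(1))
    title = re.sub(r"\s+", " ", title).strip().lower()
    return title.replace("\u2013", "-").replace("\u2014", "-")


def is_tinyloader_panel(body):
    """True when the response body carries the TinyLoader panel title."""
    return page_title(body) == PANEL_TITLE


def fetch(url, timeout=5):
    """Fetch a candidate panel over HTTP(S). Panels commonly sit behind
    self-signed certificates, so TLS verification is deliberately off here;
    only the first 64 KiB is read, which is plenty to reach a <title>."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read(65536).decode("utf-8", "replace")


def triage(candidates, fetch_fn=fetch):
    """Return the candidate URLs whose response matches the panel fingerprint.
    fetch_fn is injectable so the matching logic can be exercised offline."""
    hits = []
    for url in candidates:
        try:
            body = fetch_fn(url)
        except (OSError, ValueError):
            continue  # unreachable host, TLS failure or malformed URL
        if is_tinyloader_panel(body):
            hits.append(url)
    return hits


# Constructed sample responses (documentation-range addresses, not real hosts).
SAMPLE_RESPONSES = {
    "https://203.0.113.10/login":
        "<html><head>\n  <title>\n    Login - TinyLoader\n  </title></head><body></body></html>",
    "https://203.0.113.11/":
        "<html><head><title>Welcome to nginx!</title></head></html>",
    "https://203.0.113.12/admin":
        "<HTML><HEAD><TITLE>Login &ndash; TinyLoader</TITLE></HEAD></HTML>",
}

if __name__ == "__main__":
    for url in triage(SAMPLE_RESPONSES, fetch_fn=SAMPLE_RESPONSES.__getitem__):
        print("panel:", url)
```

The same normalised string is what you would feed to a scan search engine; in Shodan, for instance, the filter is http.title:"Login - TinyLoader". Run the script over the hosts such a query returns to confirm the panel is still live before adding them to a blocklist.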

Hunt.io scan results (Source – Hunt.io)

Hunt.io’s scan results for the suspicious IP address 176.46.152.47 show the initial discovery that triggered further infrastructure mapping.

Infection Mechanism: Network Share Propagation and Fake Shortcuts

TinyLoader’s primary infection vector leverages both network file sharing and social engineering via fake Windows shortcuts.

Upon gaining administrative privileges, the loader modifies the Windows registry to hijack the .txt file association, replacing the default notepad.exe handler with a cmd.exe chain that starts its own binary:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="\"%SystemRoot%\\System32\\cmd.exe\" /c start \"\" \"C:\\Windows\\System32\\Update.exe\" \"%1\""

This modification ensures that any attempt to open a text file silently launches TinyLoader first, before displaying the legitimate document. Note for defenders: HKEY_CLASSES_ROOT is a merged view, and a copy of the same key under HKEY_CURRENT_USER\Software\Classes overrides the machine-wide value without requiring administrative rights, so both locations are worth auditing.
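To turn the registry indicator into a repeatable check, the following added Python script (not from the article or from Hunt.io) parses a reg.exe export and flags every shell\open\command default whose handler is not the expected one or that chains through cmd.exe or another launcher. The sample export embedded in it is constructed: it combines the hijacked txtfile value above with an untouched inifile entry written the way reg.exe exports a REG_EXPAND_SZ value (hex(2) UTF-16LE bytes with continuation lines). The expected-handler table is an assumption limited to two notepad-backed ProgIDs:

```python
import re

# Normal handlers for the ProgIDs worth watching; txtfile is the one TinyLoader
# hijacks and inifile is another association that notepad.exe serves by default.
EXPECTED_HANDLER = {"txtfile": "notepad.exe", "inifile": "notepad.exe"}
# Interpreters and launchers that have no business in a document handler chain.
LAUNCHERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
             "mshta.exe", "rundll32.exe"}
KEY_RE = re.compile(r"^\[(.+)\]$")
EXE_RE = re.compile(r'[^\s"]+\.exe', re.I)


def _unescape(s):
    # .reg string escaping: a backslash before a quote or a backslash is literal.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_commands(text):
    """Return {key: default value} for every ...\\shell\\open\\command key in a
    .reg export. Handles quoted strings and hex(2) (REG_EXPAND_SZ) values,
    including their backslash-continued lines."""
    commands, key = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None or not line.startswith("@="):
            continue
        raw = line[2:]
        while raw.endswith("\\") and i < len(lines):  # hex value continues on next line
            raw = raw[:-1] + lines[i].strip()
            i += 1
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = _unescape(raw[1:-1])
        elif raw.startswith("hex(2):"):
            value = bytes.fromhex(raw[7:].replace(",", "")).decode("utf-16-le").rstrip("\x00")
        else:
            continue  # binary/dword defaults are not commands
        if key.lower().endswith("\\shell\\open\\command"):
            commands[key] = value
    return commands


def assess(key, command):
    """Findings for one file-association command (empty list means it looks normal)."""
    progid = key.split("\\")[-4].lower()  # ...\<progid>\shell\open\command
    exes = [e.rsplit("\\", 1)[-1].lower() for e in EXE_RE.findall(command)]
    findings = []
    expected = EXPECTED_HANDLER.get(progid)
    if expected and exes and exes[0] != expected:
        findings.append(f"{progid}: handler is {exes[0]}, expected {expected}")
    launchers = [e for e in exes if e in LAUNCHERS]
    if launchers:
        findings.append(f"{progid}: command chains through {', '.join(launchers)}")
    extra = [e for e in exes[1:] if e not in LAUNCHERS]
    if extra:
        findings.append(f"{progid}: additionally launches {', '.join(extra)}")
    return findings


def scan_export(text):
    """Map every suspicious command key in a .reg export to its findings."""
    result = {}
    for key, cmd in parse_reg_commands(text).items():
        findings = assess(key, cmd)
        if findings:
            result[key] = findings
    return result


# Constructed sample export: the hijacked txtfile command from the article next
# to an untouched inifile command as reg.exe would write it.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="\"%SystemRoot%\\System32\\cmd.exe\" /c start \"\" \"C:\\Windows\\System32\\Update.exe\" \"%1\""

[HKEY_CLASSES_ROOT\inifile\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
  54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,25,00,31,00,\
  00,00
'''

if __name__ == "__main__":
    # On a host: reg export HKCR\txtfile txtfile.reg (and the HKCU\Software\Classes
    # copy); reg.exe writes UTF-16, so read it with open(path, encoding="utf-16").
    for key, findings in scan_export(SAMPLE_REG).items():
        print(key)
        for f in findings:
            print("  -", f)
```

Run it against exports of both HKCR and HKCU\Software\Classes; a clean txtfile entry decodes to the notepad.exe command and produces no findings, while the hijacked one is reported three times over: wrong handler, a cmd.exe chain, and the extra Update.exe it launches.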

Concurrently, the malware scans writable network shares, copying both “Update.exe” and malicious shortcut files named “Documents Backup.lnk.”

When these shortcuts are double-clicked, they execute TinyLoader while masquerading as a user-friendly backup utility.

Fake desktop shortcut used for social engineering (Source – Hunt.io)

The fake desktop shortcut shown above exemplifies this tactic.

The loader also targets removable media: each USB insertion triggers replication of TinyLoader under enticing double-extension names such as “Photo.jpg.exe”, which Explorer shows as “Photo.jpg” when the default “hide extensions for known file types” setting is on.

An accompanying autorun.inf file is dropped to trigger execution on the next host. Note that Windows 7 and later ignore autorun.inf on USB mass-storage devices by default, so on a current system the spread via removable media still depends on a user launching the disguised file.

Together, these techniques create a resilient propagation mechanism that spans both local and enterprise networks, making TinyLoader exceptionally difficult to eradicate once established.

Defenders are urged to monitor registry changes affecting file associations (the shell\open\command default values under HKEY_CLASSES_ROOT and HKEY_CURRENT_USER\Software\Classes), deploy policies restricting executable creation on network shares, and inspect shortcut files for unusual targets.

By combining signature-based detection of the “Login - TinyLoader” panel with behavioral monitoring of autorun activity, security teams can mitigate the rapid spread of this emerging threat.
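As an added example (not the article’s or Hunt.io’s code) covering the share-dropped shortcut and the removable-media artefacts described above, and implementing the advice to inspect shortcut files for unusual targets, the Python script below contains a minimal MS-SHLLINK reader that pulls the target path, relative path and arguments out of a .lnk, plus a scanner that walks a mounted share or USB root for executable-targeting shortcuts, double-extension executables, autorun.inf and a loose Update.exe. The build_lnk helper and the directory layout in demo() are constructed test fixtures; the file names it looks for are the ones this article reports:

```python
import os
import re
import struct
import tempfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData blocks appear in this fixed order when their flag is set (MS-SHLLINK 2.4).
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS), ("icon", HAS_ICON))


def _cstr(data, off):
    """NUL-terminated ANSI string starting at offset off."""
    return data[off:data.index(b"\x00", off)].decode("cp1252", "replace")


def parse_lnk(data):
    """Minimal Shell Link reader: LinkInfo target path plus the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, info = 0x4C, {}
    if flags & HAS_IDLIST:  # skip LinkTargetIDList (IDListSize + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        size, _hdr, li_flags, _vol, base_off, cnrl_off, suffix_off = struct.unpack_from("<7I", data, pos)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath: local drive target
            info["target"] = _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)
        elif li_flags & 0x2:  # CommonNetworkRelativeLink: UNC share target
            net_off = struct.unpack_from("<I", data, pos + cnrl_off + 8)[0]
            info["target"] = _cstr(data, pos + cnrl_off + net_off) + "\\" + _cstr(data, pos + suffix_off)
        pos += size
    for field, bit in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            info[field] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += count * width
    return info


def shortcut_finding(info):
    """A shortcut on a file share should open a document or folder; an .exe target
    (or arguments that run one) is what the 'Documents Backup.lnk' lure looks like."""
    target = " ".join(info.get(k, "") for k in ("target", "relative_path", "arguments"))
    if re.search(r"\.exe\b", target, re.I):
        return f"shortcut launches an executable: {target.strip()}"
    return None


def scan_share(root):
    """Walk a mounted share or USB root and report TinyLoader-style drop artefacts."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, low = os.path.join(dirpath, name), name.lower()
            if low == "autorun.inf":
                findings.append((path, "autorun.inf present"))
            elif low.endswith(".exe") and low.count(".") >= 2:
                findings.append((path, "double extension disguises an executable"))
            elif low == "update.exe":
                findings.append((path, "loose 'Update.exe' dropped on a share"))
            elif low.endswith(".lnk"):
                with open(path, "rb") as fh:
                    try:
                        reason = shortcut_finding(parse_lnk(fh.read()))
                    except ValueError:
                        reason = "file has .lnk extension but is not a Shell Link"
                if reason:
                    findings.append((path, reason))
    return findings


def build_lnk(relative_path, arguments="", name=""):
    """Constructed sample .lnk (header + StringData only) for offline testing; real
    lures usually also carry an IDList and LinkInfo, which parse_lnk handles."""
    flags = IS_UNICODE | (HAS_NAME if name else 0) | (HAS_RELPATH if relative_path else 0) | (HAS_ARGS if arguments else 0)
    # 76-byte ShellLinkHeader: size, CLSID, flags, FILE_ATTRIBUTE_ARCHIVE, three
    # FILETIMEs, size, icon index, SW_SHOWNORMAL, hotkey, reserved fields.
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for value, bit in ((name, HAS_NAME), (relative_path, HAS_RELPATH), (arguments, HAS_ARGS)):
        if flags & bit:
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    return header + body


def demo():
    """Write a constructed share layout into a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "Documents Backup.lnk": build_lnk(r".\Update.exe", name="Documents Backup"),
            "Update.exe": b"MZ" + bytes(62),
            "Photo.jpg.exe": b"MZ" + bytes(62),
            "autorun.inf": b"[autorun]\r\nopen=Photo.jpg.exe\r\n",
            "Q3 report.lnk": build_lnk(r".\Q3 report.docx", name="Q3 report"),
            "notes.txt": b"nothing to see\n",
        }
        for fname, content in files.items():
            with open(os.path.join(root, fname), "wb") as fh:
                fh.write(content)
        return [(os.path.basename(p), r) for p, r in scan_share(root)]


if __name__ == "__main__":
    for fname, reason in demo():
        print(f"{fname}: {reason}")
```

Point scan_share at the mount point of a suspect share or USB stick; the benign “Q3 report.lnk” and notes.txt in the fixture produce nothing, while the four TinyLoader-style artefacts are each reported once.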
