
"Cybersecurity researchers have disclosed details of a new malware loader called QuirkyLoader that's being used to deliver via email spam campaigns an array of next-stage payloads ranging from information stealers to remote access trojans since November 2024. Some of the notable malware families distributed using QuirkyLoader include Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger. IBM X-Force, which detailed the malware, said the attacks involve sending spam emails from both legitimate email service providers and a self-hosted email server."
""The actor uses DLL side-loading, a technique where launching the legitimate executable also loads the malicious DLL," security researcher Raymond Joseph Alfonso said. "This DLL, in turn, loads, decrypts, and injects the final payload into its target process." This is achieved by using process hollowing to inject the malware into one of the three processes: AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe. The DLL loader, per IBM, has been used in limited campaigns for the past few months, with two campaigns observed in July 2025 targeting Taiwan and Mexico."
QuirkyLoader is a .NET-based DLL loader delivered via email spam campaigns since November 2024 to deploy information stealers and remote access trojans. The delivery uses malicious archives containing a DLL, an encrypted payload, and a legitimate executable to enable DLL side-loading. The malicious DLL decrypts and injects final payloads by process hollowing into AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe. Distributed families include Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger. Observed campaigns in July 2025 targeted Taiwan and Mexico. The loader is consistently written in .NET with ahead-of-time compilation.
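A defender-side triage heuristic built from the process names above, as an added example that is not IBM X-Force's or The Hacker News' code: it parses constructed process-creation log lines and flags launches of the three hollowing targets whose parent executes from a user-writable directory, or an InstallUtil.exe launch that carries no assembly argument. The log format, the directory regex and the parent-process heuristic are assumptions for illustration, not indicators taken from the report.

```python
import re
from dataclasses import dataclass

# Process-hollowing targets named in the QuirkyLoader write-up. All three are
# .NET Framework utilities that ship with Windows, which is why abusing them blends in.
HOLLOWING_TARGETS = {"addinprocess32.exe", "installutil.exe", "aspnet_wp.exe"}

# Assumption (heuristic, not from the report): the legitimate side-loading host is
# run from wherever the victim unpacked the archive, so a hollowing target whose
# parent executes from a user-writable location is the signal worth alerting on.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.IGNORECASE
)

# Constructed log format, loosely modelled on process-creation telemetry.
EVENT_RE = re.compile(
    r'Image="(?P<image>[^"]*)"\s+ParentImage="(?P<parent>[^"]*)"\s+CommandLine="(?P<cmd>[^"]*)"'
)


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str

    @property
    def name(self) -> str:
        # Basename of the launched image, lower-cased for set membership checks.
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_event(line: str):
    """Parse one log line into a ProcEvent, or None if it does not match the format."""
    m = EVENT_RE.search(line)
    return ProcEvent(m["image"], m["parent"], m["cmd"]) if m else None


def suspicious_reason(ev: ProcEvent):
    """Return a human-readable reason if the event matches the hollowing pattern, else None."""
    if ev.name not in HOLLOWING_TARGETS:
        return None
    if USER_WRITABLE.search(ev.parent_image):
        return "hollowing target spawned by a parent in a user-writable directory"
    # InstallUtil normally receives an assembly path; a bare invocation is unusual
    # and consistent with a process created only to be hollowed (heuristic).
    if ev.name == "installutil.exe" and len(ev.command_line.split()) == 1:
        return "InstallUtil.exe launched with no assembly argument"
    return None


def scan(log_text: str):
    """Return (target name, parent image, reason) for every suspicious event."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        reason = suspicious_reason(ev)
        if reason:
            hits.append((ev.name, ev.parent_image, reason))
    return hits


# Constructed sample telemetry: two benign events and two matching the pattern.
SAMPLE_LOG = r"""
Image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" ParentImage="C:\Users\alice\Downloads\invoice\viewer.exe" CommandLine="InstallUtil.exe"
Image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" ParentImage="C:\Program Files\Vendor\setup.exe" CommandLine="InstallUtil.exe /i C:\Program Files\Vendor\svc.exe"
Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="notepad.exe"
Image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" ParentImage="C:\Users\bob\AppData\Local\Temp\reader.exe" CommandLine="AddInProcess32.exe"
"""

if __name__ == "__main__":
    for name, parent, reason in scan(SAMPLE_LOG):
        print(f"{name} <- {parent}: {reason}")
```

The field names and the user-writable path pattern need adapting to the real telemetry source, and the rule should be tuned against a baseline of legitimate InstallUtil.exe and AddInProcess32.exe launches (installers, Visual Studio add-in hosting) before it is promoted to an alert.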
Read at The Hacker News