QuirkyLoader email-spam loader activity
Malware Activity
Summary
QuirkyLoader is being used in email spam campaigns to deliver information stealers and remote access trojans, expanding the reach of credential theft and remote compromise. The loader has been active since November 2024 and has delivered payloads including Agent Tesla, AsyncRAT, Formbook, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger. The attack chain matters because it uses DLL side-loading and process hollowing to hide the final malware and inject it into target processes.
Related Happenings
GachiLoader kidkadi.node adds VEH-based PE injection for in-memory payload swapping
Technical Analysis
First: 19.12.2025 17:34
Last: 19.12.2025 17:34
Sources 1
About this happening:
A new **GachiLoader** variant uses **kidkadi.node** to perform **PE injection** through **Vectored Exception Handling**, creating an in-memory swapping technique that raises detec...
BADAUDIO first-stage downloader activity
Malware Activity
First: 21.11.2025 12:42
Last: 21.11.2025 12:42
Sources 1
About this happening:
The **BADAUDIO** malware is now documented as a **first-stage downloader** that can **decrypt and execute AES-encrypted payloads** from a hard-coded **C2 server**, increasing the...
GootLoader malware activity with WOFF2 font filename obfuscation
Malware Activity
First: 11.11.2025 17:44
Last: 11.11.2025 17:44
Sources 1
About this happening:
The **GootLoader** loader has resurfaced with a new **WOFF2 font-based** filename obfuscation trick that hides payload names and helps it evade analysis. Huntress observed **three...
CountLoader malware loader used by Russian ransomware gangs for payload delivery
Malware Activity
First: 18.09.2025 15:56
Last: 18.09.2025 15:56
Sources 1
About this happening:
**CountLoader** is being used in **active ransomware operations** to deliver **AdaptixC2** worldwide, with analysts linking the loader to the malware’s deployment and a **DFIR** c...
Latest development: 19.12.2025 17:34
A new CountLoader campaign abuses cracked software distribution sites and MediaFire ZIP archives to deliver CountLoader 3.2, using Setup.exe, mshta.exe, scheduled-task persistence, removable USB spread, and in-memory execution to install ACR Stealer on infected Windows hosts.
TAG-150 CastleLoader and CastleRAT malware operations
Malware Activity
First: 05.09.2025 17:07
Last: 05.09.2025 17:07
Sources 1
About this happening:
The **TAG-150** malware activity now centers on **CastleLoader** and new **CastleRAT** variants (**NightShadeC2**) that researchers mapped across a broader **MaaS** infrastructure...
Timeline
- 21.08.2025 13:41 · 1 article
QuirkyLoader email-spam loader disclosure
Initial Disclosure: IBM X-Force disclosed QuirkyLoader as a new malware loader used in email spam campaigns to deliver next-stage payloads including Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger. The loader chain uses malicious archives containing a DLL, an encrypted payload, and a real executable, then relies on DLL side-loading and process hollowing to inject malware into AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe. IBM also said the activity has been seen since November 2024, with limited campaigns observed in July 2025 targeting Taiwan and Mexico, including a Taiwan-focused campaign that singled out Nusoft Taiwan employees and a Mexico-related campaign that delivered Remcos RAT and AsyncRAT.
Sources:
- Hackers Using New QuirkyLoader Malware to Spread Agent Tesla, AsyncRAT and Snake Keylogger — thehackernews.com — 21.08.2025 13:41
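The three hollowing targets named in the timeline entry (AddInProcess32.exe, InstallUtil.exe, aspnet_wp.exe) are legitimate .NET Framework utilities, so a cheap triage signal is a launch of one of them whose parent executable runs from a user-writable folder, which is consistent with the described chain where the real executable from the archive is run from wherever it was extracted. The following Python snippet is an added example, not code from IBM X-Force or from the article above: it scans constructed process-creation events and flags that parent/child pattern. The event format, field names, trusted-path list and sample paths are assumptions made for this example.

```python
import json
from pathlib import PureWindowsPath

# Legitimate .NET utilities the disclosure names as process-hollowing targets.
HOLLOWING_TARGETS = {"addinprocess32.exe", "installutil.exe", "aspnet_wp.exe"}

# Parent locations treated as expected for these utilities (assumption for this example).
TRUSTED_PARENT_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def is_trusted_parent(parent_image: str) -> bool:
    """True when the parent executable lives under a normally non-user-writable tree."""
    return parent_image.lower().startswith(TRUSTED_PARENT_PREFIXES)


def flag_suspicious_launches(events):
    """Return events where a hollowing target is started by a parent outside trusted paths."""
    hits = []
    for ev in events:
        child = PureWindowsPath(ev["image"]).name.lower()
        if child in HOLLOWING_TARGETS and not is_trusted_parent(ev["parent_image"]):
            hits.append(ev)
    return hits


# Constructed sample process-creation events (not real telemetry), one per line as JSON.
SAMPLE_LOG = r"""
{"ts": "2025-08-21T10:00:01", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe", "parent_image": "C:\\Program Files\\ExampleVendor\\HostApp.exe"}
{"ts": "2025-08-21T10:02:17", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe", "parent_image": "C:\\Users\\alice\\Downloads\\invoice\\viewer.exe"}
{"ts": "2025-08-21T10:03:44", "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"}
"""


def parse_events(log_text: str):
    """Parse JSON-lines process-creation records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


SAMPLE_EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    for hit in flag_suspicious_launches(SAMPLE_EVENTS):
        print(f"{hit['ts']} {hit['image']} started by {hit['parent_image']}")
```

This is only a parent/child heuristic for triage; confirming hollowing still requires memory inspection of the flagged child process, which this snippet does not perform.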