CyberHappenings logo
☰
🏠 Home πŸ“‚ Browse ℹ️ About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

QuirkyLoader Malware Distributes Multiple Payloads in Spam Campaigns

First reported
Last updated
πŸ“° 1 unique sources, 1 articles

Summary

Hide β–²

A new malware loader named QuirkyLoader has been used since November 2024 to distribute various payloads, including Agent Tesla, AsyncRAT, and Snake Keylogger, via email spam campaigns. The loader employs DLL side-loading and process hollowing techniques to inject malware into target processes. Two campaigns in July 2025 targeted Taiwan and Mexico, focusing on specific organizations and random infections, respectively. The loader is written in .NET languages with ahead-of-time (AOT) compilation, making it appear as native machine code. The campaigns highlight evolving phishing tactics, including QR code phishing (quishing) and precision-validated phishing.

Timeline

  1. 21.08.2025 13:41 πŸ“° 1 articles Β· ⏱ 26d ago

    QuirkyLoader Malware Loader Campaigns Target Taiwan and Mexico

    Since November 2024, QuirkyLoader has been used to distribute various malware payloads via email spam campaigns. Two campaigns in July 2025 targeted Taiwan and Mexico, with specific and random infection chains, respectively. The Taiwan campaign targeted Nusoft Taiwan employees with Snake Keylogger, while the Mexico campaign delivered Remcos RAT and AsyncRAT. The loader uses DLL side-loading and process hollowing to inject malware into target processes.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

FileFix Attack Using Steganography to Deploy StealC Infostealer

A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future.

Open in new tab

Resurfaced ChillyHell macOS Backdoor Discovered

A new version of the ChillyHell modular backdoor malware targeting macOS has been discovered. The malware, first seen in 2022, was used in attacks against Ukrainian officials and has now resurfaced with updated capabilities. ChillyHell provides remote access, payload delivery, and password brute-forcing. The malware was notarized by Apple in 2021 and has been publicly hosted on Dropbox since then. The malware disguises itself as an executable applet and deploys as a persistent backdoor, capable of retrieving sensitive data and evading detection. It employs multiple persistence mechanisms and can communicate over different protocols. It also features timestamping to cover its tracks. Apple has revoked the notarization of the developer certificates associated with the malware after being notified. ChillyHell is written in C++ and targets Intel architectures. It is attributed to an uncategorized threat cluster dubbed UNC4487, which has been active since at least October 2022. UNC4487 is suspected to be an espionage actor targeting Ukrainian government entities.

Open in new tab

MostereRAT Malware Campaign Targets Japanese Windows Users

A new malware campaign involving MostereRAT, a banking malware-turned-remote access Trojan (RAT), has been identified. This campaign uses sophisticated evasion techniques, including the use of an obscure programming language, disabling of security tools, and mutual TLS (mTLS) for command-and-control communications to maintain long-term access to compromised systems. The malware targets Microsoft Windows users in Japan, deploying through phishing emails and weaponized Word documents. MostereRAT's capabilities include persistence, privilege escalation, AV evasion, and remote access tool deployment. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools. The malware's design reflects long-term, strategic, and flexible objectives, with capabilities to extend functionality, deploy additional payloads, and apply evasion techniques. These features point to an intent to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data.

Open in new tab

Phishing campaign using SVG files to deploy Base64-encoded pages

A new malware campaign has been identified using Scalable Vector Graphics (SVG) files to deploy phishing pages. The SVG files, distributed via email, impersonate the Colombian judicial system and execute a JavaScript payload to inject a Base64-encoded HTML phishing page. This page mimics an official government document download process while downloading a ZIP archive in the background. The campaign has been active since at least August 14, 2025, and includes 523 unique SVG files that have evaded antivirus detection. The campaign is part of a broader trend where attackers are targeting macOS users with information stealers like Atomic macOS Stealer (AMOS). This stealer can exfiltrate a wide range of sensitive data, including credentials, browser data, and cryptocurrency wallets. The attackers use cracked software and ClickFix-style tactics to lure users into infecting their systems, bypassing macOS's Gatekeeper protections.

Open in new tab

TamperedChef Malware Campaign Targets Users via Fake PDF Editors

A cybercrime campaign using malvertising to distribute a new information stealer called TamperedChef has been discovered. The malware is disguised as a fake PDF editor, AppSuite PDF Editor, and is designed to steal sensitive data, including credentials and web cookies. The campaign began on June 26, 2025, with malicious capabilities activated on August 21, 2025. The malware operates as a backdoor, supporting various features for data exfiltration and system manipulation. The campaign involves multiple fraudulent websites promoting the PDF editor, which, once installed, makes covert requests to an external server to drop the PDF editor program and set up persistence on the host. The malware gathers information about installed security products and attempts to terminate web browsers to access sensitive data. The campaign includes more than 50 domains and apps signed with fraudulent certificates from at least four companies. The threat actor has been active since at least August 2024, promoting other tools like OneStart and Epibrowser, which can turn hosts into residential proxies.

Open in new tab