Advanced .NET Multi-Stage Loader Targets Windows Systems with Evasive Malware

Since early 2022, a sophisticated .NET-based multi-stage malware loader has been actively targeting Windows systems, serving as a conduit for deploying various malicious payloads, including information stealers and remote access trojans. This loader employs a complex three-stage deployment mechanism designed to evade detection and effectively deliver malware to compromised machines.

Evolution and Obfuscation Techniques

The malware initiates its infection chain with a seemingly benign .NET executable that contains encrypted components of subsequent stages. Earlier variants embedded the second stage as hardcoded strings, but newer versions have adopted more advanced concealment methods, such as hiding malicious code within bitmap resources. This evolution underscores the operators’ commitment to maintaining the loader’s effectiveness against modern security solutions.

Detection and Analysis

Researchers at ThreatRay identified this loader through code reuse analysis, connecting approximately 20,000 samples collected over a three-year period. Their tracking revealed that despite frequent changes to the first two stages, the third stage maintains a relatively stable code structure, providing a consistent signature for detection. The primary value of monitoring this loader lies in obtaining fresh samples and indicators of compromise rather than early detection of new malware families.

Impact and Payload Distribution

The loader is used predominantly to distribute commodity threats such as AgentTesla, Formbook, Remcos, and 404Keylogger. Statistical analysis covering March 2022 through February 2025 shows consistent deployment patterns for these payloads, highlighting the loader’s reliability as a malware delivery mechanism for cybercriminals.

Technical Sophistication and Execution Process

The loader’s technical sophistication is most evident in its staged execution process:

1. Initial Stage: The initial .NET executable extracts and decrypts embedded data before executing the second stage in memory.

2. Second Stage: This .NET DLL processes crucial parameters to locate and XOR-decrypt a bitmap resource from the first stage.

3. Third Stage: The final stage manages the deployment of the ultimate payload in memory, completing the infection chain while minimizing detection risk.
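The second stage's trick of XOR-decrypting a payload out of a bitmap resource is exactly what an analyst has to undo to get at the next stage for static analysis. The following is an added triage example, not code from the original article or from ThreatRay: it scans a resource blob for a single-byte-XOR-encoded PE image by looking for offsets where the decoded bytes form a valid DOS/PE header (an `MZ` stub whose `e_lfanew` field points at `PE\0\0`). The single-byte key, the fake "bitmap" wrapper and the sample payload are all constructed assumptions for the demonstration; the report does not state the loader's key length or resource layout, so a real sample may need a multi-byte key search or a proper BMP parser.

```python
"""Triage helper: recover a single-byte-XOR-encoded PE image hidden inside a
bitmap-like resource blob, as an analyst would when pulling the next stage out
of a .NET loader for inspection. Added example; key scheme and layout are
assumptions, not facts about the loader described in the article."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (assumed scheme)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(buf: bytes) -> bool:
    """True if buf starts with a DOS header whose e_lfanew (at 0x3C) points
    at a 'PE\\0\\0' signature inside the buffer."""
    if len(buf) < 0x40 or buf[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return e_lfanew + 4 <= len(buf) and buf[e_lfanew:e_lfanew + 4] == PE_SIG


def find_xored_pe(blob: bytes, keys=range(256)):
    """Return (key, offset, decoded_tail) for the first single-byte key under
    which a PE header appears somewhere in blob, or None.

    Rather than decoding the whole blob 256 times, only offsets whose encoded
    byte pair would decode to 'MZ' are checked, then the full header test runs."""
    for key in keys:
        mz_enc = bytes([ord("M") ^ key, ord("Z") ^ key])
        off = blob.find(mz_enc)
        while off != -1:
            candidate = xor_bytes(blob[off:], key)
            if looks_like_pe(candidate):
                return key, off, candidate
            off = blob.find(mz_enc, off + 1)
    return None


# --- constructed sample input (not a real loader artefact) -------------------
SAMPLE_KEY = 0x5A
PAYLOAD_LEN = 0x100


def build_fake_pe() -> bytes:
    """Minimal PE-shaped header: 'MZ', e_lfanew = 0x80, 'PE\\0\\0' at 0x80,
    Machine = 0x14C (i386). Constructed for the test; not a loadable image."""
    hdr = bytearray(PAYLOAD_LEN)
    hdr[0:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = PE_SIG
    struct.pack_into("<H", hdr, 0x84, 0x14C)
    return bytes(hdr)


def build_sample_resource(key: int = SAMPLE_KEY) -> bytes:
    """Wrap the XOR-encoded fake PE in a bitmap-looking blob: a 'BM' stub,
    256 bytes of filler 'pixels', the encoded payload, then trailing zeros."""
    bmp_stub = b"BM" + bytes(12)        # constructed stand-in, not a valid BMP
    pixels = bytes(range(256))          # constructed filler
    return bmp_stub + pixels + xor_bytes(build_fake_pe(), key) + bytes(64)


def recover_payload(blob: bytes):
    """Convenience wrapper returning (key, offset, payload_bytes) trimmed to
    the constructed payload length, or None if nothing was found."""
    hit = find_xored_pe(blob)
    if hit is None:
        return None
    key, off, decoded = hit
    return key, off, decoded[:PAYLOAD_LEN]


if __name__ == "__main__":
    result = recover_payload(build_sample_resource())
    if result is None:
        print("no XOR-encoded PE header found")
    else:
        key, off, payload = result
        print(f"key=0x{key:02x} offset={off} starts={payload[:2]!r}")
```

On a real resource the same search runs over the raw bytes pulled from the assembly's resource table; a hit gives the key and offset to carve the stage out for sandboxing or disassembly, while a miss suggests a longer key or a different layout rather than proving the resource is benign.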

This carefully orchestrated process demonstrates the sophisticated techniques modern malware employs to compromise systems while evading detection.