Cybersecurity researchers have disclosed particulars of a brand new malware loader known as QuirkyLoader that is getting used to ship by way of electronic mail spam campaigns an array of next-stage payloads starting from info stealers to distant entry trojans since November 2024.
Among the notable malware households distributed utilizing QuirkyLoader embrace Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger.
IBM X-Pressure, which detailed the malware, mentioned the assaults contain sending spam emails from each respectable electronic mail service suppliers and a self-hosted electronic mail server. These emails characteristic a malicious archive, which comprises a DLL, an encrypted payload, and an actual executable.
“The actor makes use of DLL side-loading, a way the place launching the respectable executable additionally masses the malicious DLL,” safety researcher Raymond Joseph Alfonso mentioned. “This DLL, in flip, masses, decrypts, and injects the ultimate payload into its goal course of.”
That is achieved by utilizing course of hollowing to inject the malware into one of many three processes: AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe.
The DLL loader, per IBM, has been utilized in restricted campaigns for the previous few months, with two campaigns noticed in July 2025 concentrating on Taiwan and Mexico.
The marketing campaign concentrating on Taiwan is claimed to have particularly singled out staff of Nusoft Taiwan, a community and web safety analysis firm primarily based in New Taipei Metropolis, with the aim of infecting them with Snake Keylogger, which is able to stealing delicate info from well-liked net browsers, keystrokes, and clipboard content material.
The Mexico-related marketing campaign, however, is assessed to be random, with the an infection chains delivering Remcos RAT and AsyncRAT.
“The risk actor persistently writes the DLL loader module in .NET languages and makes use of ahead-of-time (AOT) compilation,” Alfonso mentioned. “This course of compiles the code into native machine code earlier than execution, making the ensuing binary seem as if it had been written in C or C++.”
New Phishing Traits
The event comes as risk actors are utilizing new QR code phishing (aka quishing) techniques like splitting malicious QR codes into two elements or embedding them inside respectable ones in electronic mail messages propagated by way of phishing kits like Gabagool and Tycoon, respectively, to evade detection, demonstrating ongoing evolution.
“Malicious QR codes are well-liked with attackers for a number of causes,” Barracuda researcher Rohit Suresh Kanase mentioned. “They can’t be learn by people so do not increase any pink flags, they usually can usually bypass conventional safety measures resembling electronic mail filters and hyperlink scanners.”
“Moreover, since recipients usually have to change to a cellular system to scan the code, it may take customers out of the corporate safety perimeter and away from safety.”
The findings additionally observe the emergence of a phishing equipment utilized by the PoisonSeed risk actor to amass credentials and two-factor authentication (2FA) codes from people and organizations to achieve entry to victims’ accounts and use them to ship emails for finishing up cryptocurrency scams.
“The domains internet hosting this phishing equipment impersonate login companies from distinguished CRM and bulk electronic mail firms like Google, SendGrid, Mailchimp, and sure others, concentrating on people’ credentials,” NVISO Labs mentioned. “PoisonSeed employs spear-phishing emails embedding malicious hyperlinks, which redirect victims to their phishing equipment.”
A noteworthy facet of the equipment is the usage of a way referred to as precision-validated phishing through which the attacker validates an electronic mail deal with in real-time within the background, whereas a faux Cloudflare Turnstile problem is served to the person. As soon as the checks are handed, a login type impersonating the respectable on-line platform seems, permitting the risk actors to seize submitted credentials after which relay them to the service.
