BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

How to analyze Loader with ANY.RUN

Top malware of this type

Trend changes
Tasks overall
  • 2

    Smoke Loader

  • 3


  • 4


  • 5


  • 6


  • 7


  • 8


  • 9


  • 10


  • 11


  • Last Seen at

    Recent blog posts

    post image
    Malware Trends Report: Q2, 2024 
    watchers 1338
    comments 0
    post image
    A Guide to Common Encryption Algorithms in Mo...
    watchers 359
    comments 0
    post image
    Search for Network Threats by Suricata in TI...
    watchers 682
    comments 0

    What is a loader malware?

    Loaders, also known as downloaders, are a type of malware that is built for the purpose of penetrating the security infrastructure of devices and subsequent delivery of malicious payloads. This kind of malware is used during the initial stage of multi-stage malware attacks to download and execute the core malware on a compromised system.

    Loaders are usually developed and run by organized crime groups that specialize solely in infiltrating computers and then charging clients, various threat actors, for deploying their specific malware on these endpoints. The particular type of malware deployed on infected systems by loaders ranges from spyware to ransomware and even other loaders.

    Since loaders are a type of remote access trojans (RATs), they allow their operators to maintain full or partial remote control over compromised endpoints. This is usually done through a control panel. For instance, in the case of PrivateLoader, criminals can track their activity, including the overall number of successful installations, as well as add and remove extra payloads that they wish to deliver to infected devices.

    Get started today for free

    Easily analyze emerging malware with ANY.RUN interactive online sandbox

    Register for free

    What can a loader do to a computer?

    Although loaders are designed with the sole purpose in mind of spreading other malware across compromised systems, developers often equip them with a range of other advanced capabilities, directly or indirectly related to their primary functionality. As a result, most loaders can:

    • Gather system information: Loaders can collect different details about devices, such as the operating system version, installed software, hardware configuration, and network settings. This allows them to select the payload, which will be most suitable for the specific system.
    • Target users based on geo: They can filter targets based on their geographical location, focusing on various regions or certain countries.
    • Maintain connection with C2 server: Operators can manage loaders with a command-and-control (C2) server.
    • Disable security solutions: Loaders have multiple mechanics for circumventing mainstream security solutions, allowing them to pass unnoticed.
    • Move laterally: They can spread laterally across the entire network of computers, once they gain a foothold on one of them, compromising more endpoints.

    Many loaders are modular, meaning that they can be easily configured to carry out extra functions by simply integrating the corresponding module. For instance, Smoke Loader has an additional capability of stealing data on victims’ devices. It not only collects system information, but also passwords and other credentials from browsers and apps and then exfiltrates them to the attacker.

    How do loaders spread?

    Threat actors employ a variety of methods to spread loader malware. One of the most common methods is through phishing campaigns. These campaigns involve sending emails to unsuspecting users that appear to be from legitimate organizations or individuals. Such emails often contain a link to a malicious website or an attachment in the form of a document or archive. When users download and run these attached files, they trigger an infection chain that leads to the deployment of a loader on their system and the subsequent delivery of additional payloads.

    Prevent loader infection by proactively analyzing suspicious files in the ANY.RUN sandbox – request a demo.

    Another common way for loaders to find their way onto users' computers is through fake software. For example, GCleaner, a loader that disguises itself as a legitimate PC program, actually just downloads and installs other malware. It operates based on a pay-per-install model, where criminals pay GCleaner operators each time their payload is dropped on an infected system.

    How does a loader operate on an infected system?

    Once loaders are launched, they first establish persistence on the infected machine through various mechanisms. For instance, they can create new processes or exploit legitimate Windows processes’ privileges. This allows loaders to avoid detection by security software. To ensure that the loader remains active after rebooting it often adds its process to the startup using Task Scheduler.

    Next, the loader malware collects information about the system and attempts to establish connection with its C2 server to transmit the data to attackers. The server then responds with an encrypted payload that the loader executes and infects the system with a new malware family. It is worth noting that loaders often make use of the Dead Drop Resolver technique, where they host malicious code on the servers of popular services and apps, such as Discord.

    Loaders also utilize encryption in order to prevent professionals from analyzing its code and C2 communication. They also employ anti-debugging to further make it difficult to understand how it works.

    To see in detail how a typical loader operates, we can upload a sample of PrivateLoader to the ANY.RUN sandbox.

    Upon infiltrating the target device, the primary PrivateLoader process spawns a child process whose executable file resides in the user's "Pictures" directory. This newly created child process is subsequently incorporated into the system's startup routine using Task Scheduler.

    Examination of the HTTP requests reveals connections and data transfers with the C2 server. Both the sent and received content in POST requests is BASE64-encoded. Further analysis of the indicators reveals that the malware steals user credentials from web browsers.

    PrivateLoader process tree A process tree of a PrivateLoader sample demonstrated by ANY.RUN

    The most common loaders today

    Having a clear threat visibility and knowing which loaders are active at the moment is critical for organizations’ proactive cybersecurity. To track both emerging and persistent malware, use ANY.RUN’s Malware Trends Tracker.

    Here are top three Loaders right now, according to the service:

    • PrivateLoader: This malicious software is primarily distributed through websites offering cracked versions of popular software. Once installed, PrivateLoader can lead to the deployment of trojans, stealers, or other types of malware. Check out an in-depth technical analysis of PrivateLoader in our blog.
    • GuLoader: Also known as CloudEyE or vbdropper, it is a first-stage loader that usually drops trojans or remote access trojans (RATs). It implements anti-detection and obfuscation techniques, enabling it to evade network detection and slip past security systems.
    • Smoke Loader: Active since 2011, this loader has a modular design that allows threat actors not only to install various types of malware on compromised systems, but also steal sensitive data from victims.

    How can I detect a loader?

    Protecting your organization from loaders and other malicious software requires a solid stack of security solutions. One of the key elements of proper security posture is malware analysis sandboxes.

    ANY.RUN is a cloud-based sandbox that lets users analyze files and URLs and quickly discover whether they are malicious or not. On top of advanced analysis capabilities, the platform provides comprehensive reports on threats submitted by users, containing relevant IOCs and malware configs.

    Try ANY.RUN for free – request a demo!


    DarkGate screenshot
    DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.
    Read More
    DBatLoader screenshot
    DBatLoader is a loader malware used for distributing payloads of different types, including WarzoneRAT and Formbook. It is employed in multi-stage attacks that usually start with a phishing email carrying a malicious attachment.
    Read More
    GCleaner screenshot
    GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools
    Read More
    Glupteba screenshot
    glupteba trojan loader
    Glupteba is a loader with information-stealing and traffic routing functionality. It is designed primarily to install other viruses on infected PCs but can do much more than that. In addition, it is being constantly updated, making this virus one to watch out for.
    Read More
    Hancitor screenshot
    hancitor loader trojan
    Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. This malware is available as a service which makes it accessible tools to criminals and contributes to the popularity of this virus.
    Read More
    HijackLoader screenshot
    HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.
    Read More

    Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy