Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

How to analyze Loader with ANY.RUN

Last Seen at

Recent blog posts

post image
Access and Use ANY.RUN’s TI Feeds via MISP
watchers 263
comments 0
post image
Analysis of Nova: A Snake Keylogger Fork
watchers 1376
comments 0
post image
Manufacturing Companies Targeted with New Lum...
watchers 1819
comments 0

What is a loader malware?

Loaders, also known as downloaders, are a type of malware that is built for the purpose of penetrating the security infrastructure of devices and subsequent delivery of malicious payloads. This kind of malware is used during the initial stage of multi-stage malware attacks to download and execute the core malware on a compromised system.

Loaders are usually developed and run by organized crime groups that specialize solely in infiltrating computers and then charging clients, various threat actors, for deploying their specific malware on these endpoints. The particular type of malware deployed on infected systems by loaders ranges from spyware to ransomware and even other loaders.

Since loaders are a type of remote access trojans (RATs), they allow their operators to maintain full or partial remote control over compromised endpoints. This is usually done through a control panel. For instance, in the case of PrivateLoader, criminals can track their activity, including the overall number of successful installations, as well as add and remove extra payloads that they wish to deliver to infected devices.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

What can a loader do to a computer?

Although loaders are designed with the sole purpose in mind of spreading other malware across compromised systems, developers often equip them with a range of other advanced capabilities, directly or indirectly related to their primary functionality. As a result, most loaders can:

  • Gather system information: Loaders can collect different details about devices, such as the operating system version, installed software, hardware configuration, and network settings. This allows them to select the payload, which will be most suitable for the specific system.
  • Target users based on geo: They can filter targets based on their geographical location, focusing on various regions or certain countries.
  • Maintain connection with C2 server: Operators can manage loaders with a command-and-control (C2) server.
  • Disable security solutions: Loaders have multiple mechanics for circumventing mainstream security solutions, allowing them to pass unnoticed.
  • Move laterally: They can spread laterally across the entire network of computers, once they gain a foothold on one of them, compromising more endpoints.

Many loaders are modular, meaning that they can be easily configured to carry out extra functions by simply integrating the corresponding module. For instance, Smoke Loader has an additional capability of stealing data on victims’ devices. It not only collects system information, but also passwords and other credentials from browsers and apps and then exfiltrates them to the attacker.

How do loaders spread?

Threat actors employ a variety of methods to spread loader malware. One of the most common methods is through phishing campaigns. These campaigns involve sending emails to unsuspecting users that appear to be from legitimate organizations or individuals. Such emails often contain a link to a malicious website or an attachment in the form of a document or archive. When users download and run these attached files, they trigger an infection chain that leads to the deployment of a loader on their system and the subsequent delivery of additional payloads.

Prevent loader infection by proactively analyzing suspicious files in the ANY.RUN sandbox – request a demo.

Another common way for loaders to find their way onto users' computers is through fake software. For example, GCleaner, a loader that disguises itself as a legitimate PC program, actually just downloads and installs other malware. It operates based on a pay-per-install model, where criminals pay GCleaner operators each time their payload is dropped on an infected system.

How does a loader operate on an infected system?

Once loaders are launched, they first establish persistence on the infected machine through various mechanisms. For instance, they can create new processes or exploit legitimate Windows processes’ privileges. This allows loaders to avoid detection by security software. To ensure that the loader remains active after rebooting it often adds its process to the startup using Task Scheduler.

Next, the loader malware collects information about the system and attempts to establish connection with its C2 server to transmit the data to attackers. The server then responds with an encrypted payload that the loader executes and infects the system with a new malware family. It is worth noting that loaders often make use of the Dead Drop Resolver technique, where they host malicious code on the servers of popular services and apps, such as Discord.

Loaders also utilize encryption in order to prevent professionals from analyzing its code and C2 communication. They also employ anti-debugging to further make it difficult to understand how it works.

To see in detail how a typical loader operates, we can upload a sample of PrivateLoader to the ANY.RUN sandbox.

Upon infiltrating the target device, the primary PrivateLoader process spawns a child process whose executable file resides in the user's "Pictures" directory. This newly created child process is subsequently incorporated into the system's startup routine using Task Scheduler.

Examination of the HTTP requests reveals connections and data transfers with the C2 server. Both the sent and received content in POST requests is BASE64-encoded. Further analysis of the indicators reveals that the malware steals user credentials from web browsers.

PrivateLoader process tree A process tree of a PrivateLoader sample demonstrated by ANY.RUN

The most common loaders today

Having a clear threat visibility and knowing which loaders are active at the moment is critical for organizations’ proactive cybersecurity. To track both emerging and persistent malware, use ANY.RUN’s Malware Trends Tracker.

Here are top three Loaders right now, according to the service:

  • PrivateLoader: This malicious software is primarily distributed through websites offering cracked versions of popular software. Once installed, PrivateLoader can lead to the deployment of trojans, stealers, or other types of malware. Check out an in-depth technical analysis of PrivateLoader in our blog.
  • GuLoader: Also known as CloudEyE or vbdropper, it is a first-stage loader that usually drops trojans or remote access trojans (RATs). It implements anti-detection and obfuscation techniques, enabling it to evade network detection and slip past security systems.
  • Smoke Loader: Active since 2011, this loader has a modular design that allows threat actors not only to install various types of malware on compromised systems, but also steal sensitive data from victims.

How can I detect a loader?

Protecting your organization from loaders and other malicious software requires a solid stack of security solutions. One of the key elements of proper security posture is malware analysis sandboxes.

ANY.RUN is a cloud-based sandbox that lets users analyze files and URLs and quickly discover whether they are malicious or not. On top of advanced analysis capabilities, the platform provides comprehensive reports on threats submitted by users, containing relevant IOCs and malware configs.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
DarkGate screenshot
DarkGate
darkgate
DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.
Read More
Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More
SSLoad screenshot
SSLoad
ssload
SSLoad is a malicious loader or downloader that is used to infiltrate target systems through phishing emails, perform reconnaissance and transmit it back to its operators delivering malicious payloads. To avoid detection, SSLoad employs various encryption methods and delivery techniques highlighting its versatile nature and complexity. It is believed to be a part of Malware-as-a-Service (MaaS) operation given its diverse delivery methods and implemented techniques.
Read More
Emmenhtal screenshot
Emmenhtal
emmenhtal
First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.
Read More