Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

PrivateLoader

68
Global rank
73 infographic chevron month
Month rank
65 infographic chevron week
Week rank
0
IOCs

PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware.

Loader
Type
ex-USSR
Origin
1 May, 2021
First seen
8 February, 2025
Last seen

How to analyze PrivateLoader with ANY.RUN

Type
ex-USSR
Origin
1 May, 2021
First seen
8 February, 2025
Last seen

IOCs

IP addresses
190.219.153.101
79.137.205.112
104.47.53.36
193.106.175.148
104.26.8.139
31.210.20.251
181.63.252.68
179.26.198.190
77.28.83.241
104.21.44.192
20.255.200.185
185.82.216.64
187.147.209.115
190.103.205.174
187.251.132.139
79.137.202.224
95.111.233.125
193.56.146.5
140.82.121.4
195.96.151.46
Domains
interactiedovspm.shop
vozmeatillu.shop
fragnantbui.shop
reinforcenh.shop
ghostreedmnu.shop
charecteristicdxp.shop
weiggheticulop.shop
stogeneratmns.shop
cagedwifedsozm.shop
deicedosmzj.shop
consciousourwi.shop
gutterydhowi.shop
drawzhotdog.shop
southedhiscuso.shop
potentioallykeos.shop
offensivedzvju.shop
livestream-ufc.com
maxximbrasil.com
230320051222585.btl.jbc75.shop
230224175748394.uba.xlf07.shop
URLs
http://sarfoods.com/index.php
http://91.241.19.125/pub.php
http://85.192.56.26/api/bing_release.php
http://5.42.66.10/api/bing_release.php
http://wfsdragon.ru/api/setStats.php
http://5.42.99.177/api/crazyfish.php
http://5.42.66.10/api/crazyfish.php
http://37.0.11.9/base/api/getData.php
http://136.144.41.152/base/api/getData.php
http://41.216.188.190/api/wp-admin.php
http://41.216.188.190/api/wp-ping.php
http://89.169.53.206/api/crazyfish.php
http://45.91.200.135/api/twofish.php
http://45.91.200.135/api/crazyfish.php
http://109.120.176.203/api/twofish.php
http://109.120.176.203/api/crazyfish.php
http://77.105.133.27/api/twofish.php
http://77.105.133.27/download/123p.exe
http://77.105.133.27/download/th/space.php
http://77.105.133.27/api/crazyfish.php
Last Seen at
Last Seen at

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 213
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 588
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1483
comments 0

What is PrivateLoader malware?

PrivateLoader is a loader, which serves to embed other malware families on compromised systems. The creators of this malicious software, who are likely to be from ex-USSR countries, monetize their activity by charging various threat actors for the installation of their particular type of payload. The services are advertised openly on forums and Telegram channels, making them widely accessible.

The earliest instances of the malware’s activity can be traced to the beginning of 2021. However, researchers were able to spot it for the first time only in 2022, when it gained notoriety as the most widely used loader of the year.

A common vector of infection in the case of PrivateLoader has been through websites offering cracked versions of popular software. Once victims downloaded a file from such sites and ran an alleged software executable, they launched a chain reaction, which led to the installation of PrivateLoader and eventually to a trojan, stealer, or another type of malware being deployed on their system.

Some of the known malware families that have been pushed by PrivateLoader include Redline, DCRAT, Raccoon, and Smokeloader.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the PrivateLoader malicious software

PrivateLoader is written in C++ and has a control panel, allowing operators to manage its activity, including by adding new payload links and tracking the total number of installations.

PrivateLoader is set up to drop payloads depending on the configuration of each victim’s system. For instance, it can distribute malware based on the geo location. It can also scan the machine to determine if there are any crypto wallets installed and see banking credentials. Yet, in most cases, it does not exfiltrate this information.

PrivateLoader is a modular threat, consisting of three distinct parts, each with its own purpose. It starts with the Loader module, which is intended for downloading the main Core module. The latter then contacts the command-and-control server (C2) and drops the next-stage threat, as well as the Service module that is regularly updated and responsible for keeping the loader on the victim’s system. In certain instances, PrivateLoader can drop several payloads.

The malware also makes use of the Dead Drop Resolver technique, where it utilizes legitimate services, such as Discord, to host malicious payloads.

PrivateLoader employs various techniques to prevent analysis, including encrypting its important strings and obfuscating the C2 communication.

Execution process of PrivateLoader

Let’s see how PrivateLoader operates in detail by uploading its sample to ANY.RUN, an interactive sandbox for malware analysis.

The main PrivateLoader process creates a child process whose executable file is located in the user’s “Pictures” directory. The created child process is added to the startup using Task Scheduler. The executable file of the child process was downloaded from the Internet.

Analyzing the HTTP requests, we can observe connections and data exchanges with the C2 server. The content sent (as well as received) in POST requests consists of BASE64-encoded strings. Moving forward to the indicators, we can see that the malware steals user credentials from browsers.

Read a detailed analysis of PrivateLoader in our blog.

PrivateLoader process tree shown in ANY.RUN PrivateLoader’s process tree demonstrated in ANY.RUN

Distribution methods of the PrivateLoader malware

As mentioned above, the primary way PrivateLoader can infect a computer is via a direct download. Attackers employ SEO poisoning to boost the ranking of their websites. Users visit these links in search of different types of legitimate programs. Yet, after downloading an archive from the website and opening its contents, an infection begins, allowing PrivateLoader to compromise the entire system.

Conclusion

PrivateLoader is a serious threat to organizations and individuals because of the scale of its operation, as it can infect hundreds of thousands of computers in a short period of time. In order to avoid falling victim to this and other malware, it is vital to steer clear of suspicious websites and never download software from unofficial sources.

To determine whether a certain file or link is malicious, use ANY.RUN. It is a malware sandbox that provides users with the ability to interact with the samples at hand in a safe cloud environment. For instance, PrivateLoader usually comes packed into a passworded archive. ANY.RUN lets you easily open it, extract the contents, and run them as if you were using your own computer to expose any harmful behavior and collect IOCs.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More
Adware screenshot
Adware
adware
Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.
Read More
Raspberry Robin screenshot
Raspberry Robin
raspberryrobin
Raspberry Robin is a trojan that primarily spreads through infected USB drives and exploits legitimate Windows commands. This malware is known for its advanced obfuscation techniques, anti-debugging mechanisms, and ability to gain persistence on infected systems. Raspberry Robin often communicates with command-and-control servers over the TOR network and can download additional malicious payloads.
Read More
GootLoader screenshot
GootLoader
gootloader
GootLoader is an initial-access-as-a-service malware that operates by delivering the GootKit banking trojan and other malicious payloads. It utilizes techniques such as fileless execution and process injection to avoid detection. The malware is often distributed through SEO poisoning and compromised websites, deceiving users into downloading infected files.
Read More
Orcus RAT screenshot
Orcus RAT
orcus rat trojan
Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.
Read More