Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

SSLoad

129
Global rank
120 infographic chevron month
Month rank
130 infographic chevron week
Week rank
0
IOCs

SSLoad is a malicious loader or downloader that is used to infiltrate target systems through phishing emails, perform reconnaissance and transmit it back to its operators delivering malicious payloads. To avoid detection, SSLoad employs various encryption methods and delivery techniques highlighting its versatile nature and complexity. It is believed to be a part of Malware-as-a-Service (MaaS) operation given its diverse delivery methods and implemented techniques.

Loader
Type
Unknown
Origin
1 January, 2024
First seen
19 February, 2025
Last seen

How to analyze SSLoad with ANY.RUN

Type
Unknown
Origin
1 January, 2024
First seen
19 February, 2025
Last seen

IOCs

IP addresses
85.239.53.219
23.95.209.148
Domains
23-95-209-148-host.colocrossing.com
bjsdg0.pintaexoticfashion.co.in
l1-03.winupdate.us.to
t0talwar.screenconnect.com
tjx-usa.com
Last Seen at

Recent blog posts

post image
TI Lookup Named Best Threat Intelligence Serv...
watchers 187
comments 0
post image
Decoding a Malware Analyst: Essential Skills...
watchers 252
comments 0
post image
Expose Android Malware in Seconds: ANY.RUN Sa...
watchers 2785
comments 0

What is SSLoad malware?

SSLoad is a malware loader known for its complex attack techniques. Its delivery methods and infiltration techniques vary with each deployment, making it challenging for malware hunters to detect.

This loader has been active since January 2024. Recent reports indicate that SSLoad has been used to deploy Cobalt Strike, a popular adversary simulation software often utilized for post-exploitation activities. In one of campaigns, the attackers employed the DLL side-loading technique, involving a decoy Word document that delivers the SSLoad DLL.

Another reported attack utilized an MSI installer distributed via a phishing email that redirected victims to a fake Azure page. From there, a JavaScript script was downloaded, which in turn downloaded the MSI installer, eventually loading the SSLoad payload.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

SSLoad malware technical details

SSLoad’s primary function is to download and execute additional malicious payloads on the compromised system.

Some of the key capabilities of SSLoad malware include:

  • Collecting detailed information about the infected system, such as hardware specifications, software versions, and network details.
  • Transmitting detailed system information to attackers.
  • Maintaining long-term access through registry modifications, scheduled tasks, or DLL side-loading.
  • Using obfuscation, in-memory execution, and checking for virtual environments to evade detection.
  • Communicating with its C2 server via encrypted HTTP/HTTPS protocols to receive commands and download further payloads.

Early versions of SSLoad malware initially connected to a Telegram channel named "SSLoad" using the first-stage DLL to retrieve an additional URL.

Upon establishing this connection, the malware would download a compressed PE file, utilizing specific User-Agent and Content-Type headers over HTTP. The downloaded file was then decompressed and executed directly in memory, bypassing traditional disk-based detection methods.

Since its inception, SSLoad has undergone several updates, evolving its command-and-control (C2) communication strategies and altering the supporting executables used to load the malware.

Recent versions of SSLoad avoid the first-stage DLL and load the malware directly into the victim’s machine, making detection even more challenging.

Infectious files used by the attackers come in different formats, including compressed archives (e.g., ZIP, RAR), executables (.exe, .bat), documents (e.g., PDF, Microsoft Office files), and scripts such as JavaScript.

Once a user opens, runs, or interacts with one of these malicious files, the infection chain is triggered, leading to the deployment of SSLoad and other associated malware.

Ssload execution process

The execution chain of SSLoad malware involves a series of steps designed to infiltrate systems, gather intelligence, and deploy additional payloads. SSLoad is often delivered through phishing emails containing malicious attachments.

One of the common methods includes a decoy Word document. Let’s run a sample in the ANY.RUN sandbox to observe this method.

SSload report in ANY.RUN Malicious Word document analyzed in ANY.RUN sandbox

When opened, you can notice how the Word document executes a DLL file associated with SSLoad.

Another approach involves a phishing email that directs users to a fake Azure page, leading to the download of a JavaScript file, which then downloads an MSI installer containing the SSLoad payload.

Let’s run another sample of the SSLoad malware in the ANY.RUN sandbox to observe this execution method: MSI installer containing SSLoad malware:

SSload report in ANY.RUN SSLoad process graph with MSI installer in ANY.RUN

The MSI installer plays a crucial role in the execution chain. Upon execution, it initiates a series of actions that deploy the SSLoad payload. This installer is designed to execute specific custom actions that facilitate the malware's installation and operation on the victim's machine. Once the MSI installer is run, it extracts and executes the SSLoad payload, typically a Rust-based executable.

The payload first checks for existing instances of itself on the machine by creating a mutex. If the mutex is found, the malware ceases execution to avoid running multiple instances. After confirming it is the only instance running, SSLoad conducts reconnaissance to gather information about the infected system, transmitting this data back to its operators. SSLoad can deliver further payloads, such as Cobalt Strike, which is used for lateral movement and further exploitation within the network.

SSLoad employs various techniques to evade detection and analysis. For instance, it checks the Process Environment Block (PEB) for the BeingDebugged flag, which indicates if the process is being monitored. If it detects debugging, it can alter its behavior to avoid analysis.

The SSLoad malware may also use the Task Scheduler for time-based evasion, such as delaying execution until a specific time or event. You can run the sample and analyze its behavior here: DLL file execution:

SSload report in ANY.RUN SSLoad process graph with DLL file in ANY.RUN

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

SSLoad malware distribution methods

Similar to other loaders, like PrivateLoader and GuLoader, cybercriminals may use a variety of methods to spread SSLoad. Phishing and social engineering are the primary tactics, where malware is often disguised as or bundled with seemingly legitimate content to trick users into downloading and executing it.

Key methods include:

  • Phishing emails: Malicious links or attachments in emails that appear to be from trusted sources.
  • Malicious attachments: Files like Word documents, PDFs, or Excel sheets that execute SSLoad when opened.
  • Compromised websites: Sites that trick users into downloading SSLoad.
  • Malicious scripts: JavaScript or other scripts that download and execute SSLoad when triggered.
  • File bundling: SSLoad is bundled with seemingly harmless software or cracked applications, installing when these are run.

Conclusion

SSLoad is a stealthy and malicious loader that poses a significant detection challenge due to its varied distribution methods and sophisticated infiltration techniques.

ANY.RUN is a powerful cloud-based service that enables safe analysis of malicious files, including those infected with SSLoad. It provides a secure environment to observe malware behavior and collect indicators of compromise (IOCs). By using ANY.RUN, you can gain valuable insights into SSLoad’s deployment tactics and strengthen your defenses against it.

Sign up for your free ANY.RUN account today!

HAVE A LOOK AT

Spyware screenshot
Spyware
spyware
Spyware is a stealth form of malware whose primary objective is to gather sensitive information, such as personal data, login credentials, and financial details, by monitoring user activities and exploiting system vulnerabilities. Spyware operates secretly in the background, evading detection while transmitting collected data to cybercriminals, who can then use it for malicious purposes like identity theft, financial fraud, or espionage.
Read More
GuLoader screenshot
GuLoader
guloader
GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.
Read More
DarkGate screenshot
DarkGate
darkgate
DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.
Read More
Emmenhtal screenshot
Emmenhtal
emmenhtal
First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.
Read More
Fog Ransomware screenshot
Fog is a ransomware strain that locks and steals sensitive information both on Windows and Linux endpoints. The medial ransom demand is $220,000. The medial payment is $100,000. First spotted in the spring of 2024, it was used to attack educational organizations in the USA, later expanding on other sectors and countries. Main distribution method — compromised VPN credentials.
Read More
Jigsaw screenshot
Jigsaw
jigsaw
The Jigsaw ransomware, initially detected in 2016, encrypts files on compromised systems and requires a ransom payment in Bitcoin. If the ransom is not paid, the malware starts deleting files, increasing the pressure on victims to comply. Its source code is publicly accessible, allowing various threat actors to customize and repurpose the malware for different objectives.
Read More