#stealer/#Loader
If a product is given away for free, it means either the users pay (access, bots, CPU, data),
or someone's botnet pays.
The "gift with a hook" model: 90% of "cracks" and "loaders" are:
loader + stealer,
loader + dropper,
loader + C2 beacon.
January 2, 2026 at 5:49 AM
BeaverTail is a JavaScript-based info stealer and loader. Recent samples show heavy obfuscation using layered Base64 and XOR encoding, harvesting host and user data before reaching out to C2 servers to fetch follow-on payloads like the InvisibleFerret backdoor.
December 23, 2025 at 10:30 AM
Howler Cell found cracked-software distribution of CountLoader v3.2 (SHA256 eac4f6a1...). Loader runs via MSHTA, adds USB propagation and in‑memory ACR Stealer delivery using a trojanized WinX_DVD_Pro.exe. #CountLoader #ACRStealer https://bit.ly/4pNkFqV
December 19, 2025 at 8:31 PM
...RustyAttr, Akira Ransomware (both Akira_v2 and Megazord), Banshee (Rust variant), RALord Ransomware, RustoBot, Tetra Loader, EDDIESTEALER, Myth Stealer, Rustonotto, RustyPages, ChaosBot

This is ~1 new Rust malware family per month. Rust as a programming language for malware is here to stay!
December 15, 2025 at 3:42 PM
Xillen Stealer v5: Advanced Credential Theft and Loader Platform
Threat Group – Xillen Killers
Threat Type – Information stealer and loader operating under a Malware as a Service model
Exploited...

#Malware #C2 #Credential #Theft #Downloader

November 24, 2025 at 1:53 AM
2025-10-16 (Thursday): Unidentified #stealer/#Loader found when searching for URLs that follow patterns previously seen for Koi Loader/Koi Stealer.

Details at github.com/malware-traf...
October 16, 2025 at 5:18 PM
~Paloalto~
PhantomVAI Loader uses phishing and steganography to deliver multiple infostealers like Katz Stealer, AsyncRAT, and XWorm.
-
IOCs: (None identified)
-
#Infostealer #Malware #PhantomVAI #ThreatIntel
PhantomVAI Loader Delivers Infostealers
unit42.paloaltonetworks.com
October 15, 2025 at 4:03 PM
Proofpoint Threat Research details TA585, a sophisticated actor that manages its own infrastructure, delivery, and malware installation, and delivers MonsterV2, which has capabilities of a RAT, stealer, and loader. www.proofpoint.com/us/blog/thre...
October 14, 2025 at 8:18 AM
TA585 uses MonsterV2 for targeted attacks against financial companies, controlling the entire infection chain with an advanced RAT, stealer and loader.

#ClickFix #LummaStealer #MonsterV2 #Proofpoint #Rhadamanthys #TA585
www.matricedigitale.it/2025/10/14/t...
October 14, 2025 at 7:37 AM
MonsterV2 fast facts:

⚡️ Has capabilities of a remote access trojan (RAT), loader, and stealer

⚡️ Avoids infecting computers in Commonwealth of Independent States (CIS) countries

⚡️ Expensive compared to its peer malware families

⚡️ Used by TA585 and a small number of actors
October 13, 2025 at 8:35 PM
2025-10-10 (Friday): Was looking for Koi Loader/Koi Stealer, and I found this #WebDAV server that hosted malicious Windows shortcut (#LNK) files.

Not sure what type of #malware this is, but it's not Koi Stealer.

Details at github.com/malware-traf...
October 11, 2025 at 1:16 AM
CyberProof reports a spike in DarkCloud Stealer attacks against financial firms in August 2025 via phishing. Samples steal credentials from email and FTP clients and browsers, inject into MSBuild.exe, and use a JPG-embedded loader. www.cyberproof.com/blog/darkclo...
September 15, 2025 at 11:09 AM
~Zscaler~
North Korean-aligned APT37 is using a new Rust-based backdoor (Rustonotto) and a Python loader to deploy the FadeStealer info-stealer.
-
IOCs: Rustonotto, FadeStealer
-
#APT37 #Malware #Rust #ThreatIntel
APT37 Deploys Rust Backdoor & Python Loader
www.zscaler.com
September 8, 2025 at 4:02 PM
⚡️ Beware, Steam! Malware (Hijack Loader, Fickle Stealer, Vidar Stealer) that steals crypto wallets and personal data was found in the game Chemia. 🚨 Early-access games carry increased risk. 🛡️ Use antivirus, be vigilant with downloads, and keep crypto assets in hardware wallets!
July 28, 2025 at 5:29 PM
🚨 New update spotted in MonsterV2 malware:
✅ Stealer can now be launched on all or selected bots
⚙️ Loader speed improved
🐞 Bug fix for browser cookie theft on high-handle systems
📌 Rebuild required – expect fresh variants in the wild
#ThreatIntel #Malware #HVNC #Infostealer
July 12, 2025 at 7:15 PM
SHELLTER: a commercial evasion framework used in the wild for info-stealers and advanced loaders, with encryption, polymorphism and anti-EDR techniques on Windows.

#ARECHCLIENT2 #INFOSTEALER #Lumma #Rhadamanthys #SHELLTER
www.matricedigitale.it/2025/07/08/s...
July 8, 2025 at 6:40 AM
🚨 New Stealer Alert: AURA Stealer
Highly modular & stealthy malware targeting over 110 browsers, 70+ apps (incl. wallets & 2FA), and 250+ extensions.
Server-side decryption
Custom shellcode & morpher
Loader included
Cookie theft w/o killing processes
#CyberSecurity #ThreatIntel #Malware #InfoStealer
July 8, 2025 at 5:03 AM
Splunk researchers analyse a malicious Inno Setup installer that leverages Inno Setup's Pascal scripting capabilities to retrieve and execute HijackLoader, a known loader used to evade detection and deliver the final payload - in this case, RedLine Stealer. www.splunk.com/en_us/blog/s...
July 7, 2025 at 11:31 AM
2025-06-26 (Thursday): #LummaStealer ( #Lumma ) infection leads to follow-up loader that retrieves a pen test tool hosted on GitHub and configures it as #malware. A #pcap of the infection traffic, the associated malware, and IOCs are available at: www.malware-traffic-analysis.net/2025/06/26/i...
June 27, 2025 at 5:22 AM
Zscaler ThreatLabz researchers recently uncovered AI-themed websites designed to spread malware like Vidar, Lumma & Legion Loader. Threat actors are using Black Hat SEO to poison search engine rankings for AI keywords to spread malware. www.zscaler.com/blogs/securi...
June 25, 2025 at 9:29 AM
New Octowave Loader sample is leading to Amatera Stealer deployment over the past week.

0 VT detections on any component of the malware loader.
Proofpoint rules detect the outbound C2 traffic.
My Yara rule detects the installer.
June 24, 2025 at 3:11 AM
MonsterV2 has many capabilities, but seems to function primarily as a stealer and a loader.
June 5, 2025 at 9:07 PM
Cybereason researchers describe an ongoing phishing campaign they have observed that uses a copyright infringement lure to target multimedia professionals from central and eastern Europe to deliver Rhadamanthys stealer. www.cybereason.com/blog/rhadama...
May 23, 2025 at 9:26 AM
2025-05-09 (Friday): #KoiLoader / #KoiStealer activity. Same type of distribution chain and infection characteristics as always.

Example of downloaded zip available at:

- bazaar.abuse.ch/sample/35236...
- tria.ge/250510-a2fw5...
- app.any.run/tasks/3adefb...
May 10, 2025 at 1:10 AM
Slow Pisces, a North Korean hacking group, used LinkedIn to target crypto developers with malicious coding challenges. PDFs linked to malware-laden GitHub repos (RN Loader & RN Stealer), stealing data and credentials. GitHub & LinkedIn removed the threats. #SlowPiscesLinkedInAttack
April 16, 2025 at 6:08 AM