Aug 21, 2025 | Ravie Lakshmanan | Malware / Email Security

Cybersecurity researchers have disclosed details of a new malware loader called QuirkyLoader that has been used since November 2024 to deliver, via email spam campaigns, an array of next-stage payloads ranging from information stealers to remote access trojans.

Some of the notable malware families distributed using QuirkyLoader include Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger.

IBM X-Force, which detailed the malware, said the attacks involve sending spam emails from both legitimate email service providers and a self-hosted email server. These emails carry a malicious archive containing a DLL, an encrypted payload, and a genuine executable.

"The actor uses DLL side-loading, a technique where launching the legitimate executable also loads the malicious DLL," security researcher Raymond Joseph Alfonso said. "This DLL, in turn, loads, decrypts, and injects the final payload into its target process."


This is achieved by using process hollowing to inject the malware into one of three processes: AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe.
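The chain described above gives defenders a concrete shape to hunt for: one of the three named hollowing targets being spawned by a parent that runs from a user-writable location, which is where a mailed archive (legitimate executable plus side-loaded DLL) would be extracted. The following triage script is an added example, not code from IBM X-Force or the article; the event format, the sample events and the list of user-writable path fragments are all constructed assumptions.

```python
import re

# Process-hollowing targets named in the IBM X-Force write-up above.
HOLLOWING_TARGETS = {"addinprocess32.exe", "installutil.exe", "aspnet_wp.exe"}

# Assumption: path fragments marking locations a mailed archive is usually
# extracted to; legitimate build/deploy tooling rarely launches these binaries from there.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\")

# Constructed sample process-creation events in a simple key=value format (not real telemetry).
SAMPLE_EVENTS = """\
ts=2025-07-10T09:12:01Z image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe parent=C:\\Users\\ana\\Downloads\\invoice\\viewer.exe
ts=2025-07-10T09:12:02Z image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe parent=C:\\Program Files\\Vendor\\setup.exe
ts=2025-07-10T09:13:15Z image=C:\\Windows\\System32\\notepad.exe parent=C:\\Users\\ana\\Downloads\\notes\\launcher.exe
ts=2025-07-10T09:14:40Z image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\AddInProcess32.exe parent=C:\\Users\\ana\\AppData\\Local\\Temp\\7zO1A2B\\report.exe
"""

EVENT_RE = re.compile(r"^ts=(\S+) image=(.+?) parent=(.+)$")


def basename(path):
    # Last path component, lower-cased for comparison (accepts either separator).
    return re.split(r"[\\/]", path)[-1].lower()


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"ts": m.group(1), "image": m.group(2), "parent": m.group(3)})
    return events


def triage(text):
    """Return events where a known hollowing target was launched by a parent
    running from a user-writable directory, i.e. the shape of the side-loaded lure."""
    findings = []
    for ev in parse_events(text):
        if basename(ev["image"]) not in HOLLOWING_TARGETS:
            continue
        parent_path = ev["parent"].lower()
        if any(hint in parent_path for hint in USER_WRITABLE_HINTS):
            findings.append({**ev, "reason": "hollowing target spawned from user-writable path"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["ts"], basename(f["image"]), "<-", f["parent"], "|", f["reason"])
```

Only the first and fourth constructed events are flagged; the second shows the same target launched from a non-user-writable path, which this heuristic deliberately leaves alone to keep the false-positive rate manageable.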

The DLL loader, per IBM, has been used in limited campaigns for the past few months, with two campaigns observed in July 2025 targeting Taiwan and Mexico.

The campaign targeting Taiwan is said to have specifically singled out employees of Nusoft Taiwan, a network and internet security research company based in New Taipei City, with the goal of infecting them with Snake Keylogger, which is capable of stealing sensitive information from popular web browsers, keystrokes, and clipboard content.

The Mexico-related campaign, on the other hand, is assessed to be random, with the infection chains delivering Remcos RAT and AsyncRAT.

"The threat actor consistently writes the DLL loader module in .NET languages and uses ahead-of-time (AOT) compilation," Alfonso said. "This process compiles the code into native machine code before execution, making the resulting binary appear as if it were written in C or C++."

New Phishing Trends

The development comes as threat actors are using new QR code phishing (aka quishing) tactics, such as splitting malicious QR codes into two parts or embedding them inside legitimate ones, in email messages propagated via phishing kits like Gabagool and Tycoon, respectively, to evade detection, demonstrating ongoing evolution.

"Malicious QR codes are popular with attackers for a number of reasons," Barracuda researcher Rohit Suresh Kanase said. "They can't be read by humans so don't raise any red flags, and they can often bypass traditional security measures such as email filters and link scanners."

"Furthermore, since recipients often have to switch to a mobile device to scan the code, it can take users out of the corporate security perimeter and away from protection."


The findings also follow the emergence of a phishing kit used by the PoisonSeed threat actor to harvest credentials and two-factor authentication (2FA) codes from individuals and organizations in order to gain access to victims' accounts and use them to send emails for carrying out cryptocurrency scams.

"The domains hosting this phishing kit impersonate login services from prominent CRM and bulk email companies like Google, SendGrid, Mailchimp, and likely others, targeting individuals' credentials," NVISO Labs said. "PoisonSeed employs spear-phishing emails embedding malicious links, which redirect victims to their phishing kit."

A noteworthy aspect of the kit is its use of a technique known as precision-validated phishing, in which the attacker validates an email address in real time in the background while a fake Cloudflare Turnstile challenge is served to the user. Once the checks are passed, a login form impersonating the legitimate online platform appears, allowing the threat actors to capture submitted credentials and then relay them to the service.
