Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

CherryLoader Unveils Modular Malware

January 25, 2024
Reading Time: 3 mins read
in Alerts

Arctic Wolf Labs has identified a new threat in the wild known as CherryLoader, a malware loader built on Go that conceals its malicious intent by masquerading as the legitimate CherryTree note-taking application. The discovery emerged from recent intrusions, where CherryLoader was found to deliver additional payloads for subsequent exploitation on compromised systems. Notably, the loader employs an icon and name resembling CherryTree, aiming to deceive potential victims into unwittingly installing it.

The modus operandi of CherryLoader involves dropping privilege escalation tools, such as PrintSpoofer or JuicyPotatoNG, after successful installation. The researchers at Arctic Wolf Labs, including Hady Azzam, Christopher Prest, and Steven Campbell, detail that CherryLoader operates with a unique twist—it incorporates modularized features that allow threat actors to interchange exploits without the need for code recompilation. This adaptability provides a level of sophistication to the malware, enabling threat actors to stay agile and deploy alternative exploits seamlessly.

Despite the discovery of CherryLoader, the method of its distribution remains undisclosed. Examination of attack chains by the cybersecurity firm suggests that CherryLoader and its associated files are packaged within a RAR archive file hosted on a specific IP address. The archive file, named “Packed.rar,” contains executables such as “cherrytree.exe” and associated files like “NuxtSharp.Data,” “Spof.Data,” and “Juicy.Data.” The researchers emphasize the modular design of CherryLoader, noting that it leverages encryption methods and anti-analysis techniques to deploy various privilege escalation exploits without the need for recompiling any code.

In the intricate process, the RAR file also downloads an executable (“main.exe”) responsible for unpacking and launching the Golang binary. This binary execution proceeds only if a predefined MD5 password hash matches the first argument passed to it. The subsequent steps involve decryption, writing contents to files, and utilizing fileless techniques like process ghosting, adding layers of complexity to CherryLoader’s operation. The researchers conclude that CherryLoader represents a newly identified multi-stage downloader, showcasing its capacity to employ diverse encryption methods and anti-analysis techniques in an attempt to execute alternative privilege escalation exploits seamlessly.

 

Reference:
  • CherryLoader: A New Go-based Loader Discovered in Recent Intrusions
Tags: CherryLoaderCherryTreeCyber AlertCyber Alerts 2024Cyber RiskCyber threatJanuary 2024LoadersMalware
ADVERTISEMENT

Related Posts

Hackers Revive SEO Poisoning

Hackers Revive SEO Poisoning

July 10, 2025
Hackers Revive SEO Poisoning

RondoDox Botnet Exploits Router Flaws

July 10, 2025
Hackers Revive SEO Poisoning

ServiceNow Data Exposure via ACLs

July 10, 2025
Hackers Use Leaked Shellter License Malware

Windows BitLocker Vulnerability Flaw

July 9, 2025
Hackers Use Leaked Shellter License Malware

Hackers Use Leaked Shellter License Malware

July 9, 2025
Hackers Use Leaked Shellter License Malware

Anatsa Android Trojan Targets 90K Users

July 9, 2025

Latest Alerts

RondoDox Botnet Exploits Router Flaws

ServiceNow Data Exposure via ACLs

Hackers Revive SEO Poisoning

Windows BitLocker Vulnerability Flaw

Anatsa Android Trojan Targets 90K Users

Hackers Use Leaked Shellter License Malware

Subscribe to our newsletter

    Latest Incidents

    Bitcoin Depot Breach Exposes Data

    McDonald’s AI Hiring Bot Exposes Data

    Nippon Steel Solutions Data Breach

    Norwegian Municipalities Hit by Data Breach

    Credit Reports Breached And Sold On Dark Web

    Recruiting Software Exposed 26M Resumes

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial