Cyble Research & Intelligence Labs recently identified a new malware-as-a-service (MaaS) offering called ManticoraLoader, which has been available on underground forums since August 2024. The malware, developed by the threat group DeadXInject, is being used to target Citrix users and is connected to previous malicious tools such as AresLoader and AiDLocker. DeadXInject, also responsible for attacking Citrix users in 2023, has returned with a stealthy, adaptable loader that poses a new threat in the cybersecurity landscape.
ManticoraLoader is a C-based malware built for Windows, starting from version 7 and including Windows Server. It has a specific module designed to gather information from infected devices, including IP addresses, usernames, system language, installed antivirus software, UUIDs, and date-time stamps. This data is sent back to a centralized control panel, helping attackers strategize further attacks and maintain control over compromised systems. The malware’s modular design allows additional features to be added upon request, making it highly adaptable.
The loader’s creators have incorporated advanced obfuscation techniques to evade detection by security solutions. Tests conducted by Cyble found that ManticoraLoader had a detection rate of 0/39 on Kleenscan, demonstrating its effectiveness in bypassing security defenses. It also includes a feature to place files in auto-start locations, ensuring persistence in infected systems. The malware is being offered for $500 per month, with exclusive access limited to just 10 clients, and deals are conducted through forums, Telegram, or TOX.
Despite being dormant for over a year, DeadXInject’s reappearance with ManticoraLoader signals an ongoing threat to organizations. The malware’s features, while similar to AresLoader, claim improved capabilities that could make it even harder to detect and mitigate. The continued use of AresLoader by cybercriminals, coupled with the emergence of ManticoraLoader, underscores the need for heightened security measures to protect against stealer and botnet infections targeting Citrix and other systems.
Reference:
