A new malware loader, QuirkyLoader, has been delivering a variety of malicious payloads through email spam campaigns since November 2024. The malware uses advanced techniques, such as DLL side-loading and process hollowing, to evade detection and infect targeted systems.
IBM X-Force researchers have identified a new malware loader, QuirkyLoader, which has been active since November 2024. The malware is distributed through email spam campaigns and is capable of delivering various malicious payloads, including information stealers and remote access trojans. The list of malware families distributed by QuirkyLoader includes Agent Tesla, AsyncRAT, Remcos RAT, and Snake Keylogger. The attackers use spam emails from legitimate and self-hosted email servers, attaching a malicious archive that contains a legitimate executable, a malicious DLL, and an encrypted payload. The DLL loader module is consistently written in .NET languages and uses ahead-of-time (AOT) compilation, which makes the resulting binary appear as though it were written in C or C++. This helps the malware bypass traditional security measures.
The attack process starts when a victim opens the malicious archive. The attackers use a technique called DLL side-loading, where the malicious DLL is loaded alongside the legitimate executable. This DLL then uses process hollowing to inject the final payload into one of three legitimate processes: AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe. Once the payload is injected, the malware can carry out its intended malicious activities, such as stealing sensitive information, logging keystrokes, or providing remote access to the attacker.
IBM has observed two limited campaigns in July 2025 where QuirkyLoader was used. One campaign targeted employees of Nusoft Taiwan, a network and internet security company, with the goal of infecting them with Snake Keylogger. The other campaign targeted individuals in Mexico, delivering Remcos RAT and AsyncRAT. These attacks show that the malware can be used for both specific, targeted attacks and random, opportunistic campaigns.
The emergence of QuirkyLoader highlights the continuous evolution of cyber threats. In addition to this new malware, threat actors are also using new QR code phishing (quishing) tactics to bypass email filters and link scanners. By splitting malicious QR codes into two parts or embedding them within legitimate ones, attackers make it harder for security tools to detect them. Attackers favor malicious QR codes because they cannot be read by humans and often require the user to switch to a mobile device, taking them out of the company’s security perimeter.
Another threat that has recently emerged is a phishing kit used by the PoisonSeed threat actor. This kit impersonates login services from prominent companies like Google, SendGrid, and Mailchimp to steal credentials and two-factor authentication (2FA) codes. PoisonSeed uses spear-phishing emails to redirect victims to their phishing kit, allowing the attackers to gain access to victims’ accounts and use them for cryptocurrency scams. The ongoing development of these various sophisticated threats, including QuirkyLoader, emphasizes the need for a multi-layered security approach to protect against a wide range of cyberattacks.
Reference:
