Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

QuirkyLoader Spreads RATs, Keyloggers

August 21, 2025
Reading Time: 3 mins read
in Alerts
GenAI Used by Hackers for Phishing

A new malware loader, QuirkyLoader, has been delivering a variety of malicious payloads through email spam campaigns since November 2024. The malware uses advanced techniques, such as DLL side-loading and process hollowing, to evade detection and infect targeted systems.

IBM X-Force researchers have identified a new malware loader, QuirkyLoader, which has been active since November 2024. The malware is distributed through email spam campaigns and is capable of delivering various malicious payloads, including information stealers and remote access trojans. The list of malware families distributed by QuirkyLoader includes Agent Tesla, AsyncRAT, Remcos RAT, and Snake Keylogger. The attackers use spam emails from legitimate and self-hosted email servers, attaching a malicious archive that contains a legitimate executable, a malicious DLL, and an encrypted payload. The DLL loader module is consistently written in .NET languages and uses ahead-of-time (AOT) compilation, which makes the resulting binary appear as though it were written in C or C++. This helps the malware bypass traditional security measures.

The attack process starts when a victim opens the malicious archive. The attackers use a technique called DLL side-loading, where the malicious DLL is loaded alongside the legitimate executable. This DLL then uses process hollowing to inject the final payload into one of three legitimate processes: AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe. Once the payload is injected, the malware can carry out its intended malicious activities, such as stealing sensitive information, logging keystrokes, or providing remote access to the attacker.

IBM has observed two limited campaigns in July 2025 where QuirkyLoader was used. One campaign targeted employees of Nusoft Taiwan, a network and internet security company, with the goal of infecting them with Snake Keylogger. The other campaign targeted individuals in Mexico, delivering Remcos RAT and AsyncRAT. These attacks show that the malware can be used for both specific, targeted attacks and random, opportunistic campaigns.

The emergence of QuirkyLoader highlights the continuous evolution of cyber threats. In addition to this new malware, threat actors are also using new QR code phishing (quishing) tactics to bypass email filters and link scanners. By splitting malicious QR codes into two parts or embedding them within legitimate ones, attackers make it harder for security tools to detect them. Attackers favor malicious QR codes because they cannot be read by humans and often require the user to switch to a mobile device, taking them out of the company’s security perimeter.

Another threat that has recently emerged is a phishing kit used by the PoisonSeed threat actor. This kit impersonates login services from prominent companies like Google, SendGrid, and Mailchimp to steal credentials and two-factor authentication (2FA) codes. PoisonSeed uses spear-phishing emails to redirect victims to their phishing kit, allowing the attackers to gain access to victims’ accounts and use them for cryptocurrency scams. The ongoing development of these various sophisticated threats, including QuirkyLoader, emphasizes the need for a multi-layered security approach to protect against a wide range of cyberattacks.

Reference:

  • Hackers Deploy QuirkyLoader to Distribute Agent Tesla, AsyncRAT, and Snake Keylogger
Tags: August 2025Cyber AlertsCyber Alerts 2025CyberattackCybersecurity
ADVERTISEMENT

Related Posts

Smishing targets routers in Belgium 2025

Smishing targets routers in Belgium 2025

October 2, 2025
Smishing targets routers in Belgium 2025

Outlook Bug Causes Repeated Crashes

October 2, 2025
Smishing targets routers in Belgium 2025

MatrixPDF Toolkit Turns PDFs Into Lures

October 2, 2025
Microsoft Sentinel Unveils AI SIEM

Apple Pushes iPhone and Mac Updates

October 1, 2025
Microsoft Sentinel Unveils AI SIEM

Tesla Fixes TCU Bug With USB Risk

October 1, 2025
Microsoft Sentinel Unveils AI SIEM

EvilAI Malware Posing As AI Tools

October 1, 2025

Latest Alerts

Outlook Bug Causes Repeated Crashes

Smishing targets routers in Belgium 2025

MatrixPDF Toolkit Turns PDFs Into Lures

Tesla Fixes TCU Bug With USB Risk

Apple Pushes iPhone and Mac Updates

EvilAI Malware Posing As AI Tools

Subscribe to our newsletter

    Latest Incidents

    Allianz Life July Breach Hits 1.5M

    Dealership Software Breach Hits 766k

    Suffolk Website Down After Cyber-Attack

    WestJet Confirms Data Breach

    Ransomware Gang Recruits Reporter

    US Surveillance Hack Exposes Data

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial