
Hackers spreading Agent Tesla, AsyncRAT and Snake Keylogger using the new QuirkyLoader malware


August 21, 2025Ravi LakshmananMalware/Email Security

Cybersecurity researchers have revealed details of a new malware loader called QuirkyLoader, which has been used in email spam campaigns since November 2024 to deliver payloads ranging from information stealers to remote access trojans.

Notable malware families distributed using QuirkyLoader include Agent Tesla, AsyncRAT, Formbook, MassLogger, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger.

IBM X-Force, detailing the malware, said the attack involves sending spam emails from both legitimate email service providers and self-hosted email servers. These emails feature malicious archives containing DLLs, encrypted payloads, and actual executables.

“The actors use DLL sideloading, a technology that also loads malicious DLLs by launching legal executables,” said security researcher Raymond Joseph Alfonso. “This DLL in turn injects, decodes, and injects the final payload into the target process.”


This is achieved by injecting the malware into one of three processes using process hollowing: AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe.

According to IBM, the DLL loader has been used in limited campaigns over the past few months, with two campaigns observed in July 2025 targeting Taiwan and Mexico.

The Taiwan-targeted campaign is said to have specifically singled out employees of Nusoft Taiwan, a network and internet security research company based in New Taipei, with the aim of infecting them with Snake Keylogger, which can steal sensitive information from popular web browsers, as well as keystrokes and clipboard content.

Meanwhile, the Mexico-related campaigns are assessed to be random, with infection chains delivering Remcos RAT and AsyncRAT.

“The threat actor writes DLL loader modules consistently in the .NET language and uses ahead-of-time (AOT) compilation,” Alfonso said. “This process will display as if you had compiled your code into native machine code before running and the resulting binary was written in C or C++.”
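An added example (not from the article or from IBM X-Force) of triaging process-creation telemetry for the three hollowing targets named above: it flags events where one of them is started by a parent in a user-writable path or with no arguments. The Sysmon Event ID 1 style field names, the path markers, both heuristics and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Hollowing targets named in the article (matched case-insensitively).
HOLLOW_TARGETS = {"addinprocess32.exe", "installutil.exe", "aspnet_wp.exe"}
# Assumption: a loader unpacked from a mail attachment runs from a path like these.
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\users\\public\\")

def has_no_arguments(image: str, command_line: str) -> bool:
    """True when the command line is only the image path, quoted or not."""
    cmd = command_line.strip()
    for prefix in (f'"{image}"', image):
        if cmd.lower().startswith(prefix.lower()):
            return cmd[len(prefix):].strip() == ""
    return False

def triage(event: dict) -> list:
    """Return the reasons a process-creation event deserves review."""
    image = event.get("Image", "")
    if ntpath.basename(image).lower() not in HOLLOW_TARGETS:
        return []
    reasons = []
    if any(m in event.get("ParentImage", "").lower() for m in USER_WRITABLE):
        reasons.append("parent runs from a user-writable path")
    # Assumption: legitimate use of these utilities passes arguments.
    if has_no_arguments(image, event.get("CommandLine", "")):
        reasons.append("target started without arguments")
    return reasons

def flag_events(events: list) -> list:
    """Pair each suspicious event's target name with its reasons."""
    hits = [(ntpath.basename(e.get("Image", "")), triage(e)) for e in events]
    return [(name, why) for name, why in hits if why]

NET = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\"
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\alice\AppData\Local\Temp\inv_0725\Viewer.exe",
     "Image": NET + "AddInProcess32.exe",
     "CommandLine": '"' + NET + 'AddInProcess32.exe"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": NET + "InstallUtil.exe",
     "CommandLine": NET + r"InstallUtil.exe C:\svc\BackupSvc.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\Downloads\setup.exe",
     "CommandLine": r"C:\Users\alice\Downloads\setup.exe"},
]

if __name__ == "__main__":
    for name, why in flag_events(SAMPLE_EVENTS):
        print(name, "->", "; ".join(why))
```

Only the first sample event is flagged; the administrator-run InstallUtil.exe and the unrelated installer pass through.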

New Phishing Trends

The development comes as threat actors use new QR code phishing (aka quishing) tactics, such as splitting malicious QR codes into two parts or embedding them within legitimate QR codes, in email messages propagated via phishing kits such as Gabagool or Tycoon, demonstrating ongoing evolution.

“Malicious QR codes are popular with attackers for several reasons,” said Rohit Suresh Kanase, a researcher at Barracuda. “They should not raise the red flag because they cannot be read by humans. They can often bypass traditional security measures such as email filters and link scanners.”

“In addition, recipients often need to switch to mobile devices to scan the code, allowing users to move away from the company’s security perimeter and from protection.”


The findings also follow the emergence of a phishing kit that the PoisonSeed threat actor uses to obtain credentials and two-factor authentication (2FA) codes from individuals and organizations, access victims’ accounts, and send emails to carry out cryptocurrency fraud.

“The domains that host this phishing kit are targeting individual qualifications, impersonating login services from prominent CRMs and bulk mail companies such as Google, SendGrid, and MailChimp,” NVISO Labs said. “PoisonSeed employs spear phishing emails that embed malicious links, redirecting victims to a phishing kit.”

A notable aspect of the kit is its use of a technique known as precision verification phishing, in which the attacker validates an email address in real time in the background. Once the check passes, the victim is presented with a login form impersonating a legitimate online platform, allowing the threat actor to capture the submitted credentials before relaying them to the service.

