QuirkyLoader Unveiled: A Modular Malware Loader Delivering Multi-Payload Attacks
Introduction
QuirkyLoader Unveiled: A Modular Malware Loader Delivering Multi-Payload Attacks presents a concise and detailed picture of a modular loader observed since November 2024. This investigation synthesizes technical analysis and campaign reporting to explain how QuirkyLoader operates as a loader that leverages DLL side-loading, process hollowing, ahead-of-time (AOT) compiled .NET components and a flexible payload catalog that includes Agent Tesla, AsyncRAT, Snake Keylogger, Remcos RAT, Formbook, Masslogger and Rhadamanthys Stealer. The following material integrates threat intelligence from IBM X-Force and related research while preserving the evidence on email spam delivery, targeted campaigns, memory-resident execution, the native-like appearance of the binaries, and the high-level implications for credential theft, keystroke capture and data exfiltration.
Executive Overview
What QuirkyLoader Is and Why It Matters
- QuirkyLoader is a modular loader used to deliver a variety of next-stage payloads through email spam campaigns.
- The loader is distributed inside malicious archives that contain a legitimate executable, a malicious DLL, and an encrypted payload.
- The core execution chain relies on DLL side-loading to get the malicious DLL into memory and on process hollowing to run the decrypted payload inside a legitimate process context.
- Observed payloads include Agent Tesla, AsyncRAT, Snake Keylogger, Remcos RAT, Formbook, Masslogger and Rhadamanthys Stealer, enabling credential theft, keystroke capture and remote-access-trojan capabilities.
- Activity has been confirmed since November 2024, with focused campaigns noted in July 2025 and continued observations into August 2025.
- Geographies of interest include Taiwan, where Nusoft Taiwan employees were targeted, and Mexico, where campaigns delivered Remcos RAT and AsyncRAT.
Key Highlights
- Modular loader architecture supports multiple payload families from a single delivery mechanism.
- Delivery via archives attached to emails sent from both legitimate email service providers and self-hosted mail servers.
- DLL loader implemented in .NET and compiled ahead-of-time to produce native-like binaries that hinder straightforward static analysis.
- Injection targets include AddInProcess32.exe, InstallUtil.exe and aspnet_wp.exe to blend into legitimate process trees.
- The overall campaign ecosystem overlaps with evolving phishing trends such as quishing and precision-validated phishing.
Detailed Analysis
Technical Mechanisms and Delivery Chain
Overview
- QuirkyLoader uses a staged delivery. A spam email carries an archive that includes a genuine executable, a malicious DLL loader and an encrypted final payload.
- When the recipient executes the genuine executable, DLL side-loading causes the malicious DLL to be loaded by that executable.
- The malicious DLL decrypts the embedded payload and uses process hollowing to inject it into one of several process hosts, typically AddInProcess32.exe, InstallUtil.exe or aspnet_wp.exe.
Loader architecture and compilation
- The DLL loader is written in a .NET language and compiled with ahead-of-time (AOT) techniques to produce native machine code. This yields a memory and file footprint that can appear similar to C or C++ binaries, complicating signature-based detection and some static analysis workflows.
- The AOT-compiled .NET loader combines the convenience of managed development with the stealth properties of native-looking binaries.
Execution workflow
- Archive extracted by the user or an automated process
- Legitimate executable launched; its DLL search resolves to the malicious DLL, which is loaded via DLL side-loading
- DLL decrypts the payload in memory and performs process hollowing into a chosen host
- Final payload lives in memory and executes in the context of the legitimate host to reduce visibility
Observability points for defenders
- Unusual DLL loads by legitimate executables
- Decryption routines engaged by DLLs at process start
- Process hollowing indicators and unexpected memory-resident execution within AddInProcess32.exe, InstallUtil.exe or aspnet_wp.exe
Payload Catalog and Capabilities
Payload families observed
- Agent Tesla — credential and form grabber with exfiltration routines
- AsyncRAT — remote access trojan used for persistence and command execution
- Snake Keylogger — keystroke logging plus browser and clipboard theft
- Remcos RAT — remote control and monitoring capabilities
- Formbook — credential harvesting and data-stealing modules
- Masslogger — credential and session harvesting
- Rhadamanthys Stealer — targeted credential and cookie extraction
Operational intent
- Credential theft and account takeover
- Keystroke monitoring and clipboard capture for sensitive data
- Browser cookie and session theft enabling lateral fraud and account abuse
- Persistent remote access enabling follow-on operations
Campaign Context and Geographic Targeting
Observed campaigns and timing
- November 2024 — earliest observed deployments of the loader in the wild
- July 2025 — two distinct campaigns documented by IBM X-Force
- Taiwan campaign targeting Nusoft Taiwan employees with Snake Keylogger
- Mexico campaign distributing Remcos RAT and AsyncRAT
Targeting profile
- Campaigns exhibit a mix of targeted and opportunistic distribution modes
- The Taiwan-focused operation demonstrated selection of a security research firm's staff as high-value targets
- Mexico campaign appeared more broadly distributed but included similarly impactful payloads
Threat intelligence attribution and reporting
- IBM X-Force supplied the primary technical analysis and campaign reporting
- Security researchers, including Raymond Joseph Alfonso, provided commentary on the loader techniques and AOT use
Phishing Ecosystem and Emerging Evasion Trends
Quishing and QR code abuse
- Attackers increasingly weaponize QR codes as part of phishing flows, a trend commonly called quishing.
- Techniques include splitting malicious QR data or nesting malicious QR codes inside legitimate codes to reduce detection by content filters and to encourage mobile-based interaction.
Precision-validated phishing
- PoisonSeed style methods perform real-time address validation in the background while presenting a faux Cloudflare Turnstile challenge to victims. Post-validation flows show tailored impersonation of login services to harvest credentials and 2FA codes.
- PoisonSeed and similar kits impersonate major CRM and bulk email vendors to harvest credentials that facilitate account takeover and financial fraud.
Tooling and kits referenced
- Gabagool and Tycoon phishing kits have been noted for distributing quishing assets and credential harvesting links.
- NVISO Labs and Barracuda research provide context on how these kits implement validation and redirection patterns that reduce simple blocklisting effectiveness.
Implications for Defenders
Detection challenges
- AOT-compiled .NET loaders produce native-like binaries that evade simple managed-runtime heuristics.
- Use of legitimate process hosts via process hollowing obscures runtime behavior and complicates interpretation of endpoint telemetry.
- Encrypted payloads carried inside archives that also include genuine executables reduce the effectiveness of static archive scanning.
Recommended detection focus areas
- Monitor DLL loads for unusual or unexpected modules loaded by typically benign executables
- Correlate email-spam events that include archives containing DLL files and encrypted payload artifacts
- Apply behavioral analytics to detect process hollowing, memory-resident execution and anomalous imports in native-looking binaries
- Increase scrutiny on QR-based interactions originating from email and cross-validate out-of-band QR flows
Operational considerations
- Phishing resilience requires identity protection, 2FA hygiene and rapid detection of account anomalies following credential theft
- Shared threat intelligence and collaboration across vendors and researchers accelerate mapping of the QuirkyLoader campaign lifecycle
Campaign Timeline
- November 2024
  - QuirkyLoader first observed delivering multiple payload families via email spam.
- July 2025
  - IBM X-Force reported two targeted campaigns.
  - Taiwan campaign targeted Nusoft Taiwan employees with Snake Keylogger.
  - Mexico campaign delivered Remcos RAT and AsyncRAT.
- August 2025
  - Continued analysis and ecosystem reporting linked the loader activity with evolving phishing techniques including quishing and precision-validated phishing.
Stakeholders and References
Primary actors and contributors
- IBM X-Force — provided detailed technical analysis and campaign reporting on QuirkyLoader.
- Raymond Joseph Alfonso — cited for insights on DLL side-loading and loader behavior.
- Nusoft Taiwan — identified target organization in Taiwan campaign.
- PoisonSeed — actor or kit associated with precision-validated phishing and credential-theft flows.
- Barracuda Research and NVISO Labs — provided context on quishing and phishing kit operations.
- The Hacker News — reported ecosystem-level implications in August 2025.
Fact checking and primary sources
- IBM X-Force threat intelligence hub — https://www.ibm.com/security/xforce
- Barracuda Research and Threat Radar — https://www.barracuda.com
- NVISO Labs — https://www.nviso.be
- The Hacker News coverage for related reporting — https://thehackernews.com
Evidence Summary
- Observed artifacts and campaign telemetry indicate malicious archives delivered over email containing a legitimate executable, a malicious DLL loader and an encrypted payload.
- DLL side-loading and process hollowing observed as consistent operational patterns across campaigns.
- AOT-compiled .NET loader modules yield native-like binaries that complicate static detection and analysis.
- Two July 2025 campaigns were documented: Taiwan targeting Nusoft Taiwan with Snake Keylogger, and Mexico distributing Remcos RAT and AsyncRAT.
Recommendations for Detection Focus
- Monitor for unusual or unexpected DLL loads in process trees for AddInProcess32.exe, InstallUtil.exe and aspnet_wp.exe.
- Sandbox archive attachments that contain DLL files or encrypted payload components prior to user access.
- Correlate email source reputations, especially when messages are delivered from legitimate email service providers but include suspicious archive contents.
- Employ behavioral detection that flags process hollowing patterns and memory-only payload execution rather than relying solely on file signatures.
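As an added illustration of the observability points and detection focus areas above (example code written for this page, not IBM X-Force tooling), the following Python applies two heuristics to constructed Sysmon-style events: a DLL loaded from the same non-system directory as its host executable (the side-loading pattern), and one of the named host processes spawned by a parent outside trusted install roots (the hollowing pattern). The trusted-root list, the event field names and the sample paths are assumptions.

```python
import json
from pathlib import PureWindowsPath

# Process hosts the page names as hollowing targets.
HOLLOW_HOSTS = {"addinprocess32.exe", "installutil.exe", "aspnet_wp.exe"}
# Assumption: a deliberately small allow-list of roots that trusted code normally loads from.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)

def _parent_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()

def classify(event: dict):
    """Return an alert string for one Sysmon-style event, or None if it looks benign."""
    if event["EventID"] == 7:  # ImageLoaded: a module mapped into a process
        host, dll = event["Image"], event["ImageLoaded"]
        # Side-load heuristic: a DLL sitting next to its host, outside trusted roots.
        # Noisy for portable apps, so tune TRUSTED_ROOTS to the environment.
        if (dll.lower().endswith(".dll") and not _trusted(dll)
                and _parent_dir(dll) == _parent_dir(host)):
            return f"sideload-candidate: {host} loaded co-located {dll}"
    elif event["EventID"] == 1:  # ProcessCreate
        child = PureWindowsPath(event["Image"]).name.lower()
        parent = event.get("ParentImage", "")
        # Hollow-host heuristic: a known injection host spawned by an untrusted parent.
        if child in HOLLOW_HOSTS and not _trusted(parent):
            return f"hollow-host-candidate: {event['Image']} spawned by {parent}"
    return None

def scan(lines):
    """Parse JSON event lines and collect the alerts they raise, in order."""
    alerts = []
    for line in lines:
        alert = classify(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample telemetry (not real campaign data); the paths are illustrative.
SAMPLE_LINES = [json.dumps(e) for e in (
    {"EventID": 7, "Image": r"C:\Users\a\Downloads\inv\setup.exe", "ImageLoaded": r"C:\Users\a\Downloads\inv\helper.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe", "ParentImage": r"C:\Users\a\Downloads\inv\setup.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
)]
```

Running `scan(SAMPLE_LINES)` yields one side-load alert and one hollow-host alert; the two benign events produce nothing, and the two hits are correlated by the shared `setup.exe` path, which is the link the archive-sandboxing and DLL-load telemetry recommendations above aim to surface.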
Conclusion and Synthesis
QuirkyLoader functions as a flexible loader framework enabling distribution of a broad spectrum of payloads, including Agent Tesla, AsyncRAT, Snake Keylogger, Remcos RAT, Formbook, Masslogger and Rhadamanthys Stealer. Its use of DLL side-loading and process hollowing, combined with .NET AOT compilation to produce native-like binaries, raises the difficulty of detection and analysis. The July 2025 campaigns targeting Taiwan and Mexico underscore both targeted and opportunistic use, while the convergence with quishing and precision-validated phishing demonstrates a wider social engineering and delivery ecosystem. Defenders should approach QuirkyLoader with a multi-layered strategy that combines email hygiene, archive sandboxing and behavior-based endpoint monitoring focused on DLL load anomalies and memory-resident execution.
Detailed Appendix
Technical indicators and behavioral markers
- Loader behavior to watch
  - DLL side-loading by legitimate executables
  - In-memory decryption of payloads
  - Process hollowing into AddInProcess32.exe, InstallUtil.exe or aspnet_wp.exe
- Artifact characteristics
  - .NET-based DLLs compiled with AOT, producing native-like executables
  - Encrypted payload blobs embedded alongside genuine executables inside archives
Quotes and notable commentary
- Raymond Joseph Alfonso, IBM X-Force: "The actor uses DLL side-loading, a technique where launching the legitimate executable also loads the malicious DLL."
- Rohit Suresh Kanase, Barracuda Research: "Malicious QR codes cannot be read by humans and can bypass traditional security measures."
Event information
- Reported discovery window: November 2024 to August 2025
- Notable reporting dates: July 2025 campaign reporting by IBM X-Force; August 2025 coverage linking loader campaigns to broader quishing trends
Question for reader engagement
- How does your organization correlate email archive sandboxing events with runtime DLL load telemetry to detect loaders similar to QuirkyLoader?
Summary statement
QuirkyLoader Unveiled: A Modular Malware Loader Delivering Multi-Payload Attacks demonstrates a modular, adaptable loader that blends DLL side-loading, process hollowing and .NET AOT compilation to deliver a wide array of payloads. Its combination with evolving phishing trends such as quishing and precision-validated phishing amplifies credential theft and remote-access-trojan risks across targeted campaigns and broader opportunistic distributions.