
QuirkyLoader Unveiled: A Modular Malware Loader Delivering Multi-Payload Attacks

Redoracle Team | Original | 8/24/25 | About 7 min | News


Introduction

QuirkyLoader Unveiled: A Modular Malware Loader Delivering Multi-Payload Attacks presents a concise but detailed picture of a modular loader observed since November 2024. This investigation synthesizes technical analysis and campaign reporting to explain how QuirkyLoader operates as a loader that leverages DLL side-loading, process hollowing, AOT-compiled .NET components and a flexible payload catalog that includes Agent Tesla, AsyncRAT, Snake Keylogger, Remcos RAT, Formbook, Masslogger and Rhadamanthys Stealer. The following material integrates threat intelligence from IBM X-Force and related research while preserving evidence on email-spam delivery, targeted campaigns, memory-resident execution, the native-like appearance of the binaries, and the high-level implications for credential theft, keystroke capture and data exfiltration.

Executive Overview

What QuirkyLoader Is and Why It Matters

  • QuirkyLoader is a modular loader used to deliver a variety of next-stage payloads through email-spam campaigns.
  • The loader is distributed inside malicious archives that contain a legitimate executable, a malicious DLL, and an encrypted payload.
  • The core execution chain relies on dll-side-loading to get the malicious DLL into memory and on process-hollowing to run the decrypted payload inside a legitimate process context.
  • Observed payloads include agent-tesla, asyncrat, snake-keylogger, remcos-rat, formbook, masslogger and rhadamanthys-stealer, enabling credential-theft, keystroke capture and remote-access-trojan capabilities.
  • Activity has been confirmed since November 2024 with focused campaigns noted in July 2025 and continued observations into August 2025.
  • Geographies of interest include Taiwan, where Nusoft Taiwan employees were targeted, and Mexico, where campaigns delivered remcos-rat and asyncrat.

Key Highlights

  • Modular loader architecture supports multiple payload families from a single delivery mechanism.
  • Delivery via archives attached to emails sent from both legitimate email service providers and self-hosted mail servers.
  • DLL loader implemented in dotnet and compiled ahead-of-time to produce native-like-binaries that hinder straightforward static analysis.
  • Injection targets include AddInProcess32.exe, InstallUtil.exe and aspnet_wp.exe to blend into legitimate process trees.
  • The overall campaign ecosystem overlaps with evolving phishing trends such as quishing and precision-validated phishing.

Detailed Analysis

Technical Mechanisms and Delivery Chain

Overview

  • QuirkyLoader uses a staged delivery. Spam email contains an archive that includes a genuine executable, a malicious DLL loader and an encrypted final payload.
  • When recipients execute the genuine executable, dll-side-loading causes the malicious DLL to be loaded by the executable.
  • The malicious DLL decrypts the embedded payload and uses process-hollowing to inject it into one of several process hosts, typically AddInProcess32.exe, InstallUtil.exe or aspnet_wp.exe.

Loader architecture and compilation

  • The DLL loader is written in dotnet languages and compiled with ahead-of-time techniques to produce native machine code. This yields a memory and file footprint that can appear similar to C or C++ binaries, complicating signature-based detection and some static analysis workflows.
  • The AOT compiled dotnet loader seeks to bridge the advantages of managed development with the stealth properties of native-looking binaries.

Execution workflow

  • Archive extracted by user or automated process
  • Legitimate executable launched, triggers DLL search and loads malicious DLL via dll-side-loading
  • DLL decrypts payload in memory and performs process-hollowing into a chosen host
  • Final payload lives in memory and executes in the context of the legitimate host to reduce visibility

Observability points for defenders

  • Unusual DLL loads by legitimate executables
  • Decryption routines engaged by DLLs at process start
  • Process-hollowing indicators and unexpected memory-resident execution within AddInProcess32.exe, InstallUtil.exe or aspnet_wp.exe

Payload Catalog and Capabilities

Payload families observed

  • Agent Tesla — credential and form grabber with exfiltration routines
  • AsyncRAT — remote access trojan used for persistence and command execution
  • Snake Keylogger — keystroke logging plus browser and clipboard theft
  • Remcos RAT — remote control and monitoring capabilities
  • Formbook — credential harvesting and data-stealing modules
  • Masslogger — credential and session harvesting
  • Rhadamanthys Stealer — targeted credential and cookie extraction

Operational intent

  • Credential-theft and account takeover
  • Keystroke monitoring and clipboard capture for sensitive data
  • Browser cookie and session theft enabling lateral fraud and account abuse
  • Persistent remote access enabling follow-on operations

Campaign Context and Geographic Targeting

Observed campaigns and timing

  • November 2024 — earliest observed deployments of the loader in the wild
  • July 2025 — two distinct campaigns documented by ibm-x-force
    • Taiwan campaign targeting Nusoft Taiwan employees with snake-keylogger
    • Mexico campaign distributing remcos-rat and asyncrat

Targeting profile

  • Campaigns exhibit a mix of targeted and opportunistic distribution modes
  • Taiwan-focused operation demonstrated selection of a security research firm staff as high-value targets
  • Mexico campaign appeared more broadly distributed but included similarly impactful payloads

Threat intelligence attribution and reporting

  • IBM X-Force supplied the primary technical analysis and campaign reporting
  • Security researchers, including Raymond Joseph Alfonso, provided commentary on the loader techniques and AOT use

Quishing and QR code abuse

  • Attackers increasingly weaponize QR codes as part of phishing flows, a trend commonly called quishing.
  • Techniques include splitting malicious QR data or nesting malicious QR codes inside legitimate codes to reduce detection by content filters and to encourage mobile-based interaction.

Precision-validated phishing

  • PoisonSeed style methods perform real-time address validation in the background while presenting a faux Cloudflare Turnstile challenge to victims. Post-validation flows show tailored impersonation of login services to harvest credentials and 2FA codes.
  • PoisonSeed and similar kits impersonate major CRM and bulk email vendors to harvest credentials that facilitate account takeover and financial fraud.

Tooling and kits referenced

  • Gabagool and Tycoon phishing kits have been noted for distributing quishing assets and credential harvesting links.
  • NVISO Labs and Barracuda research provide context on how these kits implement validation and redirection patterns that reduce simple blocklisting effectiveness.

Implications for Defenders

Detection challenges

  • AOT compiled dotnet loaders produce native-like-binaries that evade simple managed runtime heuristics.
  • Use of legitimate process hosts via process-hollowing obfuscates runtime behavior and complicates endpoint telemetry interpretation.
  • Encrypted payloads carried inside archives that also include genuine executables reduce the clarity of static archive scanning.

Recommended detection focus areas

  • Monitor DLL loads for unusual or unexpected modules loaded by typically benign executables
  • Correlate email-spam events that include archives containing DLL files and encrypted payload artifacts
  • Apply behavioral analytics to detect process-hollowing, memory-resident execution and anomalous imports in native-looking binaries
  • Increase scrutiny on QR-based interactions originating from email and cross-validate out-of-band QR flows

Operational considerations

  • Phishing resilience requires identity protection, 2FA hygiene and rapid detection of account anomalies following credential theft
  • Shared threat-intelligence and collaboration across vendors and researchers accelerates mapping of the quirkyloader campaign lifecycle

Campaign Timeline

  • November 2024
    • QuirkyLoader first observed delivering multiple payload families via email-spam.
  • July 2025
    • IBM X-Force reported two targeted campaigns.
    • Taiwan campaign targeted Nusoft Taiwan employees with Snake Keylogger.
    • Mexico campaign delivered Remcos RAT and AsyncRAT.
  • August 2025
    • Continued analysis and ecosystem reporting linked the loader activity with evolving phishing techniques including quishing and precision-validated phishing.

Stakeholders and References

Primary actors and contributors

  • IBM X-Force — provided detailed technical analysis and campaign reporting on QuirkyLoader.
  • Raymond Joseph Alfonso — cited for insights on dll-side-loading and loader behavior.
  • Nusoft Taiwan — identified target organization in Taiwan campaign.
  • PoisonSeed — actor or kit associated with precision-validated phishing and credential-theft flows.
  • Barracuda Research and NVISO Labs — provided context on quishing and phishing kit operations.
  • The Hacker News — reported ecosystem-level implications in August 2025.

Fact checking and primary sources

Evidence Summary

  • Observed artifacts and campaign telemetry indicate malicious archives delivered over email containing a legitimate executable, a malicious DLL loader and an encrypted payload.
  • DLL side-loading and process-hollowing observed as consistent operational patterns across campaigns.
  • AOT compiled dotnet loader modules yield native-like-binaries that complicate static detection and analysis.
  • Two July 2025 campaigns were documented: Taiwan targeting Nusoft Taiwan with snake-keylogger and Mexico distributing remcos-rat and asyncrat.

Recommendations for Detection Focus

  • Monitor for unusual or unexpected DLL loads in process trees for AddInProcess32.exe, InstallUtil.exe and aspnet_wp.exe.
  • Sandbox archive attachments that contain DLL files or encrypted payload components prior to user access.
  • Correlate email source reputations, especially when messages are delivered from legitimate email service providers but include suspicious archive contents.
  • Employ behavioral detection that flags process-hollowing patterns and memory-only payload execution rather than relying solely on file signatures.
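The two observability points the page returns to (unexpected DLL loads beside a benign executable, and AddInProcess32.exe, InstallUtil.exe or aspnet_wp.exe spawned by an untrusted parent) can be expressed as simple correlation rules over endpoint telemetry. The following is an added example written for this summary, not code from IBM X-Force or any vendor; it assumes Sysmon-style ImageLoad (EventID 7) and ProcessCreate (EventID 1) records, an assumed trusted-directory allowlist, and constructed sample events rather than real indicators.

```python
import ntpath

# Process hosts the page names as process-hollowing targets.
HOLLOW_HOSTS = {"addinprocess32.exe", "installutil.exe", "aspnet_wp.exe"}
# Directories where DLL loads by benign executables are expected (assumed allowlist).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def _in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)

def sideload_candidate(ev):
    """Sysmon-style ImageLoad (EventID 7): an unsigned DLL sitting beside the loading
    EXE outside a trusted directory matches the side-loading pattern above."""
    if ev.get("EventID") != 7:
        return False
    exe, dll = ev["Image"], ev["ImageLoaded"]
    same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
    return same_dir and not _in_trusted_dir(dll) and ev.get("Signed", "false").lower() != "true"

def hollow_host_candidate(ev):
    """ProcessCreate (EventID 1): a named host spawned by a parent outside trusted dirs."""
    if ev.get("EventID") != 1:
        return False
    host = ntpath.basename(ev["Image"]).lower()
    return host in HOLLOW_HOSTS and not _in_trusted_dir(ev["ParentImage"])

def correlate(events):
    """Emit (severity, rule, parent, child); a host spawned by a process that already
    side-loaded a DLL is escalated to HIGH."""
    sideloaders, alerts = set(), []
    for ev in events:
        if sideload_candidate(ev):
            sideloaders.add(ev["ProcessGuid"])
            alerts.append(("MEDIUM", "sideload", ev["Image"], ev["ImageLoaded"]))
        elif hollow_host_candidate(ev):
            sev = "HIGH" if ev.get("ParentProcessGuid") in sideloaders else "MEDIUM"
            alerts.append((sev, "hollow-host", ev["ParentImage"], ev["Image"]))
    return alerts

# Constructed sample telemetry (not real IoCs): an extracted EXE loads an unsigned DLL
# from its own folder, then spawns AddInProcess32.exe; notepad's load is benign.
SAMPLE = [
    {"EventID": 7, "ProcessGuid": "{A}", "Image": "C:\\Users\\u\\Downloads\\pkg\\viewer.exe",
     "ImageLoaded": "C:\\Users\\u\\Downloads\\pkg\\helper.dll", "Signed": "false"},
    {"EventID": 7, "ProcessGuid": "{B}", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "ProcessGuid": "{C}", "ParentProcessGuid": "{A}",
     "ParentImage": "C:\\Users\\u\\Downloads\\pkg\\viewer.exe",
     "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe"},
]
```

Running `correlate(SAMPLE)` yields one MEDIUM side-load alert for viewer.exe and one HIGH hollow-host alert because the same process then spawned AddInProcess32.exe; in production the allowlist and signature field should come from your own telemetry schema.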

Conclusion and Synthesis

QuirkyLoader functions as a flexible loader framework enabling distribution of a broad spectrum of payloads, including Agent Tesla, AsyncRAT, Snake Keylogger, Remcos RAT, Formbook, Masslogger and Rhadamanthys Stealer. Its use of DLL side-loading and process hollowing, combined with .NET AOT compilation to produce native-like binaries, raises the difficulty of detection and analysis. The July 2025 campaigns targeting Taiwan and Mexico underscore both targeted and opportunistic use, while the convergence with quishing and precision-validated phishing points to a wider social engineering and delivery ecosystem. Defenders should approach QuirkyLoader with a multi-layered strategy that combines email hygiene, archive sandboxing and behavior-based endpoint monitoring focused on DLL load anomalies and memory-resident execution.

Detailed Appendix

Technical indicators and behavioral markers

  • Loader behavior to watch
    • dll-side-loading by legitimate executables
    • in-memory decryption of payloads
    • process-hollowing into AddInProcess32.exe, InstallUtil.exe or aspnet_wp.exe
  • Artifact characteristics
    • dotnet-based DLLs compiled with AOT producing native-like executables
    • Encrypted payload blobs embedded alongside genuine executables inside archives

Quotes and notable commentary

  • Raymond Joseph Alfonso, IBM X-Force: "The actor uses dll-side-loading, a technique where launching the legitimate executable also loads the malicious DLL."
  • Rohit Suresh Kanase, Barracuda Research: "Malicious QR codes cannot be read by humans and can bypass traditional security measures."

Event information

  • Reported discovery window: November 2024 to August 2025
  • Notable reporting dates: July 2025 campaign reporting by IBM X-Force; August 2025 coverage linking loader campaigns to broader quishing trends

Fact Checking and Further Reading

For deeper technical details and primary telemetry consult the following sources

Question for reader engagement

  • How does your organization correlate email archive sandboxing events with runtime DLL load telemetry to detect loaders similar to quirkyloader?


Summary statement

QuirkyLoader Unveiled: A Modular Malware Loader Delivering Multi-Payload Attacks demonstrates a modular, adaptable loader that blends DLL side-loading, process hollowing and .NET AOT compilation to deliver a wide array of payloads. Its combination with evolving phishing trends such as quishing and precision-validated phishing amplifies credential-theft and remote-access-trojan risks across both targeted campaigns and broader opportunistic distribution.
