Severity
High
Analysis Summary
A sophisticated multi-stage .NET malware loader has been actively targeting Windows systems since early 2022, primarily serving as a delivery mechanism for various commodity malware threats, including AgentTesla, Formbook, Remcos, and 404Keylogger. This loader follows a three-stage deployment strategy designed to evade detection by modern security solutions.
The infection chain begins with a seemingly benign .NET executable that contains encrypted components of the following stages. Initially, the second-stage payload was embedded as hardcoded strings, but newer versions use advanced techniques, such as concealing malicious code within bitmap resources, to bypass signature-based detection.
The loader's execution flow is both intricate and stealthy. The first-stage executable decrypts and extracts data in memory before passing execution to the second stage, a .NET DLL. This DLL takes three parameters, ResourceName, XORKey, and ModuleName, and uses them to locate, extract, and decrypt a bitmap resource. Interleaving arithmetic loops and sleep cycles to evade analysis, the loader converts the bitmap into a byte array, decrypts it with the supplied XOR key, loads the result as an assembly, and invokes specific methods to continue the infection. Because the payload never touches disk, this in-memory execution significantly reduces the risk of being flagged by security tools.
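The stage described above (bitmap resource, byte array, XOR decryption, assembly load) can be turned into a triage check for the resources the remediation section asks defenders to inspect. The following Python is an added example, not code from the original report or its authors: it extracts a BMP's pixel array, recovers a short repeating XOR key by treating the standard PE DOS-stub header as known plaintext, and confirms the decrypted bytes parse as a PE. It assumes the concealed payload is a Microsoft-linker-built PE (true of csc-compiled .NET assemblies) and that the loader XORs the raw pixel bytes with a repeating key; the BMP samples, the key `XORKey!` and all function names are constructed for the example.

```python
import struct

# Known plaintext: the first 60 bytes of a PE produced by Microsoft's linker (standard DOS
# stub header; the 4-byte e_lfanew at 0x3C varies). Assumption: the hidden payload is such a PE.
DOS_STUB_CRIB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" + b"\x00" * 32
)

def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def bitmap_pixels(bmp: bytes) -> bytes:
    """Raw pixel array of a BMP file, the bytes a loader would convert to a byte array."""
    if len(bmp) < 14 or bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    return bmp[struct.unpack_from("<I", bmp, 10)[0]:]   # pixel-array offset lives at byte 10

def looks_like_pe(buf: bytes) -> bool:
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_xor_key(data: bytes, max_key_len: int = 16):
    """Derive a key of each length from the crib; keep the first that reproduces the whole crib."""
    for k in range(1, min(max_key_len, len(DOS_STUB_CRIB) // 2) + 1):  # keep k well below 60
        key = xor_bytes(data[:k], DOS_STUB_CRIB[:k])
        if xor_bytes(data[:len(DOS_STUB_CRIB)], key) == DOS_STUB_CRIB:
            return key
    return None

def scan_bitmap(bmp: bytes, max_key_len: int = 16):
    """Return (key, decrypted_pe) if the pixel data is an XOR'd PE (plain PE -> key b'\\x00'), else None."""
    data = bitmap_pixels(bmp)
    key = recover_xor_key(data, max_key_len)
    if key is None:
        return None
    pe = xor_bytes(data, key)
    return (key, pe) if looks_like_pe(pe) else None

def build_sample(key: bytes) -> bytes:
    """Constructed input: a minimal PE skeleton XOR'd with key, behind a 54-byte BMP header."""
    pe = DOS_STUB_CRIB + struct.pack("<I", 0x80) + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x00" * 20
    pixels = xor_bytes(pe, key)
    return b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54) + b"\x00" * 40 + pixels

SAMPLE_BMP = build_sample(b"XORKey!")   # constructed loader-style bitmap
BENIGN_BMP = b"BM" + struct.pack("<IHHI", 118, 0, 0, 54) + b"\x00" * 40 + bytes(range(64))
```

Run `scan_bitmap` over every bitmap resource extracted from a suspicious .NET binary; a hit yields both the key and a PE that can be handed to normal static analysis.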
Despite the loader's constant evolution in the first and second stages, researchers observed that the third stage maintains a stable structure. This consistency offers a reliable detection point even as attackers change the loader's early-stage techniques. Analysis of over 20,000 samples, tracked through code reuse and behavior over three years, highlights the threat actors' continued investment in refining the loader while keeping its final delivery mechanism predictable and reusable. The shift from basic string-based payload storage to more covert bitmap-based concealment underlines a strategic push toward evading behavioral and heuristic detection.
The loader has shown reliable distribution patterns across a wide timeframe, from March 2022 through February 2025, making it a favored tool among cybercriminals for spreading well-known info-stealers and RATs. Its effectiveness lies not only in delivering malware but in doing so consistently and covertly, making it difficult to detect in the early stages. While the loader itself may not represent a novel malware family, it is a critical enabler in the malware ecosystem. Security researchers emphasize the importance of monitoring such loaders, not just to block final payloads but also to identify fresh indicators of compromise (IOCs) and study the evolving tactics used by threat actors.
Impact
- Security Bypass
- Gain Access
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Use EDR/XDR solutions with behavioral analysis and memory scanning capabilities to detect in-memory execution and staged malware activity.
- Ensure all Windows systems, .NET runtimes, and software are up to date to minimize exploitation of known vulnerabilities.
- Set alerts for suspicious .NET-based processes or executables running from uncommon directories or with obfuscated resource calls.
- Analyze bitmap and other embedded resources in .NET binaries for hidden malicious payloads using sandboxing or static analysis tools.
- Continuously update firewalls, antivirus, and SIEM platforms with the latest indicators of compromise (file hashes, domains, IPs) from threat intel feeds.
- Limit user permissions to reduce the impact of malware execution and lateral movement across the network.
- Use secure email gateways and URL filtering to block malicious attachments and download links associated with loader campaigns.
- Proactively hunt for signs of loader activity in logs and memory to catch infections early, especially targeting processes with long sleep intervals and loop-based obfuscation.
- Restrict execution to approved applications only, preventing unauthorized .NET executables from running.