New QuirkyLoader malware targets global victims with email attacks
Farah Amod
September 11, 2025
Researchers have uncovered a new malware loader used in targeted email campaigns to deliver info-stealing malware and remote access trojans.
What happened
Since November 2024, cybercriminals have been using a new malware loader, dubbed QuirkyLoader, to distribute a range of malicious payloads through email spam campaigns. According to The Hacker News, the malware has delivered high-risk tools such as Agent Tesla, AsyncRAT, Snake Keylogger, Remcos RAT, Formbook, Masslogger, and Rhadamanthys Stealer.
Researchers analyzed the malware and found that attackers often send emails using both legitimate email services and self-hosted servers. These emails contain malicious archives with three elements: a legitimate executable, an encrypted payload, and a malicious DLL. The technique used is DLL side-loading, which executes the malicious DLL when the user launches the seemingly safe executable.
Going deeper
QuirkyLoader injects its final payload into legitimate Windows processes such as AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe, helping it evade detection. The loader itself is written in .NET and compiled ahead-of-time (AOT) into native machine code, giving it the appearance of a C or C++ binary in an effort to mislead reverse engineers and security software.
In July 2025, two targeted campaigns were observed:
- One attack focused on employees of Nusoft Taiwan, a cybersecurity firm in New Taipei City, using Snake Keylogger to collect keystrokes, browser data, and clipboard contents.
- The other targeted unspecified users in Mexico with Remcos RAT and AsyncRAT, though researchers consider it a less targeted campaign.
What was said
The Hacker News report explained that the malware’s use of legitimate processes and AOT-compiled binaries helps the final payload remain undetected. It also noted that the actor consistently writes the DLL loader in .NET and employs advanced evasion tactics.
Researchers also drew connections between these malware campaigns and broader phishing trends. New phishing kits and QR code-based attacks are evolving rapidly, using tactics like splitting QR codes or embedding malicious elements into trusted brands’ images to bypass traditional email filters.
FAQs
What makes DLL side-loading an effective technique for malware delivery?
DLL side-loading abuses the way Windows resolves dynamic libraries: a malicious DLL is placed where a legitimate executable will find it first, so the trusted program loads and runs the attacker's code. Because the activity originates from a legitimate, often signed executable, the malware appears trustworthy to the system and can avoid detection.
What is process hollowing, and how does QuirkyLoader use it?
Process hollowing is a method where malware starts a legitimate process in a suspended state, replaces its memory with malicious code, and resumes execution. QuirkyLoader uses this to inject its payload into trusted processes, masking its presence.
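As an added example (not code from the article or from the researchers it cites), the following Python applies two defender-side heuristics over constructed Sysmon-style events for the behaviours described above: one of the named injection targets (AddInProcess32.exe, InstallUtil.exe, aspnet_wp.exe) launched by an unexpected parent, and an unsigned DLL loaded from the launching executable's own directory outside trusted paths, the side-loading pattern. The expected-parent baseline, trusted-path prefixes and sample events are assumptions for illustration.

```python
import ntpath

# Processes the article names as QuirkyLoader's injection targets.
INJECTION_TARGETS = {"addinprocess32.exe", "installutil.exe", "aspnet_wp.exe"}
# Parents that normally launch those .NET utilities (assumed baseline; tune per estate).
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "msiexec.exe", "services.exe", "w3wp.exe"}
# Roots where an unsigned DLL beside its executable is not by itself suspicious (assumed).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def _base(path):
    return ntpath.basename(path).lower()

def _dir(path):
    return ntpath.dirname(path).lower()

def analyse(events):
    """Return (event_index, reason) findings for a list of Sysmon-style event dicts."""
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:  # process creation
            image, parent = _base(ev["Image"]), _base(ev["ParentImage"])
            if image in INJECTION_TARGETS and parent not in EXPECTED_PARENTS:
                findings.append((i, f"{image} launched by unexpected parent {parent}"))
        elif ev["EventID"] == 7:  # image (DLL) load
            exe_dir, dll_dir = _dir(ev["Image"]), _dir(ev["ImageLoaded"])
            # Side-loading signal: an unsigned DLL loaded from the executable's own
            # directory, where that directory lies outside the trusted roots.
            if (ev["Signed"] == "false" and dll_dir == exe_dir
                    and not exe_dir.startswith(TRUSTED_PREFIXES)):
                findings.append((i, f"unsigned {_base(ev['ImageLoaded'])} side-loaded from {exe_dir}"))
    return findings

# Constructed sample events (not real telemetry); field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\invoice\Viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\invoice\version.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "ParentImage": r"C:\Users\alice\Downloads\invoice\Viewer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for idx, reason in analyse(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Only the first two sample events are flagged: the unsigned DLL beside the downloaded executable, then AddInProcess32.exe started by that executable; the legitimate InstallUtil.exe launch and the signed system DLL load pass.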
Why does QuirkyLoader use .NET with ahead-of-time (AOT) compilation?
Using .NET and AOT compilation, attackers create binaries that appear like native applications written in C or C++, complicating analysis and bypassing certain security tools that target typical .NET malware patterns.
How are QR code phishing attacks evolving alongside malware loaders?
Recent phishing kits embed malicious QR codes into emails or split them across images, making detection harder. They often force users onto mobile devices where corporate protections are weaker.
What is precision-validated phishing, and how does it work?
Precision-validated phishing checks the validity of an email address in real time before displaying a fake login page, often disguised with elements like a Cloudflare Turnstile. This ensures only real, high-value targets proceed to the phishing form, increasing the success rate of credential theft.