Researchers have uncovered a new malware loader used in targeted email campaigns to deliver info-stealing malware and remote access trojans.
Since November 2024, cybercriminals have been using a new malware loader, dubbed QuirkyLoader, to distribute a range of malicious payloads through email spam campaigns. According to The Hacker News, the malware has delivered high-risk tools such as Agent Tesla, AsyncRAT, Snake Keylogger, Remcos RAT, Formbook, Masslogger, and Rhadamanthys Stealer.
Researchers analyzed the malware and found that attackers often send emails using both legitimate email services and self-hosted servers. These emails contain malicious archives with three elements: a legitimate executable, an encrypted payload, and a malicious DLL. The technique used is DLL side-loading, which executes the malicious DLL when the user launches the seemingly safe executable.
QuirkyLoader injects its final payload into legitimate Windows processes such as AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe, helping it evade detection. The loader itself is written in .NET and compiled ahead-of-time (AOT) into native machine code, giving it the appearance of a C or C++ binary, an effort to mislead reverse engineers and security software.
In July 2025, two targeted campaigns were observed:
The Hacker News explained that the malware’s use of legitimate processes and compiled binaries helps the final payload remain undetected. The report also noted that the actor consistently writes the DLL loader in .NET and employs advanced evasion tactics.
Researchers also drew connections between these malware campaigns and broader phishing trends. New phishing kits and QR code-based attacks are evolving rapidly, using tactics like splitting QR codes or embedding malicious elements into trusted brands’ images to bypass traditional email filters.
DLL side-loading abuses the way Windows resolves dynamic libraries: a malicious DLL is placed where a legitimate, trusted executable will find and load it in place of the library it expects. Because the code runs inside a signed or well-known process, the malware appears trustworthy to the system and is harder to detect.
Process hollowing is a method where malware starts a legitimate process in a suspended state, replaces its memory with malicious code, and resumes execution. QuirkyLoader uses this to inject its payload into trusted processes, masking its presence.
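The side-loading and hollowing behaviour described above leaves a telemetry trail a defender can look for: the .NET host processes the article names being spawned by a parent that does not live in a normal install location. The following Python script is an added example, not code from the original report; it assumes Sysmon Event ID 1 style field names (`Image`, `ParentImage`), uses a trusted-directory heuristic that is an assumption to be tuned per environment, and runs over constructed sample events.

```python
import json
import ntpath
from typing import Iterable

# Hosts the article names as QuirkyLoader's injection targets (compared case-insensitively).
HOLLOWING_TARGETS = {"addinprocess32.exe", "installutil.exe", "aspnet_wp.exe"}

# Install locations a legitimate parent of these .NET hosts would normally run from.
# Heuristic assumed for this example; tune it to the software actually deployed in your fleet.
TRUSTED_PARENT_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_suspicious(event: dict) -> bool:
    """True when a hollowing target is launched by a parent outside trusted install paths."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in HOLLOWING_TARGETS:
        return False
    parent = event.get("ParentImage", "").lower()
    return not parent.startswith(TRUSTED_PARENT_PREFIXES)


def scan(lines: Iterable[str]) -> list:
    """Parse one JSON process-creation event per line and return the suspicious ones."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line should not abort the whole scan
        if is_suspicious(event):
            hits.append(event)
    return hits


# Constructed sample telemetry (Sysmon Event ID 1 style field names, not real data).
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe"}
{"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_wp.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe", "ParentImage": "C:\\Users\\bob\\Downloads\\report.exe"}
this line is not JSON and must be skipped
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS.splitlines()):
        print("suspicious:", hit["Image"], "<-", hit["ParentImage"])
```

A parent-path check alone will not catch a loader that has already been copied into a trusted directory, so pair it with the archive-content pattern the report describes (executable plus DLL plus opaque blob) and with image-load events for the side-loaded DLL.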
Using .NET with AOT compilation, attackers produce binaries that appear to be native applications written in C or C++, complicating analysis and bypassing security tools that key on the patterns of typical managed .NET malware.
Recent phishing kits embed malicious QR codes into emails or split them across images, making detection harder. They often force users onto mobile devices where corporate protections are weaker.
Precision-validated phishing checks the validity of an email address in real time before displaying a fake login page, often disguised with elements like a Cloudflare Turnstile. This ensures only real, high-value targets proceed to the phishing form, increasing the success rate of credential theft.