QuirkyLoader – The New Malware Loader Spreading Infostealers and Remote Access Trojans

Cybersecurity researchers at IBM X-Force have identified a sophisticated new malware loader dubbed QuirkyLoader that has been actively distributing notorious malware families, including Agent Tesla, AsyncRAT, FormBook, MassLogger, Remcos, Rhadamanthys, and Snake Keylogger since November 2024.

This multi-stage threat demonstrates advanced evasion techniques and targets victims through carefully crafted email campaigns containing malicious archives.

Advanced DLL Side-Loading Technique Evades Detection

QuirkyLoader employs a sophisticated infection chain that begins when victims open malicious archive files attached to spam emails.

The archive contains three critical components: a legitimate executable, an encrypted payload disguised as a DLL, and a malicious DLL loader module.

The threat actors leverage DLL side-loading, a technique in which the legitimate executable, when run, loads the malicious DLL placed alongside it in place of the library it expects, so the attacker's code executes under a trusted, signed process.

What makes QuirkyLoader particularly concerning is its use of ahead-of-time (AOT) compilation for its .NET-based DLL modules.

This process compiles the C# code directly into native machine code, rather than emitting intermediate language for the .NET runtime to just-in-time compile, making the resulting binary appear as though it were written in C or C++.

This technique effectively disguises the malware’s true nature from security tools designed to detect .NET assemblies.

The malware demonstrates technical sophistication in its decryption methods, with one variant using the rarely seen Speck-128 cipher in counter (CTR) mode to decrypt its payloads.

Once decrypted, QuirkyLoader performs process hollowing on legitimate Windows processes, including AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe, to inject the final malicious payload.

Targeted Campaigns Hit Taiwan and Mexico

Recent campaigns observed in July 2025 revealed QuirkyLoader's targeted approach. In Taiwan, threat actors specifically targeted employees of Nusoft Taiwan, a network and internet security research company, distributing the Snake Keylogger infostealer.

Meanwhile, a separate campaign in Mexico targeted individuals indiscriminately with both Remcos RAT and AsyncRAT payloads.

IBM X-Force’s investigation uncovered related network infrastructure centered around the domain catherinereynolds[.]info, which resolves to IP address 157[.]66[.]225[.]11 and hosts a Zimbra web client. Further analysis revealed additional related IP addresses sharing similar SSL certificates and hosting configurations.

Mitigation Strategies Critical for Defense

Security experts recommend that organizations implement several defensive measures against QuirkyLoader threats.

These include blocking emails with executable attachments, avoiding unexpected email attachments from untrusted sources, and maintaining updated security configurations.

Given that final payloads typically consist of infostealers and remote access tools, organizations should actively monitor outbound network traffic and closely observe the behavior of commonly targeted legitimate processes that QuirkyLoader exploits for process hollowing.
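As an added defensive example (not from the IBM X-Force report or this article), the check below applies the monitoring advice above to constructed process-creation and network-connection telemetry: it flags the three named .NET host processes when they are launched from a user-writable directory, started without arguments, or make an outbound connection. The pipe-separated event format, the user-writable directory list and all sample values are assumptions for illustration.

```python
"""Flag suspicious use of the .NET host processes QuirkyLoader is reported to hollow.
Event format (pipe-separated key=value) is constructed for this example, not a real Sysmon schema."""
from dataclasses import dataclass

HOLLOWING_TARGETS = {"addinprocess32.exe", "installutil.exe", "aspnet_wp.exe"}
# Directories an attachment-launched side-loading executable would typically run from (assumption).
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")

@dataclass
class Alert:
    pid: int
    image: str
    reason: str

def parse_event(line: str) -> dict:
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def detect(lines):
    alerts, watched = [], {}  # watched: pid -> image of hollowing-target processes seen so far
    for line in lines:
        ev = parse_event(line)
        pid = int(ev["pid"])
        if ev["type"] == "proc_create":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if image not in HOLLOWING_TARGETS:
                continue
            watched[pid] = image
            if any(d in ev["parent"].lower() for d in USER_WRITABLE):
                alerts.append(Alert(pid, image, f"launched by user-writable parent {ev['parent']}"))
            # These hosts normally receive arguments (assembly path, /guid, /pid); a bare launch is
            # consistent with a process created suspended only to be hollowed.
            if len(ev.get("cmdline", "").split()) <= 1:
                alerts.append(Alert(pid, image, "started with no arguments"))
        elif ev["type"] == "net_connect" and pid in watched:
            # Injected infostealer/RAT payloads talk out; the legitimate host itself rarely does.
            alerts.append(Alert(pid, watched[pid], f"outbound connection to {ev['dst']}"))
    return alerts

SAMPLE_EVENTS = [  # constructed telemetry: one benign InstallUtil run, one hollowing-like chain
    "type=proc_create|pid=4100|image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
    "|parent=C:\\Program Files\\Vendor\\setup.exe|cmdline=InstallUtil.exe /i C:\\Vendor\\svc.dll",
    "type=proc_create|pid=4188|image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe"
    "|parent=C:\\Users\\alice\\Downloads\\invoice\\viewer.exe|cmdline=AddInProcess32.exe",
    "type=net_connect|pid=4188|dst=203.0.113.7:443",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"pid {a.pid} ({a.image}): {a.reason}")
```

Running it against the sample produces three alerts, all for pid 4188, while the argument-bearing InstallUtil run from a vendor installer stays quiet; in a real estate the parent-directory and argument heuristics should be tuned against a baseline of how these hosts are normally invoked.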

The emergence of QuirkyLoader represents a significant evolution in malware delivery techniques, combining legitimate tools with advanced compilation methods to evade detection while distributing established threat families.


The post QuirkyLoader – The New Malware Loader Spreading Infostealers and Remote Access Trojans appeared first on Cyber Security News.
