New .NET Multi-stage Loader Attacking Windows Systems to Deploy Malicious Payloads

While earlier variants embedded the second stage as hardcoded strings, newer versions have adopted more sophisticated concealment methods, hiding malicious code within bitmap resources to avoid triggering security alerts. A sophisticated .NET multi-stage malware loader has been actively targeting Windows systems since early 2022, serving as a distribution channel for dangerous payloads including information stealers and remote access trojans. Statistical analysis covering March 2022 through February 2025 shows consistent deployment patterns for these payloads, highlighting the loader’s reliability as a malware delivery mechanism for cybercriminals. The research team noted that the primary value of monitoring this loader lies in obtaining fresh samples and indicators of compromise rather than early detection of new malware families. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Their tracking revealed that despite frequent changes to the first two stages, the third stage maintains a relatively stable code structure, providing a consistent signature for detection. The impact of this loader has been significant across the cybersecurity landscape, with the malware predominantly distributing commodity threats including AgentTesla, Formbook, Remcos, and 404Keylogger. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. This loader employs a complex three-stage deployment mechanism that helps it evade detection while delivering malicious software to compromised machines. This carefully orchestrated process demonstrates the sophisticated techniques modern malware employs to compromise systems while remaining undetected. The threat has been continuously evolving, with recent versions implementing more advanced obfuscation techniques to hide their activities from security solutions. The third stage then manages the deployment of the final payload in memory, completing the infection chain while minimizing detection risk. ThreatRay researchers identified this loader through code reuse analysis, establishing connections between approximately 20,000 samples collected over a three-year period. This evolution demonstrates the operators’ commitment to maintaining the loader’s effectiveness against modern security solutions. Tushar is a Cyber security content editor with a passion for creating captivating and informative content. The malware begins its infection chain with a seemingly innocuous .NET executable that contains encrypted components of subsequent stages.

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 15 May 2025 17:09:55 +0000