Current Cyber Threats

Hackers Using New QuirkyLoader Malware to Spread Agent Tesla, AsyncRAT and Snake Keylogger

Summary:
A new malware loader, dubbed “QuirkyLoader,” is being actively used to deploy next-stage payloads on targeted systems. These next-stage payloads range from information stealers to remote access trojans, including Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger. QuirkyLoader infection chains involve phishing emails containing malicious archive attachments. According to IBM X-Force researchers who uncovered details of the new loader, emails are sent using both legitimate email service providers and a self-hosted email server. The malicious archives typically contain three files: a legitimate executable, an encrypted payload, and a malicious DLL. The legitimate executable is used to load the malicious DLL, which in turn loads, decrypts, and injects the final payload into its target process (AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe) via process hollowing.
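The three-file archive layout described above (a legitimate executable, a DLL it will sideload, and an encrypted payload) is something mail-gateway or sandbox triage can look for directly. The script below is an added example written for this bulletin, not code from IBM X-Force or the linked article: it opens an archive, classifies each member as a PE executable, a PE DLL, or an opaque high-entropy blob, and reports whether all three appear together. The sample archive, its file names, and the 7.5 bits-per-byte entropy threshold are constructed for the example.

```python
import io
import math
import random
import zipfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_dll(data: bytes) -> bool:
    """IMAGE_FILE_DLL (0x2000) in the COFF Characteristics field, 22 bytes past the PE signature."""
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    characteristics = int.from_bytes(data[e_lfanew + 22:e_lfanew + 24], "little")
    return bool(characteristics & 0x2000)


def triage_archive(zip_bytes: bytes, entropy_threshold: float = 7.5) -> dict:
    """Classify archive members and flag the exe + dll + encrypted-blob sideloading pattern."""
    exes, dlls, blobs = [], [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if is_pe(data):
                (dlls if is_dll(data) else exes).append(info.filename)
            elif shannon_entropy(data) >= entropy_threshold:
                blobs.append(info.filename)
    return {
        "executables": exes,
        "dlls": dlls,
        "high_entropy_blobs": blobs,
        "sideload_pattern": bool(exes and dlls and blobs),
    }


def _fake_pe(dll_flag: bool) -> bytes:
    """Constructed PE-shaped header for the example; not a real or runnable binary."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (0x40 - 2))
    dos[0x3C:0x40] = e_lfanew.to_bytes(4, "little")
    dos += b"\0" * (e_lfanew - len(dos))
    coff = b"PE\0\0" + b"\0" * 18 + (0x2000 if dll_flag else 0x0002).to_bytes(2, "little")
    return bytes(dos) + coff + b"\0" * 64


def build_sample_archive() -> bytes:
    """Constructed lookalike of the advisory's three-file layout plus a benign text file."""
    rng = random.Random(7)  # fixed seed so the blob's entropy is reproducible
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("viewer.exe", _fake_pe(False))        # stands in for the legitimate exe
        zf.writestr("helper.dll", _fake_pe(True))         # stands in for the sideloaded DLL
        zf.writestr("data.bin", bytes(rng.randrange(256) for _ in range(4096)))  # "encrypted" payload
        zf.writestr("readme.txt", b"Invoice attached. " * 50)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
```

The entropy test is a heuristic: legitimate archives also contain compressed or encrypted members, so the useful signal is the co-occurrence of an executable, a DLL it could load, and an opaque blob, rather than any one of them alone.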

Security Officer Comments:
Binaries like QuirkyLoader act as a gateway for next-stage payload deployment. QuirkyLoader’s multi-stage infection chain and its use of techniques such as process hollowing and DLL sideloading enable actors to distribute well-known malware families like Agent Tesla, AsyncRAT, and Remcos while evading defenses. Although IBM X-Force notes that the DLL loader has been used in limited campaigns for the past few months, with two campaigns observed in July 2025 targeting Taiwan and Mexico, we will likely see an increase in intrusions involving QuirkyLoader as it gains traction within the cybercriminal community.

It is worth mentioning that QuirkyLoader’s DLL module is written in .NET languages and compiled ahead-of-time to disguise its true nature.

“QuirkyLoader's DLL module is consistently written in C# .NET. It is compiled using Ahead-of-Time (AOT) compilation, which compiles the C# code into Microsoft Intermediate Language (MSIL) first, and then compiles the MSIL into native machine code. This technique bypasses the traditional .NET method of first compiling code into Microsoft Intermediate Language (MSIL) and then using the Common Language Runtime (CLR) to translate it into native code. As a result, the final binary resembles a program written in C or C++,” note researchers in their blog post.

Making the binary resemble a native C or C++ application makes it more difficult to reverse engineer with traditional .NET tools and may avoid triggering AV/EDR solutions that focus on identifying .NET assemblies.

Suggested Corrections:
  • Block messages with executable attachments
  • Avoid opening unexpected emails
  • Avoid opening files that come from untrusted sources
  • Keep security products up-to-date and properly configured
  • Since the final payloads are typically infostealers and remote access tools, actively monitor and inspect outbound network traffic
  • Closely monitor the behavior of the following legitimate processes, as they are common targets for process hollowing by QuirkyLoader:
    • AddInProcess32.exe
    • InstallUtil.exe
    • aspnet_wp.exe
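The last correction above asks defenders to watch the three hollowing targets. The script below is an added example for this bulletin, not code from IBM X-Force or the linked article. It runs over constructed process-creation and network-connection records (in the shape an EDR or Sysmon export would give) and surfaces any of the three named processes launched by a parent living in a user-writable path, together with the outbound connections that PID later made. The parent-path heuristic, the sample paths, PIDs, and the 203.0.113.10 documentation address are assumptions made for the example.

```python
import ntpath
from dataclasses import dataclass

# The three hollowing targets named in the advisory.
HOLLOWING_TARGETS = {"addinprocess32.exe", "installutil.exe", "aspnet_wp.exe"}

# Assumption for this example: a parent running out of a user-writable
# location is unusual for these .NET Framework utilities. Tune per environment.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")


@dataclass
class ProcessEvent:
    pid: int
    image: str
    parent_image: str


@dataclass
class NetworkEvent:
    pid: int
    dest_ip: str
    dest_port: int


def from_user_writable(path: str) -> bool:
    """True when the path contains one of the user-writable directory hints."""
    return any(hint in path.lower() for hint in USER_WRITABLE_HINTS)


def find_hollowing_candidates(proc_events, net_events):
    """Flag advisory-listed targets spawned from a user-writable parent; attach their outbound traffic."""
    outbound = {}
    for n in net_events:
        outbound.setdefault(n.pid, []).append(f"{n.dest_ip}:{n.dest_port}")
    alerts = []
    for p in proc_events:
        name = ntpath.basename(p.image).lower()
        if name in HOLLOWING_TARGETS and from_user_writable(p.parent_image):
            alerts.append({
                "pid": p.pid,
                "target": name,
                "parent": p.parent_image,
                "outbound": outbound.get(p.pid, []),
            })
    return alerts


# Constructed sample telemetry: one suspicious launch, one expected launch, one unrelated process.
SAMPLE_PROC_EVENTS = [
    ProcessEvent(4120, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
                 r"C:\Users\alice\Downloads\invoice\viewer.exe"),
    ProcessEvent(4188, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
                 r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"),
    ProcessEvent(4201, r"C:\Windows\System32\notepad.exe",
                 r"C:\Users\alice\AppData\Local\Temp\setup.exe"),
]
SAMPLE_NET_EVENTS = [
    NetworkEvent(4120, "203.0.113.10", 443),  # constructed; TEST-NET-3 documentation range
    NetworkEvent(4188, "10.0.0.5", 8080),
]


if __name__ == "__main__":
    for alert in find_hollowing_candidates(SAMPLE_PROC_EVENTS, SAMPLE_NET_EVENTS):
        print(alert)
```

This produces review candidates, not a verdict: process hollowing itself is confirmed by memory or image-path telemetry (a mapped image that no longer matches the file on disk), which this log-level check does not have. Pairing the launch with the PID's outbound connections covers the bulletin's point that the final payloads are stealers and remote access tools that have to talk out.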

Link(s):
https://thehackernews.com/2025/08/hackers-using-new-quirkyloader-malware.html