{
	"id": "fe7c2de5-d5ce-4413-9f28-1e178f6d84a5",
	"created_at": "2026-04-06T00:12:10.594516Z",
	"updated_at": "2026-04-10T03:30:33.275207Z",
	"deleted_at": null,
	"sha1_hash": "074ba53412d9668ba3a6b38e234c7a49cf964a86",
	"title": "PrivateLoader: the loader of the prevalent ruzki PPI service",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1161024,
	"plain_text": "PrivateLoader: the loader of the prevalent ruzki PPI service\r\nBy Pierre Le Bourhis, Quentin Bourgue and Sekoia TDR\r\nPublished: 2022-09-15 · Archived: 2026-04-05 18:30:49 UTC\r\nTable of contents\r\nBackground\r\nIntroduction\r\nPrivateLoader, a widespread loader in the PPI landscape\r\nTechnical analysis\r\nCommunications\r\nPrivateLoader infrastructure\r\nMalware distributed by PrivateLoader\r\nRuzki, a popular Pay-Per-Install service\r\nWhat is the ruzki Pay-per-Install service?\r\nPrivateLoader’s association with the ruzki Pay-per-Install service\r\nStatistic URLs of PrivateLoader in publications of ruzki service\r\nRedline campaigns associated with Ruzki botnets\r\nA perfect timing\r\nConclusion\r\nMITRE ATT\u0026CK TTPs\r\nAnnex\r\nIoCs\r\nBackground\r\nPay-Per-Install (PPI) is a malware service widely used in the cybercrime ecosystem that monetises the installation of malicious software. As generally observed, a malware operator provides a Pay-per-Install service operator with a payload, a requested number of installations, and a target geographical location. The service operators are then responsible for distributing the malware sample based on the customer’s request, and are paid for doing so. Actors selling “installs” play a key role in the distribution of threats, as well as in the underground economy.\r\nTo run this service, Pay-per-Install operators use tools to monitor the number of installations, the location of infected hosts, and other valuable installation-related information. 
For the most premium services, actors also operate a modular loader enabling management of additional payloads, customising the attack chain and improving the rate of successful compromise by reducing the detection of payloads.\r\nWhile most Pay-per-Install services use their own traffic distribution network, some purchase traffic generation services, such as those offered by traffers teams, to ensure wide and fast distribution of malware samples.\r\nIntroduction\r\nhttps://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/\r\nPage 1 of 15\n\nSekoia.io observed that PrivateLoader is one of the most widely used loaders in 2022. It is used by a Pay-Per-Install service to deploy multiple malicious payloads on infected hosts.\r\nFirst observed in May 2021, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server.\r\nSEKOIA analysts tracked PrivateLoader’s network infrastructure for several months and recently conducted an in-depth analysis of the malware. In parallel, we also monitored activities related to the ruzki PPI malware service.\r\nThe threat actor ruzki (aka les0k, zhigalsz) has advertised their PPI service on underground Russian-speaking forums and their Telegram channels under the name ruzki or zhigalsz since at least May 2021. Their business model consists of selling bundles of a thousand installations, located on systems all over the world, or specifically in Europe or in the United States.\r\nOur investigations on Dark Web forums allow us to assess with high confidence that PrivateLoader is the proprietary loader of the ruzki PPI malware service.\r\nPrivateLoader, a widespread loader in the PPI landscape\r\nPrivateLoader is a downloader malware family first publicly reported in February 2022 by Intel471. 
The loader is used as part of a PPI service to deliver payloads of multiple malware families operated by several threat actors or intrusion sets.\r\nThe following is an overview of the PrivateLoader malware capabilities, its infrastructure and the malware involved in its campaigns.\r\nTechnical analysis\r\nPrivateLoader is a modular C++ loader composed of three modules: the loader, which loads the Core module; the Core module, which contacts the Command and Control (C2) to get the URL from which the next payload is downloaded; and the Service module, which ensures persistence.\r\nPrivateLoader’s main purpose is to provide an environment where the next payload is downloaded and executed. To remain agnostic, the malware does not embed the next stage; the loader downloads the next payload based on its configuration. The downloaded payload is obfuscated by customised operations developed by the author and detailed later.\r\nThe PrivateLoader core module offers the following functionalities:\r\nStack string obfuscation;\r\nHost fingerprinting (used for victim statistics on the C2 panel);\r\nNext stage payload download over HTTPS and execution;\r\nAnti-analysis techniques.\r\nExecution of some samples highlights the presence of specific Tactics, Techniques and Procedures (TTPs) [https://tria.ge/220717-gpte2ahcbp, https://tria.ge/220826-kv1m3saahk]:\r\nImpair defenses (disables Windows Defender Real Time protection);\r\nThe loader has its own Command and Control, used to gather victim statistics and to send next stage URLs via multiple dead drop resolvers.\r\nPrivateLoader’s main use consists of loading one or several third-party malware families. 
To do so, the loader contacts hardcoded URLs which are obfuscated in the PE; it then requests the URL(s), which return a dead drop resolver subsequently used to get another URL hosting the next stage payload.\r\nAfter downloading the next stage, PrivateLoader deobfuscates its content using byte replacement based on the following table:\r\nOriginal byte | Replacement byte\r\n0x00 | 0x80\r\n0x80 | 0x0a\r\n0x0a | 0x01\r\n0x01 | 0x05\r\n0x05 | 0xde\r\n0xde | 0xfd\r\n0xfd | 0xff\r\n0xff | 0x55\r\n0x55 | 0x00\r\nTable 1: Byte replacement table\r\nAfter the byte substitution, the loader XORs the payload content with the key `0x9d`. The downloaded and deobfuscated file starts with a magic value that is removed before executing the valid PE. A script to extract the obfuscated payload is provided in the annex.\r\nCommunications\r\nThe communication of PrivateLoader is split in three parts:\r\n1. The malware deobfuscates one or several embedded URL(s) not controlled by the attacker (dead drop resolver tactic);\r\n2. It requests the embedded URL; the response is in plaintext and follows this format: `HOST:\u003cC2 IP address\u003e`;\r\n3. The infected host then requests the C2 over HTTP on a unique endpoint `/base/api/statistics.php`; the response contains the final payload URL obfuscated using a XOR operation;\r\n4. Eventually, the malware downloads the next payload, again obfuscated, this time with a different algorithm.\r\nFigure 1. PrivateLoader communication overview\r\nImage 2: PrivateLoader core module network communication overview\r\nWhile the Dead Drop Resolver technique used by PrivateLoader can leverage legitimate websites such as Pastebin, the malware can also use proprietary servers with URLs like `/servers.txt` and `/proxies.txt`. 
In the latter Dead Drop Resolver option, the C2 IP is hidden in a list of IP addresses, and the correct one is obfuscated by scrambling.\r\nThe communication with the PrivateLoader C2 is obfuscated by XORing the HTTP body with the key `0x6d`, a technique consistently observed across all campaigns.\r\nSEKOIA observed that PrivateLoader operators changed their final payload hosting provider over the summer, shifting from Discord attachments to vk.com documents to host the downloaded payload. It is possible that PrivateLoader customers are able to provide their own server to host the payload. As Discord is increasingly used by several malware families as a C2 or as a file host, it is now under more scrutiny. It is possible this increased monitoring was a driver for PrivateLoader’s recent hosting shift.\r\nFigure 3. Domains hosting the final payload downloaded by PrivateLoader, observed between 15 August and 3 September 2022\r\nAfter downloading the next stage, if the core module is not configured to set up the service module, communication with the PrivateLoader Core module stops. The Core module allows two configurations: the first one contacts the C2 to load the Service module; the second downloads other malware and ends its activity, and all remaining communication in this specific configuration belongs to the next stage. SEKOIA observed the second behaviour as the most widespread among campaigns involving PrivateLoader malware.\r\nPrivateLoader infrastructure\r\nThe infrastructure hosts the C2 servers used by PrivateLoader operators to manage their service. 
PrivateLoader samples communicate with these C2 servers to retrieve and exfiltrate data, as previously detailed in the analysis.\r\nAt the time of writing, SEKOIA observed 4 currently active C2 servers:\r\nIP address | ASN | Country | Active since\r\n79.174.12.174 | RU-JSCIOT (29182) | Russia | 2021-06-30\r\n91.240.85.160 | RU-JSCIOT (29182) | Russia | 2021-08-31\r\n212.193.30.115 | AS_DELIS (211252) | Czechia | 2022-07-26\r\n167.235.29.244 | HETZNER-AS (24940) | Germany | 2022-09-04\r\nTable 2. Active C2 servers on 6 September, 2022\r\nRequests on publicly exposed endpoints (see the section “Statistic URLs of PrivateLoader in publications of ruzki service”) suggest that all IP addresses redirect to the same C2. This information is valuable in associating the exclusive use of PrivateLoader with a specific PPI service.\r\nTo proactively track the PrivateLoader servers, we identified a heuristic based on the characteristic HTTP response and the HTTP headers on port 80. The servers respond with HTTP 200 and an HTML page titled “404 not found” containing “(Ubuntu) Server at”, with PHP server headers.\r\nSEKOIA also tracks PrivateLoader servers by searching for the specific PrivateLoader URLs (/base/api/getData.php and /base/api/statistics.php) and their administration panel.\r\nMonitoring the PrivateLoader infrastructure, we observed over 30 unique C2 servers. The volume of malicious traffic generated by these servers suggests that the servers are quickly detected by security vendors. 
Moreover, it is highly likely that the servers are eventually shut down if they are not provided by a bulletproof host.\r\nMalware distributed by PrivateLoader\r\nIn the campaigns SEKOIA observed over the last weeks, the following malware families were actively distributed by PrivateLoader payloads:\r\nInformation stealers: Redline, Vidar, Raccoon, Eternity, Socelars, Fabookie, YTStealer, AgentTesla, Phoenix and other uncategorized stealers.\r\nRansomware: Djvu.\r\nBotnet: Danabot, SmokeLoader.\r\nMiners: XMRig and other uncategorized stealers.\r\nOther commodity malware: DcRAT, Glupteba, Netsupport, and a Nymaim variant.\r\nPrivateLoader distribution of malware families is documented in Intel471 and Bitsight reports, respectively over the course of September-January 2021, and July-August 2022.\r\nBased on the wide selection of malware families, which implies a wide range of threat actors or intrusion sets operating this malware, the PPI service running PrivateLoader is very attractive and popular among attackers on underground markets.\r\nRuzki, a popular Pay-Per-Install service\r\nSEKOIA observed that PrivateLoader is one of the most widespread loaders in 2022. To better understand the spread of PrivateLoader, we must consider the PPI service associated with the loader.\r\nSEKOIA investigations on Dark Web forums led us to take a closer look at the ruzki PPI malware service. 
Our observations from ruzki customer publications, botnets delivered by PrivateLoader and ruzki messages allowed us to find evidence linking this PPI service and the loader.\r\nAfter a brief description of the ruzki service, we present how we have associated this PPI service with the PrivateLoader malware.\r\nWhat is the ruzki Pay-per-Install service?\r\nThe ruzki PPI service consists of selling bundles of a thousand installations located on systems all over the world, or specifically in Europe or in the United States.\r\nSince May 2021, the ruzki (aka les0k, zhigalsz) profile has advertised the PPI service under the same name on the Lolz Guru cybercrime forum. Their publications include pricing information, the number of installs per day the service can afford for one customer, and the traffic source. Similar publications are frequently posted by the same profile on the Telegram channel (t[.]me/ZHIGALSZinstalls) associated with the service.\r\nFigure 4. Les0k’s publication related to ruzki’s PPI service pricing on 1 September, 2022 (source: Lolz Guru)\r\nOn 1 September, 2022, buying 1,000 installations on infected systems:\r\nWorldwide (also called Mix world installs) costs $70;\r\nLocated in Europe costs $300;\r\nLocated in the United States costs $1,000.\r\nAll prices are degressive based on the quantity.\r\nThe ruzki threat actor recommends that customers buy unique install packages for a higher return. Indeed, a single classic installation can be sold to several customers, which lowers the return of the compromise for each of them, whereas unique installs are sold to a single customer. The exploitation of these installations is therefore more profitable since the customer has exclusive access.\r\nAt its launch, the service could offer up to 20,000 installations per day. As of today, we have not found numbers on the current capabilities of the PPI service. 
The traffic generation relies on an affiliate network that represented, in May 2021, 800 webmasters leveraging multiple infection chains. SEKOIA suspects that one or more traffers teams are behind these webmasters.\r\nSEKOIA analysts were able to establish ruzki’s PPI modus operandi based on customers’ feedback, notably shared through screenshots of their conversations with the ruzki PPI service operator. Most of this feedback was written following a request from the ruzki operator on their Telegram channel.\r\nFigure 5. Ruzki service operator post requesting feedback in their Telegram channel on 30 May (message translated)\r\nBelow is an outline of the service, as observed by SEKOIA:\r\nStep 1: The malware operator willing to distribute its payload contacts the ruzki service’s operator on Telegram (t[.]me/zhigalsz), providing its requested number of installs and the target geographical location.\r\nStep 2: The PPI service’s operator sets the price of the request, and provides the malware operator with a cryptocurrency wallet address.\r\nStep 3: The malware operator provides a proof of the transfer (oftentimes a screenshot of a cryptocurrency application) to conclude the financial transaction, and supplies the payload it wants to distribute.\r\nStep 4: The ruzki service’s operator shares a password-protected link to follow statistics on the number of installs related to the customer’s payload.\r\nStep 5: Webmasters are responsible for distributing the customer payload.\r\nFurther analysis of the ruzki PPI service allowed SEKOIA to establish a link with PrivateLoader.\r\nPrivateLoader’s association with the ruzki Pay-per-Install service\r\nSeveral observations allow us to associate, with a high level of confidence, PrivateLoader with the ruzki PPI service as its main tool.\r\nStatistic URLs of PrivateLoader in publications of ruzki 
service\r\nIn recent months, malware operators who subscribed to the ruzki service shared screenshots of conversations with ruzki. These conversations contain a URL provided by the PPI service operator to its customers to monitor statistics related to their installation campaign.\r\nFigure 6. Capture of the conversation between a customer of the ruzki PPI service and ruzki (source: Lolz Guru)\r\nThese URLs match those of the PrivateLoader C2 servers, and the endpoint /links/stats matches that of a PrivateLoader C2 server.\r\nIP addresses mentioned by ruzki customers | PrivateLoader C2 in SEKOIA.IO CTI\r\n45.144.225[.]243 on May 30, 2022 | Active since 2021, until August 26, 2022\r\n212.193.30[.]115 on August 24, 2022 | Active since July 17, 2022, and still active at the moment of writing\r\nTable 3. IP addresses mentioned by ruzki PPI customers and retrieved via SEKOIA C2 Trackers\r\nRedline campaigns associated with Ruzki botnets\r\nWhile tracking PrivateLoader, we retrieved multiple PrivateLoader samples downloading the Redline information stealer as a final payload. We were able to associate most of the retrieved Redline samples with botnets loaded by PrivateLoader, including ruzki9, nam6.2, cryptex, @forceddd_lzt, ruzki, don_karl_installs, 3108_RUZKI, persom, 2007329039 and riii_ff.\r\nWhile evidence is very thin at this stage to formally associate these Redline botnets with ruzki, several botnets’ names suggest some sort of connection to the threat actor. One hypothesis is that ruzki’s customers could name their botnet based on the PPI service they use to distribute their samples. 
Another hypothesis is that ruzki operates the Redline malware in parallel to the PPI service activity.\r\nRegardless of the operators behind the Redline samples, it is yet another indication of a likely connection between PrivateLoader and ruzki.\r\nA perfect timing\r\nThe ruzki operator has been active on Telegram and Russian-speaking underground forums since at least May 2021:\r\nThe profile les0k advertising the ruzki PPI service joined Lolz Guru on May 1, 2021;\r\nzhigalsz, the first Telegram channel associated with the service, was created on May 7, 2021.\r\nAdditionally, Intel471 assesses that PrivateLoader has been used since at least May 2021. Building upon previously outlined observations, this increases our confidence in associating PrivateLoader with the ruzki PPI service.\r\nIn addition to the URLs shared with ruzki customers and Redline botnets named using “ruzki”, we observed that the ruzki operator uses the term “our loader” in Russian on its Telegram channel.\r\nRuzki’s publication in the Telegram channel associated with the service, on 16 February, 2022:\r\nУ нас своя сеть вебмастеров и мы являемсяклиенты, хочу вам соотрафика. Также наш лоадер каждый день чистится и отстук около 80%. (Translated from Russian: We have our own network of webmasters and we are clients, I want you to cooperate. Also, our loader is cleaned every day and the turnover is around 80%.)\r\nMoreover, we identified a single botnet associated with all the PrivateLoader C2 servers. 
SEKOIA therefore assesses with high confidence that PrivateLoader is the proprietary loader of the ruzki PPI malware service.\r\nThe spread of PrivateLoader could therefore be explained by the following elements:\r\nThe popularity of the associated service among threat actors (competitive pricing, good service and support, accessibility to less experienced threat actors and intrusion sets);\r\nA distribution of PrivateLoader oriented on the quantity of installations, rather than on the quality;\r\nA good coverage of this threat within SEKOIA, and more generally within the cybersecurity community.\r\nConclusion\r\nPay-per-Install services have always played a key role in the distribution of commodity malware, and more generally in the increase of threat surface exposure. While the cybercrime ecosystem related to PPI services is constantly evolving with new threat actors and emerging malware, the ruzki Pay-per-Install service using PrivateLoader has been established for over a year.\r\nPrivateLoader became one of the most widespread loaders used for a PPI service in 2022. This downloader malware is used to deliver multiple malware families including information stealers, ransomware, botnets and miners. Tracking PrivateLoader provides an interesting insight into prevalent commodity malware in the cybercriminal landscape, as well as uncovering unidentified and emerging malware. 
As yet another turnkey solution lowering the cost of entry into the cybercriminal market and a service contributing to a continuous professionalisation of the cybercriminal ecosystem, it is highly likely more PrivateLoader-related activity will be observed in the short term.\r\nTo provide our customers with actionable intelligence, SEKOIA analysts will continue to track PrivateLoader C2 infrastructure, analyse malware technical evolution and monitor the ruzki Pay-per-Install service and their customers.\r\nMITRE ATT\u0026CK TTPs\r\nTactic | Technique\r\nCommand and Control | T1001 – Data Obfuscation\r\nCommand and Control | T1071.001 – Application Layer Protocol: Web Protocols\r\nCommand and Control | T1102.001 – Web Service: Dead Drop Resolver\r\nCommand and Control | T1105 – Ingress Tool Transfer\r\nCommand and Control | T1132 – Data Encoding\r\nCommand and Control | T1568 – Dynamic Resolution\r\nCommand and Control | T1573.001 – Encrypted Channel: Symmetric Cryptography\r\nDefence Evasion | T1027 – Obfuscated Files or Information\r\nResource Development | T1608.001 – Stage Capabilities: Upload Malware\r\nTable 4: Mitre Att\u0026ck TTPs\r\nAnnex\r\nPython script to deobfuscate the payload dropped by PrivateLoader:\r\nimport sys\r\nfrom copy import copy\r\n\r\n\r\ndef deobfuscate(filename: str) -\u003e None:\r\n    \"\"\"Reverse the PrivateLoader payload obfuscation: byte substitution (Table 1), then XOR with 0x9d.\"\"\"\r\n    print(f\"deobfuscates privateloader file: `{filename}`\")\r\n    with open(filename, \"rb\") as f:\r\n        data = bytearray(f.read())\r\n    # Every replacement reads from the untouched `data` and writes into `data2`,\r\n    # so the substitutions are applied simultaneously and do not chain\r\n    # (a 0x00 turned into 0x80 is not then turned into 0x0a).\r\n    data2 = copy(data)\r\n    data2 = replace_all(data, data2, 0x00, 0x80)\r\n    data2 = replace_all(data, data2, 0x80, 0x0a)\r\n    data2 = replace_all(data, data2, 0x0a, 0x01)\r\n    data2 = replace_all(data, data2, 0x01, 0x05)\r\n    data2 = replace_all(data, data2, 0x05, 0xde)\r\n    data2 = replace_all(data, data2, 0xde, 0xfd)\r\n    data2 = replace_all(data, data2, 0xfd, 0xff)\r\n    data2 = replace_all(data, data2, 0xff, 0x55)\r\n    data2 = replace_all(data, data2, 0x55, 0x00)\r\n    # Second layer: single-byte XOR with the key 0x9d\r\n    unxored = bytearray()\r\n    for byte in data2:\r\n        unxored.append(byte ^ 0x9d)\r\n    # The first 4 bytes are the magic value prepended to the PE; drop them\r\n    with open(f\"unxored-{filename}\", \"wb\") as f:\r\n        f.write(unxored[4:])\r\n    print(f\"unxored privateloader payload dumped in `unxored-{filename}` file\")\r\n\r\n\r\ndef replace_all(data: bytearray, data2: bytearray, x: int, y: int) -\u003e bytearray:\r\n    \"\"\"Write y into data2 at every index where the original data holds x.\"\"\"\r\n    print(f\"replace all {hex(x)} by {hex(y)}\")\r\n    for index, byte in enumerate(copy(data)):\r\n        if byte == x:\r\n            data2[index] = y\r\n    return data2\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    deobfuscate(sys.argv[1])\r\nIoCs\r\nThe list of IoCs is available on the SEKOIA GitHub repository.\r\nExternal References\r\nhttps://intel471.com/blog/privateloader-malware\r\nhttps://www.zscaler.com/blogs/security-research/peeking-privateloader\r\nhttps://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service\r\nSource: https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/"
	],
	"report_names": [
		"privateloader-the-loader-of-the-prevalent-ruzki-ppi-service"
	],
	"threat_actors": [
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434330,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/074ba53412d9668ba3a6b38e234c7a49cf964a86.pdf",
		"text": "https://archive.orkl.eu/074ba53412d9668ba3a6b38e234c7a49cf964a86.txt",
		"img": "https://archive.orkl.eu/074ba53412d9668ba3a6b38e234c7a49cf964a86.jpg"
	}
}