{
	"id": "e0473d88-6689-4a15-a257-fb7fadef3751",
	"created_at": "2026-04-06T00:07:28.334356Z",
	"updated_at": "2026-04-10T03:36:00.153982Z",
	"deleted_at": null,
	"sha1_hash": "1bbb80319ed7ae7a96079008cbd95f0fcdac3f29",
	"title": "sLoad (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49802,
	"plain_text": "sLoad (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 19:27:44 UTC\r\nps1.sload (Back to overview)\r\nsLoad\r\naka: Starslord\r\nURLhaus    \r\nsLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy\r\nreconnaissance features. The malware gathers information about the infected system including a list of running\r\nprocesses, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and\r\ncheck the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.\r\nReferences\r\n2025-03-28 ⋅ Intrinsec ⋅ David Sardinha\r\nFrom espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025\r\nsLoad NetSupportManager RAT Remcos SmokeLoader\r\n2021-06-21 ⋅ Minerva Labs ⋅ Minerva Labs\r\nSload Targeting Europe Again\r\nsLoad\r\n2020-10-28 ⋅ Bitdefender ⋅ Ruben Andrei Condor\r\nA Decade of WMI Abuse – an Overview of Techniques in Modern Malware\r\nsLoad Emotet Maze\r\n2020-07-13 ⋅ ⋅ Cert-AgID ⋅ Cert-AgID\r\nCampagna sLoad v.2.9.3 veicolata via PEC\r\nsLoad\r\n2020-03-10 ⋅ ⋅ Cert-Pa ⋅ Cert-PA\r\nCampagna sLoad “Star Wars Edition” veicolata via PEC\r\nsLoad\r\n2020-01-21 ⋅ Microsoft ⋅ Microsoft Defender ATP Research Team\r\nsLoad launches version 2.0, Starslord\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload\r\nPage 1 of 2\n\nsLoad\r\n2019-12-13 ⋅ Threatpost ⋅ Tara Seals\r\nElegant sLoad Carries Out Spying, Payload Delivery in BITS\r\nsLoad\r\n2019-01-03 ⋅ Cybereason ⋅ Eli Salem, Lior Rochberger, Niv Yona\r\nLOLbins and trojans: How the Ramnit Trojan spreads via sLoad in a cyberattack\r\nsLoad\r\n2018-11-27 ⋅ Yoroi ⋅ Luca Mella, Luigi Martire\r\nThe SLoad Powershell Threat is Expanding to Italy\r\nsLoad\r\n2018-11-23 ⋅ Certego ⋅ Matteo Lodi\r\nSload hits Italy. Unveil the power of powershell as a downloader\r\nsLoad\r\n2018-10-25 ⋅ Sophia Brown\r\nNew sLoad malware downloader being leveraged by APT group TA554 to spread Ramnit\r\nsLoad\r\n2018-10-23 ⋅ Proofpoint ⋅ Proofpoint Staff\r\nsLoad and Ramnit pairing in sustained campaigns against UK and Italy\r\nsLoad\r\n2018-08-05 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez\r\nLet's Learn: Diving into the Latest \"Ramnit\" Banker Malware via \"sLoad\" PowerShell\r\nsLoad\r\n2018-05-19 ⋅ Xavier Mertens\r\nMalicious Powershell Targeting UK Bank Customers\r\nsLoad\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload"
	],
	"report_names": [
		"ps1.sload"
	],
	"threat_actors": [
		{
			"id": "a3808e4f-c7fd-4d25-aa84-aacc27061826",
			"created_at": "2023-01-06T13:46:39.316216Z",
			"updated_at": "2026-04-10T02:00:03.285437Z",
			"deleted_at": null,
			"main_name": "TA554",
			"aliases": [
				"TH-163"
			],
			"source_name": "MISPGALAXY:TA554",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9be98f84-4a93-41c7-90bd-3ea66ba5bfd7",
			"created_at": "2022-10-25T16:07:24.581954Z",
			"updated_at": "2026-04-10T02:00:05.040995Z",
			"deleted_at": null,
			"main_name": "TA554",
			"aliases": [
				"TH-163"
			],
			"source_name": "ETDA:TA554",
			"tools": [
				"DarkVNC",
				"Godzilla",
				"Godzilla Loader",
				"Gootkit",
				"Gootloader",
				"Gozi ISFB",
				"ISFB",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Nimnul",
				"Pandemyia",
				"PsiX",
				"PsiXBot",
				"Ramnit",
				"StarsLord",
				"Waldek",
				"Xswkit",
				"sLoad",
				"talalpek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434048,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1bbb80319ed7ae7a96079008cbd95f0fcdac3f29.pdf",
		"text": "https://archive.orkl.eu/1bbb80319ed7ae7a96079008cbd95f0fcdac3f29.txt",
		"img": "https://archive.orkl.eu/1bbb80319ed7ae7a96079008cbd95f0fcdac3f29.jpg"
	}
}