{
	"id": "abe91370-a6b0-4c70-bbbc-5aff66440027",
	"created_at": "2026-04-06T00:20:13.625729Z",
	"updated_at": "2026-04-10T03:20:41.025502Z",
	"deleted_at": null,
	"sha1_hash": "2051c939e1fab49e1b7f0eae014dc2327ab11fec",
	"title": "Elegant sLoad Carries Out Spying, Payload Delivery in BITS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 184818,
	"plain_text": "Elegant sLoad Carries Out Spying, Payload Delivery in BITS\r\nBy Tara Seals\r\nPublished: 2019-12-13 · Archived: 2026-04-05 19:12:47 UTC\r\nThe BITS file-transfer component of Windows is a key piece of sLoad’s attack methodology.\r\nA fresh analysis of the trojan sLoad sheds light on the growing trend of advanced malware “living off the land” of a targeted system, evading detection while it carries out its malicious activities.\r\nsLoad is a PowerShell-based downloader known for its thorough reconnaissance and careful targeting. But what makes it unique to researchers is an almost exclusive use of a legitimate Windows file transfer utility for data exfiltration, payload fetching and command-and-control (C2) communications.\r\n“SLoad is just one example of the increasingly more prevalent threats that can perform most of their malicious activities by simply living off the land,” wrote Sujit Magar, an APT researcher with Microsoft, in an analysis of the malware posted on Thursday.\r\nFirst spotted in May 2018, sLoad has been seen delivering a variety of payloads, including the Ramnit and Ursnif banking trojans, Gootkit, DarkVNC and PsiXBot, among others. According to Magar, it uses the Background Intelligent Transfer Service (BITS) component of Windows as a key piece of its attack methodology.\r\nA hallmark of sLoad is its penchant for spying on system information and learning about a target before delivering its payload. According to a previous Proofpoint analysis, the malware gathers information about the infected system, including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. It will also take screenshots of the target machine. 
By using loaders that can also assess infected systems, actors can select their targets wisely and improve the quality of infected hosts, Proofpoint noted.\r\nIn Microsoft’s analysis, Magar said that sLoad abuses BITS as an alternative protocol to perform data exfiltration and most of its other malicious activities, “enabling the malware to evade defenders and protections that may not be inspecting this unconventional protocol.”\r\nhttps://threatpost.com/sload-spying-payload-delivery-bits/151120/\r\nPage 1 of 3\n\nA BITS Player\r\nBITS allows the transfer of files using idle bandwidth, which increases the efficiency of a user’s internet connection; legitimate users can thus make sure that certain services, such as VoIP calls or instant messaging, are prioritized in terms of bandwidth over file transfers. To carry out its functions, BITS creates self-contained “jobs” that can be prioritized and queued up, each designated as either a download or an upload. For a download job, the transfer completes when the remote server returns the requested file; that returned file is the response sLoad treats as a handshake.\r\nThis process is perfect for sLoad, which infects victims using cascaded scripts, according to the Microsoft analysis.\r\n“One script drops or downloads one or more scripts, passes control to one of these scripts, and repeats the process multiple times until the final component is installed,” Magar explained. “In one campaign, the first-stage PowerShell code itself uses…a BITS job to download either the sLoad script and the C2 URL file, or the sLoad dropper PowerShell script [with the script and URL file embedded].”\r\nOnce installed, the sLoad PowerShell script (the final component) then continues to abuse BITS to carry out various nefarious activities.\r\n
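As an added example, not code from Microsoft, Threatpost or the sLoad write-up, the Python below runs a hunting pass over BITS job records and flags the traits the analysis attributes to sLoad: a download job whose RemoteURL is far longer than a file fetch needs and whose query string carries unencrypted host information, a local file dropped under a user-writable temp path, and the rare upload job. The record layout (name, type, remote_url, local_file), the length threshold, the recon query keys and the three sample jobs are all constructed for this example; on a real host the same fields come from the Microsoft-Windows-Bits-Client/Operational event log or from bitsadmin /list /allusers /verbose.

```python
# Added example: hunting pass over BITS job records for sLoad-style abuse.
# Record layout, thresholds, marker keys and sample jobs are constructed for
# the example, not taken from the original analysis.
from urllib.parse import urlsplit, parse_qs

# Assumption for the example: an ordinary file download rarely needs a URL
# anywhere near this long; tune from your own fleet's baseline.
MAX_NORMAL_URL_LEN = 512
# Query-string keys that look like a host inventory rather than a file path.
# Constructed list; extend it from the URLs you actually observe.
RECON_KEYS = {'hostname', 'user', 'proc', 'outlook', 'citrix', 'domain'}
# Path fragments for user-writable staging directories (lower-case match).
TEMP_DIRS = ('appdata', 'temp', 'tmp', 'public')


def analyze_job(job):
    '''Return a list of (finding, detail) tuples for one BITS job record.
    job: dict with keys name, type (download or upload), remote_url, local_file.
    An empty list means nothing about the job looked suspicious.'''
    findings = []
    url = job['remote_url']
    parts = urlsplit(url)

    # 1. RemoteURL far longer than a file download normally needs.
    if len(url) > MAX_NORMAL_URL_LEN:
        findings.append(('oversized_remote_url', len(url)))

    # 2. Plaintext host inventory in the query string of a *download* job:
    #    the data leaves the host inside the request, with no upload job.
    query_keys = set(parse_qs(parts.query, keep_blank_values=True))
    hits = sorted(query_keys & RECON_KEYS)
    if hits and job['type'] == 'download':
        findings.append(('recon_in_download_url', hits))

    # 3. Upload jobs are uncommon in most fleets; sLoad uses exactly one,
    #    for screenshots, so any upload deserves a look.
    if job['type'] == 'upload':
        findings.append(('bits_upload', parts.netloc))

    # 4. Download target in a user-writable temp path, where an encoded
    #    payload could later be decoded with certutil and executed.
    local = job['local_file'].lower()
    if any(d in local for d in TEMP_DIRS):
        findings.append(('temp_local_file', job['local_file']))
    return findings


def triage(jobs):
    '''Map job name -> findings, keeping only jobs with at least one finding.'''
    out = {}
    for job in jobs:
        findings = analyze_job(job)
        if findings:
            out[job['name']] = findings
    return out


# Constructed sample records (not real telemetry).
SAMPLE_JOBS = [
    # A benign-looking software update download.
    {'name': 'Update', 'type': 'download',
     'remote_url': 'https://download.example.org/updates/patch-2019-12.msi',
     'local_file': 'C:/ProgramData/Updates/patch-2019-12.msi'},
    # sLoad-style download job: host inventory (including a long process
    # list) is packed, unencrypted, into the RemoteURL of a download.
    {'name': 'sys', 'type': 'download',
     'remote_url': 'https://c2.example.invalid/x.php?hostname=WS042&user=jsmith'
                   '&outlook=1&citrix=0&proc='
                   + ','.join('proc%d.exe' % i for i in range(120)),
     'local_file': 'C:/Users/jsmith/AppData/Roaming/abc/resp.txt'},
    # The single upload job, carrying a screenshot to the active C2.
    {'name': 'shot', 'type': 'upload',
     'remote_url': 'https://c2.example.invalid/up.php',
     'local_file': 'C:/Users/jsmith/AppData/Roaming/abc/screen.jpg'},
]

if __name__ == '__main__':
    for name, findings in triage(SAMPLE_JOBS).items():
        print(name)
        for kind, detail in findings:
            print('   ', kind, detail)
```

The length check alone catches the sLoad case Magar describes, but the query-key check is what separates it from a legitimately long download URL (signed CDN links also run long); keeping the two findings distinct lets the triage rank a job that trips both well above one that trips either.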
For instance, Magar said that it creates BITS download jobs to test its connections to C2 URLs to find one that’s active – it sends out jobs until it gets a response from a server.\r\n“It then saves the URL that responds in the form of a file…being downloaded as part of created BITS job,” according to the research. “This ensures that the handshake is complete.”\r\nOnce the C2 connection is established, sLoad proceeds to carry out its recon activities; it collects the system information mentioned earlier, then creates a BITS download job using the URL for the active C2 (in BITS, this is the job’s “RemoteURL” parameter – the remote end of the transfer, which for a download job is the URL the file is fetched from, not a destination). sLoad also embeds the stolen system information into that same parameter, so the host data leaves the machine inside an outbound download request.\r\n“Creating a BITS job with an extremely large RemoteURL parameter that includes non-encrypted system information stands out and is relatively easy to detect,” Magar said. “However, this malware’s use of a download job instead of an upload job is a clever move to achieve stealth.”\r\nOnce the malware sends off the BITS download job, it will receive a response in the form of a file downloaded back to the machine – and this is an opportunity for the C2 to send over additional payloads.\r\n“The malware creates another BITS download job to download this payload, creates a copy of this newly downloaded encoded file, and uses another Windows utility, certutil.exe, to decode it into a portable executable (PE) file with .exe extension,” according to the analysis. “Finally, it uses PowerShell.exe to run the decoded PE payload. 
One more BITS download job is created to download additional files.”\r\nFor the screenshot function, sLoad uses a BITS upload job to send the stolen screenshots to the active C2.\r\n“This is the only time that it uses an upload job, and these are the only files it uploads to the C2,” Magar said. “Once uploaded, the screenshots are deleted from the machine.”\r\nIn all, sLoad’s use of BITS is an elegant way to evade detection, according to Magar.\r\n“sLoad is…a dangerous threat that’s equipped with notorious spyware capabilities, infiltrative payload delivery and data exfiltration capabilities,” the analysis concluded. “While it drops some malware files during installation, its use of only BITS jobs to perform most of its harmful behaviors and scheduled tasks for persistence achieves an almost fileless presence on compromised machines.”\r\nSource: https://threatpost.com/sload-spying-payload-delivery-bits/151120/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/sload-spying-payload-delivery-bits/151120/"
	],
	"report_names": [
		"151120"
	],
	"threat_actors": [],
	"ts_created_at": 1775434813,
	"ts_updated_at": 1775791241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2051c939e1fab49e1b7f0eae014dc2327ab11fec.pdf",
		"text": "https://archive.orkl.eu/2051c939e1fab49e1b7f0eae014dc2327ab11fec.txt",
		"img": "https://archive.orkl.eu/2051c939e1fab49e1b7f0eae014dc2327ab11fec.jpg"
	}
}