{
	"id": "6a89675e-114f-49ab-9ad9-ff50d94c4eb6",
	"created_at": "2026-04-06T00:19:26.433445Z",
	"updated_at": "2026-04-10T13:11:55.627265Z",
	"deleted_at": null,
	"sha1_hash": "298875efe6cd2cc453add94f79eff1c5a9b2e118",
	"title": "GitHub - yatt-ze/AbSent-Loader: Example Loader to be used as a learning resource for people interested in how commercially available malware is made on a very basic level",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50660,
	"plain_text": "GitHub - yatt-ze/AbSent-Loader: Example Loader to be used as a\r\nlearning resource for people interested in how commercially\r\navailable malware is made on a very basic level\r\nBy yatt-ze\r\nArchived: 2026-04-05 15:11:46 UTC\r\nExample Loader to be used as a learning resource for people interested in how commercially available malware is\r\nmade.\r\nJoin the discussion on discord: https://discord.gg/AMs6DA9\r\nDefinition of a loader\r\nA \"Loader\" or \"Dropper\" is a type of malware not dissimilar to a botnet. Usually built on the same C\u0026C\r\narchitecture, loaders lack some of the more advanced features a fully featured botnet might have and instead try to be\r\nas lightweight as possible, so they can be used as the first stage in an attack.\r\nMany commercially available loaders extend their lifetime on the black market by going modular, providing\r\nupdates and plugins that extend the loader's capabilities and give the seller a larger revenue stream by selling the\r\nplugins separately from the main \"Base\" bot. These usually include, but are not limited to:\r\nDDoS functions\r\nPassword stealing\r\nHRDP\r\nWeb injects\r\nKeyloggers\r\nC\u0026C Architecture\r\nMany loaders and botnets, I'd say 90% nowadays, use a PHP web panel for controlling the network. The reasons being\r\nit's easy to set up, provides a modest amount of security if done properly, and it looks pretty, allowing for graphs\r\nand maps of bots and nice tables of executing tasks and client info. All of this makes a PHP panel a nice option for the C\u0026C\r\narchitecture, and especially good for marketing (people like pretty things).\r\nUnfortunately, or fortunately depending on the color of your hat, these panels are usually rather insecure, vulnerable\r\nto SQL injection and XSS, allowing for easy takeovers and shutdowns. 
So easy that I've known people to exclusively\r\nbuild their botnet from others' vulnerable panels, stealing all their bots and running a \"Botkiller\", basically an\r\nantivirus built into the client designed to detect and kill any competing malware on the infected system.\r\nhttps://github.com/Tlgyt/AbSent-Loader\r\nThe architecture of these PHP-based control panels is very simple: they have a PHP file usually called something\r\nlike \"gate.php\", or something less obvious like \"store.php\". This page is the contact point for the client. The client\r\nwill send a POST request (some use GET) to the page containing the client's information, and the page will\r\nrespond with a command to execute. The way the commands are sent and phrased differs for every variant,\r\nbut it is usually done with JSON or plain text. If done properly, the page will verify the client is legitimate, make sure\r\nthe supplied data isn't an XSS or SQLi attack, and add it to the panel's database.\r\nThe Standard Client Loop\r\nThe client is what runs on an infected system. Its job is simple: stay hidden and execute tasks.\r\nOn execution the client will try to \"make itself at home\", that is, become persistent on the system, setting up\r\ndefences to stop itself being killed and making sure it is run when the system turns on again. It will also attempt to\r\ncollect as much information about the computer as it can: what version of the operating system it is running on, what\r\nprivileges it has, the username, etc. It then gathers all this information and sends it off to the C\u0026C, receiving any\r\ntasks back and acting upon them. 
Some clients will try to be clever about the way they go about this, commonly\r\nwaiting for a while before actually executing anything so as to seem less suspicious.\r\nAfterwards we enter the \"loop\": the client will go dormant for a set amount of time, usually around the 5 minute\r\nmark, before reaching out for any new commands and letting the C\u0026C know it's still alive. The reason is to lighten\r\nthe network load on the server and the infected system; the bigger the network, usually the longer the wait.\r\nDisclaimer: I do not accept responsibility for the misuse of provided code blah blah blah don't be a cunt\r\nSource: https://github.com/Tlgyt/AbSent-Loader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/Tlgyt/AbSent-Loader"
	],
	"report_names": [
		"AbSent-Loader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434766,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/298875efe6cd2cc453add94f79eff1c5a9b2e118.pdf",
		"text": "https://archive.orkl.eu/298875efe6cd2cc453add94f79eff1c5a9b2e118.txt",
		"img": "https://archive.orkl.eu/298875efe6cd2cc453add94f79eff1c5a9b2e118.jpg"
	}
}