{
	"id": "401eae27-0f3e-44d6-98ff-03ce2a3ab6df",
	"created_at": "2026-04-06T00:22:21.491142Z",
	"updated_at": "2026-04-10T03:20:41.046527Z",
	"deleted_at": null,
	"sha1_hash": "2cac938e942dcb86b183c337b9633af65e7154eb",
	"title": "TinyLoader Malware: Crypto Theft \u0026 C2 Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 693711,
	"plain_text": "TinyLoader Malware: Crypto Theft \u0026 C2 Infrastructure\r\nPublished: 2025-09-02 · Archived: 2026-04-05 18:58:36 UTC\r\nMalware loaders have become a common part of today’s cybercrime operations because they give attackers a\r\nreliable way to get into systems and then bring in whatever tools they need. TinyLoader is one of these loaders. It\r\nhas been linked to stealing cryptocurrency and delivering other malware like Redline Stealer and DCRat.\r\nOur investigation started with activity from IP address 176.46.152.47. What first looked like a single suspicious\r\nhost turned out to be part of a wider TinyLoader setup spread across several countries.\r\nIn this report we follow that trail, from the first indicator through to the panels, payloads, and infrastructure behind\r\nthe operation, and share insights that can help defenders detect and block it.\r\nKey Takeaways\r\nTinyLoader installs both Redline Stealer and cryptocurrency stealers to harvest credentials and hijack\r\ntransactions.\r\nIt spreads through USB drives, network shares, and fake shortcuts that trick users into opening it.\r\nPersistence is maintained by creating hidden file copies and modifying registry settings.\r\nThe malware monitors the clipboard and instantly replaces copied crypto wallet addresses.\r\nIts command and control panels are hosted across Latvia, the UK, and the Netherlands.\r\nThe same infrastructure also delivers DCRat payloads that provide remote access to infected systems.\r\nWith these findings in mind, the first step was to trace where the activity began, starting with the initial discovery\r\nof a suspicious IP address that triggered the investigation.\r\nInitial Discovery\r\nAfter flagging this IP address for unusual activity, we decided to dig deeper into its origins and ownership.\r\nRunning it through our threat intelligence platform revealed some interesting details about who's behind this\r\naddress.\r\nThe IP 176.46.152.47 traces back to FEMO IT 
SOLUTIONS LIMITED, a company based in Riga, Latvia. The\r\nlookup shows this falls under ASN214351, with the IP range 176.46.152.0/24 being allocated to this organization.\r\nThe geolocation pinpoints it to somewhere in the Baltic region, specifically Latvia, which matches the company's\r\nregistered location.\r\nWhat immediately caught our attention in the scan results were the open ports and services running on this host.\r\nThe system appears to be running HTTP services on multiple ports - standard port 80, but also on non-standard\r\nports 1911 and 1912, plus TLS on port 3389. The timeline shows these services have been active for quite some\r\ntime, with some dating back to 2023.\r\nFigure 1: Hunt.io scan results for suspicious IP address 176.46.152.47\r\nHowever, one particular entry stood out like a red flag - port 1911 showing \"Redline Stealer\" in the Extra Info\r\ncolumn. This is where things get concerning. Redline Stealer is a well-known information-stealing malware\r\nfamily, and seeing it explicitly identified in our scan results suggests this IP might be hosting malicious\r\ninfrastructure.\r\nWeb Content Analysis and Panel Discovery\r\nTo get a clearer picture of what this suspicious IP was actually hosting, we decided to run it through URLscan.io\r\nto see what kind of web content was being served. The results confirmed our worst suspicions.\r\nThe scan revealed that 176.46.152.47 was hosting a login panel at the path /zyxic/login.php. The server details\r\nshow it's running Apache/2.4.58 on Windows 64-bit with OpenSSL/3.1.3 - a fairly standard web server setup, but\r\nbeing used for malicious purposes.\r\nNavigating directly to the suspicious URL, we were looking at an active TinyLoader malware panel. 
The simple\r\nlogin interface at 176.46.152.47/zyxic/login.php serves as the command and control gateway for\r\ncybercriminals managing their TinyLoader operations.\r\nTinyLoader is a notorious malware loader that's commonly used to deploy secondary payloads like Redline\r\nStealer, which explains the connection we discovered in our initial port scan. This clean, functional panel design is\r\ntypical of modern malware-as-a-service operations, where threat actors prioritize usability to efficiently manage\r\ntheir stolen data and coordinate botnet activities.\r\nFigure 2: TinyLoader command-and-control login panel\r\nThreat Hunting and Infrastructure Expansion\r\nExamining the page source revealed a crucial piece of intelligence for expanding our threat hunting efforts. The\r\nHTML title tag clearly shows \u003ctitle\u003eLogin - TinyLoader\u003c/title\u003e, which serves as a perfect signature for\r\nidentifying other instances of this malware family's infrastructure.\r\nFigure 3: Source code showing \"Login - TinyLoader\" panel title\r\nCommand and Control Infrastructure Mapping\r\nTo systematically hunt for additional TinyLoader infrastructure, a targeted SQL query was crafted to search\r\nthrough the web crawler database.\r\nSELECT\r\n *\r\nFROM\r\n crawler\r\nWHERE\r\n body LIKE '%Login - TinyLoader%'\r\n AND timestamp \u003e NOW - 40 DAY\r\nThe query is designed to find any web pages that contain the specific \"Login - TinyLoader\" string anywhere in\r\ntheir HTML body content within the last 40 days.\r\nFigure 4: SQL query for identifying TinyLoader panels in crawler data\r\nThis approach leverages the distinctive title discovered in the source code analysis as the 
hunting signature. We\r\nfound a TinyLoader panel at IP address 176.46.152.46 that was captured just two days prior.\r\nAfter mapping the panels, the next step was to examine related payloads tied to the infrastructure.\r\nPayloads Linked to TinyLoader Infrastructure\r\nAfter analyzing the communicating files associated with the suspicious IP addresses, the next logical step was to\r\nexamine the \"Files Referring\" section in VirusTotal. This feature reveals files that reference or contain mentions of\r\nour target IPs, often uncovering additional payloads and related malware samples that might not have directly\r\ncommunicated with the servers but are part of the same campaign.\r\nFigure 5: VirusTotal relations revealing files linked to TinyLoader panel\r\nBy linking payloads back to the infrastructure, we were able to map not only the servers but also the malware’s\r\nbehavior. The next step was a detailed analysis of TinyLoader’s functionality and tactics.\r\nFunctional Analysis of TinyLoader\r\nSecondary Payload Delivery\r\nUpon execution, TinyLoader reaches out to six predefined attacker-controlled URLs to download additional\r\npayloads. These payloads include files such as bot.exe and zx.exe, which are saved to the system's temporary\r\ndirectory. Each file is executed instantly after being downloaded, effectively transforming the infected system into\r\na multi-purpose attack platform capable of running several malicious tools in parallel.\r\nFigure 6: Malware function downloading secondary payloads\r\nAfter connecting to one of the command and control servers, we discovered how the criminal infrastructure is\r\norganized. 
The malware contacts four servers, and among the payloads retrieved, DCRat stood out as a major\r\ncomponent of this operation.\r\nDCRat Open Directory Analysis\r\nTwo of the IP addresses function as admin panels where the attackers manage their criminal operation. These\r\nservers host web interfaces that let the criminals monitor infected computers, track stolen cryptocurrency, and\r\ncontrol their malware distribution.\r\nOne server is dedicated to delivering RedLine Stealer malware. This means victims don't just get the\r\ncryptocurrency clipper; they also get infected with additional malware that steals passwords, wallet files, and\r\npersonal information from their computers.\r\nAfter extracting IP addresses from the loader and running them through our threat intelligence platform, we\r\ndiscovered several red flags. The scan revealed open directories and active C2 communication histories, showing\r\nthese IPs are definitely being used for malicious purposes.\r\nThe malware operators are running a distributed network across multiple countries. We found two IPs in Riga,\r\nLatvia, one in London, UK, and another in Kerkrade, Netherlands. What's interesting is that all four addresses are\r\nhosted by the same provider: Virtualine Technologies. This suggests the attackers are keeping things simple by\r\nusing one hosting company, though it also makes their infrastructure more vulnerable to takedowns.\r\nThe two Riga IPs are consecutive numbers, which means they're probably from the same server block. Combined\r\nwith the C2 traffic we detected and the open directories we found, it's clear this is a well-organized operation. 
The\r\ncriminals are smart enough to spread their infrastructure across different countries, making it harder for law\r\nenforcement to shut them down quickly.\r\nFigure 7: Hunt.io scan results of additional TinyLoader infrastructure\r\nBased on this Attack Capture File Manager data, here's what we can add to our analysis:\r\nOur AttackCapture™ tool captured active malware samples from one of the identified IPs (107.150.0.155) hosted\r\nby Railnet LLC in Great Britain. The capture occurred on August 8th, 2025, revealing four malicious files totaling\r\n211 KB. All captured files are tagged as DCRat malware, confirming this infrastructure is actively distributing\r\nremote access trojans.\r\nFigure 8: DCRat malware samples captured via Hunt.io AttackCapture™\r\nThe captured samples include:\r\ninjector.exe.DcRat (98 KB) - likely the main payload injector\r\nc.exe.DcRat (49 KB) - possibly a configuration or communication module\r\nindex.php.DcRat (16 B) - a small PHP script, probably for web-based C2 communication\r\nsvchost.exe.DcRat (65 KB) - masquerading as a legitimate Windows service\r\nThis file capture proves the infrastructure isn't just hosting C2 servers, but actively serving malware payloads to\r\nvictims. The DCRat family is known for providing full remote control capabilities, including keylogging, screen\r\ncapture, and file theft.\r\nThe malware copies itself across multiple directories to maintain persistence. It drops copies named \"Update.exe\"\r\nin your Desktop and Documents folders, then searches through every directory it can access to plant more copies.\r\nEach copy gets marked as hidden, so you won't see them during normal browsing. 
This creates multiple backup\r\nversions in case one gets deleted.\r\nUSB and Removable Media Infection\r\nEvery time you plug in a USB drive, the malware copies itself onto that device multiple times with tempting\r\nnames like \"Photo.jpg.exe\" and \"Document.pdf.exe\". It also creates an autorun file that causes the malware to\r\nlaunch automatically when someone plugs the infected USB drive into another computer. Your innocent flash\r\ndrive becomes a weapon that infects other systems.\r\nFigure 9: USB propagation and removable media infection behavior\r\nIt scans the local network for shared folders and drives it can access. Using your computer's existing permissions,\r\nit copies itself to network shares as \"Update.exe\". This means if you're on a company network, the infection can\r\nspread to servers and other computers throughout the organization.\r\nHow TinyLoader Maintains Persistence\r\nWhen the malware has administrator rights, it does something particularly sneaky - it hijacks how Windows\r\nhandles text files. It modifies the registry so that every time you or anyone else opens a .txt file, the malware runs\r\nfirst before the file opens normally. By hijacking text file associations, the malware blends persistence into one of\r\nthe most routine user actions.\r\nFigure 10: Registry modification enabling persistence on Windows\r\nShortcut Tricks Used for Social Engineering\r\nThe malware creates a convincing shortcut on your desktop called \"Documents Backup.lnk\" with an official\r\nWindows icon. The description says \"Double-click to view contents\" to trick you into thinking it's a helpful\r\nbackup tool. 
When you click it, you're actually running the malware, which may display something that looks\r\nlegitimate to avoid raising suspicion.\r\nFigure 11: Fake desktop shortcut used for social engineering\r\nClipboard Monitoring and Crypto Address Hijacking\r\nA hidden background process monitors the clipboard continuously, checking four times per second for any\r\nchanges while using minimal resources to avoid detection.\r\nFigure 12: Clipboard monitoring process for cryptocurrency address theft\r\nWhenever new text is copied, the malware analyzes it to identify cryptocurrency addresses for Bitcoin, Ethereum,\r\nLitecoin, and TRON, validating the complete format to ensure it targets only genuine addresses. If a match is\r\nfound, it instantly replaces the address with the attacker's own, doing so faster than the user can notice and making\r\nit appear identical to a legitimate address.\r\nTo achieve this, the malware uses Windows APIs to safely extract clipboard content, with built-in safeguards to\r\nprevent crashes or conflicts with other applications, ensuring the process remains invisible and error-free.\r\nFigure 13: Targeted cryptocurrency addresses monitored by TinyLoader\r\nTaken together, these capabilities show how TinyLoader is more than a simple loader, acting instead as a persistent\r\nand multi-layered threat.\r\nConclusion\r\nThis investigation uncovered an active TinyLoader malware operation that combines multiple attack methods to\r\nsteal cryptocurrency and personal information. The operation runs from servers in Latvia and uses a well-organized infrastructure with specific roles for each server.\r\nThe malware is designed to be persistent and hard to remove. It creates multiple copies of itself, spreads through\r\nUSB drives and networks, and uses fake shortcuts to trick users. 
Most concerning is its ability to steal\r\ncryptocurrency by watching what users copy and instantly replacing wallet addresses with the attacker's addresses.\r\nOur analysis shows this is a coordinated operation. The attackers combine persistence, lateral movement, and\r\ncrypto theft into a system designed to run silently and stay undetected.\r\nMitigation Strategies\r\nOrganizations should monitor network traffic for the HTML signature \"Login - TinyLoader\" to identify\r\nrelated infrastructure and block known malicious IP addresses including 176.46.152.47, 176.46.152.46, and\r\n107.150.0.155.\r\nImplementing USB device restrictions, scanning policies, and monitoring for suspicious files like\r\n\"Update.exe\" on network shares can prevent lateral movement. Security teams should watch for registry\r\nchanges affecting file associations and set up alerts for multiple executables being created in user\r\ndirectories.\r\nIndividual users must verify cryptocurrency wallet addresses before sending transactions and remain\r\nsuspicious of desktop shortcuts claiming to be backup tools.\r\nScanning USB drives before opening files, especially executables disguised as documents with double\r\nextensions like \"Photo.jpg.exe\", helps prevent infection.\r\nUsing antivirus software that monitors clipboard activity and regularly checking for hidden files in Desktop\r\nand Documents folders provides additional protection.\r\nSecurity teams can leverage this intelligence by searching web crawler databases for \"Login - TinyLoader\"\r\nsignatures to find additional infrastructure.\r\nImplementing detection rules for high-frequency clipboard monitoring processes and monitoring Apache\r\nservers with open directories containing malware components strengthens defensive capabilities. 
The\r\ndiscovery of this infrastructure provides valuable intelligence for blocking similar operations and\r\nprotecting against cryptocurrency theft attacks.\r\nTinyLoader IOCs\r\nThe following indicators of compromise (IOCs) were extracted during this investigation and can support detection\r\nand blocking efforts.\r\nIP Address | City | Country | ASN\r\n107.150.0.155 | London | GB | AS214943\r\n176.46.152.47 | Riga | LV | AS214351\r\n77.90.153.62 | Kerkrade | NL | AS214943\r\n176.46.152.46 | Riga | LV | AS214351\r\nFile Name | File Size | Malware Family | Description\r\ninjector.exe.DcRat | 98 KB | DCRat | Main payload injector component\r\nc.exe.DcRat | 49 KB | DCRat | Configuration or communication module\r\nindex.php.DcRat | 16 B | DCRat | Web-based C2 communication script\r\nsvchost.exe.DcRat | 65 KB | DCRat | Masquerades as legitimate Windows service\r\nSource: https://hunt.io/blog/tinyloader-malware-cryptocurrency-theft-infrastructure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/tinyloader-malware-cryptocurrency-theft-infrastructure"
	],
	"report_names": [
		"tinyloader-malware-cryptocurrency-theft-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434941,
	"ts_updated_at": 1775791241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2cac938e942dcb86b183c337b9633af65e7154eb.pdf",
		"text": "https://archive.orkl.eu/2cac938e942dcb86b183c337b9633af65e7154eb.txt",
		"img": "https://archive.orkl.eu/2cac938e942dcb86b183c337b9633af65e7154eb.jpg"
	}
}