{
	"id": "ab779cc8-12e9-4dc5-8db5-0d002e0e00f5",
	"created_at": "2026-04-06T00:16:18.438629Z",
	"updated_at": "2026-04-10T03:21:49.103153Z",
	"deleted_at": null,
	"sha1_hash": "45c5e99659b869bef7b07a9667db29233b29e5a0",
	"title": "CustomerLoader: a new malware distributing a wide variety of payloads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1475645,
	"plain_text": "CustomerLoader: a new malware distributing a wide variety of\r\npayloads\r\nBy Quentin Bourgue,\u0026nbsp;Pierre Le Bourhis\u0026nbsp;and\u0026nbsp;Sekoia TDR\r\nPublished: 2023-07-12 · Archived: 2026-04-05 14:55:13 UTC\r\nThis blog post was originally sent to our clients on 19 June, 2023. Since the threat is still very active in July 2023\r\nand continues to distribute a variety of malware families, Sekoia.io TDR analysts decided to publish a blog post.\r\nTable of contents\r\nIntroduction\r\nTechnical analysis\r\nLoader capabilities\r\nData encryption\r\nImpair Defenses\r\nNext-stage execution\r\nC2 infrastructure\r\nRounds\r\nChange of C2\r\nLoader update\r\nMalware families distribution\r\nInfection chains\r\nPhishing emails (customer 735)\r\nYouTube compromised channels (customer 770)\r\nPage impersonating Slack website (customer 798)\r\nCustomerLoader’s infection chain\r\nUnveiling the infrastructure associated with “customer 798”\r\nConclusion\r\nIoCs \u0026 Technical Details\r\nIoCs\r\nC2 servers\r\nInfection chain 1\r\nInfection chain 2\r\nInfection chain 3\r\nMITRE ATT\u0026CK TTPs\r\nIntroduction\r\nhttps://blog.sekoia.io/customerloader-a-new-malware-distributing-a-wide-variety-of-payloads/#h-c2-servers\r\nPage 1 of 20\n\nDuring our daily threat hunting routine, we identified an undocumented .NET loader aimed at downloading,\r\ndecrypting and executing next-stage payloads. In early June 2023, this new loader was actively distributed by\r\nmultiple threat actors using malicious phishing emails, YouTube videos, and web pages impersonating\r\nlegitimate websites. 
\r\nWe named this new malware “CustomerLoader” because of the presence of the string “customer” in its Command\r\nand Control (C2) communications and loading capabilities.\r\nThe malwrhunterteam and g0njxa researchers also observed campaigns distributing CustomerLoader in early June\r\n2023.\r\nSekoia.io analysts’ investigation led us to discover that all payloads downloaded by CustomerLoader are\r\ndotRunpeX samples that deliver a variety of malware families, including infostealers, Remote Access Trojans\r\n(RAT) and commodity ransomware. dotRunpeX is an .NET injector implementing several anti-analysis\r\ntechniques, first publicly documented by Checkpoint in March 2023.\r\nWe assess that CustomerLoader is almost certainly associated with a Loader-as-a-Service, which remains\r\nunknown at the time of writing. It is possible that CustomerLoader is a new stage added before the execution of\r\nthe dotRunpeX injector by its developer.\r\nThis blog post aims at presenting a technical analysis of CustomerLoader focusing on the decryption of the\r\nnext-stage payloads, an overview of more than 30 known and distributed malware families, and details on three\r\ninfection chains observed distributing the loader.\r\nTechnical analysis\r\nHere is an overview of the infection chains’ stages observed distributing multiple commodity malware via\r\nCustomerLoader:\r\nhttps://blog.sekoia.io/customerloader-a-new-malware-distributing-a-wide-variety-of-payloads/#h-c2-servers\r\nPage 2 of 20\n\nFigure 1. Overview of the stages in the CustomerLoader infection chains\r\nLoader capabilities\r\nSamples of CustomerLoader used several techniques to obfuscate their code or to hide their execution by\r\nmasquerading as a legitimate application. This usage makes the analysis of CustomerLoader slower and longer,\r\nthis is likely a result of the democratisation of tools to obfuscate .NET code. 
As indicated in the list hosted on the NotPrab/.NET-Obfuscator GitHub repository, many tools are available that do not require advanced knowledge of code obfuscation to use them.\r\nData encryption\r\nCustomerLoader obfuscates its strings using AES in Electronic CodeBook (ECB) mode; the decryption key is stored in cleartext in the PE. The obfuscated strings are:\r\n1. The command and control (C2) URL to fetch the next-stage payload;\r\n2. Strings used for the Microsoft Antimalware Scan Interface (AMSI) patch;\r\n3. Strings used for the next-stage execution in memory.\r\nFigure 2. CustomerLoader’s function used for the AES decryption\r\nFigure 3. Example of CustomerLoader’s decryption of strings “amsi.dll” and “AmsiScanBuffer”\r\nAs shown in Figure 3, the loader decodes base64-encoded strings and calls the AES decryption function. Here is a straightforward CyberChef recipe to decrypt strings for the d40af29bbc4ff1ea1827871711e5bfa3470d59723dd8ea29d2b19f5239e509e9 sample. The same recipe can be used to decrypt the downloaded next-stage payload.\r\nImpair Defenses\r\nTo avoid possible detection of the malware, CustomerLoader patches the AmsiScanBuffer function from amsi.dll. This function scans buffer content for potential malware. The patch makes AmsiScanBuffer return the AMSI_RESULT_CLEAN constant when a malicious payload is written in memory, marking the buffer as clean and bypassing the antivirus. When the patch is successfully applied, this value indicates to the caller that the buffer is clean and can be safely executed.\r\nFigure 4. 
Function that patches AmsiScanBuffer to bypass antivirus solutions\r\nThe article Memory Patching AMSI Bypass by RastaMouse details how this patch works to execute a malicious payload in memory.\r\nNext-stage execution\r\nThe loader is in charge of executing its customer payload; here is its process:\r\n1. CustomerLoader downloads an HTML page from an embedded URL;\r\n2. It extracts a base64-encoded string from the downloaded page with the regular expression /!!!(.*?)!!!/;\r\n3. It decodes the base64 string and decrypts it;\r\n4. It uses a reflective code loading technique to execute the payload in memory.\r\nN.B.: The extracted data and the obfuscated strings in the PE are encrypted with the same routine (base64 encoding, AES encryption).\r\nFigure 5. Extract of the function used to download the next-stage payload\r\nTo execute the next stage in memory, CustomerLoader uses reflective code loading; this technique consists of injecting and then executing the downloaded payload in the same process. Here, the reflective loading calls are obfuscated: the .NET methods are resolved from their string names using the NewLateBinding.LateGet function.\r\nFigure 6. CustomerLoader’s reflective code loading to execute the next-stage payload\r\nC2 infrastructure\r\nCustomerLoader samples download their encrypted next-stage payload from their C2 server. Each payload is associated with a customer identifier and is hosted at hxxp://$C2/customer/$ID.\r\nRounds\r\nWe observed that the CustomerLoader’s operator re-indexed the payload identifiers twice, on 19 June 2023 and on 25 June 2023. 
This means that each time, all encrypted payloads were removed from the C2 server, and the identifiers were reassigned from 0.\r\nAt the time of updating this report, we identified three rounds:\r\nRound 1: between 31 May and 18 June 2023;\r\nRound 2: between 19 June and 25 June 2023;\r\nRound 3: between 26 June and 6 July 2023.\r\nWe are unable to explain why the CustomerLoader’s operator has twice reset the payloads and the associated customer IDs. This may be related to a technical operation, such as a server reboot or a C2 update, or it may be an action to remove all encrypted payloads to prevent potential analysis.\r\nChange of C2\r\nBetween 31 May and 20 June 2023, CustomerLoader samples communicated directly with the IP address of the C2 server, 5.42.94[.]169, over HTTP.\r\nOn 20 June 2023, CustomerLoader switched its C2 server and communications to the domain name kyliansuperm92139124[.]sbs over HTTPS. The domain kyliansuperm92139124[.]sbs is protected by Cloudflare, which prevents payloads from being scanned and collected by security researchers.\r\nHowever, this domain is a proxy for C2 communications and the backend server is still 5.42.94[.]169.\r\nSekoia.io analysts assess that this change of C2 server is likely intended to avoid network detections, and possibly to avoid security researchers’ analysis.\r\nLoader update\r\nThe code was updated in round 3: the developer added some obfuscation to hide strings such as the C2 URL and AMSI constants. Furthermore, it attempted to hide code execution using IL (Intermediate Language) code in asynchronous task definitions.\r\nFigure 7. Code of Task initialization and execution disassembled in C#\r\nThe malware implements the MoveNext method of the IAsyncStateMachine interface, which executes CustomerLoader’s malicious code. 
The loader calls these asynchronous methods by awaiting tasks created for this purpose.\r\nFigure 8. IL code of the asynchronous task responsible for the strings decryption\r\nMalware families distribution\r\nOnce we had reproduced CustomerLoader’s decryption method for the next-stage payload, we collected all the payloads distributed by the malware from the C2 server.\r\nBy extracting the first bytes of the collected files, we identified clusters of payloads encrypted with the same AES key. Pivoting on CustomerLoader samples and downloading the encrypted payloads, we were able to retrieve the AES key for each cluster, allowing us to decrypt almost every next-stage payload. Here is a table listing the clusters of payloads and associated AES keys.\r\nAs a reminder, the download URL for the CustomerLoader next-stage payload is hxxp://5.42.94[.]169/customer/$ID.\r\nRound 1\r\nID range for a cluster | AES key\r\n3 – 78 | JPl747ZqJEbZNCnjDreyHfIremBtsIURakxmH5HsJGQ=\r\n79 – 156 | mbCxKKqIh9hZQ9ffL0Z+REAHVbwUnWtbM3h/lnceD0g=\r\n157 – 208 | e1tCejIAy65Ft38G6zZSQPJuUyqy4DBEtWRAmHjgcHk=\r\n209 – 250 | tzaq2IvRQYmiCRnXS4ui11QSSjk0HKK50PSaLEBmeeY=\r\n253 – 318 | gMqeWOPLGVb37y00zMrL4/VVFHyxBgam/Ukb7bCU3Q8=\r\n319 – 382 | PWmn58KBcnHI6OBMKNafzCEiShSyIzUTzvsULe3sDOc=\r\n383 – 600 | lUq9SRfYH8KkEzNKFzQp9saTIKdX0DmnRh3LO3KaRMI=\r\n601 – 669 | gbVEloX3kL40gsn1iJ2dHK8rG8SGkjQmlZzuoYVLLlY=\r\n670 – 838 | 1NZ9gosU7AyEoX7eYIpFOy6VtAxce3NrSP0y5ixwF44=\r\n839 – 941 | tUknSLjnu/IQ+oF8t64y56e8dqiN+nvvbwVElbLZh6o=\r\n962 – 1118 | wGFMN18TSbeENvcG7ovTc9g7y14Or0CPD9Oph6uL7qI=\r\n1119 – 1144 | tdfHwCY/b8lglvq1EckDOtSS+Ok9mbe0PHgqaBH3JF4=\r\n1148 – 1212 | rHVfLVpmqrMDsRQa7sFPKn9MHzPytC8tTU9+s4QDKyA=\r\n1213 – 1215 | 
0Jb6YNUeIqlzl6ZhuTEySwA7v4UxD7v6qtoCijTPCSY=\r\nRound 2\r\nID range for a cluster | AES key\r\n0 – 58 | xnmBUs01y021keOdlbpYpgzEqOlvBvgXX8bHbTIcAU4=\r\n59 – 163 | EBBTiuviUgaUKVL+FvE2plIJhyZW6o7f9Siw9J36PfM=\r\n165 – 246 | g0Ja7l6LQZy+iEQKdGMuvWTvymZTPUuxko+Su1//kOc=\r\nRound 3\r\nID range for a cluster | AES key\r\n0 – 37 | /6xTrJ5wusITyu1Aj0dx7FCdXZASmLZVhm2ZAII8rs4=\r\n41 – 99 | yaDD0flqYFpBmlMjzKgB+DELfVx0eTSzvRiHTZY0VKI=\r\n103 – 184 | CYtzHLkrHAkRalizuL9TqbViN2pf3gZuqjcSFSH8/0w=\r\n187 – 282 | 957VPRW5FZraJ9pNcJXT9I6hMa1IxnB7P+xWnA2gFR8=\r\n283 – 320 | RHw2BlqKxjyybILVYKmtlyaYV+XMyCXynqmgYDUcoME=\r\n321 – 391 | K5F9o5+9+h+T4yqfs4iXCOYHxXcsp45IEjHl4I0s0VU=\r\n395 – 498 | y0KGEtavg4++y4fZjSC/SHzk9K2h/uMng7kSNldnJQ8=\r\n499 – 616 | CFdxtfeM8Tm7AGH46xHb+3IjxJvfAKGafg/PnCSjA+4=\r\n617 – 685 | 0IZPxBzPYp9qmq+xd6CAnI4yiLjAYPbzQNylzRNx+Ok=\r\n686 – 713 | LApSwUiqLqnOVRi1FJW0iSbQYndjAewCq4bGKv4COY8=\r\n714 – 800 |\r\nTable 1. List of clusters of CustomerLoader next-stage payloads and associated AES keys, as of 6 July 2023\r\nBased on static malware detection, Sekoia.io analysts noticed that every decrypted next-stage payload matches our internal YARA rule for the dotRunpeX injector.\r\nTo classify the payloads distributed by CustomerLoader and injected by dotRunpeX, we executed them in a sandbox environment. We identified more than 40 known malware families, as shown in the following figure.\r\nFigure 9. 
Known malware families distributed by CustomerLoader, between 31 May 2023 and 6 July 2023\r\nMalware families include:\r\nInfostealers sold as a Malware-as-a-Service (Redline, Formbook, Vidar, Stealc, Raccoon stealer and Lumma), available on GitHub (StormKitty) and others (AgentTesla, DarkCloud, Kraken Keylogger, etc.);\r\nRATs available on GitHub or cybercrime forums (AsyncRAT, Quasar, Remcos, XWorm and njRAT), initially sold as a Malware-as-a-Service (WarzoneRAT, BitRAT, NanoCore) and others (SectopRAT);\r\nLoaders (LgoogLoader, Amadey);\r\nCommodity ransomware (a variant of WannaCry and TZW ransomware).\r\nWe also identified botnets associated with some malware families. Here is the number of unique botnets for the following malware families distributed by CustomerLoader:\r\nRedline: over 80 botnets;\r\nQuasar: 45 botnets;\r\nVidar: 9 botnets;\r\nRemcos: 6 botnets;\r\nStealc: 4 botnets;\r\nFormbook: 4 botnets.\r\nAlthough one threat actor/group can operate several botnets and malware families and use several servers and domain names, the number of deployed malware, the extent of the related infrastructure and the diversity of alleged objectives lead Sekoia.io analysts to assess that it is highly unlikely that all these final payloads are leveraged by a single threat actor/group.\r\nThis in-depth investigation allows us to assess with high confidence that CustomerLoader is a new malware associated with a Loader-as-a-Service. Such services are very common in the cybercrime ecosystem and offer cybercriminals a solution to ensure that their payloads are less likely to be detected. The likely high number of customers for this service is probably due to its stealthy code.\r\nInfection chains\r\nSekoia.io observed three infection chains delivering CustomerLoader in the wild, which we briefly detail in the following sections. 
These attackers leveraged CustomerLoader for their distribution campaigns and are almost certainly customers of the Loader-as-a-Service.\r\nPhishing emails (customer 735)\r\nIn early June 2023, we observed a phishing campaign delivering CustomerLoader. The email content purports to be a follow-up email to trick victims into thinking they had a previous exchange with the sender. The body of the mail contains an image mimicking a PDF file, which is in fact a hyperlink to hxxp://smartmaster.com[.]my/48E003A01/48E003A01.7z. This link redirects to a compromised website hosting a ZIP file. The archive contains an executable, which is the loader.\r\nFigure 10. Phishing email content with the fake image containing a hyperlink to the loader executable\r\nYouTube compromised channels (customer 770)\r\nKnown on Russian-speaking cybercrime forums as “911”, this infection chain, which consists in delivering malware using stolen YouTube accounts to distribute a download link, was leveraged to deliver CustomerLoader.\r\nThe main steps of this infection chain are:\r\n1. Hundreds of YouTube videos from compromised accounts use the lure of cracked software to redirect users to the Telegra[.]ph webpage (hxxps://telegra[.]ph/Full-Version-06-03-2);\r\n2. The Telegra[.]ph web page shares instructions to disable Windows Defender protection and redirects users to the download of a password-protected archive on MediaFire (hxxps://www.mediafire[.]com/file/nnamjnckj7h80xz/v2.4_2023.rar/file and later hxxps://www.mediafire[.]com/file/lgoql94feiic0x7/v2.5_2023.rar/file);\r\n3. Once the archive is downloaded and decompressed, the user executes the file “Setup.exe”, which turns out to be a CustomerLoader sample (c05c7ec4570bfc44e87f6e6efc83643b47a378bb088c53da4c5ecf7b93194dc6);\r\n4. 
It downloads the encrypted payload from its C2 server (hxxp://5.42.94[.]169/customer/770), then decrypts and executes it;\r\n5. The final payload turns out to be a Raccoon stealer sample communicating with the C2 servers 45.9.74[.]99 and 5.42.65[.]69.\r\nFigure 11. Telegra[.]ph webpage sharing instructions to disable Windows Defender and distributing the download link\r\nHere is an analysis from the Hatching Triage sandbox of the CustomerLoader sample for this infection chain: https://tria.ge/230608-y3pgnsag5s.\r\nPage impersonating Slack website (customer 798)\r\nCustomerLoader’s infection chain\r\nA webpage impersonating the website of the video conferencing software Slack distributed CustomerLoader as a fake installer. The technique used to spread this fake website remains unknown at the time of writing; it could be SEO poisoning, phishing emails or redirections from legitimate forums.\r\nThe main steps of this infection chain are:\r\nThe user browses the webpage impersonating the Slack website (hxxps://slackmessenger[.]site/) and clicks on the download button;\r\nThis launches the archive download from another malicious domain (hxxps://slackmessenger[.]pw/slack.zip);\r\nThe ZIP file contains the executable SlackSetup.exe, which turns out to be a CustomerLoader sample (b8f5519f7d66e7940e92f49c9f5f0cac0ae12cc9c9072c5308475bd5d093cdca);\r\nIt downloads the encrypted payload from its C2 server (hxxp://5.42.94[.]169/customer/798), then decrypts and executes it;\r\nThe next-stage payload is a custom dropper that executes PowerShell scripts to elevate privileges, downloads additional encrypted payloads from “crypt1[.]pw”, executes them, and installs the legitimate Slack application;\r\nThe final payloads 
turn out to be a Redline stealer sample communicating with missunno[.]com:80, and a cryptominer communicating with “hxxp://179.43.170[.]241/BEBRIK.php”.\r\nFigure 12. Webpage (slackmessenger[.]site) impersonating the Slack website and redirecting to the download of CustomerLoader (hxxps://slackmessenger[.]pw/slack.zip)\r\nHere is an analysis from the Hatching Triage sandbox of the CustomerLoader sample for this infection chain: https://tria.ge/230611-xmzr2aad3z.\r\nUnveiling the infrastructure associated with “customer 798”\r\nIn this section, we focus on the C2 infrastructure associated with the third CustomerLoader infection chain (customer 798). As described above, this attacker leveraged CustomerLoader for its distribution campaign and is almost certainly a customer of the Loader-as-a-Service.\r\nWhile we did not dig deeper into the analysis of the crypter downloaded by CustomerLoader in the above infection chain, we observed additional requests to the following domains:\r\nget-vbs[.]com\r\ncmd2[.]pw\r\nmymine[.]pw\r\nvbs1[.]pw\r\nvbs22[.]pw\r\nvbs3[.]pw\r\nAll domains are likely to be malicious and related to the infrastructure of a single attacker. 
Common characteristics of this infrastructure are:\r\nDomains protected by Cloudflare;\r\nDomains registered with Beget LLC;\r\nUse of TLS certificates from Google Trust Services LLC and Let’s Encrypt;\r\nSimilar naming patterns for domains according to their use;\r\nPredominant use of .pw, .net and .com TLDs.\r\nBased on the previously discussed technical artefacts, we were able to unveil an infrastructure of over 50 domains used for:\r\nHosting distribution websites using landing pages of software, VST plugins, mouse macro plugins or video game download websites;\r\nRedirecting to the distribution websites;\r\nHosting the malicious payloads (ZIP files containing a setup executable);\r\nRedirecting to the file hosting domains;\r\nHosting the C2 server of a cryptominer.\r\nThis results in the following list:\r\nDomain | Use\r\nmacros-pro[.]net | Distribution website (landing page)\r\nplugin4free[.]net | Distribution website (landing page)\r\nself-games[.]com | Distribution website (landing page)\r\nslackmessenger[.]site | Distribution website (landing page)\r\nsoft-got[.]com | Distribution website (landing page)\r\nvpnsget[.]com | Distribution website (landing page)\r\nvstget[.]com | Distribution website (landing page)\r\nseif-games[.]com | Redirection to distribution website\r\nself-games[.]host | Redirection to distribution website\r\nself-games[.]pw | Redirection to distribution website\r\nself-games[.]site | Redirection to distribution website\r\nself-games[.]space | Redirection to distribution website\r\nsoft-got[.]co | Redirection to distribution website\r\nsoft-got[.]net | Redirection to distribution website\r\nsoft-got[.]pw | Redirection to distribution website\r\nvst-dw[.]com | Redirection to distribution website\r\nvstdw[.]com | Redirection to distribution website\r\nhardcoverradio[.]com | File hosting domain\r\nmacrospro[.]pw | File hosting domain\r\nplugin4free[.]com | File 
hosting domain\r\nslackmessenger[.]pw | File hosting domain\r\nvpnsget[.]pw | File hosting domain\r\nadanagram[.]com | Redirection to file hosting domain\r\nbin-a[.]pw | Redirection to file hosting domain\r\nbin-b[.]pw | Redirection to file hosting domain\r\nbin-c[.]pw | Redirection to file hosting domain\r\nbin-d[.]pw | Redirection to file hosting domain\r\ncmd1[.]pw | Redirection to file hosting domain\r\ncmd2[.]pw | Redirection to file hosting domain\r\ncmd22[.]pw | Redirection to file hosting domain\r\nget-a[.]pw | Redirection to file hosting domain\r\nget-b[.]pw | Redirection to file hosting domain\r\nget-c[.]pw | Redirection to file hosting domain\r\nget-d[.]pw | Redirection to file hosting domain\r\nget-i[.]pw | Redirection to file hosting domain\r\nget-vbs[.]com | Redirection to file hosting domain\r\nget-y[.]com | Redirection to file hosting domain\r\nhautegaleria[.]com | Redirection to file hosting domain\r\njacksmanual[.]com | Redirection to file hosting domain\r\nvbs1[.]pw | Redirection to file hosting domain\r\nvbs2[.]pw | Redirection to file hosting domain\r\nvbs22[.]pw | Redirection to file hosting domain\r\nvbs3[.]pw | Redirection to file hosting domain\r\nminemy[.]pw | Miner’s C2 domain\r\nmymine[.]pw | Miner’s C2 domain\r\ncrypt1[.]pw | Encrypted file hosting domain\r\ngethere[.]pw | Unknown\r\n77.91.124[.]25 | Server hosting macros-pro[.]net\r\n104.193.255[.]48:80 | Redline C2 server\r\n179.43.170[.]241 | Cryptominer C2 server\r\nTable 2. 
List of domains associated with the infrastructure of the CustomerLoader’s customer 798\r\nConclusion\r\nThe new malware CustomerLoader does not implement advanced techniques, but when used with the dotRunpeX injector, it reduces the detection rate of the final payload, allowing attackers to improve their compromise rate.\r\nSekoia.io analysts’ investigation led us to discover only one CustomerLoader C2 server. However, the number and the variety of malware families loaded by CustomerLoader in the first half of June show that the threat is widespread. By pivoting on the infrastructure of one of the attackers using CustomerLoader, we identified over 50 domains used to distribute commodity malware widely. Sekoia.io analysts assess that CustomerLoader is highly likely associated with a Loader-as-a-Service and used by multiple threat actors, including some previously observed running long-term campaigns with large and resilient infrastructure.\r\nTo provide our customers with actionable intelligence, we will continue to monitor the evolution of CustomerLoader and proactively search for new emerging malware and adversary infrastructure.\r\nIoCs \u0026 Technical Details\r\nIoCs\r\nThe Indicators of Compromise shared in this report are only associated with the infection chains described above. More CustomerLoader and dotRunpeX IoCs are available in the Sekoia.io Intelligence Center.\r\nC2 servers\r\n5.42.94[.]169\r\nkyliansuperm92139124[.]sbs\r\nInfection chain 1\r\nIoC | Use\r\nhxxp://smartmaster.com[.]my/48E003A01/48E003A01.7z | Payload delivery URL\r\nd40af29bbc4ff1ea1827871711e5bfa3470d59723dd8ea29d2b19f5239e509e9 | Archive\r\n3fb66e93d12abd992e94244ac7464474d0ff9156811a76a29a76dec0aa910f82 | CustomerLoader payload\r\nhxxp://5.42.94[.]169/customer/735 | CustomerLoader’s C2 URL\r\nInfection chain 2\r\nIoC | 
Use\r\nhxxps://telegra[.]ph/Full-Version-06-03-2 | Malicious redirection webpage\r\nhxxps://tinyurl[.]com/bdz2uchr | Shortened URL redirecting to the payload delivery URL\r\nhxxps://www.mediafire[.]com/file/nnamjnckj7h80xz/v2.4_2023.rar/file | Payload delivery URL\r\nhxxps://www.mediafire[.]com/file/lgoql94feiic0x7/v2.5_2023.rar/file | Payload delivery URL\r\n65e3b326ace2ec3121f17da6f94291fdaf13fa3900dc8d997fbbf05365dd518f | Archive\r\n7ff5a77d6f6b5f1801277d941047757fa6fec7070d7d4a8813173476e9965ffc | Archive\r\nc05c7ec4570bfc44e87f6e6efc83643b47a378bb088c53da4c5ecf7b93194dc6 | CustomerLoader payload\r\nhxxp://5.42.94[.]169/customer/770 | CustomerLoader’s C2 URL\r\n45.9.74[.]99 | Raccoon stealer’s C2\r\n5.42.65[.]69 | Raccoon stealer’s C2\r\nInfection chain 3\r\nIoC | Use\r\nhxxps://slackmessenger[.]site/ | Malicious webpage impersonating Slack website\r\nhxxps://slackmessenger[.]pw/slack.zip | Payload delivery\r\n695f138dd517ded4dd6fcd57761902a5bcc9dd1da53482e94d70ceb720092ae6 | Archive\r\nb8f5519f7d66e7940e92f49c9f5f0cac0ae12cc9c9072c5308475bd5d093cdca | CustomerLoader payload\r\nhxxp://5.42.94[.]169/customer/798 | CustomerLoader’s C2 URL\r\nmissunno[.]com:80 | Redline stealer’s C2\r\nMITRE ATT\u0026CK TTPs\r\nTactic | Technique\r\nExecution | T1129 – Shared Modules\r\nDefense Evasion | T1027 – Obfuscated Files or Information\r\nDefense Evasion | T1027.007 – Obfuscated Files or Information: Dynamic API Resolution\r\nDefense Evasion | T1132.001 – Data Encoding: Standard Encoding\r\nDefense Evasion | T1140 – Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1562.001 – Impair Defenses: Disable or Modify Tools\r\nDefense Evasion | T1620 – Reflective Code Loading\r\nCommand and Control | T1001 – Data 
Obfuscation\r\nCommand and Control | T1071.001 – Application Layer Protocol: Web Protocols\r\nCommand and Control | T1105 – Ingress Tool Transfer\r\nThank you for reading this blog post. We welcome any reaction, feedback or criticism about this analysis. Please contact us at tdr[at]sekoia.io.\r\nSource: https://blog.sekoia.io/customerloader-a-new-malware-distributing-a-wide-variety-of-payloads/#h-c2-servers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/customerloader-a-new-malware-distributing-a-wide-variety-of-payloads/#h-c2-servers"
	],
	"report_names": [
		"#h-c2-servers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434578,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45c5e99659b869bef7b07a9667db29233b29e5a0.pdf",
		"text": "https://archive.orkl.eu/45c5e99659b869bef7b07a9667db29233b29e5a0.txt",
		"img": "https://archive.orkl.eu/45c5e99659b869bef7b07a9667db29233b29e5a0.jpg"
	}
}