{
	"id": "cb9490c6-8669-44c1-8561-045c4a5dd629",
	"created_at": "2026-04-06T00:06:40.845028Z",
	"updated_at": "2026-04-10T13:11:47.699921Z",
	"deleted_at": null,
	"sha1_hash": "4748c08a76333b79d2a3fc116435da542fad3413",
	"title": "Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4333865,
	"plain_text": "Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled\r\nBy Amanda Tanner, Anthony Galiette, Jerome Tujague\r\nPublished: 2024-03-15 · Archived: 2026-04-05 21:23:01 UTC\r\nExecutive Summary\r\nThis article will focus on the newly released BunnyLoader 3.0, as well as historically observed BunnyLoader\r\ninfrastructure and an overview of its capabilities. BunnyLoader is dynamically developing malware with the\r\ncapability to steal information, credentials and cryptocurrency, as well as deliver additional malware to its victims.\r\nIn an increasingly cutthroat market, cybercriminals must regularly update and retool their malware to compete\r\nwith other cybercriminals, security tools and researchers alike. Since its initial discovery in September of 2023,\r\nBunnyLoader malware as a service (MaaS) has frequently updated its functionality to include the following:\r\nBug fixes\r\nAdditional antivirus evasion and protections\r\nMultiple data recovery functionalities for the stealer portion\r\nAdditional browser paths\r\nKeylogger functionality\r\nAdditional activity discovered in October 2023 by Unit 42 threat researchers revealed the threat actor continued to\r\nmodify and retool BunnyLoader. The threat actor frequently changed their tactics in an effort to deliver and\r\nexecute the malware in what appears to be an attempt to further obfuscate and evade detection.\r\nSamples collected during this time included packed binaries using PureCrypter, UPX and Themida during various\r\ncampaigns in November. In December, the BunnyLoader payload was delivered as a follow-up payload to a\r\nPureCrypter infection using a novel .NET injector. Threat actors changed filenames of the malware to mimic\r\nlegitimate video games and other applications.\r\nFrequent changes in tactics, techniques and procedures (TTPs) like infrastructure, packers, encryption and method\r\nof exfiltration help the attacker evade detection. 
It’s also meant to undermine cybersecurity researchers’ ability to\r\ndetect and analyze the threat actor’s activities.\r\nOn Feb. 11, 2024, the threat actor behind BunnyLoader announced the release of BunnyLoader 3.0, boasting the\r\nmalware has been “completely redesigned and enhanced by 90%.”\r\nThe threat actor claims enhancements to BunnyLoader payloads include:\r\nPayloads/modules “completely rewritten for improved performance”\r\nReduced payload size\r\nAdvanced keylogging capabilities\r\nhttps://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/\r\nPage 1 of 26\n\nBy revealing the threat actor’s continued development of the malware and its evolving TTPs, we aim to empower\r\nreaders to detect and hopefully prevent this threat.\r\nPalo Alto Networks customers are better protected from BunnyLoader through Cortex XDR and XSIAM, as well\r\nas through Prisma Cloud. Customers are also better protected through our Next-Generation Firewall with Cloud-Delivered Security Services, including Advanced WildFire, DNS Security, and Advanced URL Filtering.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nBehind the Ears of BunnyLoader\r\nBunnyLoader has had a rapid development cycle. Version 1.0 was first seen at the beginning of September 2023,\r\nadvertised on the dark web as a MaaS botnet and loader malware written in C/C++. It had a variety of capabilities\r\nsuch as the following:\r\nFileless loading\r\nCredential theft\r\nCryptocurrency theft\r\nClipboard theft\r\nThe threat actor behind this malware is known as “Player” or “Player_Bunny.” The buyer determines what\r\nmalware BunnyLoader delivers. The author of this malware prohibits its use against Russian systems.\r\nMalware authors residing in or around Russian territory commonly prohibit the use of their malware against\r\nRussian targets. 
Threat actors likely use this restriction as a way to stay off of Russian law enforcement’s radar.\r\nAs early as Sept. 4, 2023, the threat actor “Player” initially offered BunnyLoader version 1.0 on various forums at\r\n$250 for lifetime access. An example of this advertisement is shown below in Figure 1.\r\nFigure 1. Dark web post advertising BunnyLoader 1.0. Source: @DailyDarkWeb on X (Twitter).\r\nBy the end of September 2023, BunnyLoader underwent a rapid retooling. According to the BunnyLoader\r\nadvertisement, new features include the following:\r\nCommand-and-control (C2) panel bug fixes\r\nAntivirus evasion\r\nMultiple data recovery methods used for information theft\r\nAdded browser paths\r\nKeylogger functionality\r\nAnti-analysis protections\r\nThe malware loader ecosystem is normally in a state of flux. During the previous month, August 2023, there was\r\nsignificant impact to the prolific malware family Qakbot with the joint law enforcement takedown operation.\r\nThis event likely signaled an opportunity for other MaaS loader operators to gain a market foothold. As such, the\r\naggressive retooling and updating by the BunnyLoader author might have been to attract market interest and\r\nincrease its adoption. By the end of September, the author had released BunnyLoader 2.0 and it was seen in the\r\nwild.\r\nIn October, the author offered a “private” version of the malware for $350. Unlike the original version, the author\r\nobfuscated this private version, and they made regular updates to evade antivirus protections. Threat actors were\r\nlikely motivated to make these updates because security researchers discovered the malware in late September.\r\nThe threat actor advertised their most recent version, BunnyLoader 3.0, on their Telegram channel on Feb. 
11,\r\n2024.\r\nObserved Infrastructure: From Burrows to Bytes\r\nWhen security researchers initially discovered BunnyLoader 1.0 in September, it used 37.139.129[.]145 for its C2\r\nserver, as noted in Figure 2.\r\nFigure 2. X (formerly known as Twitter) post by security researcher 0xperator. Source: @0xperator\r\non X (Twitter).\r\nIn the earliest known samples of BunnyLoader, the client communicated with C2 servers using a standardized\r\ndirectory structure of http://[url]/Bunny/[PHP endpoint], as shown below in Figure 3. This pattern remains\r\nconsistent throughout all samples leading up to the release of BunnyLoader 3.0.\r\nFigure 3. URLs we have observed reflecting the directory structure on the C2 server at\r\n37.139.129[.]145.\r\nBunnyLoader 2.0 uses URLs ending with Add.php to initially register the BunnyLoader client with the C2 server. Prior to registration, the malware enumerates the\r\ndevice and uses the collected information as a fingerprint to identify distinct targets.\r\nOnce BunnyLoader establishes communication with the C2, it repeatedly sends requests using URLs ending with\r\nTaskHandler.php. Responses from these requests initialized further malicious tasks performed by BunnyLoader.\r\nThreat authors coded these tasks into separate functions, which included the following:\r\nKeylogging\r\nClipboard theft\r\nDownloading additional malware\r\nRemote command execution\r\nCrypto wallet theft\r\nApplication credential theft\r\nDuring October, we observed new C2 infrastructure hosted at 185.241.208[.]83. That month, we also found\r\nBunnyLoader samples delivered via a conspicuous ZIP archive named Shovel Knight.zip. 
Further analysis\r\nrevealed the contents of Shovel Knight.zip include a Windows executable, which is the stager for BunnyLoader\r\n2.0.\r\nShovel Knight is a well-known video game for which development was crowdfunded. It was then released by\r\nmajor video game platforms. The threat actors’ use of the names of legitimate software is undoubtedly an effort to\r\ntrick users into opening and executing the malicious files.\r\nDuring November, we identified subsequent campaigns using C2 servers hosted at:\r\n195.10.205[.]23\r\n172.105.124[.]34\r\nSamples we collected in November 2023 used Themida to pack Windows executable files for BunnyLoader. In\r\naddition to Themida, we observed a cluster of PureCrypter samples in November 2023 designed to deliver\r\nBunnyLoader. These techniques indicate the operators of BunnyLoader started taking additional measures to\r\nprotect their malware.\r\nDuring December, we observed new C2 servers at:\r\n134.122.197[.]80\r\n91.92.254[.]31\r\nThat month’s infection chain was far more complex than seen in previous months. We observed additional\r\nchanges in TTPs, where the infection chain started with a previously unseen dropper leading to PureCrypter and\r\nforking into two branches as shown in Figure 4.\r\nFigure 4. Overview of December infection chain.\r\nOne branch from the PureCrypter infection continues to deploy additional Pure malware by dropping the\r\nPureLogs loader and then delivering the PureLogs stealer. The second branch results in PureCrypter leveraging a\r\n.NET injector to deliver BunnyLoader, which masquerades as the file notepet.exe. Notepet is a pet health tracker\r\napplication for pet owners.\r\nWe also observed BunnyLoader using a misspelling of the app for the filename notep.exe. 
Threat actors used this\r\nfile to deliver the Meduza stealer malware.\r\nFollowing the December activity, the threat author advertised another massive retooling with the release of\r\nBunnyLoader 3.0 on Feb. 11, 2024, as shown in Figure 5. Senior threat intelligence researcher\r\n@RussianPanda9xx first publicly shared this announcement on X (Twitter) as shown below in Figure 6.\r\nFigure 5. Advertisement for BunnyLoader 3.0 on Telegram.\r\nFigure 6. X (formerly known as Twitter) post by threat intelligence researcher @RussianPanda.\r\nThe latest version of BunnyLoader, version 3.0, uses a different directory structure on its C2 servers than we saw\r\nin version 2.0. This directory structure is formatted as http://[C2]/[path]/[PHP API]. We discuss this information in\r\nmore detail in the section Hopping Through the Bytes.\r\nIn BunnyLoader 3.0, the threat actor uses a dropper delivered via a CMD file with the BunnyLoader malware\r\nembedded in the dropper to deliver the actual malicious payload. Once attackers deliver BunnyLoader to the target\r\nmachine, the malware reaches out to a C2 server at 91.92.247[.]212, which then responds and waits for further\r\ninstruction from the threat actor.\r\nSample Analysis: Hopping Through the Bytes of BunnyLoader 3.0\r\nOn Feb. 14, 2024, security researcher Germán Fernández identified the first known sample of BunnyLoader 3.0\r\ncontained in a malicious .cmd script discovered by @ViriBack.\r\nUnit 42 researchers tracking this threat analyzed the updated BunnyLoader file extracted from the .cmd script. 
We\r\nidentified several major changes from prior versions, including updates to the C2 communication protocol and\r\nmodularization of the binary.\r\nAs many aspects of BunnyLoader have not changed and are well documented in other write-ups, we focused our\r\nanalysis in this article on new features. The following sections are not a comprehensive analysis but rather\r\nhighlight key features found in the new version.\r\nCommand and Control Update\r\nThe base URI structure of the C2 communication remains unchanged from prior versions, using the format\r\nhttp://[C2]/[path]/[PHP API]. The sample of BunnyLoader mentioned previously is configured to communicate\r\nwith the C2 server located at hxxp://ads[.]hostloads[.]xyz/BAGUvIxJu32I0/gate.php. While previous versions of\r\nBunnyLoader used the string Bunny in the URL path, BunnyLoader 3.0 allows the operator to specify the path\r\nname.\r\nPrior to the release of version 3.0, BunnyLoader servers used multiple PHP API endpoints to receive\r\ncommunication from clients (shown in Figure 3). All samples of BunnyLoader 3.0 observed by Unit 42 use one\r\nendpoint, gate.php.\r\nRather than sending HTTP parameters in cleartext, as seen in previous versions, BunnyLoader 3.0 will obfuscate\r\nthese values using RC4 encryption. A random 32-character key is generated each time BunnyLoader is executed,\r\nwhich is used to RC4 encrypt all HTTP query parameter values. The encrypted values are subsequently converted\r\ninto charcode and URL encoded, as seen in Figure 7, wherein a client is making an initial connection to the C2\r\nserver.\r\nFigure 7. Example of HTTP headers from an initial connection to the BunnyLoader C2 server.\r\nFor the C2 server to differentiate between client requests, each client function uses a unique URI parameter\r\nformat, along with a specific user agent. 
Table 1 below outlines all possible C2 communication routines, including\r\ntheir purpose and parameters used.\r\nHTTP query parameter names and values are listed in the rightmost column, with notations in parentheses to\r\nindicate usage. Unit 42 created the ID column for reference purposes.\r\nColumns: ID, Purpose, User Agent, HTTP/S URI Parameters\r\nID 1. Purpose: Establishes initial connection to the C2 server. User Agent: Windows Defender. Parameters: ipaddress, hostname, version (BunnyLoader version), system (Operating System), privileges (Local or Admin), arch (CPU Architecture), antivirus, disk_id (Bot ID), key (BL Operator Key), enc_key (RC4 Key)\r\nID 2. Purpose: Sends a heartbeat to the C2 every 50 seconds. User Agent: Avast. Parameters: heart (BL Operator Key), hostname, system (Operating System), arch (CPU Architecture), heart_enc_key (RC4 Key)\r\nID 3. Purpose: Sends a request every two seconds. The expected response is a command run via the Windows command line. User Agent: ESET SECURITY. Parameters: hostname, system, arch, cecho (BL Operator Key), enc_cecho (RC4 Key)\r\nID 4. Purpose: Response to the C2 after executing the command in the previous row. User Agent: McAffe. Parameters: val (BL Operator Key), hostname, system, arch, value (command output), va_enc_key (RC4 Key)\r\nID 5. Purpose: Sends a request every two seconds. The expected response is a specially formatted command parsed by the client. User Agent: AVG. Parameters: BID (Bot ID), bid_enc_key (RC4 Key)\r\nID 6. Purpose: Response to the C2 after executing the command in the previous row. User Agent: Google Chrome. Parameters: CID (Command ID), bid (Bot ID), enc_key (RC4 Key)\r\nID 7. Purpose: Sends a request every two seconds. The expected response is a specially formatted command parsed by the client. 
Used to download the denial-of-service (DoS) module. User Agent: Avast. Parameters: DBID (Bot ID), DBID_enc_key (RC4 Key)\r\nID 8. Purpose: Response to the C2 after executing the command in the previous row. User Agent: Google Chrome. Parameters: DCID (Command ID), DBID (Bot ID), d_enc_key (RC4 Key)\r\nTable 1. BunnyLoader C2 functions and associated communications.\r\nThe C2 address, C2 path, BunnyLoader version and operator ID are all hard-coded in the binary. This function\r\nalso generates the RC4 key, as shown in Figure 8 below.\r\nFigure 8. BunnyLoader client configuration function as seen using IDA Pro.\r\nModularization of BunnyLoader Binary\r\nThe second major change in BunnyLoader 3.0 is the transition from one file to a smaller base client with features\r\navailable as downloadable modules. While most of the client code is similar to previous versions, BunnyLoader’s\r\ncustom stealer, clipper, keylogger and new DoS functions are now separated into distinct binaries. Operators of\r\nBunnyLoader can choose to deploy these modules or use BunnyLoader’s built-in commands to load their choice\r\nof malware.\r\nWhen running on a target computer, BunnyLoader will check in with the C2 every two seconds (see row five in\r\nTable 1), awaiting a specifically formatted command. These instructions facilitate the download and execution of\r\nadditional malware on the target’s computer and are formatted in the following manner:\r\nID --\u003e [value]; Task_Name --\u003e [value]; Task_Args --\u003e [value]; DLL --\u003e [value]\r\nThe Task_Name and Task_Arg values are extracted from the command and passed to corresponding functions,\r\nwhich instruct the client how to download and execute the new payload. 
All HTTP download requests performed\r\nvia these commands will utilize either the user agent ESET NOD32 (download is saved to disk) or curl/1.0\r\n(fileless injection), and all downloaded files are saved to the victim’s %localappdata%\\Temp folder.\r\nThe client will send a response back to the C2 containing the Command ID (CID) value extracted from the\r\ncommand, using the format shown in row six of Table 1.\r\nTable 2 below summarizes all possible tasks that the C2 can send to the client.\r\nTask Name: Summary\r\nDownload \u0026 Inject (Executable) [FileLess]: Downloads .exe specified by Task_Arg and injects it into notepad.exe, entirely in memory.\r\nDownload \u0026 Inject (DLL) [RTI]: Downloads .dll specified by Task_Arg to the %localappdata%/Temp folder, and injects it into calc.exe.\r\nDownload \u0026 Execute (Executable): Downloads .exe specified by Task_Arg to the %localappdata%/Temp folder and executes it using CreateProcessA.\r\nDownload \u0026 Execute (DLL): Downloads .dll specified by Task_Arg to the %localappdata%/Temp folder and executes it using rundll32.\r\nDownload \u0026 Execute (Batch): Downloads .bat or .cmd script specified by Task_Arg to the %localappdata%/Temp folder and executes it using CreateProcessA.\r\nDownload \u0026 Execute (PowerShell): Downloads .ps1 specified by Task_Arg to the %localappdata%/Temp folder and executes it using powershell -ExecutionPolicy Bypass -File.\r\nDownload \u0026 Execute (VBS): Downloads .vbs specified by Task_Arg to the %localappdata%/Temp folder and executes it using cscript.exe.\r\nRun Stealer: Downloads the BunnyLoader stealer module from a path hard-coded in the binary and injects it into notepad.exe, entirely in memory.\r\nRun Keylogger: Downloads the BunnyLoader keylogger module from a path hard-coded in the binary and injects it into notepad.exe, entirely in memory.\r\n(Any of the following) Bitcoin, Bitcoin Cash, Monero, Ethereum, 
Litecoin, Dogecoin, ZCash, Tether, XRP: Downloads the BunnyLoader clipper module from a path hard-coded in the binary and injects it into notepad.exe, entirely in memory.\r\nTable 2. BunnyLoader commands.\r\nThe new DoS module download is handled in a separate thread, which will check in with the C2 every two\r\nseconds (see row seven in Table 1), awaiting a specifically formatted command. Upon receiving the appropriate\r\ncommand, the client will download and inject the DoS module into notepad.exe.\r\nWe noted the following URL structures used to download the BunnyLoader 3.0 modules, as shown in Table 3\r\nbelow. The filenames and URL format remained constant across multiple samples.\r\nModule URL Purpose\r\nhttp://[C2]/[path]/Modules/eSentire.exe Stealer module\r\nhttp://[C2]/[path]/Modules/zScaler.exe DoS module\r\nhttp://[C2]/[path]/Modules/any_run.exe Clipper module\r\nhttp://[C2]/[path]/Modules/NextronSystems.exe Keylogger module\r\nTable 3. BunnyLoader 3.0 module URLs.\r\nThe following sections highlight the key functions of each BunnyLoader 3.0 module.\r\nKeylogger Module\r\nThe BunnyLoader 3.0 keylogger records all keystrokes, saving them to log files in the %localappdata%\\Temp\r\nfolder. The keylogger also attempts to identify when the victim authenticates to sensitive applications or services.\r\nTo do so, the keylogger uses the GetForegroundWindow and GetWindowTextA APIs to identify when the victim\r\nis interacting with targeted applications or services. 
It will log the respective keystrokes to separate, hard-coded\r\nfiles, as shown in Table 4 below.\r\nWindow Title or Application Name Log Location (Hard-Coded)\r\nCredentialUIBroker.exe, mstsc.exe %localappdata%\\Temp\\ADE_RDP.txt\r\nLog in to your PayPal %localappdata%\\Temp\\ADE_PAYPAL.txt\r\nNord Account %localappdata%\\Temp\\ADE_NORD.txt\r\nSign in - chase.com %localappdata%\\Temp\\ADE_CHASE.txt\r\nBank of America - Banking, Credit Cards, Loans %localappdata%\\Temp\\ADE_BOA.txt\r\nSign On to View Your Personal Accounts | Wells Fargo %localappdata%\\Temp\\ADE_WF.txt\r\nCiti.com %localappdata%\\Temp\\ADE_CITI.txt\r\nAll other keystrokes %localappdata%\\Temp\\ADE_KEY.txt\r\nTable 4. BunnyLoader keylogger log file locations.\r\nStealer Module\r\nThe BunnyLoader 3.0 stealer module operates autonomously, stealing credentials and exfiltrating data directly to\r\nthe C2 server, using the same http://[C2]/[path]/[PHP API] format as the base client.\r\nAll information theft functions will store collected data in the %localappdata%\\Temp\\ADE_LOGS folder. The\r\nstealer is also responsible for uploading logs from the keylogger module, which it will search for and copy to the\r\nsame folder.\r\nOnce all data has been collected, the stealer will use PowerShell to compress the ADE_LOGS folder into a .zip\r\nfile. 
Before exfiltrating the .zip, the stealer will send a GET request to the C2 with a summary of the stolen data,\r\nwith the user agent Windows Defender.\r\nQuery parameters of the HTTP GET requests are outlined in Table 5 below.\r\nHTTP Query Parameter Value\r\ntheft_id Bot ID\r\nipaddress Target IP address\r\nsystem Operating system\r\nchromium Number of browsers captured\r\nmessages Number of messaging services captured\r\nwallets Number of crypto wallets captured\r\nkeystrokes Number of keystroke log files found\r\ngames Number of gaming platforms captured\r\nvpns Number of VPN services captured\r\nfiles Number of targeted files captured (see Appendix for targeted file extensions)\r\nextensions Number of Chrome extensions captured\r\ntype Hard-coded value of ZIP\r\nsize Size of ZIP file\r\nlink String in the format: http://[C2]/[path]/Logs/ADE_LOGS_[hostname].zip\r\nkey_code Operator ID\r\nenc_key RC4 Key\r\nTable 5. BunnyLoader stealer module, parameters in the first request to C2.\r\nIf the C2 responds appropriately, the stealer module will upload the .zip file, using the user agent Uploader and a\r\ncustom Content-Type HTTP header, as shown in Figure 9 below. Once the upload is complete, the stealer will\r\ndelete the collected data and the .zip file.\r\nFigure 9. HTTP traffic of data exfiltration by BunnyLoader’s stealer module.\r\nA full list of information targeted by the stealer module can be found in the Appendix.\r\nClipper Module\r\nThe BunnyLoader 3.0 clipper module periodically checks in with the C2, using the communication routine\r\nspecified in rows five and six of Table 1. 
The C2 activates the clipper by sending the name of a cryptocurrency\r\nwallet to the target, along with a corresponding wallet address controlled by the threat actor.\r\nThe clipper uses regex patterns to identify whether the target’s clipboard contains a desired wallet address type. If\r\nit finds a match, it will replace the victim’s address with the malware operator’s address. Table 6 below shows the\r\ntargeted wallets and the regex statements used to identify them.\r\nWallet Regex\r\nBitcoin_Legacy ^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$\r\nBitcoin_Bech32 ^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$\r\nerc-20 ^T[1-9A-HJ-NP-Za-km-z]{33}$\r\ntrc-20 ^0x[0-9a-fA-F]{40}$\r\nBitcoin Cash ^((bitcoincash:)?(q|p)[a-z0-9]{41})\r\nMonero ^4([0-9]|[A-B])(.){93}\r\nLitecoin ^[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}$\r\nDogecoin ^[DB][1-9A-HJ-NP-Za-km-z]{26,34}$\r\nZCash ^t1[a-zA-Z0-9]{33}$\r\nxrp_address r[1-9A-HJ-KM-NP-Za-km-z]{25,34}\r\nTable 6. Wallets targeted by the BunnyLoader 3.0 clipper module and their associated regex patterns.\r\nDenial of Service Module\r\nThe BunnyLoader 3.0 DoS module waits for commands from the C2 using the communication routine specified in\r\nrows seven and eight of Table 1. The C2 can instruct the module to perform either a GET or POST HTTP flood\r\nattack against a specified URL.\r\nTo perform the attack, the module will spawn a new thread and enter an infinite loop, repeatedly sending GET or\r\nPOST requests to the target server with the following user agent:\r\nMozilla/5.0 (compatible; U; ABrowse 0.6; Syllable) AppleWebKit/420+ (KHTML, like Gecko)\r\nConclusion\r\nIn the ever changing landscape of MaaS, BunnyLoader continues to evolve, demonstrating the need for threat\r\nactors to frequently retool to evade detection. 
Revealing these evolving tactics and the dynamic nature of this\r\nthreat empowers readers to bolster their defense posture and better protect their assets.\r\nProtections and Mitigations\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following\r\nproducts:\r\nAdvanced WildFire:\r\nAdvanced WildFire recognizes and blocks the samples referenced in this post as malicious.\r\nCortex XDR:\r\nCortex XDR recognizes and blocks the samples referenced in this post as malicious.\r\nNext-Generation Firewalls (NGFW):\r\nAdvanced URL Filtering and DNS Security block related malicious URLs and IP addresses.\r\nPrisma Cloud:\r\nCompute WildFire integration allows for Prisma Cloud’s runtime compute defender agents to\r\ndetect, alert on and prevent known malicious malware within cloud resources including virtual\r\nmachines, serverless and containers.\r\nThe Web Application and API Security (WAAS) module is a Prisma Cloud Defender agent-based\r\napplication that allows Prisma Cloud to detect, alert on and prevent malicious API and cloud web\r\napplication HTTP requests. Deploying the WAAS module on cloud-based Web Application and API\r\nendpoints can detect and prevent the initial compromising events used by BunnyLoader 3.0.\r\nIf you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nFiles for BunnyLoader:\r\nSHA256 Notes First Seen\r\n3a64f44275b6ff41912654ae1a4af1d9c629f94b8062be441902aeff2d38af3e UPX-packed EXE Sep. 9, 2023\r\n0f425950ceaed6578b2ad22b7baea7d5fe4fd550a97af501bca87d9eb551b825 UPX-packed EXE Sep. 9, 2023\r\n82a3c2fd57ceab60f2944b6fea352c2aab62b79fb34e3ddc804ae2dbc2464eef Themida-packed EXE Nov. 11, 2023\r\n2ab21d859f1c3c21a69216c176499c79591da63e1907b0d155f45bb9c6aed4eb PureCrypter EXE Nov. 18, 2023\r\nc006f2f58784671504a1f2e7df8da495759227e64f58657f23efee4f9eb58216 PureCrypter EXE Nov. 18, 2023\r\n52b7cdf5402f77f11ffebc2988fc8cdcd727f51a2f87ce3b88a41fd0fb06a124 PureCrypter EXE Nov. 18, 2023\r\n5f09411395c8803f2a735b71822ad15aa454f47e96fd10acc98da4862524813a PureCrypter EXE Nov. 18, 2023\r\ncc2acf344677e4742b22725ff310492919499e357a95b609e80eaddc2b155b4b PureCrypter EXE Nov. 18, 2023\r\nebc17dbf5970acb38c35e08560ae7b38c7394f503f227575cd56ba1a4c87c8a4 PureCrypter EXE Nov. 18, 2023\r\n2d39bedba2a6fb48bf56633cc6943edc6fbc86aa15a06c03776f9971a9d2c550 PureCrypter EXE Nov. 18, 2023\r\n2e9d6fb42990126155b8e781f4ba941d54bcc346bcf85b30e3348dde75fbeca1 PureCrypter EXE Nov. 18, 2023\r\n74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994 PureCrypter EXE Nov. 18, 2023\r\nfffdf51cdb54f707db617b29e2178bb54b67f527c866289887a7ada4d26b7563 PureCrypter EXE Nov. 18, 2023\r\n62f041b12b8b4e0debd6e7e4556b4c6ae7066fa17e67900dcbc991dbd6a8443f PureCrypter EXE Dec. 16, 2023\r\n1a5ad9ae7b0dcdc2edb7e93556f2c59c84f113879df380d95835fb8ea3914ed8 (BunnyLoader 3.0 Dropper) .cmd 
script Feb. 14, 2024\r\nc80a63350ec791a16d84b759da72e043891b739a04c7c1709af83da00f7fdc3a (BunnyLoader 3.0) EXE payload from the above .cmd script Feb. 14, 2024\r\nBunnyLoader Network Indicators:\r\nBotID C2 IP address Seen\r\nBotID=880873019 37.139.129[.]145 September 2023\r\nBotID=3565265299 37.139.129[.]145 September 2023\r\nBotID=272148461 37.139.129[.]145 September 2023\r\nBotID=2475708340 37.139.129[.]145 September 2023\r\nBotID=2341255921 37.139.129[.]145 September 2023\r\nBotID=3763204704 185.241.208[.]83 October 2023\r\nBotID=337525325 185.241.208[.]83 October 2023\r\nBotID=2098524523 185.241.208[.]83 October 2023\r\nBotID=774055690 185.241.208[.]83 October 2023\r\nBotID=3408378377 195.10.205[.]23 November 2023\r\nBotID=2219025839 195.10.205[.]23 November 2023\r\n172.105.124[.]34 November 2023\r\n185.241.208[.]104 November 2023\r\nBotID=4040267350 134.122.197[.]80 December 2023\r\nBotID=1662989558 134.122.197[.]80 December 2023\r\nBotID=3860674539 134.122.197[.]80 December 2023\r\nYARA Rule\r\nrule u42_crime_win_bunnyloader_3\r\n{\r\nmeta:\r\n  author = \"Unit 42 Threat Intelligence\"\r\n  date = \"2024-02-28\"\r\n  description = \"Detects Bunnyloader 3.0, a loader with additional capabilities including keylogger, stealer, clipper, and DoS modules.\"\r\n  hash1 = \"c80a63350ec791a16d84b759da72e043891b739a04c7c1709af83da00f7fdc3a\"\r\n  malware_family = \"bunnyloader\"\r\nstrings:\r\n  $x1 = \"Windows Defender\" fullword ascii\r\n  $x2 = \"ONLINE\" fullword ascii\r\n  $x3 = \"Blacklisted\" fullword ascii\r\n  $x4 = \"ESET NOD32\" fullword ascii\r\n  $x5 = \"McAffee\" fullword ascii\r\n  $x6 = \"SecurityCenter2 path AntiVirusProduct get displayName\" fullword ascii\r\n  $cc1 = \"\u0026va_enc_key=\" fullword 
ascii\r\n  $cc2 = \"\u0026value=\" fullword ascii\r\n  $cc3 = \"\u0026arch=\" fullword ascii\r\n  $cc4 = \"\u0026system=\" fullword ascii\r\n  $cc5 = \"\u0026hostname\" fullword ascii\r\n  $cc6 = \"\u0026DBID_enc_key=\" fullword ascii\r\n  $cc7 = \"/gate.php?DBID=\" fullword ascii\r\n  $cc8 = \"/gate.php?DCID=\" fullword ascii\r\n  $cc9 = \"(ID|Layer|Windows_Argument)\" ascii\r\ncondition:\r\n  all of them\r\n}\r\nAppendix\r\nThis appendix contains additional information on the stealer module associated with BunnyLoader 3.0.\r\nStealer Module: Target Enumeration Log Format\r\n------------------\u003eBunnyLoader (A.D.E) 3.0\u003c--------------------\r\nA. Architecture --\u003e\r\nB. Graphics Processing Unit (GPU) --\u003e\r\nC. Central Processing Unit (CPU) --\u003e\r\nD. Hostname --\u003e\r\nE. Disk ID --\u003e\r\nF. System --\u003e\r\nG. AntiVirus --\u003e\r\nH. Country --\u003e\r\nI. Public IP --\u003e\r\nJ. RAM --\u003e\r\nK. UserName --\u003e\r\nL. 
Log Date --\u003e\r\nhttps://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/\r\nPage 21 of 26\n\nStealer Module: Targeted Browsers\r\n\\7Star\\7Star\\User Data\\\r\n\\CentBrowser\\User Data\\\r\n\\Chedot\\User Data\\\r\n\\Vivaldi\\User Data\\\r\n\\Kometa\\User Data\\\r\n\\Elements Browser\\User Data\\\r\n\\Epic Privacy Browser\\User Data\r\n\\uCozMedia\\Uran\\User Data\\\r\n\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer\\\r\n\\CatalinaGroup\\Citrio\\User Data\\\r\n\\Coowon\\Coowon\\User Data\\\r\n\\liebao\\User Data\\\r\n\\QIP Surf\\User Data\\\r\n\\Orbitum\\User Data\\\r\n\\Comodo\\Dragon\\User Data\\\r\n\\Amigo\\User\\User Data\\\r\n\\Torch\\User Data\\\r\n\\Yandex\\YandexBrowser\\User Data\\\r\n\\Comodo\\User Data\\\r\n\\360Browser\\Browser\\User Data\\\r\n\\Maxthon3\\User Data\\\r\n\\K-Melon\\User Data\\\r\n\\Google\\Chrome\\User Data\\\\Sputnik\\Sputnik\\User Data\\\r\n\\Nichrome\\User Data\\\r\n\\CocCoc\\Browser\\User Data\\\r\n\\Uran\\User Data\\\r\n\\Chromodo\\User Data\\\r\n\\Mail.Ru\\Atom\\User Data\\\r\n\\Microsoft\\Edge\\User Data\\\r\n\\BraveSoftware\\Brave-Browser\\User Data\\\r\nStealer Module: Targeted Cryptocurrency Wallets\r\nArmory\r\nBytecoint\r\nJaxx\r\nExodus\r\nEthereum\r\nAtomic\r\nCoinomi\r\nZCash\r\nhttps://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/\r\nPage 22 of 26\n\nGuarda\r\nStealer Module: Targeted File Extensions and File System Locations\r\n.txt\r\n.csv\r\n.log\r\n.json\r\n.xml\r\n.html\r\n.md\r\n.yaml\r\n.bat\r\n.ps1\r\n.doc\r\n.docx\r\n.odt\r\n.pp\r\n.pptx\r\n.rtf\r\n.css\r\n.vbs\r\n.php\r\n.c\r\n.cpp\r\n.cs\r\n.PNG\r\n.png\r\n.jpeg\r\n.jpg\r\n.db\r\n.sql\r\n.rdp\r\n.yar\r\n.yara\r\n(Current User Directory)\r\nDocuments\r\nDownloads\r\nMusic\r\nPictures\r\nVideos\r\nStealer Module: Targeted VPNs, Gaming and Messaging Platforms\r\nhttps://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/\r\nPage 23 of 
26\n\nProtonVPN\r\nOpenVPN\r\nTox\r\nSignal\r\nElement\r\nICQ\r\nSkype\r\nDiscord\r\nMinecraft\r\nUbisoft Game Launcher\r\nUplay\r\nStealer Module: Targeted Wallets\r\nExtension Description\r\nfhbohimaelbohpjbbldcngcnapndodjp \\Chrome Binance\r\nfihkakfobkmkjojpchpfgcmhfjnmnfpi \\Chrome Bitapp\r\naeachknmefphepccionboohckonoeemg \\Chrome Coin98\r\nblnieiiffboillknjnepogjhkgnoapac \\Chrome Equal\r\nnanjmdknhkinifnkgdcggcfnhdaammmj \\Chrome Guild\r\nflpiciilemghbmfalicajoolhkkenfel \\Chrome Iconex\r\nafbcbjpbpfadlkmhmclhkeeodmamcflc \\Chrome Math\r\nfcckkdbjnoikooededlapcalpionmalo \\Chrome Mobox\r\nbfnaelmomeimhlpmgjnjophhpkkoljpa \\Chrome Phantom\r\nibnejdfjmmkpcnlpebklmnkoeoihofec \\Chrome Tron\r\nbocpokimicclpaiekenaeelehdjllofo \\Chrome XinPay\r\nnphplpgoakhhjchkkhmiggakijnkhfnd \\Chrome Ton\r\nnkbihfbeogaeaoehlefnkodbefgpgknn \\Chrome Metamask\r\nfhmfendgdocmcbmfikdcogofphimnkno \\Chrome Sollet\r\npocmplpaccanhmnllbbkpgfliimjljgo \\Chrome Slope\r\nmfhbebgoclkghebffdldpobeajmbecfk \\Chrome Starcoin\r\ncmndjbecilbocjfkibfbifhngkdmjgog \\Chrome Swash\r\nhttps://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/\r\nPage 24 of 26\n\ncjmkndjhnagcfbpiemnkdpomccnjblmj \\Chrome Finnie\r\ndmkamcknogkgcdfhhbddcghachkejeap \\Chrome Keplr\r\npnlfjmlcjdjgkddecgincndfgegkecke \\Chrome Cocobit\r\nfhilaheimglignddkjgofkcbgekhenbh \\Chrome Oxygen\r\njbdaocneiiinmjbjlgalhcelgbejmnid \\Chrome Nifty\r\nkpfopkelmapcoipemfendmdcghnegimn \\Chrome Liquality\r\nklfhbdnlcfcaccoakhceodhldjojboga \\Edge Auvitas\r\ndfeccadlilpndjjohbjdblepmjeahlmm \\Edge Math\r\nejbalbakoplchlghecdalmeeeajnimhm \\Edge Metamask\r\noooiblbdpdlecigodndinbpfopomaegl \\Edge MTV\r\naanjhgiamnacdfnlfnmgehjikagdbafd \\Edge Rabet\r\nbblmcdckkhkhfhhpfcchlpalebmonecp \\Edge Ronin\r\nakoiaibnepcedcplijmiamnaigbepmcb \\Edge Yoroi\r\nfbekallmnjoeggkefjkbebpineneilec \\Edge Zilpay\r\najkhoeiiokighlmdnlakpjfoobnjinie \\Edge Terra Station\r\ndmdimapfghaakeibppbfeokhgoikeoci \\Edge Jaxx\r\nStealer Module: Credit 
Cards\r\nBCGLobal\r\nCarte Blanche\r\nDiners Club\r\nDiscover\r\nInsta Payment\r\nKorean Local\r\nLaser\r\nMaestro\r\nMastercard\r\nSwitch\r\nUnion Pay\r\nVisa Master\r\nStealer Module: Miscellaneous Targets\r\nhttps://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/\r\nPage 25 of 26\n\n\\AppData\\Local\\ngrok\\ngrok.yml\r\n\\AppData\\Local\\ngrok\r\nUpdated March 15, 2024, at 3:15 p.m. PT to change Nanocore to PureCrypter in the Executive Summary. \r\nUpdated April 4, 2024, at 9:o5 a.m. to adjust the YARA rule. \r\nSource: https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/\r\nhttps://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/\r\nPage 26 of 26\n\n https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/ \nFigure 5. Advertisement for BunnyLoader 3.0 on Telegram.\n  Page 7 of 26",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/"
	],
	"report_names": [
		"analysis-of-bunnyloader-malware"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434000,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4748c08a76333b79d2a3fc116435da542fad3413.pdf",
		"text": "https://archive.orkl.eu/4748c08a76333b79d2a3fc116435da542fad3413.txt",
		"img": "https://archive.orkl.eu/4748c08a76333b79d2a3fc116435da542fad3413.jpg"
	}
}