{
	"id": "eb7631f3-dc43-4ef8-b935-8dbae5a5b785",
	"created_at": "2026-04-06T01:29:48.620554Z",
	"updated_at": "2026-04-10T03:21:27.980212Z",
	"deleted_at": null,
	"sha1_hash": "6e4b63e71d4176f08c68d484450937fd294fa943",
	"title": "NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4926374,
	"plain_text": "NetDooka Framework Distributed via PrivateLoader Malware as\r\nPart of Pay-Per-Install Service\r\nBy Aliakbar Zahravi, Leandro Froes ( words)\r\nPublished: 2022-05-05 · Archived: 2026-04-06 01:02:55 UTC\r\nMalware\r\nThis report focuses on the components and infection chain of the NetDooka framework. Its scope ranges from the\r\nrelease of the first payload up until the release of the final RAT that is protected by a kernel driver.\r\nBy: Aliakbar Zahravi, Leandro Froes May 05, 2022 Read time: 9 min (2379 words)\r\nSave to Folio\r\nWe recently encountered a fairly sophisticated malware framework that we named NetDooka after the names of\r\nsome of its components. The framework is distributed via a pay-per-install (PPI) service and contains multiple\r\nparts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that\r\nimplements its own network communication protocol. During our analysis, we discovered that NetDooka was\r\nbeing spread via the PrivateLoader malware which, once installed, starts the whole infection chain.\r\nAs previously described by Intel471, the PrivateLoader malware is a downloader responsible for downloading and\r\ninstalling multiple malware into the infected system as part of the PPI service. Due to the way the PPI service\r\nworks, the exact payloads that would be installed might differ depending on the malware version. Some of the\r\nknown malware families that are reportedly being distributed via PPI services include SmokeLoader, RedLine, and\r\nAnubis.\r\nThis report focuses on the components and infection chain of the NetDooka framework. 
Its scope ranges from the\r\nrelease of the first payload, which drops a loader that creates a new virtual desktop to execute an antivirus software\r\nuninstaller and interact with it by emulating the mouse and pointer position — a necessary step to complete the\r\nuninstallation process and prepare the environment for executing other components — up until the release of the\r\nfinal RAT that is protected by a kernel driver.\r\nHowever, while we describe all the different features we found, NetDooka’s features might still vary depending on\r\nthe malware version since it is still in its development phase.\r\nAttack overview \r\nhttps://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html\r\nPage 1 of 25\n\nFigure 1. Infection chain of the attack\r\nThe infection starts when a user inadvertently downloads PrivateLoader, usually through pirated software\r\ndownloads (as mentioned in the Intel471 report), followed by the installation of the first NetDooka malware, a\r\ndropper component that is responsible for decrypting and executing the loader component.\r\nThe loader then performs certain checks to ensure that it is not running in a virtual environment, after which it\r\ndownloads another malware from the remote server. It might also install a kernel driver for future use.\r\nThe downloaded malware is another dropper component that is executed by the loader. This dropper is responsible\r\nfor decrypting and executing the final payload, a full-featured RAT containing multiple capabilities such as starting\r\na remote shell, grabbing browser data, taking screenshots, and gathering system information. It might also start the\r\ninstalled kernel driver component to protect the dropped payload.\r\nLoader analysis\r\nFigure 2. 
NetDookaLoader flow chart\r\nUpon execution, the loader will deobfuscate strings, such as the command-and-control (C\u0026C) server address, and\r\ncheck for the command-line arguments that were passed. The malware accepts multiple arguments that indicate\r\nwhat action should be taken.\r\nArgument Function\r\n001 Uninstalls Avira programs\r\n004 Uninstalls Viper programs\r\n006 Uninstalls Total 360 programs\r\n007 Uninstalls ESET programs\r\n008 Uninstalls GData programs\r\nembedded Downloads the dropper component and renames it to reloadbitex.exe\r\ncorrect Blocks antivirus vendor domains, installs the driver, and deletes the loader\r\n\u003cNo ARG\u003e Downloads the dropper component, executes itself using the “embedded” and “correct”\r\narguments and creates a scheduled task for downloaded NetDookaDropper\r\nTable 1. Command-line arguments and their functions\r\nFigure 3. NetDookaLoader argument’s check\r\nIf no parameter is passed to the loader, it executes a function called “DetectAV()” that queries the registry to\r\nautomatically identify the antivirus products available in order to uninstall them. The malware does this by\r\ncreating a new virtual desktop using CreateDesktopA, which is used as a workspace for launching the proper\r\nbinary uninstaller program. This is accomplished through the use of CreateProcessA with the “create_no_window”\r\nflag, as well as through the emulation of human interactions such as controlling the mouse to complete the\r\nuninstallation process. Each antivirus uninstaller function has its own removal technique based on the uninstallation\r\nprocess. Figure 4 shows an example of the GData antivirus removal.\r\nFigure 4. 
Uninstalling an antivirus program\r\nThe loader then creates a working directory in %ProgramFiles%, such as \"ReservHardwareUpdater\" or\r\n\"ExMultimediaStorage\" (note that the directory name could differ between samples), to keep a copy of itself\r\nand other files, such as the next-stage payload. After that, the malware executes the copy of itself with an\r\nembedded/delected argument.\r\nIn some variants, the loader downloads the next stage's payload twice: once when the malware runs with no\r\nparameters (this binary, such as \"rsvr_updldr.exe\", never runs) and once when the loader executes a copy of itself\r\nwith an embedded/deletced parameter (this binary later executes via a scheduled task).\r\nFigure 5. NetDookaLoader downloading the next stage of the attack via bitsadmin.exe\r\nFigure 6. Self-execution with “embedded” argument\r\nThe “embedded” argument is responsible for downloading the dropper component and saving it as\r\n“%ProgramFiles%\\ReservHardwareUpdater\\reloadbitex.exe”.\r\nThe loader component executes itself again using the “correct” argument. Once this is done, it blocks antivirus\r\nvendor domains by modifying the hosts file, redirecting their domains to the “0.0.0.0” address, and deletes itself using\r\nthe following command:\r\nFigure 7. Blocking antivirus domains\r\nIn some variants of the malware, the loader installs a driver to act as a kernel-mode protection for the final payload\r\n(RAT component). 
It accomplishes this by registering as a mini-filter driver and setting callback functions to\r\nprotect the malware against file deletion and process termination.\r\nThe driver binary is Base64-encoded within the loader and, once decoded, has its content written to the\r\n“C:\\Program Files\\SolidTechnology\\protdrv.sys” file. Although the loader creates a service to install the driver, it\r\ndoes not start it. Instead, the driver start task is performed by the dropper component.\r\nFigure 8. Driver installer function\r\nAt the end, the loader creates the following scheduled task for the downloaded dropper:\r\nFigure 9. Create a scheduled task function\r\nDropper analysis\r\nWe discovered two different dropper components involved in the NetDooka attack chain: One is installed by the\r\nPrivateLoader that drops the NetDooka loader, while the other one drops the final RAT payload.\r\nThe dropper component is a small .NET binary responsible for decrypting and executing a payload it has\r\nembedded. The malware starts by reading its own file content and looking for a specific byte sequence (in the\r\nsample we analyzed, this was “\\x11\\x42\\x91\\x50\\x7F\\xB4\\x6C\\xAA\\x75\\x5E\\x8D”) to get the bytes next to it.\r\nThe payload decryption is achieved by performing an XOR operation in the decrypted payload that uses a single-byte key and subtracts the index value from the final value for each decryption loop iteration. The key is resolved\r\nby creating a prime number list of a specific size and iterating through it. 
For each iteration, the SHA-256 hash of\r\nthe current list element is generated and the first byte of the hash result is then added to a single-byte variable, with\r\nthe final sum being the XOR key.\r\nFigure 10. The decryption routine used by NetDookaDropper\r\nOnce decrypted, the payload content is written to a file in the %Temp% directory and then executed via a new\r\nprocess. Note that both the location and the file name might be different depending on the malware version.\r\nFigure 11. The decrypted payload being executed\r\nAlthough the malware has multiple versions exhibiting some differences in behavior such as the XOR key and\r\nbyte sequence being searched, the dropper’s goal is still the same for all NetDooka’s versions we found: Execute\r\nan embedded payload within it. To automate the dropped payload extraction, we developed a Python script that can\r\nbe downloaded here.\r\nAs mentioned in the loader analysis section, some versions of the dropper component are responsible for starting\r\nthe driver component service. It’s important to mention that the dropper version that contains the driver start step\r\n(performed before the final payload decryption and execution) is the one containing the final payload.\r\nFigure 12. The dropper starting the driver component\r\nDriver analysis\r\nThe driver component acts as a kernel-level protection for the RAT component. It does this by attempting to\r\nprevent the file deletion and process termination of the RAT component. 
The driver registers itself as a mini-filter\r\ndriver to intercept I/O requests to the file system and set process callback functions to protect the RAT process.\r\nDuring our analysis, we noticed that the driver based its process protection implementation on the Microsoft driver\r\nexample implementation and its file deletion protection on an open source project named “Prevent_File_Deletion.”\r\nFigure 13. General view of the driver features\r\nThe driver registers as a mini-filter driver and starts filtering by using both the FltRegisterFilter and FltStartFiltering\r\nfunctions. File systems are typical targets for I/O operations in order to access files. A file system filter is a\r\nmechanism that a driver can use to intercept calls destined to the file system. A file system mini-filter is a model\r\ncreated to replace the Windows legacy file system filter mechanism, possessing the advantage of being easier to\r\nwrite — making it the preferred method of developing file system-filtering drivers.\r\nWhen a mini-filter driver is registered, it can set callback functions to be executed before (PreOperation) and after\r\n(PostOperation) I/O requests. For the file deletion protection, the malware registers a PreOperation callback\r\nfunction during the filter registration to intercept I/O requests of specific types to the file system. In this case, the\r\nmalware intercepts file deletion operations.\r\nOnce a file deletion operation is requested, the callback function is called, and the driver checks if the destination\r\nfile has the name “ougdwieue.exe” (name of the final RAT payload). If so, it changes the permissions of the\r\nrequest to prevent the target file from being deleted.\r\nFigure 14. 
RAT file name being checked and access being denied\r\nThe process protection is achieved by setting a process notification callback routine via the\r\nPsSetCreateProcessNotifyRoutine function, which would be called every time a new process is created. When the\r\ncallback is executed, the malware looks for the string “ougdwieue.exe” in the process command line to determine\r\nwhether or not the process is the expected target.\r\nFigure 15. The process command line being checked\r\nThe driver also sets another callback routine via ObRegisterCallbacks to check for process operations being\r\nperformed that involve a process handle creation or duplication.\r\nWith these two callbacks in place when a process is created, the driver can check if the process being created is in\r\nfact the RAT process and the operation being performed is either a process handle creation or duplication. If so, the\r\ndriver changes the access permission to avoid applications that try to obtain a handle to the target process and\r\nterminate it.\r\nFigure 16. Process creation callback routine.\r\nFigure 17. Access to the process handle being modified\r\nRAT analysis\r\nThe final payload is a RAT that accepts commands from a remote server to execute a variety of functions such as\r\nexecuting shell commands, performing distributed denial-of-service (DDoS) attacks, downloading and executing\r\nfiles, logging keystrokes on the infected machine, and performing remote desktop operations. Figure 18 shows the\r\nlist of its functions.\r\nFigure 18. 
NetDookaRAT functions\r\nUpon execution, the malware employs various system checks to detect and avoid analysis environments.\r\nFigure 19. Analysis environment evasion\r\nThe malware creates a mutex named “3f0d73e2-4b8e-4539-90fd-812330bb39c8” to mark its presence on the\r\nsystem. In case it finds the same mutex in the system, it exits.\r\nBefore C\u0026C communication, NetDooka generates a 16-byte random session and stores it in a file named\r\n“config.cfg”.\r\nFigure 20. Initializing and configuring the C\u0026C server\r\nFigure 21. The session ID generator\r\nIt then initializes its network communication components and contacts its C\u0026C server to register the victims and\r\nretrieve commands.\r\nFigure 22. C\u0026C communication\r\nNetDookaRAT uses a custom protocol to communicate with the C\u0026C server using the format shown in Figure 23.\r\nFigure 23. The packet structure used in C\u0026C communications\r\nEach response splits into the header and data stream. The header stream contains the request type, the size and\r\noptions of the data to be sent while the data stream contains the return value of the specific function. 
Table 2 shows\r\na list of type values and their corresponding functions.\r\nType in decimal Type in hex Function\r\n400 0x190 Exfiltrate system information\r\n1000 0x3E8 Send session ID\r\n10 0x0A Send message\r\n8 0x08 Reverse shell\r\n16 0x10 DDoS attack\r\n19 0x13 Send file\r\n5 0x05 Download file\r\n20 0x14 Copy browser data\r\n9 0x09 Copy browser data\r\n18 0x12 Start HVNC\r\n15 0x0F Send log\r\n14 0x0E Microphone capture\r\n17 0x11 Start virtual network computing (VNC)\r\n13 0x0D Capture webcam\r\nTable 2. The type values and their corresponding functions\r\nThe code snippets in Figure 24 demonstrate how the malware constructs and sends the request shown in Table 2.\r\nFigure 24. Packet creation for requests\r\nThe malware then starts to listen for incoming TCP connections to receive commands. It then parses the received\r\ncommands to execute them on the infected machine. Figure 25 shows the commands supported by the malware\r\nwhile the code snippet in Figure 26 demonstrates how the malware performs these commands.\r\nFigure 25. RAT commands and capabilities\r\nFigure 26. Code snippet of the RAT commands\r\nConclusion\r\nPPI malware services allow malware creators to easily deploy their payloads. The use of a malicious driver creates\r\na large attack surface for attackers to exploit, while also allowing them to take advantage of approaches such as\r\nprotecting processes and files, bypassing antivirus programs, and hiding the malware or its network\r\ncommunications from the system, among others. 
Furthermore, with the RAT payload properly installed, malicious\r\nactors can perform actions such as stealing several critical information from the infected systems, gaining remote\r\ncontrol access to the system, and creating botnet networks. Finally, NetDooka’s capabilities allow it to act as an\r\nentry point for other malware.\r\nA list of indicators in text format can be viewed here.\r\nIndicators of Compromise (IOCs)\r\nSource: https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html"
	],
	"report_names": [
		"netdooka-framework-distributed-via-privateloader-ppi.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775438988,
	"ts_updated_at": 1775791287,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e4b63e71d4176f08c68d484450937fd294fa943.pdf",
		"text": "https://archive.orkl.eu/6e4b63e71d4176f08c68d484450937fd294fa943.txt",
		"img": "https://archive.orkl.eu/6e4b63e71d4176f08c68d484450937fd294fa943.jpg"
	}
}