{
	"id": "2863dce0-b398-4edc-91f8-a0d05a45cdd6",
	"created_at": "2026-04-06T00:17:36.726831Z",
	"updated_at": "2026-04-10T13:11:28.570063Z",
	"deleted_at": null,
	"sha1_hash": "7c81e1e44698ef36700d3bd59671c40453144038",
	"title": "Gapz and Redyms droppers based on Power Loader code",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82909,
	"plain_text": "Gapz and Redyms droppers based on Power Loader code\r\nBy Aleksandr Matrosov\r\nArchived: 2026-04-05 18:21:04 UTC\r\nMalware\r\nTechnical analysis of Power Loader, a special bot builder for making downloaders for other malware families and yet another example of specialization and modularity in malware production.\r\n19 Mar 2013  •  2 min. read\r\nPower Loader is a special bot builder for making downloaders for other malware families and yet another example of specialization and modularity in malware production. The first time Power Loader was detected was in September 2012, using the family detection name Win32/Agent.UAW. This bot builder has been used for developing Win32/Gapz droppers (Win32/Gapz: steps of evolution) since October 2012. Starting from November 2012, the malware known as Win32/Redyms (What do Win32/Redyms and TDL4 have in common?) used Power Loader components in its own dropper. The price for Power Loader in the Russian cybercrime market is around $500 for one builder kit with C\u0026C panel. (The image at the top of this post is the product logo used by the seller.)\r\nThe first version of the Power Loader builder was compiled at the beginning of September 2012. The time stamp of the compiled file is presented here:\r\nhttps://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/\r\nPage 1 of 4\r\nPower Loader uses one main C\u0026C URL and two reserve URLs. All configuration data is stored in the .cfg section of the executable file. Configuration information is stored in plain text format, not encrypted.\r\nThe bot identifier is based on the unique MachineGuid value, which is stored in the system registry, using random alphabetical symbols. This bot identifier is used to create the mutex and to identify infection status.\r\nDifferent dropper families have different export tables after unpacking the original dropper executable. The first version of the Power Loader export table looks like this:\r\nIn the first version we didn't recognize the code injection method used to bypass HIPS that is used in Gapz. But the second version of Power Loader has special markers for the code injection method, which is described at the beginning and the end of the shellcode. The export table is presented here:\r\nIn the case of Win32/Redyms the export table looks like this:\r\nThis method of injecting code into explorer.exe is used for bypassing HIPS detection and is based on a technique for injecting code into a trusted process. More details have already been published in one of my previous blog posts (Win32/Gapz: steps of evolution), and French researcher Axel Souchet published the PoC code for this technique.\r\nOne more interesting fact is that Power Loader uses the open source disassembler “Hacker Disassembler Engine” (also known as HDE) for code injection. The same engine is used by Win32/Gapz in one of the bootkit shellcode modules. This doesn't prove that the developer of Power Loader and Gapz is the same person, but it is nevertheless an interesting finding.\r\nWe continue our research and will be back soon with more interesting information.\r\nAleksandr Matrosov, Security Intelligence Team Lead\r\nSHA1 hashes for analyzed samples:\r\n Power Loader v1 (builder) - a189ee99eff919b7bead989c6ca252b656b61137\r\n Power Loader v1 (dropper) - 86f4e140d21c97d5acf9c315ef7cc2d8f11c8c94\r\n Power Loader v2 (dropper) - 7f7017621c13065ebe687f46ea149cd8c582176d\r\nSource: https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/"
	],
	"report_names": [
		"gapz-and-redyms-droppers-based-on-power-loader-code"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434656,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c81e1e44698ef36700d3bd59671c40453144038.pdf",
		"text": "https://archive.orkl.eu/7c81e1e44698ef36700d3bd59671c40453144038.txt",
		"img": "https://archive.orkl.eu/7c81e1e44698ef36700d3bd59671c40453144038.jpg"
	}
}