{
	"id": "d13e4f5f-bcf2-44dc-96da-9e80d8f1a10c",
	"created_at": "2026-04-06T00:21:06.180622Z",
	"updated_at": "2026-04-10T03:34:17.336483Z",
	"deleted_at": null,
	"sha1_hash": "7d75c18fe072403a2b67049e36f74fd06ec6b9e2",
	"title": "LESLIELOADER – Undocumented Loader Observed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2930797,
	"plain_text": "LESLIELOADER – Undocumented Loader Observed\r\nBy Marc Messer\r\nPublished: 2024-03-13 · Archived: 2026-04-05 12:53:32 UTC\r\nKey Takeaways\r\nKroll has observed a new loader for SPARKRAT malware used in ongoing campaigns.\r\nWhile SPARKRAT development has officially ceased, threat actors have unofficially continued to modify it as needed.\r\nOne of these changes is a previously undocumented loader, identified by the AES key “LeslieCheungKwok”.\r\nSummary\r\nKroll observed the use of SPARKRAT in conjunction with a previously undocumented loader written in Golang. The loader assists in the initial infection and deployment of the malicious payload, enabling SPARKRAT to execute on a system. Its purpose is to get the payload onto the target system without being detected or quarantined.\r\nThe loader achieves this by decoding and decrypting a secondary payload binary, then injecting it into a notepad.exe instance. The injection lets the malware blend with legitimate system activity, since it runs in the memory space of a legitimate application. Although detection tools can mitigate process injection, it remains a common evasion tactic.\r\nGitHub developer XZB-1248 wrote and released SPARKRAT, a Golang binary compiled for multiple platforms, as an open-source, feature-rich remote admin tool on March 18, 2022. Even though the developer abandoned the project in February 2023, intrusion investigations continue to discover modified versions of SPARKRAT. The “DRAGONSPARK” campaign, notorious for its attacks against organizations in East Asia, frequently uses this malware. SPARKRAT interprets its embedded Golang source code at runtime, which complicates analysis and static detection.\r\nA source code repository very similar to LESLIELOADER has been identified, along with instructions on how to use the loader for any payload required, originally timestamped June 7, 2022. 
Steps include generating a shellcode payload, AES-encrypting the payload, and generating the executable. The author also posted proofs of running the samples against various antivirus and sandbox tools. However, there are some key differences from LESLIELOADER. Unlike the samples observed by Kroll, this loader does not beacon out over the network, and it does not use process injection for code execution or a secondary file for the payload.\r\nhttps://www.kroll.com/en/insights/publications/cyber/leslieloader-undocumented-loader-observed\r\nPage 1 of 8\r\nFigure 1: Similar Code Repository\r\nLater forks of this repository show modified versions of the initial loader that begin to implement Base64 decoding. Continued modification of this original source code likely resulted in the version covered in this article.\r\nFigure 2: Forked Repository Showing Addition of Base64 Decoding Stage\r\nKroll has identified and triaged additional LESLIELOADER samples and observed them to carry Cobalt Strike configurations as well as other payloads, so this loader is not limited to SPARKRAT.\r\nFirst Loader Stage\r\nThe loader begins with two files, Ntmssvc.dll and RemovableStorage.dll. When Ntmssvc.dll is executed with the /runcode flag, it reads RemovableStorage.dll from C:\\Windows\\System32\\. Ntmssvc.dll contains the loader functionality, and RemovableStorage.dll holds the payload.\r\nFigure 3: RemovableStorage.dll File Read into Memory\r\nRemovableStorage.dll is not a true PE file: it does not contain the PE header structure the Windows loader needs to run it on its own. 
Instead, it serves as a payload data file that has undergone both Base64 encoding and AES 192-bit encryption. Note that the literal string LeslieCheungKwok is 16 bytes, which is the AES-128 key length; AES-192 takes a 24-byte key.\r\nNtmssvc.dll initially attempts to beacon out to 209.141.50[.]215:443. Under a debugger this beacon can be skipped by setting the instruction pointer to the storage decoding function.\r\nFigure 4: HTTP Beacon Attempt\r\nFigure 5: Jumping to the Loader Function\r\nStepping through the storage decoding function, the last 32 bytes of RemovableStorage.dll are Base64 decoded and loaded into the RDI register, with LeslieCheungKwok loaded into the RCX register. The loader then Base64 decodes RemovableStorage.dll and uses LeslieCheungKwok as the AES key to decrypt the resulting data, with the decoded 32 bytes from the end of RemovableStorage.dll serving as the IV (32 Base64 characters decode to 24 bytes, while an AES IV is 16 bytes; the article does not state how the decoded bytes are mapped onto the IV). The resulting payload contains additional Base64 encoded data.\r\nFigure 6: AES Key and IV are Loaded into Memory\r\nSecond Loader Stage\r\nStepping into the loader for this decrypted and decoded output, we continue to see Base64 decoding applied to portions of the file.\r\nFigure 7: Further Base64 Decoding\r\nInspecting this output in CyberChef, we see snippets of what appears to be shellcode.\r\nFigure 8: CyberChef Recipe and Output\r\nTo keep observing the loader’s behaviour towards the memory pages containing these payloads, we set hardware breakpoints for memory access on them. 
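As an added example (not code from the Kroll article or from the loader's author), the following Go program reverses the first-stage decoding described above and then pulls out the embedded Base64 chunks that the second stage decodes. The page says only that the body is Base64 decoded and AES decrypted with LeslieCheungKwok and an IV taken from the last 32 bytes, so the rest is assumed here: AES-CBC with PKCS#7 padding, the IV being the first 16 of the 24 bytes the trailer decodes to, and the trailer being excluded from the body before decoding. BuildSample is a constructed generator used only to produce offline test input; the shellcode stub and the "cfg:" filler in main are likewise constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Key the article reports being loaded into RCX. It is 16 bytes, so crypto/aes
// uses AES-128 with it; the article describes the cipher as AES 192-bit.
const leslieKey = "LeslieCheungKwok"

// The last 32 bytes of RemovableStorage.dll are Base64-decoded for the IV: 24 bytes,
// of which the first 16 are used here (assumption; the page does not say which).
const trailerLen = 32

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || bytes.Count(b[len(b)-n:], []byte{byte(n)}) != n {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// DecodeStorage reverses the first stage: split off the IV trailer, Base64-decode the
// body, AES-CBC-decrypt under leslieKey, strip padding. CBC and PKCS#7 are assumptions.
func DecodeStorage(file []byte) ([]byte, error) {
	if len(file) <= trailerLen {
		return nil, errors.New("file too short to hold the IV trailer")
	}
	ivRaw, err := base64.StdEncoding.DecodeString(string(file[len(file)-trailerLen:]))
	if err != nil || len(ivRaw) < aes.BlockSize {
		return nil, fmt.Errorf("iv trailer: %v (%d bytes)", err, len(ivRaw))
	}
	ct, err := base64.StdEncoding.DecodeString(string(file[:len(file)-trailerLen]))
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("body: %v (%d bytes)", err, len(ct))
	}
	block, _ := aes.NewCipher([]byte(leslieKey)) // a 16-byte key never fails here
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, ivRaw[:aes.BlockSize]).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// ExtractBase64Runs mimics the second stage, which Base64-decodes only portions of the
// decrypted file: each run of Base64 alphabet characters of at least minLen that decodes.
func ExtractBase64Runs(pt []byte, minLen int) [][]byte {
	notB64 := func(r rune) bool {
		return !(r >= 'A' && r <= 'Z' || r >= 'a' && r <= 'z' || r >= '0' && r <= '9' || r == '+' || r == '/' || r == '=')
	}
	var runs [][]byte
	for _, f := range bytes.FieldsFunc(pt, notB64) {
		if dec, err := base64.StdEncoding.DecodeString(string(f)); err == nil && len(f) >= minLen {
			runs = append(runs, dec)
		}
	}
	return runs
}

// BuildSample is the inverse of DecodeStorage under the same assumptions. It builds a
// RemovableStorage.dll-style file from constructed input; it is not the loader author's tool.
func BuildSample(stage2 []byte) []byte {
	ivRaw := make([]byte, 24) // 24 random bytes encode to exactly 32 Base64 chars
	if _, err := rand.Read(ivRaw); err != nil {
		panic(err)
	}
	block, _ := aes.NewCipher([]byte(leslieKey))
	pt := pkcs7Pad(stage2)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, ivRaw[:aes.BlockSize]).CryptBlocks(ct, pt)
	return []byte(base64.StdEncoding.EncodeToString(ct) + base64.StdEncoding.EncodeToString(ivRaw))
}

func main() {
	// Constructed stage-2 content: filler around one Base64-encoded shellcode stub.
	shellcode := bytes.Repeat([]byte{0x48, 0x31, 0xc0, 0xc3}, 16)
	file := BuildSample([]byte("cfg:" + base64.StdEncoding.EncodeToString(shellcode) + "\x00end"))
	pt, err := DecodeStorage(file)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stage 2 is %d bytes; embedded Base64 blobs: %d\n", len(pt), len(ExtractBase64Runs(pt, 32)))
}
```

To try it on a real sample, replace the BuildSample call with the bytes of RemovableStorage.dll. A "bad PKCS#7 padding" or "not block aligned" error then means the mode or IV-mapping assumption does not hold for that sample, which is the first thing to re-check against the decryption call in the debugger.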
Ultimately, we can observe the final payload for process injection, dynamically calculated to have a size of 0x83DA50 (8,641,104 bytes), in registers RCX and RDX.\r\nFigure 9: Preparing for process injection.\r\nFigure 10: Final Payload Size in RAX and RDX\r\nProcess injection into notepad.exe begins with the same payload size appearing in register r8 (the third argument register in the x64 Windows calling convention) when memory is allocated in the target process.\r\nNotepad.exe is launched as a suspended process. There are, however, additional artifacts of note within the loader referencing other processes such as calc.exe and cmd.exe. They do not appear to be used for injection in this sample, and analysis of their use is out of scope.\r\nFigure 11: Acquiring Pointer to notepad.exe\r\nOnce notepad.exe has been created as a suspended process, Ntmssvc.dll overwrites notepad.exe’s process memory to manipulate the entry point. The original entry point, before it is overwritten, is shown below:\r\nFigure 12: Original Entry Point\r\nOnce the notepad.exe entry point has been overwritten, the memory address of the SPARKRAT payload is loaded into RAX and jumped to, beginning execution of the malware.\r\nFigure 13: Modified entry point\r\nThe injected payload now executes as notepad.exe.\r\nSource: https://www.kroll.com/en/insights/publications/cyber/leslieloader-undocumented-loader-observed",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.kroll.com/en/insights/publications/cyber/leslieloader-undocumented-loader-observed"
	],
	"report_names": [
		"leslieloader-undocumented-loader-observed"
	],
	"threat_actors": [
		{
			"id": "235831df-8daf-4a88-945e-db4e7ef06ac6",
			"created_at": "2023-11-17T02:00:07.606121Z",
			"updated_at": "2026-04-10T02:00:03.458263Z",
			"deleted_at": null,
			"main_name": "DragonSpark",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonSpark",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99aa0795-8936-45db-a397-6d01131fcdcd",
			"created_at": "2023-02-18T02:04:24.085379Z",
			"updated_at": "2026-04-10T02:00:04.654299Z",
			"deleted_at": null,
			"main_name": "DragonSpark",
			"aliases": [],
			"source_name": "ETDA:DragonSpark",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"GotoHTTP",
				"SharpToken",
				"SinoChopper",
				"SparkRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434866,
	"ts_updated_at": 1775792057,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d75c18fe072403a2b67049e36f74fd06ec6b9e2.pdf",
		"text": "https://archive.orkl.eu/7d75c18fe072403a2b67049e36f74fd06ec6b9e2.txt",
		"img": "https://archive.orkl.eu/7d75c18fe072403a2b67049e36f74fd06ec6b9e2.jpg"
	}
}