{
	"id": "20de1d9c-e8ea-48f9-b685-2505d56e7c23",
	"created_at": "2026-04-06T00:11:11.47703Z",
	"updated_at": "2026-04-10T13:13:04.740185Z",
	"deleted_at": null,
	"sha1_hash": "7dca4c6da8ca351fd25f9ce42c5272ef5e46a13d",
	"title": "Multistage Loader used to spread AZORult and NanoCore | blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5089439,
	"plain_text": "Multistage Loader used to spread AZORult and NanoCore | blog\r\nBy Sudeep Singh\r\nPublished: 2020-04-15 · Archived: 2026-04-05 16:33:40 UTC\r\nIn March 2020, ThreatLabz observed several Microsoft Office PowerPoint files being used in the wild by a threat\r\nactor to spread AZORult and NanoCore RAT. The malicious files in this campaign used an interesting payload\r\ndelivery method that distinguishes them from the common malware delivery methods observed on a daily basis. The\r\ninfection chain is modular, with multiple stages involved before the final payload is executed on the machine.\r\nSince the last week of March 2020, we observed a few changes in the encoding method and the macro code used\r\nin the loader, which we will also describe in this blog.\r\nThis campaign is active in the wild at the time of this writing.\r\nWe provide a technical description of the infection chain and the unique indicators found in the files, which we\r\nused to categorize the loader with a specific name. We also used the unique delivery method used in this\r\ncampaign, along with other attributes, to correlate this threat actor to the Aggah campaign, which was documented\r\nin April 2019 by Unit 42.\r\nThe older instances of the campaign in 2019 were used to spread the Revenge RAT. In the new instances, we have\r\nobserved a few changes in the campaign in addition to the type of final payload delivered.\r\nEmail delivery method\r\nThe malware delivery method in this campaign involves sending Microsoft Office PowerPoint files as attachments\r\nto the users. An example of the email is shown in Figure 1.\r\nhttps://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat\r\nPage 1 of 17\n\nFigure 1: An email targeting users in Indonesia.\r\nFigure 2 shows two more email samples that show the threat actor targeting users in South Korea.\r\nFigure 2: An email targeting South Korean users with an analysis report theme.\r\nFigure 3: An email targeting South Korean users with a business proposal theme.\r\nBased on the analysis of the email content and email headers, we concluded that this threat actor has been actively\r\ntargeting users in the Asian subcontinent, specifically South Korea and Indonesia. The content of the emails\r\nvaries from business proposals to product price negotiations.\r\nTechnical analysis of the multistage loader\r\nWe will take a Microsoft Office PowerPoint file as an example to demonstrate the infection chain and the various\r\nsteps involved in it.\r\nThe MD5 hash for this is: 0b0b570451b699d96c70ebf400628caa.\r\nMacro-based downloader [Stage 1]\r\nThe PowerPoint file contains a macro that leverages mshta to download the next stage payload from Pastebin.\r\nAuto_Close() in the macro ensures that the malicious code is executed only when the file is closed.\r\nAll the instances we observed in March 2020 were using j.mp as the shortened URL service to download the next\r\nstage payload.\r\nThe relevant macro code is shown in Figure 4.\r\nFigure 4: The macro code in the Microsoft Office file used to download the next stage.\r\nThe shortened URL redirects to the Pastebin URL: hxxps://pastebin[.]com/raw/rsbLNHJg, which contains the\r\nencoded next stage. We can see in Figure 5 that this Pastebin account belongs to the username LUNLAYLOO.\r\nFigure 5: The encoded content of the next stage hosted on Pastebin.\r\nFigure 6 shows a screenshot of the Pastebin account hosting this content. All the content hosted by this user on\r\nPastebin is set to private.\r\nFigure 6: All the pastes under the username Lunlayloo on Pastebin are set to private.\r\nAmong all the samples we analyzed in this campaign, the Pastebin accounts that were used to host the multiple\r\nstages belonged only to three individuals (listed below) and they were re-used across all the samples.\r\nlunlayloo\r\nredcobalt\r\ngogga7\r\nJavaScript loader [Stage 2]\r\nThe macro downloads an encoded VBScript from Pastebin as shown in Figure 7.\r\nFigure 7: The obfuscated JavaScript downloaded by the macro.\r\nThe encoding method used was consistent across all the samples we observed in March 2020. In the newer\r\nvariants seen in the wild, we observed a few changes in the encoding method, which we will describe later in this\r\nblog.\r\nThe URL-encoded text was decoded using the unescape() function.\r\nThe decoded script is a VBScript as shown in Figure 8.\r\nFigure 8: The decoded VBScript used to download the next stage and start the infection chain.\r\nThe main operations performed at this stage are:\r\n1. It creates a scheduled task with the name Pornhub. This task leverages mshta to download the next stage\r\npayload from Pastebin as well. We observed the scheduled task name set to Pornhub in all the samples used\r\nin this campaign, which is another indicator we used to correlate the samples.\r\n2. The same command that was scheduled in step 1 is also immediately executed to start the infection chain.\r\n3. It creates the following three Windows registry keys for persistence (used for the backup plan as the name\r\nindicates) to ensure that the infection chain begins once the machine is restarted.\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\BACKup2\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\BACKup3\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\\r\nThe fact that this VBScript ensures that a scheduled task is created and three backup Windows Registry keys are\r\ncreated for persistence indicates that the attacker took extra measures to ensure that the infection chain starts on\r\nthe machine.\r\nVBScript leverages PowerShell [Stage 3]\r\nIn Stage 3, another encoded VBScript is fetched from Pastebin as shown below.\r\nFigure 9: The encoded VBScript downloaded in Stage 3.\r\nThis VBScript, once decoded, looks as shown in Figure 10.\r\nFigure 10: The VBScript uses PowerShell to load .NET assemblies.\r\nAs we can see in the decoded VBScript, it leverages PowerShell to continue the infection chain.\r\nBelow are the main operations performed by the PowerShell command line:\r\n1. Set the TLS version to 1.2 by setting SecurityProtocolType to 3072.\r\n2. Download a Base64 encoded blob from Pastebin. This Base64 encoded blob decodes to another\r\nPowerShell script as shown in Figure 11. The script is executed by calling IEX (Invoke Execution). We\r\nwill describe this script in more detail later.\r\nFigure 11: The PowerShell code that is used to decompress the .NET loader.\r\nIt then downloads another payload from Pastebin. This payload contains the hex representation of the binary code\r\nwith the characters “K_E” instead of “0x” as shown in Figure 12. By performing a simple replace operation, this\r\npayload is passed as a byte array to the function: [Givara]::FreeDom(). We will refer to this payload as payload2.\r\nFigure 12: The encoded malicious binary downloaded from Pastebin.\r\nThe MD5 hash of the payload is: 60221d709e0ad65bb23bd00a3977c55d\r\nThis corresponds to the AZORult Delphi binary file. We will not be describing the functionality of this binary in\r\ndetail in this blog since it is a well-known infostealer. The strings are available in plain text and the screenshot in\r\nFigure 13 shows the strings corresponding to information it steals (Skype, Telegram, Steam, cryptocurrencies,\r\nPidgin and others).\r\nFigure 13: The Unicode strings in the binary file that correspond to the information stolen.\r\nAcross all the samples we observed in this campaign, the final payload varied between AZORult and NanoCore\r\ninfostealer binaries.\r\nWe observed that the function name [Givara]::FreeDom() in the loader was consistent across all the samples.\r\nThe function name appears to be a reference to Che Guevara, who is remembered as a freedom fighter by many.\r\nPowerShell starts the FreeDom loader [Stage 4]\r\nLet's take a look at the PowerShell script, which was downloaded in step 2 of stage 3. This PowerShell script\r\ncontains a GZip compressed .NET binary, which will be decompressed and stored in the\r\nvariable $decompressedByteArray.\r\nStage 3 will reference the variable $decompressedByteArray to load it as a .NET assembly using the\r\nmethod [System.Reflection.Assembly]::Load().\r\nThe MD5 hash of the loader is: c726636d2b7f8c838f7f882071181c95.\r\nThe method [Givara]::FreeDom() is defined in the .NET loader and it is used to load the infostealer malicious\r\nbinary (in this case, AZORult).\r\nSo the payload execution is triggered using the following syntax:\r\nGuevara_Loader. [Givara]::FreeDom(‘notepad.exe’, infostealer_binary)\r\nHere, Guevara_Loader refers to the .NET binary used to load and inject the final infostealer binary in the\r\nnotepad.exe process.\r\nIt is important to note that there were no changes made to the loader binary by the threat actor throughout the\r\ncampaign.\r\nFreeDom .NET loader analysis\r\nThe .NET loader binary is protected using the Confuser Ex 1.0.0 obfuscator.\r\nOn VirusTotal, the first instance of the loader was observed on January 16, 2020.\r\nAfter removing the Confuser Ex 1.0.0 protection, we can decompile the binary successfully.\r\nThe [Givara]::FreeDom function, which is passed the string notepad.exe and the AZORult binary, is shown in\r\nFigure 14.\r\nFigure 14: This is the main function of the FreeDom loader.\r\nThe parameters for the FreeDom function are as follows:\r\nFTONJ – A string called notepad.exe\r\nCoco – The byte array corresponding to the AZORult binary\r\nThe HeHe class checks for the presence of notepad.exe in different system paths on the machine. Once it locates\r\nthe file, it passes that to the tickleme() function along with the AZORult byte array as shown in Figure 15.\r\nFigure 15: It checks for the presence of notepad.exe and injects the AZORult binary into it.\r\nThe tickleme() function, in turn, calls a function called FUN(), which is responsible for starting a new instance of\r\nthe notepad.exe process and injecting the AZORult binary into it using the process hollowing method.\r\nMacro code changes in new variants\r\nThe newer variants in this campaign updated the encoding method and the macro used.\r\nAs an example, let us look at a macro-based PowerPoint file with MD5 hash:\r\n7db36d502e4a1d35873c8a0c51bafbbf\r\nThe newer variant of the macro is as shown in Figure 16.\r\nFigure 16: The macro code in the new variant.\r\nIn this new variant, the macro creates a Windows persistence key in the location:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\ and adds the command line to leverage mshta to\r\ndownload the malicious next stage payload.\r\nAs a result, the infection chain does not start unless the machine is rebooted.\r\nAlso, we observed the macro using the bit.ly URL shortening link directly instead of the j.mp URL shortening link\r\nobserved in the previous variant.\r\nEncoding changes in the new variant\r\nThe other key change we observed in the new variant is in the script encoding used for each stage. In the previous\r\nvariant, the encoding method was simple because it just involved URL encoding and the unescape() function was\r\ncalled to decode it.\r\nAn example of the new encoding method is as shown in Figure 17.\r\nFigure 17: The JavaScript code using a new encoding method for multiple stages.\r\nThis method calls eval() two times. The first eval() call corresponds to the JavaScript function, which is\r\nresponsible for XOR decryption. The second eval() call corresponds to executing the script decrypted by the first\r\neval() call.\r\nThe XOR decryption stub is as shown in Figure 18.\r\nFigure 18: The XOR decryption script.\r\nChanges in the final payload\r\nThe final payload downloaded in the newer variants is a NanoCore RAT, unlike the AZORult or Revenge RAT\r\nobserved in previous instances of the campaign. In this specific example, the MD5 hash of the NanoCore payload\r\nis: 35de5c352023db9d406a835ef7f318e5.\r\nWe mention briefly how the NanoCore RAT is encrypted here.\r\nThe .NET assembly contains a bitmap image in the resource section as shown in Figure 19.\r\nFigure 19: The bitmap resource inside the .NET binary.\r\nThe bitmap image is accessed from the resource with the name “WinForms.Library.Properties.Resources”. The\r\nencrypted .NET assembly is extracted from the pixels of the bitmap image. This encrypted assembly is decrypted\r\nusing an XOR decryption routine and finally loaded using the Assembly.Load() method.\r\nThe relevant code sections are shown in Figure 20.\r\nFigure 20: Extracting, decrypting and loading the .NET assembly.\r\nThe next stage .NET assembly is a loader that is used to decrypt the final .NET assembly, which is injected into\r\nanother process and executed.\r\nFigure 21 shows the configuration of the next stage .NET assembly.\r\nFigure 21: The main configuration of the .NET loader.\r\nThe final payload is encrypted and stored inside a resource with the name “OSkRTM8”. This payload is decrypted\r\nas shown in Figure 22.\r\nFigure 22: Payload decryption.\r\nThis decrypted payload is injected as shown in Figure 23.\r\nFigure 23: The code injection invocation.\r\nThe MD5 hash of the injected payload is: 7679fec5f6bf7206635b96efa52d1d07.\r\nBelow are relevant strings from the binary which indicate it is NanoCore.\r\n00000000FEF5   000000411CF5      0   NanoCore Client\r\n00000000FF05   000000411D05      0   NanoCore Client.exe\r\nAnd the configuration used by this instance of the NanoCore RAT is shown in Figure 24.\r\nFigure 24: The NanoCore RAT configuration file.\r\nThe C\u0026C server is listening on port 54932 at the IP address 216.170.114.4.\r\nCloud Sandbox detection\r\nFigure 25 shows the Zscaler Cloud Sandbox successfully detecting this PowerPoint-based threat.\r\nFigure 25: Zscaler Cloud Sandbox detection.\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at\r\nvarious levels.\r\nWin32.PWS.Azorult\r\nWin32.Backdoor.Nanocore\r\nWin32.Backdoor.RevengeRAT\r\nConclusion\r\nThis threat actor combines multiple stages in the infection chain to make detection difficult over the network. The\r\ntactics, techniques and procedures (TTPs) used by this threat actor are also evolving with time.\r\nAs an extra precaution, users should not enable macros for Microsoft Office files that are received from untrusted\r\nsources since these macros have the capability to run malicious code on your machine.\r\nThe Zscaler ThreatLabZ team will continue to monitor this campaign, as well as others, to help keep our\r\ncustomers safe.\r\nIndicators of compromise\r\nPowerPoint files, old variant\r\nf934dc6b441789365d5aa641bbf8ef3f\r\n0b0b570451b699d96c70ebf400628caa\r\nb825645e1132c77550d14503974c9ea2\r\n89e3d26cdc862e47d6c7d665135e28d6\r\ndc01e01fea24cf2f2a208d62e219889b\r\n16ac16400e2f1f125664b62c16be9c88\r\n4cfea775333d107ec43d621aa4c9968b\r\n4d299bee18901eb48929f3b493f65699\r\ncd425ac433c6fa5b79eecbdd385740ab\r\nPowerPoint files, new variant\r\nbbe077e2cd3c321427a16557d26a3438\r\ncc53f0a1a256678ba7d79aa475128d9c\r\n7db36d502e4a1d35873c8a0c51bafbbf\r\n13ae5088ae7e5ac1335a573d52befabc\r\n7083ee8cabbf500a3b286b8027f8f9fe\r\n2d3b0a3369e7a33b5c3e3115d7fa5a58\r\n9f8db1103850e43681ea79cec06e13c7\r\n56b4f3bc5b500d4120b55ff3dcaf1cc9\r\n5d926bae6c76e8b86192c205c49cd195\r\nf35b21cf37fbdae346858b490a0f230a\r\nNetwork IOCs\r\n23.247.102[.]10/manabotnet/index.php\r\n23.81.246[.]150/manabotnet-stryka/index.php\r\nwon2020.duckdns[.]org:3090\r\n216.170.114[.]4: 54392\r\nPastebin users\r\nhttps://pastebin[.]com/u/lunlayloo\r\nhttps://pastebin[.]com/u/redcobalt\r\nhttps://pastebin[.]com/u/gogga7\r\nSource: https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat"
	],
	"report_names": [
		"multistage-freedom-loader-used-spread-azorult-and-nanocore-rat"
	],
	"threat_actors": [
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434271,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7dca4c6da8ca351fd25f9ce42c5272ef5e46a13d.pdf",
		"text": "https://archive.orkl.eu/7dca4c6da8ca351fd25f9ce42c5272ef5e46a13d.txt",
		"img": "https://archive.orkl.eu/7dca4c6da8ca351fd25f9ce42c5272ef5e46a13d.jpg"
	}
}