{
	"id": "ec697979-a254-43ae-a650-94548a04f394",
	"created_at": "2026-04-06T00:14:23.642784Z",
	"updated_at": "2026-04-10T03:20:27.446482Z",
	"deleted_at": null,
	"sha1_hash": "c00c16fcb5283e4789ef6e34fe764471505d2d42",
	"title": "IBM X-Force Threat Analysis: QuirkyLoader - A new malware loader delivering infostealers and RATs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 502168,
	"plain_text": "IBM X-Force Threat Analysis: QuirkyLoader - A new malware loader delivering infostealers and RATs\r\nBy Raymond Joseph Alfonso\r\nPublished: 2025-08-19 · Archived: 2026-04-05 16:43:49 UTC\r\nSince November 2024, IBM X-Force has observed a new loader, QuirkyLoader, being used to deliver additional payloads to infected systems. Some of the well-known malware families that use QuirkyLoader include:\r\nAgent Tesla\r\nAsyncRAT\r\nFormBook\r\nMassLogger\r\nRemcos\r\nRhadamanthys\r\nSnake Keylogger\r\nThe multi-stage infection begins with an email. The threat actor uses both legitimate email service providers and a self-hosted email server to send emails with a malicious archive attached. This archive contains three key components: a legitimate executable, an encrypted payload and a malicious DLL. The actor uses DLL side-loading, a technique where launching the legitimate executable also loads the malicious DLL. This DLL, in turn, loads, decrypts and injects the final payload into its target process.\r\nNotably, X-Force observed that the threat actor consistently writes the DLL loader module in .NET languages and uses ahead-of-time (AOT) compilation. This process compiles the code into native machine code before execution, making the resulting binary appear as though it were written in C or C++.\r\nThreat type\r\nLoader\r\nAnalysis\r\nInfection chain\r\nThe QuirkyLoader infection chain begins when a user opens a malicious archive file attached to a spam email. This archive contains a legitimate executable, an encrypted payload disguised as a DLL and a DLL loader module. In some instances, the archive includes other legitimate DLLs to hide the malicious module.\r\nExecuting the legitimate .EXE file starts the infection's subsequent stages. The executable uses DLL side-loading to load the malicious DLL. This DLL then loads, decrypts and injects the final payload into a target process. It accomplishes this by performing process hollowing on one of the following processes: AddInProcess32.exe, InstallUtil.exe or aspnet_wp.exe.\r\nhttps://www.ibm.com/think/x-force/ibm-x-force-threat-analysis-quirkyloader\r\nPage 1 of 10\r\nFigure 1: Sample email\r\nFigure 2: Infection chain\r\nDLL loader module\r\nQuirkyLoader's DLL module is consistently written in C# .NET. It is compiled using Ahead-of-Time (AOT) compilation, which compiles the C# code into Microsoft Intermediate Language (MSIL) first and then compiles the MSIL into native machine code. This bypasses the traditional .NET execution model, in which the shipped binary contains MSIL and the Common Language Runtime (CLR) translates it into native code at run time. As a result, the final binary resembles a program written in C or C++.\r\nFigure 3: Compiler and language identification for a .NET AOT binary\r\nTo load the encrypted payload, the malware calls the Win32 APIs CreateFileW() and ReadFile(). It then decrypts the buffer containing the payload, typically using a block cipher.\r\nInterestingly, one variant uses the Speck-128 cipher in Counter (CTR) mode to decrypt the payload, a method not commonly used by malware. The Speck cipher works by expanding the master key into several round keys. It uses these round keys along with a nonce to generate a keystream by performing Add-Rotate-XOR (ARX) operations. Finally, the malware XORs the generated keystream against the encrypted data in 16-byte blocks to produce the decrypted payload.\r\n__int64 __fastcall SPECK_128_KeyStream(__int64 *Nonce_Lower_Half, __int64 *Nonce_Upper_Half, __int64 Round_Keys)\r\n{\r\n  __int64 result; // rax\r\n  __int64 v4; // r10\r\n\r\n  LODWORD(result) = 0;\r\n  if ( Round_Keys \u0026\u0026 *(Round_Keys + 8) \u003e= 32 )\r\n  {\r\n    do\r\n    {\r\n      *Nonce_Lower_Half = *(Round_Keys + 8LL * result + 16) ^ (*Nonce_Upper_Half + __ROL8__(*Nonce_Lower_Half, 56));\r\n      *Nonce_Upper_Half = *Nonce_Lower_Half ^ __ROL8__(*Nonce_Upper_Half, 3);\r\n      result = (result + 1);\r\n    }\r\n    while ( result \u003c 32 );\r\n  }\r\n  else\r\n  {\r\n    do\r\n    {\r\n      v4 = *Nonce_Upper_Half + __ROL8__(*Nonce_Lower_Half, 56);\r\n      if ( result \u003e= *(Round_Keys + 8) )\r\n        ERR_Mb_15();\r\n      *Nonce_Lower_Half = *(Round_Keys + 8LL * result + 16) ^ v4;\r\n      *Nonce_Upper_Half = *Nonce_Lower_Half ^ __ROL8__(*Nonce_Upper_Half, 3);\r\n      result = (result + 1);\r\n    }\r\n    while ( result \u003c 32 );\r\n  }\r\n  return result;\r\n}\r\nCode block 1: Key stream generation of Speck cipher\r\nTo evade detection by security software, the malware dynamically resolves the Win32 APIs required for process hollowing.\r\nFirst, the malware uses CreateProcessW() to launch a process in a suspended state. It then unmaps the memory of the suspended process with ZwUnmapViewOfSection() and writes its malicious payload into that memory space using ZwWriteVirtualMemory(). After performing these initializations, the malware sets the payload's starting point with SetThreadContext() and calls ResumeThread() to execute it.\r\nGetProcAddress ( 0x00007ff899380000, \"CreateProcessW\" )\r\nGetProcAddress ( 0x00007ff899380000, \"OpenProcess\" )\r\nGetProcAddress ( 0x00007ff899380000, \"TerminateProcess\" )\r\nGetProcAddress ( 0x00007ff899380000, \"CloseHandle\" )\r\nGetProcAddress ( 0x00007ff899380000, \"GetThreadContext\" )\r\nGetProcAddress ( 0x00007ff899380000, \"Wow64GetThreadContext\" )\r\nGetProcAddress ( 0x00007ff899380000, \"SetThreadContext\" )\r\nGetProcAddress ( 0x00007ff899380000, \"Wow64SetThreadContext\" )\r\nGetProcAddress ( 0x00007ff899380000, \"ResumeThread\" )\r\nGetProcAddress ( 0x00007ff899380000, \"VirtualAllocEx\" )\r\nGetProcAddress ( 0x00007ff89a6d0000, \"ZwUnmapViewOfSection\" )\r\nGetProcAddress ( 0x00007ff89a6d0000, \"ZwWriteVirtualMemory\" )\r\nGetProcAddress ( 0x00007ff899790000, \"memset\" )\r\nGetProcAddress ( 0x00007ff899380000, \"VirtualProtectEx\" )\r\nGetProcAddress ( 0x00007ff899380000, \"FlushInstructionCache\" )\r\nGetProcAddress ( 0x00007ff899380000, \"ReadProcessMemory\" )\r\nVictimology\r\nWhile information regarding the geographical distribution of QuirkyLoader's operations has been limited for the past few months, two distinct campaigns were discovered in July 2025 targeting Taiwan and Mexico. The campaign in Taiwan specifically targeted employees of Nusoft Taiwan, a network and internet security research company, and distributed the Snake Keylogger infostealer. In Mexico, the campaign randomly targeted individuals, delivering both the Remcos RAT and AsyncRAT.\r\nRelated network infrastructure\r\nIBM X-Force uncovered additional network IOCs related to the domain used to distribute the malspam emails. The investigation started with the domain catherinereynolds[.]info, which resolves to the IP address 157[.]66[.]225[.]11 and hosts a Zimbra web client. Upon closer inspection, it was found that the domain uses an SSL certificate with the common name mail[.]catherinereynolds[.]info. Pivoting from this certificate, the IPs 103[.]75[.]77[.]90 and 161[.]248[.]178[.]212 were discovered to be using the same SSL certificate. X-Force is highly confident that these additional IPs are related because they use similar ISPs, host similar services and share the same common name in their SSL certificates.\r\nFigure 4: SSL certificate of catherinereynolds[.]info\r\nConclusion\r\nQuirkyLoader is a new loader malware that is actively distributing well-known malware families like Agent Tesla, AsyncRAT and Remcos. The threat actor initiates a multi-stage infection using malicious emails containing an archive file. By leveraging DLL side-loading, the malware executes its core DLL module, which is consistently written in .NET and compiled ahead-of-time to disguise its nature. This module then decrypts and injects the final payload, demonstrating a sophisticated method for delivering various malware threats.\r\nRecommendations\r\nBlock messages with executable attachments\r\nAvoid opening unexpected emails\r\nAvoid opening files that come from untrusted sources\r\nKeep security products up-to-date and properly configured\r\nSince the final payloads are typically infostealers and remote access tools, actively monitor and inspect outbound network traffic\r\nClosely monitor the behavior of the following legitimate processes, as they are common targets for process hollowing by QuirkyLoader:\r\nAddInProcess32.exe\r\nInstallUtil.exe\r\naspnet_wp.exe\r\nIndicators of compromise\r\nIndicator Indicator Type Context\r\ncatherinereynolds[.]info Domain Domain used for malspam campaign\r\nmail[.]catherinereynolds[.]info Domain Domain used for malspam campaign\r\n157[.]66[.]22[.]11 IPv4 IP address that catherinereynolds[.]info resolves to\r\n103[.]75[.]77[.]90 IPv4 IP address related to QuirkyLoader\r\n161[.]248[.]178[.]212 IPv4 IP address related to QuirkyLoader\r\nSource: https://www.ibm.com/think/x-force/ibm-x-force-threat-analysis-quirkyloader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.ibm.com/think/x-force/ibm-x-force-threat-analysis-quirkyloader"
	],
	"report_names": [
		"ibm-x-force-threat-analysis-quirkyloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434463,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c00c16fcb5283e4789ef6e34fe764471505d2d42.pdf",
		"text": "https://archive.orkl.eu/c00c16fcb5283e4789ef6e34fe764471505d2d42.txt",
		"img": "https://archive.orkl.eu/c00c16fcb5283e4789ef6e34fe764471505d2d42.jpg"
	}
}