{
	"id": "24bdb19c-7d58-4bd2-8100-f653caa3f925",
	"created_at": "2026-04-06T00:13:57.942385Z",
	"updated_at": "2026-04-10T13:11:27.047594Z",
	"deleted_at": null,
	"sha1_hash": "c62a661c88a0684c962d1afe40ac1106828ecfe9",
	"title": "Identifying PrivateLoader Network Threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7389768,
	"plain_text": "Identifying PrivateLoader Network Threats\r\nBy Sam Lister\r\nPublished: 2022-07-26 · Archived: 2026-04-05 20:00:09 UTC\r\nInstead of delivering their malicious payloads themselves, threat actors can pay certain cybercriminals (known as pay-per-install (PPI) providers) to deliver their payloads for them. Since January 2022, Darktrace’s SOC has observed several cases of PPI providers delivering their clients’ payloads using a modular malware downloader known as ‘PrivateLoader’.\r\nThis blog will explore how these PPI providers installed PrivateLoader onto systems and outline the steps which the infected PrivateLoader bots took to install further malicious payloads. The details provided here are intended to give insight into the operations of PrivateLoader and to assist security teams in identifying PrivateLoader bots within their own networks.\r\nThreat Summary\r\nBetween January and June 2022, Darktrace identified the following sequence of network behaviours within the environments of several Darktrace clients. Patterns of activity involving these steps are paradigmatic examples of PrivateLoader activity:\r\n1. A victim’s device is redirected to a page which instructs them to download a password-protected archive file from a file storage service, typically the Discord Content Delivery Network (CDN)\r\n2. The device contacts a file storage service (typically Discord CDN) via SSL connections\r\n3. The device either contacts Pastebin via SSL connections, makes an HTTP GET request with the URI string ‘/server.txt’ or ‘/server_p.txt’ to 45.144.225[.]57, or makes an HTTP GET request with the URI string ‘/proxies.txt’ to 212.193.30[.]45\r\n4. The device makes an HTTP GET request with the URI string ‘/base/api/statistics.php’ to either 212.193.30[.]21, 85.202.169[.]116, 2.56.56[.]126 or 2.56.59[.]42\r\n5. The device contacts a file storage service (typically Discord CDN) via SSL connections\r\n6. 
The device makes an HTTP POST request with the URI string ‘/base/api/getData.php’ to either 212.193.30[.]21, 85.202.169[.]116, 2.56.56[.]126 or 2.56.59[.]42\r\n7. The device finally downloads malicious payloads from a variety of endpoints\r\nThe PPI Business\r\nBefore exploring PrivateLoader in more detail, the pay-per-install (PPI) business should be contextualized. This consists of two parties:\r\nhttps://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise\r\nPage 1 of 24\n\n1. PPI clients - actors who want their malicious payloads to be installed onto a large number of target systems. PPI clients are typically entry-level threat actors who seek to widely distribute commodity malware [1]\r\n2. PPI providers - actors whom PPI clients can pay to install their malicious payloads\r\nAs the smugglers of the cybercriminal world, PPI providers typically advertise their malware delivery services on underground web forums. In some cases, PPI services can even be accessed via Clearnet websites such as InstallBest and InstallShop [2] (Figure 1).\r\nFigure 1: A snapshot of the InstallBest PPI login page [2]\r\nTo utilize a PPI provider’s service, a PPI client must typically specify:\r\n(A) the URLs of the payloads which they want to be installed\r\n(B) the number of systems onto which they want their payloads to be installed\r\n(C) their geographical targeting preferences.\r\nPayment, of course, is also required. To fulfil their clients’ requests, PPI providers typically make use of downloaders - malware which instructs the devices on which it is running to download and execute further payloads. PPI providers seek to install their downloaders onto as many systems as possible. Follow-on payloads are usually determined by system information garnered and relayed back to the PPI providers’ command and control (C2) infrastructure. 
PPI providers may disseminate their downloaders themselves, or they may outsource the dissemination to third parties called ‘affiliates’ [3].\r\nBack in May 2021, Intel 471 researchers became aware of PPI providers using a novel downloader (dubbed ‘PrivateLoader’) to conduct their operations. Since Intel 471’s public disclosure of the downloader in February 2022 [4], several other threat research teams, such as the Walmart Cyber Intel Team [5], Zscaler ThreatLabz [6], and Trend Micro Research [7], have provided valuable insights into the downloader’s behaviour.\r\nAnatomy of a PrivateLoader Infection\r\nThe PrivateLoader downloader, which is written in C++, was originally monolithic (i.e. consisting of only one module). At some point, however, the downloader became modular (i.e. consisting of multiple modules). The modules communicate via HTTP and employ various anti-analysis methods. PrivateLoader currently consists of the following three modules [8]:\r\nThe loader module: Instructs the system on which it is running to retrieve the IP address of the main C2 server and to download and execute the PrivateLoader core module\r\nThe core module: Instructs the system on which it is running to send system information to the main C2 server, to download and execute further malicious payloads, and to relay information regarding installed payloads back to the main C2 server\r\nThe service module: Instructs the system on which it is running to keep the PrivateLoader modules running\r\nKill Chain Deep-Dive\r\nThe chain of activity starts with the user’s browser being redirected to a webpage which instructs them to download a password-protected archive file from a file storage service such as Discord CDN. Discord is a popular VoIP and instant messaging service, and Discord CDN is the service’s CDN infrastructure. 
In several cases, the webpages to which users’ browsers were redirected were hosted on ‘hero-files[.]com’ (Figure 2), ‘qd-files[.]com’, and ‘pu-file[.]com’ (Figure 3).\r\nFigure 2: An image of a page hosted on hero-files[.]com - an endpoint which Darktrace observed systems contacting before downloading PrivateLoader from Discord CDN\r\nFigure 3: An image of a page hosted on pu-file[.]com - an endpoint which Darktrace observed systems contacting before downloading PrivateLoader from Discord CDN\r\nOn attempting to download cracked/pirated software, users’ browsers were typically redirected to download instruction pages. In one case, however, a user’s device showed signs of being infected with the malicious Chrome extension ChromeBack [9] immediately before it contacted a webpage providing download instructions (Figure 4). This may suggest that cracked software downloads are not the only cause of users’ browsers being redirected to these download instruction pages (Figure 5).\r\nFigure 4: The event log for this device (taken from the Darktrace Threat Visualiser interface) shows that the device contacted endpoints associated with ChromeBack ('freychang[.]fun') prior to visiting a page ('qd-file[.]com') which instructed the device’s user to download an archive file from Discord CDN\r\nFigure 5: An image of the website 'crackright[.]com' - a provider of cracked software. 
Systems which attempted to download software from this website were subsequently led to pages providing instructions to download a password-protected archive from Discord CDN\r\nAfter users’ devices were redirected to pages instructing them to download a password-protected archive, they subsequently contacted cdn.discordapp[.]com over SSL. The archive files which users downloaded over these SSL connections likely contained the PrivateLoader loader module. Immediately after contacting the file storage endpoint, users’ devices were observed either contacting Pastebin over SSL, making an HTTP GET request with the URI string ‘/server.txt’ or ‘/server_p.txt’ to 45.144.225[.]57, or making an HTTP GET request with the URI string ‘/proxies.txt’ to 212.193.30[.]45 (Figure 6).\r\nDistinctive user-agent strings, such as those containing question marks (e.g. ‘????ll’) and strings referencing outdated Chrome browser versions, were consistently seen in these HTTP requests. The following Chrome user agent was repeatedly observed: ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36’.\r\nIn some cases, devices also displayed signs of infection with other strains of malware, such as the RedLine infostealer and the BeamWinHTTP malware downloader. This may suggest that the password-protected archives embedded several payloads.\r\nFigure 6: This figure, obtained from Darktrace's Advanced Search interface, represents the post-infection behaviour displayed by a PrivateLoader bot. 
After visiting hero-files[.]com and downloading the PrivateLoader loader module from Discord CDN, the device can be seen making HTTP GET requests for ‘/proxies.txt’ and ‘/server.txt’ and contacting pastebin[.]com\r\nIt seems that PrivateLoader bots contact Pastebin, 45.144.225[.]57, and 212.193.30[.]45 in order to retrieve the IP address of PrivateLoader’s main C2 server - the server which provides PrivateLoader bots with payload URLs. This technique used by the operators of PrivateLoader closely mirrors the well-known espionage tactic known as the ‘dead drop’.\r\nThe dead drop is a method of espionage tradecraft in which an individual leaves a physical object such as papers, cash, or weapons in an agreed hiding spot so that the intended recipient can retrieve the object later on without having to come into contact with the source. When threat actors host information about core C2 infrastructure on intermediary endpoints, the hosted information is analogously called a ‘Dead Drop Resolver’ or ‘DDR’. Example URLs of DDRs used by PrivateLoader:\r\nhttps://pastebin[.]com/...\r\nhttp://212.193.30[.]45/proxies.txt\r\nhttp://45.144.225[.]57/server.txt\r\nhttp://45.144.225[.]57/server_p.txt\r\nThe ‘proxies.txt’ DDR hosted on 212.193.30[.]45 contains a list of 132 IP address / port pairs. The 119th line of this list includes a scrambled version of the IP address of PrivateLoader’s main C2 server (Figures 7 \u0026 8). Prior to June, it seems that the main C2 IP address was ‘212.193.30[.]21’; however, the IP address appears to have recently changed to ‘85.202.169[.]116’. In a limited set of cases, Darktrace also observed PrivateLoader bots retrieving payload URLs from 2.56.56[.]126 and 2.56.59[.]42 (rather than from 212.193.30[.]21 or 85.202.169[.]116). 
These IP addresses may be hardcoded secondary C2 addresses which PrivateLoader bots use in cases where they are unable to retrieve the primary C2 address from Pastebin, 212.193.30[.]45 or 45.144.225[.]57 [10].\r\nFigure 7: Before June, the 119th entry of the ‘proxies.txt’ file lists '30.212.21.193' - a scrambling of the ‘212.193.30[.]21’ main C2 IP address\r\nFigure 8: Since June, the 119th entry of the ‘proxies.txt’ file lists '169.85.116.202' - a scrambling of the '85.202.169[.]116' main C2 IP address\r\nOnce PrivateLoader bots had retrieved C2 information from either Pastebin, 45.144.225[.]57, or 212.193.30[.]45, they went on to make HTTP GET requests for ‘/base/api/statistics.php’ to either 212.193.30[.]21, 85.202.169[.]116, 2.56.56[.]126, or 2.56.59[.]42 (Figure 9). The server responded to these requests with an XOR-encrypted string. The strings were encrypted using a 1-byte key [11], such as 0x1D (00011101 in binary) (Figure 10). Decrypting the string revealed a URL for a BMP file hosted on Discord CDN, such as ‘hxxps://cdn.discordapp[.]com/attachments/978284851323088960/986671030670078012/PL_Client.bmp’. These encrypted URLs appear to be file download paths for the PrivateLoader core module.\r\nFigure 9: HTTP response from server to an HTTP GET request for '/base/api/statistics.php'\r\nFigure 10: XOR decrypting the string with the one-byte key 00011101 outputs a URL in CyberChef\r\nAfter PrivateLoader bots retrieved the ‘cdn.discordapp[.]com’ URL from 212.193.30[.]21, 85.202.169[.]116, 2.56.56[.]126, or 2.56.59[.]42, they immediately contacted Discord CDN via SSL connections in order to obtain the PrivateLoader core module. 
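The two decoding steps just described can be scripted. The following is an added example written for this page, not code from the Darktrace post or from PrivateLoader itself: it reads the 119th line of a proxies.txt body and reverses the octet shuffle, and it recovers the core-module URL from a statistics.php response by brute-forcing the single-byte XOR key (the plaintext is a URL, so only the key that yields a leading ‘http’ followed by printable ASCII is accepted). The octet permutation is inferred from the two pairs shown in Figures 7 and 8 (the real address is the second, fourth, first and third octet of the scrambled one); that it holds for other samples is an assumption, as are the constructed proxies.txt body and the constructed example URL used as the response body.

```python
'''Added example (not code from the Darktrace post): recover the two pieces of
C2 information described above from the dead-drop and statistics.php
artefacts. Sample inputs are constructed here; the octet permutation is
inferred from the two scrambled/real pairs shown in Figures 7 and 8.'''
import ipaddress
import re

# Scrambled -> real pairs as shown in Figures 7 and 8 of the post.
KNOWN_PAIRS = {
    '30.212.21.193': '212.193.30.21',
    '169.85.116.202': '85.202.169.116',
}

# Both pairs fit the same reordering: real = s[1].s[3].s[0].s[2].
# Assumption: the same fixed permutation is used in other samples.
DESCRAMBLE_ORDER = (1, 3, 0, 2)


def descramble_ip(scrambled):
    '''Undo the octet shuffle applied to the C2 address in proxies.txt.'''
    octets = scrambled.split('.')
    if len(octets) != 4:
        raise ValueError('not a dotted quad: %r' % scrambled)
    real = '.'.join(octets[i] for i in DESCRAMBLE_ORDER)
    ipaddress.IPv4Address(real)  # raises ValueError if an octet is out of range
    return real


def c2_from_proxies_txt(text, line_no=119):
    '''Pull the main C2 address out of a proxies.txt body (1-based line, ip:port).'''
    lines = text.splitlines()
    if len(lines) < line_no:
        raise ValueError('proxies.txt has only %d lines' % len(lines))
    host = lines[line_no - 1].split(':', 1)[0].strip()
    return descramble_ip(host)


# A decoded statistics.php response is a URL: printable ASCII, no whitespace, http(s) scheme.
URL_RE = re.compile(rb'^https?://[!-~]+$')


def xor_bytes(data, key):
    '''XOR every byte of data with the single-byte key.'''
    return bytes(b ^ key for b in data)


def recover_xor_url(blob):
    '''Brute-force the 1-byte key. Only one key can map the first byte to the
    letter h, so the plausible-URL check picks it out uniquely.
    Returns (key, url) or None when no key yields a URL.'''
    for key in range(256):
        plain = xor_bytes(blob, key)
        if URL_RE.match(plain):
            return key, plain.decode('ascii')
    return None


# --- constructed sample inputs -------------------------------------------
# 132 filler proxy lines with the scrambled C2 address at line 119, as in Figure 7.
SAMPLE_PROXIES_TXT = chr(10).join(
    '30.212.21.193:80' if n == 119 else '10.0.%d.%d:8080' % (n // 256, n % 256)
    for n in range(1, 133)
)

# Stand-in for the Figure 9 response body: a constructed URL XORed with 0x1D (00011101).
SAMPLE_KEY = 0x1D
SAMPLE_URL = b'https://cdn.example.invalid/attachments/1234567890/PL_Client.bmp'
SAMPLE_RESPONSE = xor_bytes(SAMPLE_URL, SAMPLE_KEY)


def demo():
    '''Run both decoders over the constructed samples.'''
    c2 = c2_from_proxies_txt(SAMPLE_PROXIES_TXT)
    key, url = recover_xor_url(SAMPLE_RESPONSE)
    return {'c2': c2, 'key': key, 'core_module_url': url}


if __name__ == '__main__':
    print(demo())
```

In a live investigation, replace SAMPLE_RESPONSE with the raw body captured in Figure 9. If recover_xor_url returns None, the response is either not a bare URL or is no longer a single-byte XOR, which is itself worth recording given how readily the operators change such surface features.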
Execution of this module resulted in the bots making HTTP POST requests (with the URI string ‘/base/api/getData.php’) to the main C2 address (Figures 11 \u0026 12). Both the data which the PrivateLoader bots sent over these HTTP POST requests and the data returned via the C2 server’s HTTP responses were encrypted and integrity-protected using a combination of password-based key derivation, base64 encoding, AES encryption, and HMAC validation [12].\r\nFigure 11: The above image, taken from Darktrace's Advanced Search interface, shows a PrivateLoader bot carrying out the following steps: contact ‘hero-files[.]com’ --\u003e contact ‘cdn.discordapp[.]com’ --\u003e retrieve ‘/proxies.txt’ from 212.193.30[.]45 --\u003e retrieve ‘/base/api/statistics.php’ from 212.193.30[.]21 --\u003e contact ‘cdn.discordapp[.]com’ --\u003e make HTTP POST request with the URI ‘/base/api/getData.php’ to 212.193.30[.]21\r\nFigure 12: A PCAP of the data sent via the HTTP POST (in red), and the data returned by the C2 endpoint (in blue)\r\nThese ‘/base/api/getData.php’ POST requests contain a command, a campaign name and a JSON object. The response may either contain a simple status message (such as “success”) or a JSON object containing URLs of payloads. After making these HTTP connections, PrivateLoader bots were observed downloading and executing large volumes of payloads (Figure 13), ranging from crypto-miners to infostealers (such as Mars stealer), and even other malware downloaders (such as SmokeLoader). In some cases, bots were also seen downloading files with ‘.bmp’ extensions, such as ‘Service.bmp’, ‘Cube_WW14.bmp’, and ‘NiceProcessX64.bmp’, from 45.144.225[.]57 - the same DDR endpoint from which PrivateLoader bots retrieved main C2 information. These ‘.bmp’ payloads are likely related to the PrivateLoader service module [13]. 
Certain bots made follow-up HTTP POST requests (with the URI string ‘/service/communication.php’) to either 212.193.30[.]21 or 85.202.169[.]116, indicating the presence of the PrivateLoader service module, which has the purpose of establishing persistence on the device (Figure 14).\r\nFigure 13: The above image, taken from Darktrace's Advanced Search interface, outlines the plethora of malware payloads downloaded by a PrivateLoader bot after it made an HTTP POST request to the ‘/base/api/getData.php’ endpoint. The PrivateLoader service module is highlighted in red\r\nFigure 14: The event log for a PrivateLoader bot, obtained from the Threat Visualiser interface, shows a device making HTTP POST requests to ‘/service/communication.php’ and connecting to the NanoPool mining pool, indicating successful execution of downloaded payloads\r\nIn several observed cases, PrivateLoader bots downloaded another malware downloader called ‘SmokeLoader’ (payloads named ‘toolspab2.exe’ and ‘toolspab3.exe’) from “Privacy Tools” endpoints [14], such as ‘privacy-tools-for-you-802[.]com’ and ‘privacy-tools-for-you-783[.]com’. These “Privacy Tools” domains are likely impersonation attempts of the legitimate ‘privacytools[.]io’ website - a website run by volunteers who advocate for data privacy [15].\r\nAfter downloading and executing malicious payloads, PrivateLoader bots were typically seen contacting crypto-mining pools, such as NanoPool, and making HTTP POST requests to external hosts associated with SmokeLoader, such as hosts named ‘host-data-coin-11[.]com’ and ‘file-coin-host-12[.]com’ [16]. In one case, a PrivateLoader bot went on to exfiltrate data over HTTP to an external host named ‘cheapf[.]link’, which was registered on the 14th March 2022 [17]. 
The name of the file which the PrivateLoader bot used to exfiltrate data was ‘NOP8QIMGV3W47Y.zip’, indicating information-stealing activity by Mars Stealer (Figure 15) [18]. By saving the HTTP stream as raw data and using a hex editor to remove the HTTP header portion, the hex data of the ZIP file was obtained. Saving the hex data with a ‘.zip’ extension and extracting the contents, a file directory consisting of system information and Chrome and Edge browsers’ Autofill data in cleartext .txt files could be seen (Figure 16).\r\nFigure 15: A PCAP of a PrivateLoader bot’s HTTP POST request to cheapf[.]link, with data sent by the bot appearing to include Chrome and Edge autofill data, as well as system information\r\nFigure 16: File directory structure and files of the ZIP archive\r\nWhen left unattended, PrivateLoader bots continued to contact C2 infrastructure in order to relay details of executed payloads and to retrieve URLs of further payloads.\r\nFigure 17: Timeline of the attack\r\nDarktrace Coverage\r\nMost of the incidents surveyed for this article belonged to prospective customers who were trialling Darktrace with RESPOND in passive mode, and thus without the ability for autonomous intervention. However, in all observed cases, Darktrace DETECT was able to provide visibility into the actions taken by PrivateLoader bots. 
In one case, despite the infected bot being disconnected from the client’s network, Darktrace was still able to provide visibility into the device’s network behaviour due to the client’s usage of Darktrace/Endpoint.\r\nIf a system within an organization’s network becomes infected with PrivateLoader, it will display a range of anomalous network behaviours before it downloads and executes malicious payloads. For example, it will contact Pastebin or make HTTP requests with new and unusual user-agent strings to rare external endpoints. These network behaviours will generate some of the following alerts on the Darktrace UI:\r\nCompliance / Pastebin\r\nDevice / New User Agent and New IP\r\nDevice / New User Agent\r\nDevice / Three or More New User Agents\r\nAnomalous Connection / New User Agent to IP Without Hostname\r\nAnomalous Connection / POST to PHP on New External Host\r\nAnomalous Connection / Posting HTTP to IP Without Hostname\r\nOnce the infected host obtains URLs for malware payloads from a C2 endpoint, it will likely start to download and execute large volumes of malicious files. These file downloads will usually cause Darktrace to generate some of the following alerts:\r\nAnomalous File / EXE from Rare External Location\r\nAnomalous File / Numeric Exe Download\r\nAnomalous File / Masqueraded File Transfer\r\nAnomalous File / Multiple EXE from Rare External Locations\r\nDevice / Initial Breach Chain Compromise\r\nIf RESPOND is deployed in active mode, Darktrace will be able to autonomously block the download of additional malware payloads onto the target machine and the subsequent beaconing or crypto-mining activities through network inhibitors such as ‘Block matching connections’, ‘Enforce pattern of life’ and ‘Block all outgoing traffic’. The ‘Enforce pattern of life’ action results in a device only being able to make connections and data transfers which Darktrace considers normal for that device. 
The ‘Block all outgoing traffic’ action will cause all traffic originating from the device to be blocked. If the customer has Darktrace’s Proactive Threat Notification (PTN) service, then a breach of an Enhanced Monitoring model such as ‘Device / Initial Breach Chain Compromise’ will result in a Darktrace SOC analyst proactively notifying the customer of the suspicious activity.\r\nBelow is a list of Darktrace RESPOND (Antigena) models which would be expected to breach due to PrivateLoader activity. Such models can seriously hamper attempts made by PrivateLoader bots to download malicious payloads.\r\nAntigena / Network / External Threat / Antigena Suspicious File Block\r\nAntigena / Network / Significant Anomaly / Antigena Controlled and Model Breach\r\nAntigena / Network / External Threat / Antigena File then New Outbound Block\r\nAntigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block\r\nAntigena / Network / Significant Anomaly / Antigena Breaches Over Time Block\r\nIn one observed case, the infected bot began to download malicious payloads within one minute of becoming infected with PrivateLoader. Since RESPOND was correctly configured, it was able to immediately intervene by autonomously enforcing the device’s pattern of life for 2 hours and blocking all of the device’s outgoing traffic for 10 minutes (Figure 18). When malware moves at such a fast pace, the availability of autonomous response technology, which can respond immediately to detected threats, is key for the prevention of further damage. 
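The alerts listed above are model names from one product; the chain in the Threat Summary can also be expressed directly as detection logic that is independent of any vendor. The following added example (written for this page, not code from the Darktrace post) runs a stage-ordered matcher over constructed Zeek-style HTTP and TLS records, keying on the dead-drop hosts, the URI paths and the order of the requests rather than on the C2 IP addresses, which the post notes have already changed once. The record format, the sample records, the one-hour window and the substring checks for the odd user agents are assumptions made for the example.

```python
'''Added example (not code from the Darktrace post): a sequence detector for
the PrivateLoader network chain listed in the Threat Summary, run over
constructed, Zeek-style log records. It keys on the URI paths, the dead-drop
hosts and the order of the steps rather than on the C2 IP addresses, which
the post notes have changed over time.'''
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    src: str
    proto: str    # 'ssl' (host = TLS SNI) or 'http' (host = Host header or dst IP)
    host: str
    method: str   # '-' for ssl
    uri: str      # '-' for ssl
    ua: str       # user agent, '-' for ssl


def parse_line(line):
    '''Parse one record in the assumed format ts|src|proto|host|method|uri|user-agent.'''
    ts, src, proto, host, method, uri, ua = (f.strip() for f in line.split('|', 6))
    return Event(datetime.fromisoformat(ts.replace('Z', '+00:00')), src, proto, host, method, uri, ua)


DEAD_DROP_URIS = {'/server.txt', '/server_p.txt', '/proxies.txt'}


def is_discord_cdn(e):
    return e.proto == 'ssl' and e.host == 'cdn.discordapp.com'


def is_dead_drop(e):
    '''Pastebin over TLS, or a GET for one of the dead-drop text files.'''
    if e.proto == 'ssl':
        return e.host == 'pastebin.com' or e.host.endswith('.pastebin.com')
    return e.method == 'GET' and e.uri in DEAD_DROP_URIS


# Steps 2 to 6 of the Threat Summary, in the order they must occur.
STAGES = [
    ('archive_from_discord_cdn', is_discord_cdn),
    ('dead_drop_resolve', is_dead_drop),
    ('c2_statistics', lambda e: e.method == 'GET' and e.uri == '/base/api/statistics.php'),
    ('core_module_from_discord_cdn', is_discord_cdn),
    ('c2_getdata', lambda e: e.method == 'POST' and e.uri == '/base/api/getData.php'),
]

# User-agent traits quoted in the post (substring checks, so no regex escaping needed).
SUSPICIOUS_UA_MARKERS = ('????', 'Chrome/74.0.3729.169')


def detect(lines, window_minutes=60, min_stages=3):
    '''Track each source host through STAGES and report hosts that reached at
    least min_stages within the window. Many hosts legitimately talk to Discord
    CDN, so the default min_stages of 3 requires the statistics.php request
    before anything is reported.'''
    window = timedelta(minutes=window_minutes)
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e.ts)
    state = {}
    for e in events:
        st = state.setdefault(e.src, {'idx': 0, 'first': None, 'last': None, 'ua': set()})
        # A partial chain older than the window is discarded so that unrelated
        # Discord traffic hours earlier cannot seed a match.
        if st['first'] is not None and st['idx'] < len(STAGES) and e.ts - st['first'] > window:
            st.update(idx=0, first=None, last=None)
        if e.proto == 'http' and any(m in e.ua for m in SUSPICIOUS_UA_MARKERS):
            st['ua'].add(e.ua)
        if st['idx'] < len(STAGES) and STAGES[st['idx']][1](e):
            if st['first'] is None:
                st['first'] = e.ts
            st['last'] = e.ts
            st['idx'] += 1
    alerts = {}
    for src, st in state.items():
        if st['idx'] >= min_stages:
            alerts[src] = {
                'stages': [name for name, _ in STAGES[:st['idx']]],
                'confirmed': st['idx'] == len(STAGES),
                'first_seen': st['first'],
                'last_seen': st['last'],
                'suspicious_user_agents': sorted(st['ua']),
            }
    return alerts


# --- constructed sample records (hosts and paths taken from the post) ------
CHROME_74_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36'
SAMPLE_LOG_LINES = [
    # 10.1.2.3 runs the full chain
    '2022-06-14T10:00:00Z|10.1.2.3|ssl|hero-files.com|-|-|-',
    '2022-06-14T10:00:05Z|10.1.2.3|ssl|cdn.discordapp.com|-|-|-',
    '2022-06-14T10:01:10Z|10.1.2.3|http|212.193.30.45|GET|/proxies.txt|????ll',
    '2022-06-14T10:01:12Z|10.1.2.3|http|212.193.30.21|GET|/base/api/statistics.php|' + CHROME_74_UA,
    '2022-06-14T10:01:20Z|10.1.2.3|ssl|cdn.discordapp.com|-|-|-',
    '2022-06-14T10:01:25Z|10.1.2.3|http|212.193.30.21|POST|/base/api/getData.php|????ll',
    # 10.1.2.4 is ordinary Discord use with no follow-on C2 traffic
    '2022-06-14T10:02:00Z|10.1.2.4|ssl|cdn.discordapp.com|-|-|-',
    '2022-06-14T10:03:00Z|10.1.2.4|ssl|discord.com|-|-|-',
    # 10.1.2.5 visits Pastebin hours after a Discord download and never reaches statistics.php
    '2022-06-14T07:00:00Z|10.1.2.5|ssl|cdn.discordapp.com|-|-|-',
    '2022-06-14T10:04:00Z|10.1.2.5|ssl|pastebin.com|-|-|-',
]

if __name__ == '__main__':
    for src, alert in detect(SAMPLE_LOG_LINES).items():
        print(src, 'confirmed' if alert['confirmed'] else 'probable', alert['stages'])
```

The matcher deliberately does not check the destination IP of the statistics.php and getData.php requests: those addresses are the cheapest thing for the operators to rotate, whereas the PHP paths, the dead-drop retrieval and the Discord-then-C2 ordering are the behaviour that the post found stable across the infections it surveyed. Lowering min_stages trades the Discord false-positive rate for earlier warning.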
\r\nFigure 18: The event log for a Darktrace RESPOND (Antigena) model breach shows Darktrace RESPOND performing inhibitive actions once the PrivateLoader bot begins to download payloads\r\nConclusion\r\nBy investigating PrivateLoader infections over the past couple of months, Darktrace has observed PrivateLoader operators making changes to the downloader’s main C2 IP address and to the user-agent strings which the downloader uses in its C2 communications. It is relatively easy for the operators of PrivateLoader to change these superficial network-based features of the malware in order to evade detection [19]. However, once a system becomes infected with PrivateLoader, it will inevitably start to display anomalous patterns of network behaviour characteristic of the Tactics, Techniques and Procedures (TTPs) discussed in this blog.\r\nThroughout 2022, Darktrace observed overlapping patterns of network activity within the environments of several customers, which reveal the archetypal steps of a PrivateLoader infection. Despite the changes made to PrivateLoader’s network-based features, Darktrace’s Self-Learning AI was able to continually identify infected bots, detecting every stage of an infection without relying on known indicators of compromise. 
When configured, RESPOND was able to immediately respond to such infections, preventing further advancement in the cyber kill chain and ultimately preventing the delivery of floods of payloads onto infected devices.\r\nIoCs\r\nMITRE ATT\u0026CK Techniques Observed\r\nReferences\r\n[1], [8], [13] https://www.youtube.com/watch?v=Ldp7eESQotM\r\n[2] https://news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/\r\n[3] https://www.researchgate.net/publication/228873118_Measuring_Pay-per-Install_The_Commoditization_of_Malware_Distribution\r\n[4], [15] https://intel471.com/blog/privateloader-malware\r\n[5] https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e\r\n[6], [10], [11], [12] https://www.zscaler.com/blogs/security-research/peeking-privateloader\r\n[7] https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html\r\n[9] https://www.gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/\r\n[14] https://www.proofpoint.com/us/blog/threat-insight/malware-masquerades-privacy-tool\r\n[16] https://asec.ahnlab.com/en/30513/
\r\n[17] https://twitter.com/0xrb/status/1515956690642161669\r\n[18] https://isc.sans.edu/forums/diary/Arkei+Variants+From+Vidar+to+Mars+Stealer/28468\r\n[19] http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html\r\nSource: https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise"
	],
	"report_names": [
		"privateloader-network-based-indicators-of-compromise"
	],
	"threat_actors": [],
	"ts_created_at": 1775434437,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c62a661c88a0684c962d1afe40ac1106828ecfe9.pdf",
		"text": "https://archive.orkl.eu/c62a661c88a0684c962d1afe40ac1106828ecfe9.txt",
		"img": "https://archive.orkl.eu/c62a661c88a0684c962d1afe40ac1106828ecfe9.jpg"
	}
}