{
	"id": "f95dffac-6ead-4a4b-af10-3115d64f7240",
	"created_at": "2026-04-06T00:13:38.359055Z",
	"updated_at": "2026-04-10T13:13:06.64898Z",
	"deleted_at": null,
	"sha1_hash": "d42d134eb42ee28f01aca3017ccbe9c9c8bcb112",
	"title": "Tracking PrivateLoader: Malware Distribution Service",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 494653,
	"plain_text": "Tracking PrivateLoader: Malware Distribution Service\r\nWritten by André Tavares, Sr. Threat Researcher\r\nArchived: 2026-04-05 12:48:22 UTC\r\nPrivateLoader is a loader from a pay-per-install malware distribution service that has been used to distribute info stealers, banking trojans, loaders, spambots, RATs, miners and ransomware on Windows machines. First seen in early 2021, hosted on websites that claim to provide cracked software, the service lets its customers selectively deliver malware to victims based on location, financial activity, environment, and specific software installed. Bitsight's partial visibility over its botnet of infected machines suggests that it is spread worldwide, with a significant percentage of infections in India and Brazil.\r\nPrivateLoader was seen being distributed through SEO-optimized websites that claim to provide cracked software. Victims download a password-protected zip file (the password is in the file name) which contains an NSIS installer that executes many malicious payloads, including PrivateLoader. It is a multi-stage malware loader comprising at least three modules: the loader, the core, and the service.\r\nIn the first stage, the loader is executed; it downloads and executes the second stage, the core module. The core module's primary purpose is to download and execute more malware, including another PrivateLoader module named service. The service module takes care of persistence by creating a scheduled task; it not only self-updates but also downloads and executes the loader module. Figure 1 depicts the typical infection chain.\r\nhttps://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service\r\nPage 1 of 7\r\nFig. 1 - PrivateLoader infection chain.\r\nThe main purpose of PrivateLoader is to download and execute more malware. Moreover, both dynamic and static analysis (Fig. 2 and Fig. 3) suggest that the malware has additional capabilities, such as disabling Windows Defender, the discovery of user-sensitive data, and many anti-analysis techniques.\r\nFig. 2 - Automated dynamic analysis of the loader module.\r\nFig. 3 - Rule-based static analysis of the core module with CAPA.\r\nPrevious research on PrivateLoader shared a YARA rule to detect and hunt its samples based on its string decryption technique, and also a Python script to extract all of its strings, which contain valuable information when reversing the malware. Those strings can also be used for defense, hunting, and tracking purposes, since the command and control (C2) servers and other configuration values are included in them. As an example, here are all of the strings from a loader module, a core module, and a service module.\r\nCombining the mentioned sample hunting technique with previous research on how the bots communicate with their C2 servers allowed us to build a tracker that gives us visibility over what is being distributed by PrivateLoader.\r\nWe started tracking PrivateLoader in July 2022 and so far we have seen 1K+ URLs used to distribute 2K+ samples. As an example, this URL was used to distribute 4 samples of Redline malware. We have seen many URLs from Discord, VK, and Amazon CDNs, although domains and IPs are also often used.\r\nFigure 4 shows the top malware distributed by PrivateLoader this past July and August. Most of them are stealers, Redline being by far the most common, but there are also banking trojans, loaders, spambots, RATs, miners and even ransomware.\r\nFig. 4 - Top Malware Families Distributed by PrivateLoader in July and August 2022.\r\nWe were able to identify with high confidence 30 malware families being distributed by PrivateLoader. They are AgentTesla, Amadey, ArrowRAT, AsyncRAT, Azorult, Colibri, Danabot, DCRat, Eternity, Fabookie, Formbook, GCleaner, Glupteba, Gozi_ISFB, PseudoManuscrypt, Nitol, NetSupport, Nymaim, PrivateLoader, Qakbot, Raccoon, Redline, SmokeLoader, Socelars, STOP, Tofsee, Vidar, WarzoneRAT, XMRig, and YTStealer. For some of them, we only encountered a couple of samples, and so they are included in the “others” slice.\r\nRegarding the unknown samples, since this classification was done in an automated way, some samples are harder to classify programmatically; some signatures probably need to be improved, but some of them might also be new, unknown malware. By sampling and manually analyzing some of the unknown samples, we mainly identified Redline and SmokeLoader, although the Fabookie, Vidar, Raccoon, and NekoStealer families were also observed.\r\nBitsight's partial visibility over the geographical distribution of PrivateLoader in July 2022 suggests that it is spread worldwide, with a significant percentage of infections in India (21%) and Brazil (16%), as Figure 5 shows.\r\nFig. 5 - Approximation of botnet distribution in July 2022.\r\nThe data used to populate this map is sampled, so the actual geographic distribution of PrivateLoader is likely close to, but not exactly, what this map suggests.\r\n0d7692792b4907f9470d3b1bb6ce8310 - NSIS installer\r\ne8fe5a28d052a908573b49ab0a904ca4 - PrivateLoader loader module\r\n5df119a002dcaf9b7ba82acfe35e4cb1 - PrivateLoader core module\r\n45abb1bedf83daf1f2ebbac86e2fa151 - PrivateLoader service module\r\nWe are currently uploading our live PrivateLoader IoCs and dropped malware to abuse.ch:\r\n- PrivateLoader samples by YARA hunting: https://yaraify.abuse.ch/yarahub/rule/privateloader/\r\n- PrivateLoader C2 servers: https://threatfox.abuse.ch/browse/malware/win.privateloader/\r\n- Drop URLs obtained from the C2 server: https://urlhaus.abuse.ch/browse/tag/PrivateLoader/\r\n- Malware samples from drop URLs: https://bazaar.abuse.ch/user/86185858/\r\nYara rule\r\nThe following rule was tested with VirusTotal Retrohunt, which returned 1K+ samples within a one-year time period:\r\nrule win_privateloader\r\n{\r\n    meta:\r\n        author = \"andretavare5\"\r\n        description = \"Detects PrivateLoader malware.\"\r\n        org = \"Bitsight\"\r\n        date = \"2024-01-11\"\r\n        sample = \"6f7f9de3238003897f35b86caf942f088f14e88ecb1a5a1329ef5a7d421f7008\"\r\n        reference = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader\"\r\n        license = \"CC BY-NC-SA 4.0\"\r\n    strings:\r\n        $hdr = \"Content-Type: application/x-www-form-urlencoded\" wide ascii\r\n        $dom1 = \"ipinfo.io\" wide ascii\r\n        $dom2 = \"db-ip.com\" wide ascii\r\n        $dom3 = \"maxmind.com\" wide ascii\r\n        $dom4 = \"ipgeolocation.io\" wide ascii\r\n        $ua1 = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36\" wide ascii\r\n        $ua2 = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36\" wide ascii\r\n        $instr = {66 0F EF (4?|8?)} // pxor xmm(1/0) - str chunk decryption\r\n    condition:\r\n        uint16(0) == 0x5A4D and // MZ header\r\n        filesize \u003e 100KB and filesize \u003c 10MB and\r\n        $hdr and\r\n        any of ($dom*) and\r\n        any of ($ua*) and\r\n        #instr \u003e 100\r\n}\r\nhttps://github.com/bitsight-research/threat_research/blob/main/privateloader/privateloader.yara\r\nSuricata rule\r\nThe following rule was tested with a PCAP generated from a sandbox run of the loader module:\r\nalert http $HOME_NET any -\u003e $EXTERNAL_NET 80 ( msg:\"BitSight MALWARE PrivateLoader\"; flow:established,to_server; content:\"POST\";http_method; content:\"/base/api/getData.php\";http_uri; content:\"data=\";http_client_body; content:\"application/x-www-form-urlencoded\";http_header; content:\"Mozilla/5.0 (Windows NT 10.0|3B| Win64|3B| x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/\";http_user_agent; reference:url,www.bitsight.com/blog/tracking-privateloader-malware-distribution-service; sid:2008024;)\r\nhttps://github.com/bitsight-research/threat_research/blob/main/privateloader/privateloader.rules\r\nSource: https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service"
	],
	"report_names": [
		"tracking-privateloader-malware-distribution-service"
	],
	"threat_actors": [],
	"ts_created_at": 1775434418,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d42d134eb42ee28f01aca3017ccbe9c9c8bcb112.pdf",
		"text": "https://archive.orkl.eu/d42d134eb42ee28f01aca3017ccbe9c9c8bcb112.txt",
		"img": "https://archive.orkl.eu/d42d134eb42ee28f01aca3017ccbe9c9c8bcb112.jpg"
	}
}