{
	"id": "c0cadf02-190d-4a25-b286-10833b8349db",
	"created_at": "2026-04-06T00:10:06.488244Z",
	"updated_at": "2026-04-10T03:22:11.007734Z",
	"deleted_at": null,
	"sha1_hash": "d6397926793d16394d5527aedaf4954283e88b81",
	"title": "Private Malware for Sale: A Closer Look at AresLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 217101,
	"plain_text": "Private Malware for Sale: A Closer Look at AresLoader\r\nBy Flashpoint Intel Team\r\nPublished: 2023-03-06 · Archived: 2026-04-05 15:04:42 UTC\r\nA new private loader for sale\r\nIn December 2022, a private loader named “AresLoader” was advertised for sale on the top-tier Russian-language\r\nhacking forum XSS by a threat actor going by the name “DarkBLUP”. The seller claimed that they were selling\r\naccess to the malware for $300 per month and were only issuing ten licenses at a time.\r\nAccording to DarkBLUP, AresLoader is designed to camouflage itself as legitimate software while covertly\r\ndownloading harmful payloads. The sales ad also revealed that AresLoader operates through a single command\r\nand control (C2) panel that receives logs, and customers can create user accounts for the panel.\r\nSales thread posted to XSS by DarkBLUP. (Source: Flashpoint)\r\nThe AresLoader sellers have also set up a Telegram channel to facilitate discussions related to the bot. The IP\r\naddress of the C2 server indicates that it belongs to an autonomous system number (ASN) registered to the\r\nbulletproof hosting provider Partner LLC.\r\nHow AresLoader works\r\nFlashpoint analysts have evaluated a sample build of AresLoader and confirmed that it performs the advertised\r\nfunctions.\r\nhttps://flashpoint.io/blog/private-malware-for-sale-aresloader/\r\nPage 1 of 3\n\nAresLoader downloader function calls. (Source: Flashpoint)\r\nOnce dropped on the system, it scrapes the victim device’s IP address and time zone, generates a UUID for the\r\ninfected system, and beacons out to the C2 server with a POST request. This beacon includes the scraped data\r\nmentioned above as well as campaign identifiers such as an ‘owner_token.’\r\nAfter registering the loader on the C2 server, the loader downloads the expected legitimate file specified during\r\nthe build’s creation. It executes that file and downloads the additional harmful payloads. The downloaded files are\r\nsaved in a folder and then executed. AresLoader then creates a Registry AutoRun key to obtain and retain\r\nunauthorized access to the victim’s environment.\r\nIt is worth noting that the “owner_token” field identifies the AresLoader customer to whom the build belongs.\r\nSome customer tokens might be linked to threat actor accounts that were active in various illicit communities\r\ncollected by Flashpoint over the past two months.\r\nAresLoader panel and server\r\nThe AresLoader panel is managed and hosted by the malware seller, and it appears that all AresLoader builds\r\ncommunicate with a single server.\r\nAresLoader login landing page. (Source: Flashpoint)\r\nThis server’s IP address has been detected as the recipient of communication consistent with AresLoader’s\r\ncommand and control (C2) functions. Additionally, a file that resembles an AresLoader build has also been\r\nobserved communicating with this IP address.\r\nWhat security teams can learn from ASNs\r\nThe IP address used by AresLoader’s server belongs to the autonomous system number (ASN) AS204603 and is\r\nregistered as Partner LLC. Note that the use of “LLC” in the ASN name does not necessarily indicate the company\r\nis a registered LLC; it may be part of the name. This ASN exhibits several traits characteristic of bulletproof\r\nhosting providers.\r\nBulletproof hosting providers are similar to standard hosting providers but cater to threat actors who seek to host\r\nmalicious infrastructure without fear of the servers being taken down due to abuse policies.\r\nIdentifying bulletproof hosting provider ASNs can be useful to security researchers and organizations with the\r\nability to block IP ranges. These ASNs’ announced IP ranges are highly unlikely to host legitimate services,\r\nmaking them valuable in identifying malicious infrastructure or preventing malicious activity proactively.\r\nPartner LLC also hosts the “Shark” stealer panel, indicating that the ASN supports other malicious infrastructure\r\nbesides AresLoader. Additionally, another Partner LLC IP hosts securespend[.]org, a phishing site masquerading\r\nas securespend[.]com.\r\nShodan result for Shark Stealer Panel. (Source: Shodan)\r\nProtect your organization’s critical infrastructure with Flashpoint\r\nFlashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate\r\ncyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat\r\nintelligence, get started with a free Flashpoint trial.\r\nSource: https://flashpoint.io/blog/private-malware-for-sale-aresloader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://flashpoint.io/blog/private-malware-for-sale-aresloader/"
	],
	"report_names": [
		"private-malware-for-sale-aresloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434206,
	"ts_updated_at": 1775791331,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6397926793d16394d5527aedaf4954283e88b81.pdf",
		"text": "https://archive.orkl.eu/d6397926793d16394d5527aedaf4954283e88b81.txt",
		"img": "https://archive.orkl.eu/d6397926793d16394d5527aedaf4954283e88b81.jpg"
	}
}