{
	"id": "b511c3c9-1d7f-4688-a8ee-e3705c089816",
	"created_at": "2026-04-10T03:21:46.965908Z",
	"updated_at": "2026-04-10T13:11:25.647386Z",
	"deleted_at": null,
	"sha1_hash": "d89a49b6e870526cd09e736def322d72fe043f8a",
	"title": "Peeking into PrivateLoader | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 406789,
	"plain_text": "Peeking into PrivateLoader | Zscaler\r\nBy Dennis Schwarz, Brett Stone-Gross\r\nPublished: 2022-04-28 · Archived: 2026-04-10 03:18:44 UTC\r\nKey Points\r\nPrivateLoader is a downloader malware family that was first identified in early 2021\r\nThe loader’s primary purpose is to download and execute additional malware as part of a pay-per-install (PPI)\r\nmalware distribution service\r\nPrivateLoader is used by multiple threat actors to distribute ransomware, information stealers, banking trojans,\r\ndownloaders, and other commodity malware\r\nPrivateLoader is a downloader malware family whose primary purpose is to download and execute additional malware.\r\nIntel 471 and Walmart reported on PrivateLoader’s pay-per-install (PPI) service that distributes malware on behalf of other\r\nthreat actors. The malware payloads can be selectively delivered to victims based on certain criteria (e.g. location,\r\ncryptocurrency or financial activity, presence on a corporate network, specific software installed, etc.). As previously reported, some\r\nof the payloads being distributed include Redline Stealer, Vidar Stealer, SmokeLoader, Stop ransomware, and other\r\ncommodity malware.\r\nThe PrivateLoader malware is written in the C++ programming language, and based on the existence of multiple versions\r\nit seems to be in active development. The name “PrivateLoader” comes from debugging strings that can be found in some\r\nversions of the malware, for example:\r\nC:\\Users\\Young Hefner\\Desktop\\PrivateLoader\\PL_Client\\PL_Client\\json.h\r\nPrivateLoader is modularized into a loader component and a main component.\r\nAnti-Analysis Techniques\r\nBoth the loader and main components of PrivateLoader make use of similar anti-analysis techniques. 
These anti-analysis\r\ntechniques include obfuscating integer constants with various mathematical operations as shown in Figure 1.\r\nFigure 1: Example of a PrivateLoader obfuscated integer constant.\r\nMost of the malware’s important strings are stored as encrypted stack strings where each string is decoded with its own\r\nXOR key as shown in Figure 2. A listing of PrivateLoader’s decrypted strings for the loader component can be found here\r\nand the main component’s decrypted strings can be found here.\r\nhttps://www.zscaler.com/blogs/security-research/peeking-privateloader\r\nPage 1 of 9\n\nFigure 2: Example of a PrivateLoader encrypted stack string.\r\nMost of the important Windows DLL and API names used by PrivateLoader are also stored as encrypted stack strings.\r\nAfter decryption, PrivateLoader dynamically resolves the API functions at runtime. Finally, PrivateLoader adds junk code\r\nto obfuscate the program’s logic and control flow.\r\nLoader Component\r\nThe PrivateLoader loader component contains three dead drop resolver URLs hardcoded in the malware that communicate\r\nvia an HTTP GET request. An example of PrivateLoader’s dead drop resolvers is the following:\r\nhxxp://45.144.225[.]57/server.txt\r\nhxxps://pastebin[.]com/raw/A7dSG1te\r\nhxxp://wfsdragon[.]ru/api/setStats.php\r\nThe purpose of these resolvers is to retrieve PrivateLoader’s command and control (C2) address. The first two dead drop\r\nresolver URLs return a plaintext response, while the third dead drop resolver returns a response that is XOR encrypted\r\nwith a one-byte key (e.g., 0x6d). PrivateLoader expects the (decrypted) response to be in the format HOST:. An example\r\ndead drop resolver response is the following:\r\nHOST:212.193.30[.]21\r\nIf PrivateLoader is unable to retrieve the primary C2 address via the dead drop resolvers, there is a secondary C2 address\r\n(2.56.59[.]42) stored in the malware. 
The C2 address obtained from the dead drop resolver (or the hardcoded C2 address)\r\nis combined with the path /base/api/statistics.php. PrivateLoader sends an HTTP GET request to this URL, and the response\r\ncontains another URL that is XOR encrypted with a one-byte key (0x1d). Similar to the previous request, PrivateLoader\r\nexpects the decrypted response from the C2 to be in the format URL:. An example of a decrypted response from the\r\nPrivateLoader C2 is shown below:\r\nURL:hxxps://cdn.discordapp[.]com/attachments/934006169125679147/963471252436172840/PL_Client.bmp\r\nPrivateLoader retrieves the content from this URL via an HTTP GET request. The response contains an unknown\r\nDWORD followed by encrypted data. To decrypt the data, first some of the bytes are replaced as shown in Table 1. The\r\nreplacements form a single cycle (0x00 -> 0x80 -> 0x0a -> 0x01 -> 0x05 -> 0xde -> 0xfd -> 0xff -> 0x55 -> 0x00), so they must be\r\napplied as one simultaneous substitution (a lookup table) rather than one row after another, or the mapping is no longer reversible.\r\nByte to Replace | Replacement Byte\r\n0x00 | 0x80\r\n0x80 | 0x0a\r\n0x0a | 0x01\r\n0x01 | 0x05\r\n0x05 | 0xde\r\n0xde | 0xfd\r\n0xfd | 0xff\r\n0xff | 0x55\r\n0x55 | 0x00\r\nTable 1: Replacement bytes used in PrivateLoader’s decryption algorithm.\r\nAfter the replacement, the data is XOR decrypted with a one-byte key (0x9d). The decrypted data contains the main\r\ncomponent, which is a DLL that is injected into the loader process and then executed. 
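The loader-stage decoding described above, as an added example that is not part of the original post and is neither Zscaler's tooling nor the malware's own code: it decodes the tagged HOST: and URL: responses (plaintext or one-byte XOR) and recovers the stage-two blob by skipping the unknown DWORD, applying the Table 1 substitution as a lookup table, and XORing with 0x9d. All sample inputs are constructed for the demonstration (the placeholder URL under example.invalid and the fake DLL bytes are not real artifacts), and the encrypt_payload helper exists only to build them.

```python
# Added example (not Zscaler's code): re-implementation of the PrivateLoader
# loader-stage decoding steps described in the post. All sample data here is
# constructed for the demo; none of it is captured traffic.

# Table 1, applied as one simultaneous substitution (identity for every other byte).
SUBST = {0x00: 0x80, 0x80: 0x0a, 0x0a: 0x01, 0x01: 0x05, 0x05: 0xde,
         0xde: 0xfd, 0xfd: 0xff, 0xff: 0x55, 0x55: 0x00}
_FWD = bytes(SUBST.get(b, b) for b in range(256))
_DEC_TABLE = bytes.maketrans(bytes(range(256)), _FWD)   # decrypt direction
_ENC_TABLE = bytes.maketrans(_FWD, bytes(range(256)))   # inverse, only to build samples

def xor1(data, key):
    # Single-byte XOR; it is its own inverse.
    return bytes(b ^ key for b in data)

def parse_tagged(text, tag):
    # Both resolver stages answer TAG:value, e.g. HOST:1.2.3.4 or URL:hxxp://...
    prefix = tag + ':'
    if not text.startswith(prefix):
        raise ValueError('unexpected response, expected ' + prefix)
    return text[len(prefix):].strip()

def decode_dead_drop(raw, xor_key=None):
    # The first two resolvers answer in plaintext; the third is XORed with 0x6d.
    if xor_key is not None:
        raw = xor1(raw, xor_key)
    return parse_tagged(raw.decode('ascii', 'replace'), 'HOST')

def decode_c2_url(raw, xor_key=0x1d):
    # /base/api/statistics.php answers URL:<...> XORed with 0x1d.
    return parse_tagged(xor1(raw, xor_key).decode('ascii', 'replace'), 'URL')

def decrypt_payload(blob, xor_key=0x9d):
    # Stage-two download: unknown 4-byte header, then substitute (Table 1) and XOR 0x9d.
    if len(blob) < 4:
        raise ValueError('payload too short for the 4-byte header')
    return xor1(blob[4:].translate(_DEC_TABLE), xor_key)

def encrypt_payload(plain, header=bytes(4), xor_key=0x9d):
    # Inverse of decrypt_payload; only here to build constructed test blobs.
    return header + xor1(plain, xor_key).translate(_ENC_TABLE)

def main():
    # Constructed resolver answer, as the third resolver would serve it (XOR 0x6d).
    c2 = decode_dead_drop(xor1(b'HOST:212.193.30.21', 0x6d), 0x6d)
    # Constructed statistics.php answer (XOR 0x1d) pointing at a placeholder URL.
    stage_url = decode_c2_url(xor1(b'URL:hxxps://example.invalid/PL_Client.bmp', 0x1d))
    # Constructed stage-two blob: a fake MZ header plus every Table 1 value.
    fake_dll = b'MZ' + bytes(SUBST) + b'PL_Client'
    recovered = decrypt_payload(encrypt_payload(fake_dll))
    print(c2, stage_url, recovered == fake_dll, recovered[:2])

if __name__ == '__main__':
    main()
```

Because the substitution is built once as a 256-byte translation table, decrypt_payload runs in a single pass over the blob and cannot accidentally chain the cycle; the same table applied twice would not undo itself, which is why the inverse table is kept separately for building samples.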
The loader passes a structure to the\r\nmain component containing:\r\nThe C2 IP address\r\nA hard-coded integer used in some of the main component’s C2 communications\r\nA hard-coded integer (the campaign ID) that identifies the campaign the malware sample is associated with\r\nMain Component\r\nThe campaign ID passed in from the loader component is mapped to one of 33 campaign names as shown below in Table\r\n2.\r\nEU USA_1 USA_2 WW_1 WW_2 WW_3 WW_4\r\nWW_5 WW_6 WW_7 WW_OPERA WW_8 WW_9 WW_10\r\nWW_11 WW_12 WW_13 WW_14 WW_15 WW_P_1 WW_16\r\nWW_17 WW_P_2 WW_P_3 WW_P_4 WW_P_5 WW_P_6 WW_P_7\r\nWW_P_8 WW_18 WW_19 WW_20 WW_21\r\nTable 2: Listing of PrivateLoader campaign names.\r\nThe sample analyzed for this blog post was configured with campaign ID 27, which maps to WW_P_7 (counting from zero in the\r\nrow-by-row order shown, WW_P_7 is entry 27). The campaign a\r\nparticular sample is associated with determines what payloads are downloaded and executed. For some campaigns, the\r\npayload URLs are hardcoded into the main component (see the decrypted strings listing), while for others the payload\r\nURLs are retrieved from the C2.\r\nSome campaigns are also interested in a victim's cryptocurrency and banking activity. 
PrivateLoader does this\r\nby searching a large number of file paths, registry keys, browser extensions, and saved browser logins belonging to the following\r\nbroad groups (see the decrypted strings listing for details):\r\ncryptoWallets browser\r\ncryptoWallets cold\r\ncryptoWallets_part1\r\ncryptoWallets_part2\r\ncryptoGames\r\nbankWallets\r\ncuBankWallets\r\nbankAUWallets\r\npaypal\r\nbankCAWallets\r\nbankWallets_part1\r\nbankWallets_part2\r\nbankMXWallets\r\nbankPKWallets\r\nbankESWallets\r\nshops\r\namazon_eu\r\nwebhosts\r\nVBMT (travel related sites)\r\nThe wallet and saved login data themselves are not exfiltrated; PrivateLoader only checks whether they exist.\r\nThis data is likely used to help select follow-on payloads, such as stealer or banking malware, that can make better use\r\nof the credentials.\r\nThe PrivateLoader main component creates a URL by combining the C2 address passed in from the loader with the path\r\n/base/api/getData.php. The malware then sends HTTP POST requests containing a command and various data. 
An example of a PrivateLoader main component request and response is shown in Figure 3.\r\nFigure 3: Example C2 request and response by the PrivateLoader main component.\r\nThe POST data contents in the data field and the corresponding response data can be decrypted as follows:\r\nReplace the characters \"_\" with \"/\" and \"-\" with \"+\" (i.e. convert URL-safe Base64 to standard Base64)\r\nBase64 decode the data\r\nGenerate a 32-byte AES key and a 32-byte HMAC secret with PBKDF2:\r\nThe password Snowman+under_a_sn0wdrift_forgot_the_Snow_Maiden is stored as an encrypted stack\r\nstring\r\nThe salt is the first 16 bytes of the Base64 decoded data\r\nThe iteration count is hardcoded to 20,000\r\nThe PBKDF2 HMAC hashing algorithm is SHA512\r\nThe IV is the second 16 bytes of the Base64 decoded data\r\nThe HMAC hash is the last 32 bytes of the Base64 decoded data\r\nBetween the IV and the HMAC hash is the AES encrypted data\r\nThe HMAC hash is validated\r\nIn other words, the decoded blob is laid out as salt (16) | IV (16) | AES ciphertext | HMAC (32), with the key material derived from\r\na hardcoded password and the per-message salt. The AES cipher mode and the exact bytes covered by the HMAC are not detailed\r\nhere and should be confirmed against the sample before reimplementing the scheme.\r\nOnce decrypted, an example C2 beacon looks similar to the following:\r\nAddLoggerStat|WW_P_7|{\"extensions\":[],\"links\":[{\"id\":\"1916\"},{\"id\":\"468\"},{\"id\":\"1920\"},{\"id\":\"1750\"},\r\n{\"id\":\"1927\"},{\"id\":\"1929\"},{\"id\":\"1946\"},{\"id\":\"1985\"}],\"net_country_code\":\"US\",\"os_country_code\":\"US\"}\r\nThe beacon is pipe delimited and contains the following fields:\r\nCommand\r\nCampaign name\r\nJSON object\r\nIn this example the JSON object contains:\r\nIDs of browser extension payloads that have been downloaded and executed\r\nIDs of hardcoded or retrieved payloads that have been downloaded and executed\r\nLocation of victim based on GeoIP\r\nLocation of victim based on system data\r\nThe response data depends on the command and can contain a simple status message (e.g. 
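The envelope decoding steps and the pipe-delimited beacon format above, as one added example that is not part of the original post and is neither Zscaler's tooling nor the malware's code: it converts the URL-safe Base64, splits the blob into salt, IV, ciphertext and tag, derives the AES key and HMAC secret with PBKDF2-HMAC-SHA512 at 20,000 rounds, verifies the tag, and parses a Command|Campaign|JSON beacon. Three details are assumptions not stated in the post and are marked as such in the code: that the 64 bytes of PBKDF2 output are split AES key first and HMAC secret second, that the 32-byte tag is HMAC-SHA256 over everything preceding it (salt, IV and ciphertext), and that the optional AES step is AES-256-CBC with PKCS7 padding using the third-party cryptography package. The sample envelope is constructed with arbitrary bytes standing in for AES output, so only framing and MAC verification are exercised there.

```python
# Added example (not Zscaler's code): unpacking the PrivateLoader C2 envelope
# described in the post and parsing the pipe-delimited beacon inside it.
# Assumptions beyond the post, marked below: PBKDF2 output order (AES key first,
# then HMAC secret), the bytes the HMAC covers (everything before the tag) and,
# for the optional AES step, CBC mode with PKCS7 padding. Confirm each against
# the binary before relying on this for real traffic.
import base64
import hashlib
import hmac
import json

PASSWORD = b'Snowman+under_a_sn0wdrift_forgot_the_Snow_Maiden'
ITERATIONS = 20000
SALT_LEN, IV_LEN, TAG_LEN = 16, 16, 32

def derive_keys(salt):
    # PBKDF2-HMAC-SHA512, 20,000 rounds, 64 bytes out. Split order is an assumption.
    km = hashlib.pbkdf2_hmac('sha512', PASSWORD, salt, ITERATIONS, 64)
    return km[:32], km[32:]

def unpack_envelope(data_field):
    # The data field is URL-safe Base64 (the _ and - swap), possibly unpadded.
    s = data_field.replace('_', '/').replace('-', '+')
    raw = base64.b64decode(s + '=' * (-len(s) % 4))
    if len(raw) < SALT_LEN + IV_LEN + TAG_LEN:
        raise ValueError('envelope too short')
    salt, iv = raw[:SALT_LEN], raw[SALT_LEN:SALT_LEN + IV_LEN]
    ct, tag = raw[SALT_LEN + IV_LEN:-TAG_LEN], raw[-TAG_LEN:]
    aes_key, mac_key = derive_keys(salt)
    # 32-byte tag, so HMAC-SHA256 is assumed; coverage of salt|iv|ct is an assumption.
    expected = hmac.new(mac_key, raw[:-TAG_LEN], hashlib.sha256).digest()
    mac_ok = hmac.compare_digest(expected, tag)
    return {'salt': salt, 'iv': iv, 'ciphertext': ct, 'tag': tag,
            'aes_key': aes_key, 'mac_key': mac_key, 'mac_ok': mac_ok}

def pack_envelope(ciphertext, salt, iv):
    # Builds an envelope the way unpack_envelope expects it; demo helper only.
    _, mac_key = derive_keys(salt)
    body = salt + iv + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode('ascii').replace('/', '_').replace('+', '-')

def decrypt_envelope(data_field):
    # Optional AES-256-CBC step via the cryptography package (not in the stdlib).
    env = unpack_envelope(data_field)
    if not env['mac_ok']:
        raise ValueError('HMAC check failed, refusing to decrypt')
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    from cryptography.hazmat.primitives import padding
    dec = Cipher(algorithms.AES(env['aes_key']), modes.CBC(env['iv'])).decryptor()
    padded = dec.update(env['ciphertext']) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()

def parse_beacon(text):
    # Command|Campaign|JSON; the JSON may itself contain pipes, so split only twice.
    command, campaign, payload = text.split('|', 2)
    return command, campaign, json.loads(payload)

def demo():
    # Constructed sample: fixed salt and IV, arbitrary bytes standing in for AES
    # output, so only the framing and the MAC check are exercised here.
    salt, iv = bytes(range(16)), bytes(range(16, 32))
    env = pack_envelope(b'not-real-aes-output', salt, iv)
    ok = unpack_envelope(env)['mac_ok']
    # Flip one Base64 character inside the ciphertext region: the MAC must fail.
    flipped = env[:50] + ('A' if env[50] != 'A' else 'B') + env[51:]
    tampered = unpack_envelope(flipped)['mac_ok']
    beacon = 'AddLoggerStat|WW_P_7|' + json.dumps(
        {'extensions': [], 'links': [{'id': '1916'}, {'id': '468'}],
         'net_country_code': 'US', 'os_country_code': 'US'})
    return ok, tampered, parse_beacon(beacon)

if __name__ == '__main__':
    print(demo())
```

The MAC is checked before any decryption is attempted and compared with hmac.compare_digest, which is the order a decoder should keep even for malware traffic: it means a corrupted or attacker-modified capture is reported as such rather than yielding garbage plaintext that is then mistaken for a real beacon.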
“success”) or a JSON object.\r\nC2 commands may include the following values:\r\nGetLinks - get payload URLs\r\nGetExtensions - get browser extension payload URLs\r\nAddExtensionStat - used to update C2 panel statistics\r\nGetIP - used to obtain the victim's external IP address\r\nAddLoggerStat - used to update C2 panel statistics\r\nSetIncrement|not_elevated - indicates that the malware's process token is not elevated\r\nSetIncrement|ww_starts\r\nGetCryptoSleeping\r\nIsUseDominationProject\r\nSetLoaderAnalyze\r\nAs an example of the GetLinks command, a listing of payload URLs returned for the analyzed sample’s campaign on\r\n04/14/2022 is available here. Some of the payloads served from these URLs are encrypted in the same way as the main\r\ncomponent, while others are unencrypted PE executable files.\r\nConclusion\r\nPrivateLoader is a typical downloader malware family behind a PPI service that has gained traction as a viable\r\nmalware distribution method for multiple threat actors. PrivateLoader is currently used to distribute ransomware, stealer,\r\nbanker, and other commodity malware. 
The loader will likely continue to be updated with new features and functionality\r\nto evade detection and effectively deliver second-stage malware payloads.\r\nCloud Sandbox Detection\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to the campaign\r\nat various levels with the following threat names:\r\nWin32.Trojan.PrivateLoader\r\nIndicators of Compromise\r\nIOC | Notes\r\naa2c0a9e34f9fa4cbf1780d757cc84f32a8bd005142012e91a6888167f80f4d5 | SHA256 hash of analyzed PrivateLoader loader component\r\n077225467638a420cf29fb9b3f0241416dcb9ed5d4ba32fdcf2bf28f095740bb | SHA256 hash of analyzed PrivateLoader main component\r\nhxxp://45.144.225[.]57/server.txt | Loader component dead drop resolver\r\nhxxps://pastebin[.]com/raw/A7dSG1te | Loader component dead drop resolver\r\nhxxp://wfsdragon[.]ru/api/setStats.php | Loader component dead drop resolver\r\n212.193.30[.]21 | Primary C2 address\r\n2.56.59[.]42 | Secondary C2 address\r\n/base/api/statistics.php | Loader component URI\r\nhxxps://cdn.discordapp[.]com/attachments/934006169125679147/963471252436172840/PL_Client.bmp | Encrypted main component\r\n/base/api/getData.php | Main component URI\r\nSource: https://www.zscaler.com/blogs/security-research/peeking-privateloader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/peeking-privateloader"
	],
	"report_names": [
		"peeking-privateloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775791306,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d89a49b6e870526cd09e736def322d72fe043f8a.pdf",
		"text": "https://archive.orkl.eu/d89a49b6e870526cd09e736def322d72fe043f8a.txt",
		"img": "https://archive.orkl.eu/d89a49b6e870526cd09e736def322d72fe043f8a.jpg"
	}
}