{
	"id": "304ec033-66a2-4d4a-8cf3-e0de9231ed2f",
	"created_at": "2026-04-06T00:19:45.84501Z",
	"updated_at": "2026-04-10T03:21:47.967161Z",
	"deleted_at": null,
	"sha1_hash": "e23b7a6e0c210aa2e92ad779c5dded5962f19b89",
	"title": "PrivateLoader: The first step in many malware schemes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70003,
	"plain_text": "PrivateLoader: The first step in many malware schemes\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 18:19:03 UTC\r\nPay-per-install (PPI) malware services have been an integral part of the cybercrime ecosystem for a considerable amount of time. A malware operator provides payment, malicious payloads and targeting information, and those running the service take care of distribution and delivery. The accessibility and moderate costs allow malware operators to leverage these services as another weapon for rapid, bulk and geo-targeted malware infections.\r\nBy understanding how these services proliferate, defenders can better recognize these campaigns and stop them from wreaking havoc on their organization’s IT stack. This report focuses on PrivateLoader, a modular downloader written in C++ and connected to an unidentified PPI service. PrivateLoader sits at the front of this operation and communicates with its back-end infrastructure to retrieve URLs for the malicious payloads to “install” on the infected host. As is the case with downloaders tied to PPI services, PrivateLoader reports a variety of statistics, such as which payloads were downloaded and launched successfully.\r\nDistribution campaigns generally rely on a network of search engine optimization (SEO) enhanced websites that lure unsuspecting victims searching for warez, aka pirated software, into downloading and executing malware. A password-protected archive typically is delivered that contains a setup file that embeds and executes multiple malicious payloads on the infected host, such as GCleaner, PrivateLoader, Raccoon, Redline, Smokeloader and Vidar malware. We assess these campaigns have incorporated PrivateLoader since at least May 2021.\r\nThis report investigates the PPI service behind it and the methods operators employ to obtain “installs,” and presents details about the malware families the service delivers.\r\nHow PrivateLoader works\r\nThe service behind this PrivateLoader PPI campaign and its operators are unknown, as it was not possible to connect the downloader to a specific underground PPI service at the time of this report. However, we observed that PrivateLoader’s main command and control (C2) servers also host the administration panel, which is based on the AdminLTE 3 dashboard template. The image below shows the authentication page:\r\n[Image: PrivateLoader authentication page - This image depicts the PrivateLoader authentication page.]\r\nThe front-end script, a JavaScript file named app.js, appears to expose the functionality offered to panel users. The table below describes interesting JavaScript functions in the script:\r\nFUNCTION | DESCRIPTION | ENDPOINT AND PARAMETERS\r\nAddNewUser | Adds a new user with a specific role. | /base/user_reg.php: login: User login; password: User password; role: User role as an integer.\r\nsaveUser | Modifies an existing user. | /base/user_reg.php: user_id: User identifier; login: New user login; password: New user password; role: New user role as an integer; banned: Banned status as an integer.\r\nAddNewLink | Adds a loader link configuration to a payload to install. | /base/link_add.php: link_url: Download link to the payload to install; link_status: Link status as an integer; link_geo: Targeted geolocation as an integer; link_dmethod: Link distribution method as an integer.\r\nEditStatusLink | Updates the status of a loader link configuration. | /base/link_edit.php: link_id: Loader link identifier; link_status: New status as an integer.\r\neditUrlLink | Edits the URL for a loader link configuration. | /base/link_url_edit.php: link_id: Loader link identifier; link_url: Updated download link.\r\nremoveLink | Removes a loader link configuration. | /base/link_del.php: link_id: Loader link identifier.\r\nEditGeoLink, EditGeoLinkIdx | Updates the geolocation targeting for a loader link configuration. | /base/link_edit_geo.php: link_id: Loader link identifier; link_geo: New targeted geolocation as an integer.\r\nsaveLinkInformation | Modifies an existing loader link configuration. | /base/link_edit_info.php: link_id: Loader link identifier; link_url: Download link of the payload; link_status: Status as an integer; link_geo: Targeted geolocation as an integer; link_ftype: Selected category identifier of the payload as an integer; link_countries: Targeted countries as a string; link_arguments: Arguments to pass to the payload as a string; link_onlybytype: Integer that indicates to run the payload only if the category identifier matches; link_subgeo: Subgeolocation as a string; link_dmethod: Link distribution method as an integer.\r\nAddNewExtension | Adds a configuration to a browser extension to install. | /base/extension_add.php: extension_url: Download link to the browser extension to install; config_url: Download link to the configuration of the browser extension; ext_status: Extension status as an integer; ext_geo: Targeted geolocation as an integer.\r\neditUrlExtension | Edits the URL for a browser extension configuration. | /base/extension_url_edit.php: extension_id: Extension identifier; ext_url: New link to the extension; cfg_url: New link to the extension configuration.\r\nremoveExtension | Removes a browser extension configuration. | /base/extension_del.php: ext_id: Extension identifier.\r\nsaveExtensionInformation | Modifies an existing browser extension configuration. | /base/extension_edit_info.php: ext_id: Extension identifier; ext_url: Download link of the extension; cfg_url: Download link of the extension configuration; ext_status: Extension status as an integer; ext_geo: Targeted geolocation as an integer; ext_countries: Targeted countries as a string.\r\nLoadFileToEncrypt | Encrypts a file. Possibly uses the byte substitution and XOR algorithm described in the Malware Report. | /base/file_crypt.php: Multipart form POST request with the file to encrypt.\r\nCalculateAllLinksLoads | Returns the number of total and unique installed payloads for all link identifiers. | /base/logger_counter.php: ids: All link identifiers.\r\nCalculateCurrentLinksLoads | Returns the number of total and unique installed payloads for a link identifier. | /base/logger_counter.php: ids: Single link identifier.\r\nhttps://intel471.com/blog/privateloader-malware\r\nPage 1 of 7\r\nDelivering the PrivateLoader downloader\r\nPrivateLoader is delivered through a network of websites that claim to provide “cracked” software, which are modified versions of popular legitimate applications that people commonly use. These websites are SEO optimized and usually appear at the top of search queries that contain keywords such as “crack” or “crack download,” preceded by the software name. For example, a search for “Malwarebytes crack” returns the following websites as the fourth and fifth results:\r\n[Image: Malwarebytes crack search results - This image depicts “Malwarebytes crack” search results.]\r\nVisitors are lured into clicking a “Download Crack” or “Download Now” button to obtain an allegedly cracked version of the software. The JavaScript for the download button is retrieved from a remote server.\r\n[Image: Malwarebytes cracked version download option - This image depicts an option to allegedly download a cracked version of the software.]\r\nAfter a few redirections, the final payload is served to the user as a password-protected compressed (.zip) archive. The screenshot below shows the actual download page:\r\n[Image: Cracked version download page - This image depicts the download page.]\r\nIn our example, the archive served was named “PASSWORD_IS_324325____Malwarebytes-Pr.zip.” It contained a Nullsoft Scriptable Install System (NSIS) installer named “setup_x86_x64_install.exe,” which embeds and executes numerous malicious payloads such as GCleaner, PrivateLoader and Redline.\r\nResearchers from SophosLabs previously investigated this delivery network and tied some of its infrastructure to the InstallUSD PPI service.\r\nMalware families dropped\r\nAutomated malware coverage and tracking for PrivateLoader started in early September 2021. We have since gathered sizable amounts of data that helped us learn more about the service.\r\nThe following chart shows the number of unique hashes downloaded by PrivateLoader for each malware family our Malware Intelligence systems detected. The most popular families this PPI service distributed, in descending order, were Smokeloader, Redline and Vidar:\r\n[Image: Hashes Malware Family 02 Feb2022 - This chart shows the number of unique hashes downloaded by PrivateLoader for each malware family our Malware Intelligence systems detected.]\r\nEach PrivateLoader sample embeds a region code that is communicated to the C2 server along with the country of the bot. The chart below depicts the number of unique hashes downloaded per region code over the duration of coverage. We believe the “WW” prefix in these region codes stands for “worldwide,” since it was most commonly found in samples. On the panel side, we suspect this code represents the “link_geo” parameter described in the previous table.\r\n[Image: Hashes Region Code 02 Feb2022 - This chart depicts the number of unique hashes downloaded per region code.]\r\nHowever, we observe a different distribution when querying the number of unique hashes by bots’ country codes (see chart below). This is expected, since popular worldwide region codes encapsulate multiple countries.\r\n[Image: Hashes Country Code 02 Feb2022 - This chart depicts the number of unique hashes downloaded per country code.]\r\nSmokeloader\r\nOf the payloads we saw pushed by PrivateLoader, the most common was Smokeloader. The following chart shows the extracted affiliate IDs (or lack thereof) from all unique Smokeloader samples detected by our Malware Intelligence systems:\r\n[Image: Smokeloader IDs 02 Feb2022 - This chart shows the percentage of extracted affiliate IDs from all unique Smokeloader samples detected by our Malware Intelligence systems.]\r\nThe top 10 detected domains used to deliver Smokeloader included:\r\nHOST NAME | UNIQUE SAMPLES DOWNLOADED\r\nprivacytoolz123foryou[.]top | 321\r\nthreesmallhills[.]com | 296\r\nprivacy-toolz-for-you-5000[.]top | 264\r\nprivacytoolzforyou-7000[.]top | 231\r\nprivacytoolzforyou-7000[.]com | 212\r\nprivacytoolzforyou7000[.]top | 200\r\nprivacytoolzforyou-6000[.]top | 179\r\nprivacy-toolz-for-you-403[.]top | 177\r\nprivacy-tools-for-you-777[.]com | 150\r\nprivacytoolzforyou6000[.]top | 136\r\nIt’s apparent the operators running the “Privacy tools” domains heavily rely on PrivateLoader to deliver Smokeloader. An inspection of active distribution URLs showed these domains host a website that claims to offer “Privacy Tools.” This website likely is spoofing the real PrivacyTools[.]io website run by volunteers who advocate for data privacy.\r\n[Image: Spoof Privacy Tools website - This image depicts the landing page of one of the “Privacy tools” domains.]\r\nThese websites host Smokeloader payloads in three categories named “pab1,” “pab2” and “pab3.” These are not necessarily linked to the analogous “pub*” affiliate IDs, since we have seen some “pab2” payloads with the “555” affiliate ID. While tracking PrivateLoader, we only received links to download the “pab2” payloads from these websites. It is likely these operators use other methods or PPI services to distribute the Smokeloader family.\r\nOn Oct. 22, 2021, a “pab2” Smokeloader sample downloaded by PrivateLoader from one of these websites delivered the Qbot banking trojan. This is an unusual distribution method for Qbot and revealed the new botnet ID star01.\r\nBanking trojans\r\nThere are other actors throughout the underground that leverage PrivateLoader for banking trojan distribution.\r\nOn Oct. 31, 2021, PrivateLoader bots connecting from European countries were instructed to download and execute the Kronos banking trojan from the following URL:\r\nhxxp://2.56.59[.]42/EU/Yandex1500[.]exe\r\nThe downloaded sample also executed the Vidar information stealer. The download and execute commands for this sample stopped the following day.\r\nOn Nov. 1, 2021, PrivateLoader bots downloaded Dridex samples tied to the 10444 botnet, and Danabot with the affiliate identifier 40. The same day, bots also downloaded Trickbot samples with the group tags (gtags) lip*, tot* and top*. In all cases, the delivered samples embedded other malware families such as other banking trojans, information stealers or ransomware.\r\nSAMPLE HASH | MALWARE FAMILIES | FIRST SEEN (UTC) | LAST SEEN (UTC) | OTHER DETECTED FAMILIES\r\n14e7cc2eadc7c9bac1930f37e25303212c8974674b21ed052a483727836a5e43 | Trickbot: top142 | 2021-11-01 17:19:30 | 2021-11-01 18:39:25 | NanoCore RAT, Smokeloader, Redline\r\n4554dc95f99d6682595812b677fb131a7e7c51a71daf461a57a57a0d903bb3fa | Trickbot: tot160; Trickbot: top141; Dridex: 10444 | 2021-11-01 11:20:11 | 2021-11-02 07:17:40 | Tofsee, Redline\r\n4ed7609cbb86ea0b7607b8a002e7f85b316903c3b6801240c9576aae8b3052ff | Trickbot: lip143; Trickbot: top142 | 2021-11-01 17:27:39 | 2021-11-02 07:46:21 | njRAT, Djvu ransomware, Vidar\r\n5adbe8d0375d6531f1a523085f4df4151ad1bd7ae539692e2caa3d0d73301293 | Trickbot: lip142; Dridex: 10444 | 2021-11-01 15:56:02 | 2021-11-02 02:03:00 | Remcos, Tofsee\r\n6abbd89e6ab5e1b63c38a8f78271a97d19bafff4959ea9d5bd5da3b185eb61e6 | Trickbot: top141 | 2021-11-01 12:51:32 | 2021-11-02 02:02:59 | Redline\r\n929a591331bdc1972357059d451a651d575166f676ea51daaeb358aa2a1064b7 | Dridex: 10444 | 2021-11-01 17:29:03 | 2021-11-01 18:41:08 | Smokeloader, Redline\r\naae0553b761e8bb3e58902a46cd98ee68310252734d1f8d9fd3b862aab8ed5c9 | Trickbot: lip142 | 2021-11-01 16:14:42 | 2021-11-02 16:54:50 | Redline\r\nbf7b5f72b2055cfc8da01bb48cf5ae8e45e523860e0b23a65b9f14dbdbb7f4ee | Trickbot: lip141; Trickbot: top141; Trickbot: top142; Dridex: 10444; Danabot: affid 40 | 2021-11-01 11:14:58 | 2021-11-01 18:41:14 | Redline, Quasar\r\neef15f6416f756693cbfbfd8650ccb665771b54b4cc31cb09aeea0d13ec640cf | Trickbot: lip141; Trickbot: lip142; Trickbot: lip143; Trickbot: top141 | 2021-11-01 15:01:07 | 2021-11-02 02:03:33 | Smokeloader, LockBit, Redline\r\nf9246be51464e71ff6b37975cd44359e8576f2bf03cb4028e536d7cfde3508fc | Trickbot: lip141; Trickbot: lip142 | 2021-11-01 15:09:14 | 2021-11-02 07:17:30 | Redline\r\nfcc49c9be5591f241ffd98db0752cb9e20a97e881969537fba5c513adbd72814 | Trickbot: lip142; Dridex: 10444 | 2021-11-01 17:27:43 | 2021-11-01 18:41:04 | Redline\r\nThe sample with the hash 929a591331bdc1972357059d451a651d575166f676ea51daaeb358aa2a1064b7 that embedded both Dridex and Smokeloader was downloaded from the following URL:\r\nhxxp://privacytoolzfor-you6000[.]top/downloads/toolspab2.exe\r\nIn the previous subsection, we linked the “Privacy tools” websites to Smokeloader operators. It is unclear whether the operators behind these websites operated the Dridex 10444 botnet or only acted as a link in the delivery chain. However, we can assume the “Privacy tools” website was used for distribution, since the same Dridex botnet identifier and controllers were seen across different hashes and delivery URLs during this period.\r\nSeeing downloads for Danabot, Dridex, Kronos and Trickbot for the first time within the same time frame hardly can be regarded as a coincidence. Moreover, these trojans often were bundled with each other. Therefore, we assess a single entity likely operating these specific botnets was using the PrivateLoader PPI service at the time.\r\nOn Nov. 14, 2021, PrivateLoader bots started to download samples of the Danabot banking trojan with the affiliate ID 4 for a single day.\r\nBased on these short outbursts that lasted no more than a day, we suspect the banking trojan operators were experimenting with this PPI service as another delivery mechanism for their malware.\r\nRansomware\r\nUnderground PPI services generally advise against deploying ransomware on target machines, since it renders them unusable. However, cybercriminals have a reputation for not adhering to rules and deploy ransomware anyway.\r\nThe only time we detected ransomware samples downloaded by PrivateLoader was when it dropped banking trojans in early November 2021. The table in the previous subsection showed downloads for the LockBit and STOP Djvu ransomware families.\r\nWhile analyzing payloads downloaded by PrivateLoader, we identified a new loader we dubbed Discoloader. Discoloader was written using the .NET framework and uses the Discord content delivery network (CDN) to host its payload. Although not directly from PrivateLoader, we observed samples of this family delivering Conti ransomware directly onto infected hosts, which is an uncharacteristic delivery mechanism, since this family typically only is deployed after total compromise of enterprise networks.\r\nConclusion\r\nPPI services have been a pillar of cybercrime for decades. Just like the wider population, criminals are going to flock to software that provides them a wide array of options to easily achieve their goals. As we have detailed, criminals have used PrivateLoader to launch all kinds of schemes. By highlighting the versatility of this malware, we hope to give defenders the chance to develop unique strategies for thwarting malware attacks empowered by PrivateLoader.\r\nMITRE ATT\u0026CK techniques\r\nThis report uses the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT\u0026CK) framework.\r\nTECHNIQUE | TITLE | ID | USE\r\nResource Development [TA0042] | Stage Capabilities: Upload Malware | T1608.001 | PrivateLoader often hosts malicious payloads on the Discord CDN. We observed recent controllers downloading attachments from just the 891006172130345095, 905701898806493199 and 896617596772839426 IDs.\r\nPersistence [TA0003] | Create or Modify System Process: Windows Service | T1543.003 | PrivateLoader can be persisted as a startup service and is installed with the following attributes: service name: PowerControl; service display name: \"Power monitoring service for your device.\"; service start type: At system startup; service binary path: C:\\Program Files (x86)\\PowerControl\\PowerControl_Svc.exe.\r\nPersistence [TA0003] | Scheduled Task/Job: Scheduled Task | T1053.005 | The PrivateLoader service module always persists as a scheduled task that executes every hour. It also can be persisted as a logon scheduled task when a Windows service is not used.\r\nPersistence [TA0003] | Browser Extensions | T1176 | PrivateLoader can download and silently install malicious browser extensions on Google Chrome and Microsoft Edge browsers.\r\nPrivilege Escalation [TA0004] | Abuse Elevation Control Mechanism: Bypass User Account Control | T1548.002 | The PrivateLoader core module uses a Windows 10 user account control (UAC) bypass technique to elevate privileges. The bypass uses a widely documented technique involving the ComputerDefaults.exe system executable (.exe) file, which has the auto-elevate option set.\r\nSource: https://intel471.com/blog/privateloader-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intel471.com/blog/privateloader-malware"
	],
	"report_names": [
		"privateloader-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434785,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e23b7a6e0c210aa2e92ad779c5dded5962f19b89.pdf",
		"text": "https://archive.orkl.eu/e23b7a6e0c210aa2e92ad779c5dded5962f19b89.txt",
		"img": "https://archive.orkl.eu/e23b7a6e0c210aa2e92ad779c5dded5962f19b89.jpg"
	}
}