{
	"id": "3a1c9259-3fe3-4cf4-a08d-ca43aca15fed",
	"created_at": "2026-04-06T00:10:54.458532Z",
	"updated_at": "2026-04-10T03:20:21.599825Z",
	"deleted_at": null,
	"sha1_hash": "ebebba1a514fcb590d5a70c19c93e4c5012283cb",
	"title": "NullMixer Drops Multiple Malware Families",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4813312,
	"plain_text": "NullMixer Drops Multiple Malware Families\r\nBy PolySwarm Tech Team\r\nArchived: 2026-04-05 14:54:58 UTC\r\nRelated Families: SmokeLoader, RedLine Stealer, PseudoManuscrypt, ColdStealer, FormatLoader, CsdiMonetize, Disbuk, Fabookie, DanaBot, Racealer, Generic.ClipBanker, SgnitLoader, ShortLoader, Downloader.INNO, LgoogLoader, Downloader.Bitser, C-Joker, PrivateLoader, Satacom, GCleaner, Vidar\r\nVerticals Targeted: Multiple\r\nExecutive Summary\r\nKaspersky recently reported on NullMixer, a dropper used to deliver a wide range of malware families, including SmokeLoader, RedLine Stealer, PseudoManuscrypt, ColdStealer, FormatLoader, CsdiMonetize, Disbuk, Fabookie, DanaBot, Racealer, Generic.ClipBanker, SgnitLoader, ShortLoader, Downloader.INNO, LgoogLoader, Downloader.Bitser, C-Joker, PrivateLoader, Satacom, GCleaner, and Vidar.\r\nKey Takeaways\r\nNullMixer drops a wide range of malware families.\r\nNullMixer is typically disguised as software related to cracks, keygens, and activators.\r\nCurrently, at least 21 families are dropped by NullMixer, including bankers, backdoors, stealers, and others.\r\nhttps://blog.polyswarm.io/nullmixer-drops-multiple-malware-families\r\nPage 1 of 3\n\nWhat is NullMixer?\r\nNullMixer is a dropper currently being used to drop multiple malware families. According to Kaspersky, NullMixer is spread via malicious websites related to cracks, keygens, and activators used for software piracy. Most NullMixer activity was observed targeting users in the US, Brazil, India, Russia, Italy, Germany, France, Egypt, and Turkey. The threat actors behind NullMixer employ sophisticated SEO to stay near the top of search results. When unwitting victims attempt to download software from the sites, they are taken through multiple redirects, eventually landing on a page that serves a password-protected archive.
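Because the delivery chain ends in a password-protected archive, the first checks a practitioner wants on a download from such a site are whether the archive's entries are actually flagged as encrypted (a gateway or endpoint scanner cannot inspect those without the password), whether the file's SHA-256 matches known samples, and whether entry names look like the crack/keygen lures described above. The Python helper below is an added example and is not code from the PolySwarm post or from Kaspersky's report; the SHA-256 set is the post's own IOC list, while the ZIP-building function, the lure-name regex and the sample archives are assumptions constructed so the example runs offline.

```python
# Added example (not from the PolySwarm post or Kaspersky's report): triage a
# ZIP archive downloaded from a "crack/keygen" site. Flags entries whose
# general-purpose flag bit 0 (PKWARE encryption, i.e. password-protected) is
# set, compares the archive SHA-256 against the NullMixer hashes from the
# post's IOC section, and flags lure-style entry names. build_zip() only
# exists to construct offline test archives; real samples come from disk.
import hashlib
import io
import re
import struct
import zipfile
import zlib

# SHA-256 hashes of NullMixer samples, copied from the post's IOC section.
NULLMIXER_SHA256 = {
    'f2ec0aaf1cd2359465bd42b1951d1c59267137ddba96c85f28c981d622ecf093',
    'b69a81971bd4800d1737ef67ef47e5b6793723c1fd4b75dfbdddf8b28bd93dd5',
    'c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a',
}

# Lure keywords from the post's description of the delivery sites (cracks,
# keygens, activators); the regex itself is an assumption for this example.
LURE_NAME = re.compile(r'(crack|keygen|activat)', re.IGNORECASE)


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def is_known_nullmixer(sha256: str) -> bool:
    return sha256.lower() in NULLMIXER_SHA256


def triage_archive(blob: bytes) -> dict:
    '''Hash match, password-protected entries and lure-named entries.'''
    digest = sha256_hex(blob)
    encrypted, lure = [], []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            # Bit 0 of the general-purpose flag marks an encrypted entry.
            if info.flag_bits & 0x1:
                encrypted.append(info.filename)
            if LURE_NAME.search(info.filename):
                lure.append(info.filename)
    return {
        'sha256': digest,
        'known_nullmixer': is_known_nullmixer(digest),
        'encrypted_entries': encrypted,
        'lure_named_entries': lure,
    }


def build_zip(entries: dict, encrypted: bool = False) -> bytes:
    '''Build a minimal stored (uncompressed) ZIP. With encrypted=True the
    encryption flag bit is set so the archive presents as password-protected;
    the entry data is left as-is because only the flag matters for triage.'''
    flags = 0x1 if encrypted else 0x0
    out, central = bytearray(), bytearray()
    for name, data in entries.items():
        name_b = name.encode('utf-8')
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(out)
        # Local file header: sig, version, flags, method, time, date, crc,
        # compressed size, uncompressed size, name length, extra length.
        out += struct.pack('<IHHHHHIIIHH', 0x04034B50, 20, flags, 0, 0, 0,
                           crc, len(data), len(data), len(name_b), 0)
        out += name_b + data
        # Central directory header for the same entry.
        central += struct.pack('<IHHHHHHIIIHHHHHII', 0x02014B50, 20, 20, flags,
                               0, 0, 0, crc, len(data), len(data), len(name_b),
                               0, 0, 0, 0, 0, offset)
        central += name_b
    cd_offset = len(out)
    out += central
    # End of central directory record.
    out += struct.pack('<IHHHHIIH', 0x06054B50, 0, 0, len(entries),
                       len(entries), len(central), cd_offset, 0)
    return bytes(out)


# Constructed samples for the demonstration; not real NullMixer archives.
BENIGN = build_zip({'README.txt': b'hello'})
LURE = build_zip({'Setup.exe': b'MZ not a real executable',
                  'Crack/keygen.exe': b'MZ also fake'}, encrypted=True)

if __name__ == '__main__':
    for label, blob in (('benign', BENIGN), ('lure', LURE)):
        print(label, triage_archive(blob))
```

The encryption flag is read from the central directory, so the check works without the archive password; a hit on encrypted entries plus a lure-style name is a reason to detonate the file in a sandbox rather than open it, even when the hash is not yet on the IOC list.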
While the victims think they are downloading the desired software, the archive actually contains NullMixer.\r\nNullMixer drops the following malware families:\r\nSmokeLoader\r\nSmokeLoader is a modular malware primarily used to download and execute other payloads.\r\nRedLine Stealer\r\nRedLine Stealer is a stealer malware that harvests various types of information, including saved credentials, autocomplete data, cryptocurrency, and credit card information. It also takes a system inventory of the victim’s machine, gathering information on the username, location data, hardware configuration, and installed security software. RedLine Stealer can also upload and download files, execute commands, and send information about the infected computer to the C2.\r\nPseudoManuscrypt\r\nPseudoManuscrypt is a MaaS (malware as a service) used to steal cookies from multiple applications, including Firefox, Chrome, Edge, Opera, and Yandex. The malware also allows keylogging and cryptocurrency theft using ClipBanker. PseudoManuscrypt uses the KCP protocol to download additional plugins.\r\nColdStealer\r\nColdStealer is used to steal multiple types of information, including crypto wallets, FTP credentials, and credentials from browsers.\r\nFormatLoader\r\nFormatLoader uses hardcoded URLs as format strings. It is used to download an additional file and infect a victim's machine.\r\nCsdiMonetize\r\nCsdiMonetize is an advertising platform typically used to install PUAs (potentially unwanted applications). It also drops trojans, such as Glupteba.\r\nDisbuk\r\nDisbuk, also known as Socelar, steals Facebook cookies from Chrome and Firefox, access tokens, account IDs, and Amazon cookies. It installs a malicious browser extension masquerading as Google Translate.\r\nFabookie\r\nFabookie targets Facebook ads and steals browser session cookies.
It also uses Facebook Graph API queries to harvest information about a user’s account, linked payment method, balance, and friends.\r\nDanaBot\r\nDanaBot is a modular banking trojan. Its functionality includes stealing information and injecting fake forms to collect payment data. It can also give a threat actor full remote access to a machine using the VNC plugin.\r\nRacealer\r\nRacealer, also known as RaccoonStealer, is a relatively unsophisticated malware as a service written in C/C++. More recent versions use Telegram to retrieve C2 information and malware configurations.\r\nGeneric.ClipBanker\r\nGeneric.ClipBanker is a clipboard hijacker. It monitors the victim machine's clipboard for cryptocurrency addresses and replaces them with the threat actor’s wallet address to intercept payments.\r\nSgnitLoader\r\nSgnitLoader is a trojan downloader written in C#.\r\nShortLoader\r\nShortLoader is another trojan downloader.\r\nDownloader.INNO\r\nDownloader.INNO is an Inno Setup installer that uses the Inno Download Plugin to download a file from the C2. The downloaded file is related to the Satacom downloader family.\r\nLgoogLoader\r\nLgoogLoader is an installer that drops three files: a batch file, an AutoIt interpreter, and an AutoIt script. After downloading, it executes the batch file.\r\nDownloader.Bitser\r\nDownloader.Bitser is an NSIS installer that installs Lightning Media Player and runs bitsadmin to download additional files.\r\nC-Joker\r\nC-Joker is an Exodus wallet stealer.\r\nPrivateLoader\r\nPrivateLoader is a pay-per-install loader similar to LgoogLoader and SmokeLoader.\r\nSatacom\r\nSatacom, also known as LegionLoader, is a loader that uses anti-analysis methods borrowed from al-khaser.\r\nGCleaner\r\nGCleaner is a pay-per-install loader.
It was previously distributed as Garbage Cleaner, which mimicked CCleaner. GCleaner is used to download PUAs such as Azorult, Vidar, Predator the Thief, and others.\r\nVidar\r\nVidar is an infostealer that grabs passwords and steals browser autofill information, cookies, saved payment information, browser history, coin wallets, and Telegram databases. It can also take screenshots.\r\nIOCs\r\nPolySwarm has multiple samples of NullMixer.\r\nf2ec0aaf1cd2359465bd42b1951d1c59267137ddba96c85f28c981d622ecf093\r\nb69a81971bd4800d1737ef67ef47e5b6793723c1fd4b75dfbdddf8b28bd93dd5\r\nc91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a\r\nYou can use the following CLI command to search for all NullMixer samples in our portal:\r\n$ polyswarm link list -f NullMixer\r\nDon’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.\r\nContact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports\r\nSource: https://blog.polyswarm.io/nullmixer-drops-multiple-malware-families",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.polyswarm.io/nullmixer-drops-multiple-malware-families"
	],
	"report_names": [
		"nullmixer-drops-multiple-malware-families"
	],
	"threat_actors": [],
	"ts_created_at": 1775434254,
	"ts_updated_at": 1775791221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ebebba1a514fcb590d5a70c19c93e4c5012283cb.pdf",
		"text": "https://archive.orkl.eu/ebebba1a514fcb590d5a70c19c93e4c5012283cb.txt",
		"img": "https://archive.orkl.eu/ebebba1a514fcb590d5a70c19c93e4c5012283cb.jpg"
	}
}