{
	"id": "abb6a70a-d1c2-4a90-92f5-e6bd72226ab4",
	"created_at": "2026-04-06T00:11:27.965089Z",
	"updated_at": "2026-04-10T03:20:03.143298Z",
	"deleted_at": null,
	"sha1_hash": "eeb3ec1ce9903698763012ff83b198f2fff7871d",
	"title": "Kardon Loader Looks for Beta Testers | NETSCOUT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 618318,
	"plain_text": "Kardon Loader Looks for Beta Testers | NETSCOUT\r\nArchived: 2026-04-05 16:15:17 UTC\r\nKey Findings\r\nASERT researchers discovered Kardon Loader being advertised on underground forums.\r\nKardon Loader features functionality allowing customers to open their own botshop, which grants the purchaser the ability to rebuild the bot and sell access to others.\r\nKardon Loader is in early stages of development (public beta).\r\nIncorporates numerous anti-analysis checks to discourage analysis.\r\nExecutive Summary\r\nKardon Loader is a malware downloader advertised on underground forums as a paid open beta product. This malware has been on sale by an actor under the username Yattaze, starting in late April. The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop, in which case any customer can establish their own operation and further sell access to a new customer base.\r\nMalware authors and distributors leverage downloader malware and botshops to build malware distribution networks. Malware distribution networks are commonly used by cyber criminals to create botnets to distribute additional payloads such as credential theft malware, ransomware, banking Trojans, and others. These distribution networks are often run by third-party operators and offered as a service in underground markets.\r\nNOTE: ASERT actively collects indicators associated with this malware family to provide protection for our Netscout Arbor customers.\r\nHistory\r\nOn April 21, 2018 actor Yattaze began advertising the open public beta of a downloader named Kardon Loader for $50. The description of the malware family suggests this malware was a rebrand of the ZeroCool botnet, which was under development previously by the same actor. The actor has had an account on the forum since April 2017 and received multiple vouches for this product. The advertisement for the loader is professional looking with its own logo (Figure 1 \u0026 Figure 2).\r\nFigure 1: The advertisement for the loader is professional looking with its own logo.\r\nhttps://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/\r\nPage 1 of 8\r\nFigure 2: Kardon Loader Pricing\r\nThe actor provides a disclaimer stating this software should not be used for malicious purposes (Figure 3).\r\nFigure 3: Kardon Loader Disclaimer\r\nAdditionally, the actor uploaded a YouTube video showing the panel functionality from an admin standpoint (Figure 4).\r\nFigure 4: Kardon Loader YouTube Walkthrough\r\nDistribution\r\nInsights gained from the forum thread suggest the actor initially conducted tests by leveraging a well-known botshop named “Pink Panther’s automated loads shop (Pink)”. Commentary from the actor reveals this bot is not widely distributed at this time. Only 124 infections are shown in a screenshot of the loader’s test network posted by the actor (Figure 5).\r\nFigure 5: Kardon Loader Administrator Panel Showing Infections\r\nAnalysis\r\nThe actor alleges the following functionality is available or forthcoming in Kardon Loader:\r\nBot Functionality\r\nDownload and Execute Task\r\nUpdate Task\r\nUninstall Task\r\nUsermode Rootkit\r\nRC4 Encryption (Not Yet Implemented)\r\nDebug and Analysis Protection\r\nTOR Support\r\nDomain Generation Algorithm (DGA)\r\nASERT found many of these features absent in the samples reviewed. All samples analyzed used hard-coded command and control (C2) URLs instead of a DGA. There was also no evidence of TOR or user mode rootkit functionality in the binaries.\r\nAnti-Analysis Techniques\r\nKardon Loader uses a few anti-analysis techniques, such as attempting to get the module handle for the following DLLs:\r\navghookx.dll\r\navghooka.dll\r\nsnxhk.dll\r\nsbiedll.dll\r\ndbghelp.dll\r\napi_log.dll\r\ndir_watch.dll\r\npstorec.dll\r\nvmcheck.dll\r\nwpespy.dll\r\nIf any of the above DLL handles are returned, it will exit the process. These DLLs are associated with antivirus, analysis tools, and virtualization. Kardon Loader will also enumerate the CPUID Vendor ID value and compare it against the following strings:\r\nKVMKVMKVM\r\nMicrosoft Hv\r\nVMwareVMware\r\nXenVMMXenVMM\r\nprl hyperv\r\nVBoxVBoxVBox\r\nThese are known CPUID Vendor ID values associated with virtualized machines. If one of these values is detected, the malware will also exit.\r\nCommand and Control\r\nKardon Loader uses HTTP-based C2 infrastructure with URL parameters that are base64 encoded. Upon execution, Kardon Loader will send HTTP POSTs to the C2 with the following fields:\r\nID = Identification Number\r\nOS = Operating System\r\nPV = User Privilege\r\nIP = Initial Payload (Full Path)\r\nCN = Computer Name\r\nUN = User Name\r\nCA = Processor Architecture\r\nAn example of the POST payload sent from a Kardon Loader sample upon execution can be seen in Figure 6:\r\nFigure 6: Kardon Loader POST Request\r\nOnce the request is made, the C2 server will provide varying feedback which will result in either downloading and executing additional payloads, visiting a website, upgrading current payloads, or uninstalling itself. The C2 server response format for a wait command is:\r\nnotask\r\nOther commands, including the download and execution functionality, use the following format:\r\nnewtask`##`# \u003curl\u003e\r\nHash marks represent the two-character task ID and the one-character task value.\r\nNext, the infected host will send a confirmation message back to the C2 in the same format as the initial POST payload with the following additional fields:\r\nTD = Task Identifier (Provided by command and control)\r\nOP = Task Output (1 if successful, 2 if not successful)\r\nAnalysis of various samples reveals another parameter used for uninstalling the loader as directed by the C2:\r\nUN = Uninstalled\r\nPosts from the actor on their advertisement thread suggest that C2 communication for this family will be changed to RC4 encryption in the future. Also, if the actor truly implements a DGA, it may be used as a fallback mechanism for C2.\r\nAdministration Panel\r\nThe panel for Kardon Loader incorporates a simple design with a dashboard of the bot distribution and install statistics. A notable feature of this panel is the bot store functionality, allowing the bot admin to generate access keys for customers that give them the ability to execute tasks based on predefined parameters (Figure 8).\r\nFigure 8: Kardon Loader Store\r\nUsers can specify a URL, then provide the task type and number of executions in order to distribute commands to bots on the network. This is shown in the actor's instructional YouTube video (Figure 4).\r\nConclusion and Recommendations\r\nThis article is an overview of the downloader malware known as Kardon Loader. Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, e.g. banking trojans, credential theft malware, etc. Downloaders are a critical part of the malware ecosystem, often developed by specialists and sold independently of the trojan that is the objective of the campaign. Although only in public beta stage, this malware features bot store functionality allowing purchasers to open up their own botshop with this platform. The actor started advertising this loader in late April and has communicated that further development will be done on this loader in the future, including encrypted C2 communications.\r\nAt a minimum, organizations should leverage the indicators contained within this report to block malicious activity associated with Kardon Loader. Researchers may also leverage the Yara rule below to look for additional copies of Kardon Loader to extract other IOCs for blocking malicious activity.\r\nYara Rule\r\nhttps://gist.github.com/arbor-asert/2ad9c7d715f41efc9d59ed8c425d10d3\r\nHashes\r\nfd0dfb173aff74429c6fed55608ee99a24e28f64ae600945e15bf5fce6406aee\r\nb1a1deaacec7c8ac43b3dad8888640ed77b2a4d44f661a9e52d557e7833c7a21\r\n3c64d7dbef4b7e0dd81a5076172451334fe9669800c40c895567226f7cb7cdc7\r\nCommand and Control URLs\r\nKardon[.]ddns[.]net\r\nJhuynfrkijucdxiu[.]club\r\nKreuzberg[.]ru\r\nCryptdrop[.]xyz\r\nSource: https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/"
	],
	"report_names": [
		"kardon-loader-looks-for-beta-testers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434287,
	"ts_updated_at": 1775791203,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eeb3ec1ce9903698763012ff83b198f2fff7871d.pdf",
		"text": "https://archive.orkl.eu/eeb3ec1ce9903698763012ff83b198f2fff7871d.txt",
		"img": "https://archive.orkl.eu/eeb3ec1ce9903698763012ff83b198f2fff7871d.jpg"
	}
}