{
	"id": "301e5d9d-aff4-4677-ae21-5a1d53140757",
	"created_at": "2026-04-06T00:21:17.903648Z",
	"updated_at": "2026-04-10T13:12:23.685641Z",
	"deleted_at": null,
	"sha1_hash": "ff1d8f1306fa0f95f718c52e04dd6119fbaaf010",
	"title": "sLoad Malware Revamped as Powerful ‘StarsLord’ Loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98913,
	"plain_text": "sLoad Malware Revamped as Powerful ‘StarsLord’ Loader\r\nBy Lindsey O'Donnell\r\nPublished: 2020-01-22 · Archived: 2026-04-05 18:35:55 UTC\r\nThe newest version of the sLoad malware dropper comes equipped with infection-tracking capabilities and an anti-analysis trick.\r\nThe sLoad malware downloader, a PowerShell-based trojan first spotted in May 2018, has a new, polished version that comes with “more powerful features, posing even higher risk,” Microsoft researchers are warning.\r\nAfter discovering it in several campaigns over the holidays, researchers dubbed the new sLoad version “Starslord,” after strings in the malware code. Starslord is a downloader that installs itself on the system, connects to a remote server and downloads additional malware onto the infected machine. In this it follows an attack chain similar to the original version. However, version 2.0 includes a new anti-analysis trick and the ability to track the stage of infection on every affected machine.\r\n“sLoad’s multi-stage attack chain…and its polymorphic nature in general make it a piece of malware that can be quite tricky to detect,” Sujit Magar, with Microsoft’s Defender ATP research team, said in a Tuesday analysis. “Now, it has evolved into a new and polished version, Starslord, which retains sLoad’s most basic capabilities but does away with spyware capabilities in favor of new and more powerful features, posing even higher risk.”\r\nThe latest sLoad version comes on the heels of Microsoft research published in December describing the downloader’s attack techniques, which suggests that the developers behind the malware are trying to shake off analysis, Microsoft warned. 
Threatpost has reached out to Microsoft for more details regarding the victims and a timeline of the Starslord version.\r\nsLoad Attack Chain\r\nsLoad is known for its multi-stage nature and its staple, almost exclusive use of the Background Intelligent Transfer Service (BITS) for data exfiltration, payload fetching and command-and-control (C2) communications. BITS is a legitimate Windows component that uses idle network bandwidth to transfer files in the background without disturbing running applications. Because the transfers are performed by a trusted Windows service rather than by the malware’s own process, they blend in with legitimate update traffic and survive reboots until the job completes.\r\nFirst spotted in May 2018, sLoad has been seen delivering a variety of payloads, including the Ramnit and Ursnif banking trojans, Gootkit, DarkVNC and PsiXBot, among others. Another trademark of sLoad is geofencing, that is, restricting access to content based on the victim’s location as determined from the source IP address, during every step of the infection chain (including the download of the dropper, the PowerShell download of sLoad, sLoad’s communications with its C2 server, and when it receives a task or command).\r\nhttps://threatpost.com/sload-malware-revamped-starslord-l-features/152084/\r\nPage 1 of 3\r\nStarslord’s attack chain stays mostly the same as the original, with some small differences, researchers said. Like the original version, Starslord first arrives via email with a ZIP attachment. 
These attacks have previously been launched via crafted emails in the targeted country’s language, and are often personalized to include recipients’ names and addresses in various parts of the email, such as the body and the subject line.\r\nHowever, while the first version’s ZIP attachment contained a VBScript, which then ran PowerShell and decrypted the payload into the system’s memory, Starslord instead uses a Windows Script File (a .wsf script, a format executed by the Microsoft Windows Script Host) that downloads the PowerShell script under a .jpg extension, so the download looks like an image rather than code.\r\nA BITS job is then created for the Starslord PowerShell script to perform various actions. Many of these were also performed by the first dropper version, including gathering information about the infected Windows system, sending all system information to the C2 server and downloading additional payloads.\r\nHowever, while the previous version would take screenshots of the system and upload them to the C2, Starslord appears to have traded these spyware-like capabilities for other features.\r\nNew Features\r\nOne such feature in Starslord is a tracking mechanism that records the stage of an infection. This mechanism loops infinitely to feed the C2 the information, which researchers said could be used by the downloader’s operators to organize infected machines into sub-groups and then send commands to specific systems.\r\n“With the ability to track the stage of infection, malware operators with access to the Starslord backend could build a detailed view of infections across affected machines and segregate these machines into different groups,” researchers said.\r\nStarslord also comes with a new anti-analysis trick: a trap that lets the operators identify and isolate analyst machines. 
This built-in function, called checkUniverse, relies on two files dropped onto the system (a randomly named .tmp file and a randomly named .ps1 file).\r\n“When an analyst dumps the decrypted code of the final stage into a file in the same folder as the .tmp and .ps1 files, the analyst could end up naming it something other than the original random name,” researchers said. “When this dumped code is run from such a differently named file on the disk, a function named checkUniverse returns the value 1.”\r\nIf checkUniverse flags the system as belonging to an analyst, the files downloaded by the PowerShell script (in response to the exfiltration BITS job) are discarded. The practical consequence for analysts is that a dumped final stage must be run under the original random file name, or the check must be patched out, or the sample will silently withhold its payload.\r\nsLoad continues to evolve: Proofpoint researchers said in 2018 that only months after its discovery there were already several incremental changes to the dropper, such as a change at the zipped-LNK download step so that the initial .LNK file downloaded sLoad directly, without the additional intermediate PowerShell stage.\r\n“sLoad, like other downloaders we have profiled recently, fingerprints infected systems, allowing threat actors to better choose targets of interest for the payloads of their choice,” the Proofpoint research team said at the time. “In this case, that final payload is generally a banking trojan via which the actors can not only steal additional data but perform man-in-the-browser attacks on infected individuals. Downloaders, though, like sLoad, Marap and others, provide high degrees of flexibility to threat actors, whether avoiding vendor sandboxes, delivering ransomware to a system that appears mission critical, or delivering a banking trojan to systems with the most likely return.”\r\n
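The BITS behaviour described under sLoad Attack Chain above (upload jobs for exfiltration, a PowerShell script fetched under a .jpg extension, jobs created from a user session) is what a defender would hunt for on an endpoint. The following Python is an added example written for this page, not code from the article, Microsoft or Proofpoint. It triages BITS job records using the field names that the Get-BitsTransfer -AllUsers cmdlet exposes (JobId, DisplayName, TransferType, JobState, OwnerAccount, NotifyCmdLine, and RemoteName/LocalName per file), but the records themselves are constructed, and the heuristics, extension lists and script-host names are assumptions of this example. It goes a step beyond the article by also checking the first bytes of the local file, which catches a script saved with an image extension even when the remote and local names agree.

```python
# Added example for this page; not code from the Threatpost article, Microsoft or
# Proofpoint. Triage of BITS jobs for the sLoad/Starslord pattern: upload jobs used
# for exfiltration, script content hidden behind an image extension, completion
# commands that launch a script host, and bare-IP remote hosts. Field names mirror
# Get-BitsTransfer -AllUsers output; every record below is constructed sample data.
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

IMAGE_EXTS = {'.jpg', '.jpeg', '.png', '.gif', '.bmp'}
SCRIPT_EXTS = {'.ps1', '.vbs', '.js', '.wsf', '.bat', '.cmd', '.exe', '.dll'}
# assumption: these process names in NotifyCmdLine deserve an alert in most environments
SCRIPT_HOSTS = ('powershell', 'pwsh', 'cmd.exe', 'wscript', 'cscript', 'mshta', 'rundll32', 'regsvr32')
SYSTEM_PREFIXES = ('NT AUTHORITY', 'NT SERVICE')
BS = chr(92)  # backslash, used to build Windows account names
JPEG_MAGIC = bytes([0xFF, 0xD8, 0xFF])
PNG_MAGIC = bytes([0x89, 0x50, 0x4E, 0x47])
GIF_MAGIC = b'GIF8'


@dataclass
class BitsFile:
    remote_name: str
    local_name: str
    local_head: Optional[bytes] = None  # first bytes of the local file, if it exists yet


@dataclass
class BitsJob:
    job_id: str
    display_name: str
    transfer_type: str  # Download, Upload or UploadReply
    job_state: str
    owner_account: str
    notify_cmd_line: str = ''
    files: List[BitsFile] = field(default_factory=list)


def ext_of(name: str) -> str:
    # works for both URLs (RemoteName) and local paths (LocalName)
    path = urlparse(name).path if '://' in name else name
    return os.path.splitext(path)[1].lower()


def image_magic_ok(ext: str, head: bytes) -> bool:
    # True when the file starts with the signature its extension promises
    if ext in ('.jpg', '.jpeg'):
        return head.startswith(JPEG_MAGIC)
    if ext == '.png':
        return head.startswith(PNG_MAGIC)
    if ext == '.gif':
        return head.startswith(GIF_MAGIC)
    return True  # no signature known for this extension, so do not flag it


def triage_job(job: BitsJob) -> List[str]:
    findings: List[str] = []
    user_owned = not job.owner_account.upper().startswith(SYSTEM_PREFIXES)
    # 1. BITS uploads are rare in normal use; sLoad relies on them for exfiltration
    if job.transfer_type.lower() in ('upload', 'uploadreply') and user_owned:
        findings.append('upload-job-owned-by-user')
    # 2. a completion command that starts a script host turns the job into an execution trigger
    if any(h in job.notify_cmd_line.lower() for h in SCRIPT_HOSTS):
        findings.append('notify-cmdline-runs-script-host')
    for f in job.files:
        rext, lext = ext_of(f.remote_name), ext_of(f.local_name)
        # 3. image on the server saved as a script locally, or the reverse
        if (rext in IMAGE_EXTS and lext in SCRIPT_EXTS) or (rext in SCRIPT_EXTS and lext in IMAGE_EXTS):
            findings.append('extension-mismatch:' + f.remote_name)
        # 4. an image extension whose content lacks image magic bytes (the .jpg that is really PowerShell)
        if f.local_head is not None and lext in IMAGE_EXTS and not image_magic_ok(lext, f.local_head):
            findings.append('fake-image-content:' + f.local_name)
        # 5. a remote host given as a bare IPv4 address rather than a name
        host = urlparse(f.remote_name).hostname or ''
        if host and host.replace('.', '').isdigit():
            findings.append('bare-ip-remote:' + host)
    return findings


def triage_all(jobs: List[BitsJob]) -> Dict[str, List[str]]:
    # job id -> findings, for jobs that produced at least one finding
    result: Dict[str, List[str]] = {}
    for job in jobs:
        found = triage_job(job)
        if found:
            result[job.job_id] = found
    return result


# Constructed sample jobs (paths use forward slashes, which Windows accepts, to keep the literals simple)
SAMPLE_JOBS = [
    BitsJob('{1}', 'WU Client Download', 'Download', 'Transferred', 'NT AUTHORITY' + BS + 'SYSTEM', '',
            [BitsFile('https://update.example.net/pkg/kb000001.cab', 'C:/Windows/SoftwareDistribution/Download/kb000001.cab')]),
    BitsJob('{2}', 'BITS Transfer', 'Download', 'Transferred', 'CORP' + BS + 'alice', '',
            [BitsFile('https://203.0.113.7/img/42.jpg', 'C:/Users/alice/AppData/Local/Temp/wq5.jpg',
                      b'$sp = [IO.File]::ReadAllText(')]),
    BitsJob('{3}', 'BITS Transfer', 'Upload', 'Transferring', 'CORP' + BS + 'alice',
            'powershell.exe -nop -w hidden -File C:/Users/alice/AppData/Roaming/wq5.ps1',
            [BitsFile('https://198.51.100.23/u/', 'C:/Users/alice/AppData/Local/Temp/sysinfo.txt')]),
]

if __name__ == '__main__':
    for job_id, found in triage_all(SAMPLE_JOBS).items():
        print(job_id, found)
```

In production the records would come from Get-BitsTransfer -AllUsers (or bitsadmin /list /allusers /verbose) rather than from the inline samples, and the extension and script-host lists would be tuned to what the environment legitimately uses; the upload-job heuristic in particular should be checked against any deployed products that are known to use BITS uploads before it is allowed to page anyone.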
Source: https://threatpost.com/sload-malware-revamped-starslord-l-features/152084/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/sload-malware-revamped-starslord-l-features/152084/"
	],
	"report_names": [
		"152084"
	],
	"threat_actors": [],
	"ts_created_at": 1775434877,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff1d8f1306fa0f95f718c52e04dd6119fbaaf010.pdf",
		"text": "https://archive.orkl.eu/ff1d8f1306fa0f95f718c52e04dd6119fbaaf010.txt",
		"img": "https://archive.orkl.eu/ff1d8f1306fa0f95f718c52e04dd6119fbaaf010.jpg"
	}
}