{
	"id": "8f89eb86-2cd6-4c14-989c-c423989a8a9c",
	"created_at": "2026-04-06T00:13:02.230664Z",
	"updated_at": "2026-04-10T03:21:30.081478Z",
	"deleted_at": null,
	"sha1_hash": "ff62c63dabd86fabbb4d209b1343f2ff780b3616",
	"title": "sLoad launches version 2.0, Starslord | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 615551,
	"plain_text": "sLoad launches version 2.0, Starslord | Microsoft Security Blog\r\nBy Microsoft Defender Security Research Team\r\nPublished: 2020-01-21 · Archived: 2026-04-05 14:35:41 UTC\r\nsLoad, the PowerShell-based Trojan downloader notable for its almost exclusive use of the Background Intelligent\r\nTransfer Service (BITS) for malicious activities, has launched version 2.0. The new version comes on the heels of\r\na comprehensive blog we published detailing the malware’s multi-stage nature and use of BITS as an alternative\r\nprotocol for data exfiltration and other behaviors.\r\nWith the new version, sLoad has added the ability to track the stage of infection on every affected machine.\r\nVersion 2.0 also packs an anti-analysis trick that could identify and isolate analyst machines vis-à-vis actual\r\ninfected machines.\r\nWe’re calling the new version “Starslord” based on strings in the malware code, which has clues indicating that\r\nthe name “sLoad” may have been derived from a popular comic book superhero.\r\nWe discovered the new sLoad version over the holidays, in our continuous monitoring of the malware. New sLoad\r\ncampaigns that use version 2.0 follow an attack chain similar to the previous version, with some updates,\r\nincluding dropping the dynamic list of command-and-control (C2) servers and the upload of screenshots.\r\nhttps://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/\r\nPage 1 of 5\n\nTracking the stage of infection\r\nWith the ability to track the stage of infection, malware operators with access to the Starslord backend could build\r\na detailed view of infections across affected machines and segregate these machines into different groups.\r\nThe tracking mechanism exists in the final stage, which, as with the old version, loops infinitely (with a sleep\r\ninterval of 2400 seconds, higher than the 1200 seconds in version 1.0). 
In line with the previous version, at every\r\niteration of the final stage, the malware uses a download BITS job to exfiltrate stolen system information and\r\nreceive additional payloads from the active C2 server.\r\nAs we noted in our previous blog, creating a BITS job with an extremely large RemoteURL parameter that\r\nincludes non-encrypted system information, as the old sLoad version did, stands out and is relatively easy to\r\ndetect. However, with Starslord, the system information is encoded into Base64 data before being exfiltrated.\r\nThe file received by Starslord in response to the exfiltration BITS job contains a tuple of three values separated by\r\nan asterisk (*):\r\nValue #1 is a URL to download additional payload using a download BITS job\r\nValue #2 specifies the action, which can be any of the following, to be taken on the payload downloaded\r\nfrom the URL in value #1:\r\n“eval” – Run (possibly very large) PowerShell scripts\r\n“iex” – Load and invoke (possibly small) PowerShell code\r\n“run” – Download encoded PE file, decode using exe, and run the decoded executable\r\nValue #3 is an integer that can signify the stage of infection for the machine\r\nSupplying the payload URL as part of value #1 allows the malware infrastructure to house additional payloads on\r\ndifferent servers from the active C2 servers responding to the exfiltration BITS jobs.\r\nValue #3 is the most noteworthy component in this setup. If the final stage succeeds in downloading additional\r\npayload using the URL provided in value #1 and executing it as specified by the command in value #2, then a\r\nvariable is used to form the string “td”:”\u003cvalue#3\u003e”,”tds”:”3”. 
However, if the final stage fails to download\r\nand execute the payload, then the string formed is “td”:”\u003cvalue #3\u003e”,”tds”:”4”.\r\nThe infinite loop ensures that the exfiltration BITS jobs are created at a fixed interval. The backend infrastructure\r\ncan then pick up the pulse from each infected machine. However, unlike the previous version, Starslord includes\r\nthe said string in succeeding iterations of data exfiltration. This means that the malware infrastructure is always\r\naware of the exact stage of the infection for a specific affected machine. In addition, since the numeric value for\r\nvalue #3 in the tuple is always governed by the malware infrastructure, malware operators can compartmentalize\r\ninfected hosts and could potentially set off individual groups on unique infection paths. For example, when\r\nresponding to exfiltration BITS jobs, malware operators can specify a different URL (value #1) and action (value\r\n#2) for each numeric value for value #3 of the tuple, essentially deploying a different malware payload for\r\ndifferent groups.\r\nAnti-analysis trap\r\nStarslord comes built-in with a function named checkUniverse, which is in fact an anti-analysis trap.\r\nAs mentioned in our previous blog post, the final stage of sLoad is a piece of PowerShell code obtained by\r\ndecoding one of the dropped .ini files. The PowerShell code appears in the memory as a value assigned to a\r\nvariable that is then executed using the Invoke-Expression cmdlet. 
Because this is a huge piece of decrypted\r\nPowerShell code that never hits the disk, security researchers would typically dump it into a file on the disk for\r\nfurther analysis.\r\nThe sLoad dropper PowerShell script drops four files:\r\na randomly named .tmp file\r\na randomly named .ps1 file\r\na main.ini file\r\na domain.ini file\r\nIt then creates a scheduled task to run the .tmp file every 3 minutes, similar to the previous version. The .tmp file\r\nis a proxy that does nothing but run the .ps1 file, which decrypts the contents of main.ini into the final stage. The\r\nfinal stage then decrypts the contents of domain.ini to obtain the active C2 and perform other activities as documented.\r\nAs a unique anti-analysis trap, Starslord ensures that the .tmp and .ps1 files have the same random name. When an\r\nanalyst dumps the decrypted code of the final stage into a file in the same folder as the .tmp and .ps1 files, the\r\nanalyst could end up naming it something other than the original random name. When this dumped code is run\r\nfrom such a differently named file on the disk, a function named checkUniverse returns the value 1, and the analyst\r\ngets trapped.\r\nWhat comes next is not very desirable for a security researcher: being profiled by the malware operator.\r\nIf the host belongs to a trapped analyst, the file downloaded from the backend in response to the exfiltration BITS\r\njob, if any, is discarded and overwritten by the following new tuple:\r\nhxxps://\u003cactive C2\u003e/doc/updx2401.jpg*eval*-1\r\nIn this case, value #1 of the tuple is a URL that’s known to the backend for being associated with trapped\r\nhosts. BITS jobs from trapped hosts don’t always get a response. If they do, it’s a copy of the dropper PowerShell\r\nscript. 
This could be to create an illusion that the framework is being updated, as the URL in value #1 of the tuple\r\nsuggests (hxxps://\u003cactive C2\u003e/doc/updx2401.jpg).\r\nHowever, the string that is included in all successive exfiltration BITS jobs from such a host is\r\n“td”:”-1”,”tds”:”3”, eventually leading to all such hosts getting grouped under the value “td”:”-1”. This forms the\r\ngroup of all trapped machines that are never delivered a payload. For the rest, so far, evidence suggests that it has\r\nbeen delivering the file infector Ramnit intermittently.\r\nDurable protection against evolving malware\r\nsLoad’s multi-stage attack chain, use of mutated intermediate scripts and BITS as an alternative protocol, and its\r\npolymorphic nature in general make it a piece of malware that can be quite tricky to detect. Now, it has evolved into\r\na new and polished version, Starslord, which retains sLoad’s most basic capabilities but does away with spyware\r\ncapabilities in favor of new and more powerful features, posing even higher risk.\r\nStarslord can track and group affected machines based on the stage of infection, which can allow for unique\r\ninfection paths. Interestingly, given the distinct reference to a fictional superhero, these groups can be thought of\r\nas universes in a multiverse. In fact, the malware uses a function called checkUniverse to determine if a host is an\r\nanalyst machine.\r\nMicrosoft Threat Protection defends customers from sophisticated and continuously evolving threats like sLoad\r\nusing multiple industry-leading security technologies that protect various attack surfaces. 
Through signal-sharing\r\nacross multiple Microsoft services, Microsoft Threat Protection delivers comprehensive protection for identities,\r\nendpoints, data, apps, and infrastructure.\r\nOn endpoints, behavioral blocking and containment capabilities in Microsoft Defender Advanced Threat\r\nProtection (Microsoft Defender ATP) ensure durable protection against evolving threats. Through cloud-based\r\nmachine learning and data science informed by threat research, Microsoft Defender ATP can spot and stop\r\nmalicious behaviors from threats, both old and new, in real time.\r\nSujit Magar\r\nMicrosoft Defender ATP Research Team\r\nSource: https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/"
	],
	"report_names": [
		"sload-launches-version-2-0-starslord"
	],
	"threat_actors": [],
	"ts_created_at": 1775434382,
	"ts_updated_at": 1775791290,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff62c63dabd86fabbb4d209b1343f2ff780b3616.pdf",
		"text": "https://archive.orkl.eu/ff62c63dabd86fabbb4d209b1343f2ff780b3616.txt",
		"img": "https://archive.orkl.eu/ff62c63dabd86fabbb4d209b1343f2ff780b3616.jpg"
	}
}