Infection Chain | Image: IBM X-Force
IBM X-Force researchers have identified a new loader malware, dubbed QuirkyLoader, that is being used to deliver some of today’s most prevalent malware families—including Agent Tesla, AsyncRAT, FormBook, and Remcos.
The QuirkyLoader infection begins with a spam email containing a malicious archive file. As X-Force explains, “This archive contains three key components: a legitimate executable, an encrypted payload and a malicious DLL. The actor uses DLL side-loading, a technique where launching the legitimate executable also loads the malicious DLL.”
Once executed, the malicious DLL decrypts the payload and injects it into a legitimate process, using process hollowing against .NET host executables such as AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe. Because the payload then runs under the name of a trusted, signed binary, this approach helps QuirkyLoader evade defenses that judge a process by its on-disk image rather than its in-memory contents.
One of the most notable findings is the loader’s reliance on .NET ahead-of-time (AOT) compilation. The report highlights, “QuirkyLoader’s DLL module is consistently written in C# .NET. It is compiled using Ahead-of-Time (AOT) compilation … making the resulting binary appear as though it were written in C or C++.”
For decryption, QuirkyLoader employs uncommon cryptographic choices. In one variant, “the malware uses the Speck-128 cipher with Counter (CTR) mode to decrypt the payload, a method not commonly used by malware.” Choosing a cipher rarely seen in malware suggests a deliberate effort to sidestep detection signatures and analyst decryption tooling that are built around the algorithms malware commonly uses.
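To make the decryption step concrete, here is a Speck-128/128 CTR routine written as an analyst would to recover an extracted payload in a sandbox; it is an added example and not code from the IBM X-Force report or the malware. It follows the word order of the published Speck specification and verifies itself against the published test vector; the counter-block layout (a 16-byte big-endian counter seeded from a nonce) is an assumption, since the report does not describe the sample's layout.

```python
# Added example, not code from the report: Speck-128/128 in CTR mode, written as
# an analyst would to decrypt a payload recovered from a sample. Word order follows
# the Speck paper; the counter-block layout is an assumption, not taken from the sample.
import struct

MASK64 = (1 << 64) - 1
ROUNDS = 32  # Speck128/128: 64-bit words, 128-bit key

def _ror(x, r):
    return ((x >> r) | (x << (64 - r))) & MASK64

def _rol(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK64

def speck_expand_key(k0, l0):
    """Key schedule: k0, l0 are the two 64-bit key words (paper's K[0], K[1])."""
    k, l, round_keys = k0, l0, [k0]
    for i in range(ROUNDS - 1):
        l = ((_ror(l, 8) + k) & MASK64) ^ i
        k = _rol(k, 3) ^ l
        round_keys.append(k)
    return round_keys

def speck_encrypt_block(x, y, round_keys):
    """Encrypt one 128-bit block given as two 64-bit words (x, y)."""
    for k in round_keys:
        x = ((_ror(x, 8) + y) & MASK64) ^ k
        y = _rol(y, 3) ^ x
    return x, y

def speck_ctr(key, nonce, data):
    """XOR data with the CTR keystream; the same call encrypts and decrypts.
    Assumed: 16-byte big-endian counter seeded from nonce, +1 per block."""
    rks = speck_expand_key(*struct.unpack('<QQ', key))
    counter = int.from_bytes(nonce, 'big')
    out = bytearray()
    for off in range(0, len(data), 16):
        block = (counter % (1 << 128)).to_bytes(16, 'big')
        y, x = struct.unpack('<QQ', block)          # paper: pt[0] = y, pt[1] = x
        x, y = speck_encrypt_block(x, y, rks)
        keystream = struct.pack('<QQ', y, x)
        out += bytes(a ^ b for a, b in zip(data[off:off + 16], keystream))
        counter += 1
    return bytes(out)

def self_test():
    """Check the block cipher against the published Speck128/128 test vector."""
    rks = speck_expand_key(0x0706050403020100, 0x0f0e0d0c0b0a0908)
    x, y = speck_encrypt_block(0x6c61766975716520, 0x7469206564616d20, rks)
    return (x, y) == (0xa65d985179783265, 0x7860fedf5c570d18)
```

Run `self_test()` first; if the sample's payload still does not decrypt with the recovered key, the counter layout or word order in the sample's own routine differs from the assumption above.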
Additionally, the malware dynamically resolves Windows APIs like CreateProcessW, ZwUnmapViewOfSection, and SetThreadContext to perform process hollowing, further complicating forensic analysis.
While QuirkyLoader’s global reach is still being studied, IBM X-Force observed two distinct campaigns in July 2025. In Taiwan, attackers specifically targeted employees of Nusoft Taiwan, a network and security research company, by deploying the Snake Keylogger. Meanwhile, in Mexico, the loader indiscriminately delivered both Remcos RAT and AsyncRAT to individuals.
The campaign was traced back to a malicious infrastructure centered around the domain catherinereynolds[.]info. IBM X-Force noted that “this domain resolves to the IP address 157[.]66[.]225[.]11 and hosts a Zimbra web client.” By pivoting off its SSL certificate, researchers identified two additional IPs—103[.]75[.]77[.]90 and 161[.]248[.]178[.]212—that share the same certificate details and hosting patterns.
The emergence of QuirkyLoader highlights how threat actors continuously refine loader malware to bypass detection. Unlike simple droppers, QuirkyLoader uses advanced techniques such as DLL side-loading, AOT compilation, and custom cryptography to deliver multiple malware families. As IBM X-Force concludes, “QuirkyLoader is a new loader malware that is actively distributing well-known malware families like Agent Tesla, AsyncRAT and Remcos.”