Campo Loader (or NLoader) is a malware threat that is being leveraged in attack campaigns against Japanese entities. Campo Loader acts as an early-stage component designed to deliver the actual malware payloads onto already compromised computers. Campo Loader has been observed to drop several different payloads, depending on the specific threat actor and their particular goals. The name given to the threat is based on a path containing '/campo/' that is used during communication with the Command-and-Control (C2, C&C) server.
After being executed, the first task of Campo Loader is to create a directory with a hard-coded name. The next step is to attempt to reach the C2 server. For that purpose, the threat sends the string 'ping' via POST and waits for a response. The Openfield server returns a URL as its response, but before Campo Loader proceeds with its threatening activities it checks whether the message from the C2 server starts with an 'h'. If it doesn't, the malware terminates its process.
Otherwise, a second 'ping' message is transmitted to the provided URL, again using the POST method. This causes a second payload to be fetched by Campo Loader and saved as a file on the compromised system. The name of the file is once again hard-coded into the threat. Then rundll32.exe is abused to call a function named 'DF' in the DLL file that was downloaded.
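The sequence above leaves two host- and network-side artifacts a defender can look for: an outbound POST whose body is just 'ping' (optionally to a URL containing '/campo/'), and rundll32.exe being launched with a DLL whose export is named 'DF'. The following is an added example, not code from the original article, showing how that triage logic could be written over telemetry; the pipe-delimited record format and every path, host and file name in the sample lines are constructed for illustration and are not indicators from any real campaign.

```python
"""Toy triage of process and proxy telemetry for the Campo Loader behaviours
described above. Added example; the record layout is an assumed export format:
  proc|<image path>|<command line>
  http|<method>|<url>|<request body>
"""
import re
from typing import Dict, List

# rundll32 <dll>,DF  -- the DLL path may be quoted; the export name must be exactly "DF".
# The rundll32 token is matched case-insensitively, the export name is not, because
# rundll32 resolves exports by exact name.
RUNDLL32_DF = re.compile(r'(?i:\brundll32(?:\.exe)?\b)\s+(?:"[^"]+"|\S+?),\s*DF\s*$')

# Constructed sample telemetry (no real hosts, paths or indicators).
SAMPLE_EVENTS = [
    r"proc|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\Public\Documents\x.dll,DF",
    r"proc|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",
    r'proc|C:\Windows\System32\rundll32.exe|rundll32.exe "C:\ProgramData\a b\stage2.dll",DF',
    "http|POST|http://c2.example.invalid/campo/index.php|ping",
    "http|POST|http://update.example.invalid/api|ping",
    "http|GET|http://example.invalid/campo/|",
]


def is_rundll32_df_call(cmdline: str) -> bool:
    """True when rundll32 is invoked with the 'DF' export named on the page."""
    return RUNDLL32_DF.search(cmdline) is not None


def score_http_request(method: str, url: str, body: str) -> int:
    """Score an outbound request against the beaconing pattern on the page.

    One point for a POST whose entire body is 'ping', one point for a URL
    containing '/campo/'. A score of 2 matches both traits at once.
    """
    score = 0
    if method.upper() == "POST" and body.strip().lower() == "ping":
        score += 1
    if "/campo/" in url.lower():
        score += 1
    return score


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Walk the telemetry and return one hit record per suspicious event."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        kind, *fields = line.rstrip("\n").split("|")
        if kind == "proc" and len(fields) == 2:
            _image, cmdline = fields
            if is_rundll32_df_call(cmdline):
                hits.append({"rule": "rundll32_DF_export", "evidence": cmdline})
        elif kind == "http" and len(fields) == 3:
            method, url, body = fields
            score = score_http_request(method, url, body)
            if score:
                hits.append({"rule": f"campo_beacon_score_{score}",
                             "evidence": f"{method} {url}"})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['rule']:24} {hit['evidence']}")
```

The process rule keys on the export name rather than the DLL path, because the page states the file name is hard-coded per sample and will vary between builds, while 'DF' is the stable part of the invocation. The network score is deliberately graded: a bare 'ping' POST on its own is weak evidence and is worth a look only in combination with the '/campo/' path or a rundll32 hit on the same host.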
In earlier versions of the attack campaigns, Campo Loader was distributed as a .exe file that could be downloaded and executed, and it launched the next-stage payloads such as Ursnif and Zloader directly. The more recent variants, however, tend to be distributed as DLLs, while the delivered payload has shifted to DFDownloader.