
QuirkyLoader Malware

Cybersecurity researchers have uncovered a new malware loader known as QuirkyLoader, which has been actively leveraged in spam email campaigns since November 2024. Its primary role is to deliver a wide range of malicious payloads, including information stealers and remote access trojans (RATs).

A Growing Arsenal of Malware

QuirkyLoader has been linked to the distribution of several high-profile malware families, including:

  • Agent Tesla
  • AsyncRAT
  • Formbook
  • Masslogger
  • Remcos RAT
  • Rhadamanthys Stealer
  • Snake Keylogger

This broad toolkit highlights the loader’s adaptability and the threat actor’s capability to launch diverse cyberattacks.

Deceptive Delivery Through Spam Emails

Attackers are relying on both legitimate email service providers and a self-hosted email server to deliver malicious spam. Each email typically contains an archive file holding three critical components:

  • A malicious DLL
  • An encrypted payload
  • A legitimate executable

DLL side-loading abuses the Windows DLL search order: when the legitimate executable requests a library by name, the loader looks in the executable's own directory before the system directories, so the attacker's DLL of that name, shipped in the same archive, is loaded instead of the genuine one. The victim only has to run a benign-looking, often signed, program. Once loaded, the malicious DLL decrypts the bundled payload and injects it into a target process.
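The three-file bundle described above is itself a useful triage signal. The following is an added example, not code from the QuirkyLoader campaign or the researchers: it unpacks an attachment archive and flags any directory that holds the side-loading triad (an EXE, a DLL beside it, and a non-PE member whose bytes look encrypted). The archive, its file names and the entropy threshold are constructed assumptions for the demo.

```python
"""Attachment triage for the DLL side-loading triad: a real-looking EXE,
a DLL dropped beside it, and an opaque (encrypted) payload.
Added example, not code from the QuirkyLoader campaign; the archive
and file names below are constructed for the demo."""
import io
import math
import os
import zipfile
from collections import Counter

# Assumption for this demo: anything at or above this Shannon entropy
# (bits per byte) is treated as compressed or encrypted. Tune per estate.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for a
    perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_member(name: str, data: bytes) -> str:
    """Bucket one archive member as 'exe', 'dll', 'blob' or 'other'."""
    ext = os.path.splitext(name)[1].lower()
    is_pe = data[:2] == b"MZ"          # DOS/PE magic; good enough for triage
    if is_pe and ext == ".exe":
        return "exe"
    if is_pe and ext == ".dll":
        return "dll"
    if not is_pe and shannon_entropy(data) >= HIGH_ENTROPY:
        return "blob"
    return "other"


def triage_archive(archive: bytes) -> dict:
    """Group members by directory and flag every directory holding the full
    triad. Returns {'triad_dirs': [...], 'members': {dir: {kind: [names]}}}."""
    members = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)       # decompressed bytes, so entropy is meaningful
            directory = os.path.dirname(info.filename)
            bucket = members.setdefault(
                directory, {"exe": [], "dll": [], "blob": [], "other": []})
            bucket[classify_member(info.filename, data)].append(info.filename)
    triad_dirs = sorted(d for d, b in members.items()
                        if b["exe"] and b["dll"] and b["blob"])
    return {"triad_dirs": triad_dirs, "members": members}


def build_sample_archive() -> bytes:
    """Constructed sample: stub PE files (MZ magic plus padding), a uniform
    byte pattern standing in for an encrypted payload, and a text file."""
    fake_pe = b"MZ" + b"\x00" * 510
    encrypted_like = bytes(range(256)) * 16      # entropy exactly 8.0 bits/byte
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice/viewer.exe", fake_pe)          # hypothetical legit EXE
        zf.writestr("invoice/version.dll", fake_pe)         # hypothetical planted DLL
        zf.writestr("invoice/invoice.dat", encrypted_like)  # stand-in encrypted payload
        zf.writestr("invoice/README.txt", b"Open viewer.exe to view your invoice.\n")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_archive(build_sample_archive())
    for d in result["triad_dirs"]:
        print(f"side-loading triad in '{d}': {result['members'][d]}")
```

The entropy test is what separates an encrypted payload from an innocent data file; compressed formats (images, Office documents) also score high, so in production this should be one feature among several, not a verdict on its own.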

Exploiting Process Hollowing

The injection uses process hollowing: the loader starts a legitimate process in a suspended state, replaces its in-memory image with the decrypted payload, and then resumes it, so the payload runs under the name and on-disk image of the original program. In QuirkyLoader's campaigns, the favored hosts are all Microsoft-signed .NET Framework binaries:

  • AddInProcess32.exe
  • InstallUtil.exe
  • aspnet_wp.exe

Because the file on disk is a trusted, signed binary, the activity blends in with ordinary .NET activity and simple image-path or signature checks pass. The tell is in memory (the mapped code no longer matches the file) and in context: which process spawned the host, from where, and with what arguments.
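The context tells mentioned above can be turned into a first-pass hunt over process-creation telemetry. The following is an added example, not detection logic from the report: it scores Sysmon-style events for the three host binaries named above, flagging a host started with no arguments or parented by an executable in a user-writable directory. The event records are constructed, and the trusted-root and user-writable path lists are assumptions to tune for your environment.

```python
"""Heuristic for the process-hollowing pattern over Sysmon-style
process-creation events (Event ID 1 field names).  Added example, not
detection logic from the report; events below are constructed and the
path lists are assumptions to tune for your environment."""
import re
from pathlib import PureWindowsPath

# .NET Framework host binaries the text names as hollowing targets.
HOLLOW_TARGETS = {"addinprocess32.exe", "installutil.exe", "aspnet_wp.exe"}

# Assumption: legitimate parents of these hosts live under these roots ...
TRUSTED_PARENT_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# ... while a parent under any of these matches the extracted-attachment pattern.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\",
                         "\\programdata\\", "\\downloads\\")


def split_command_line(cmd: str) -> list:
    """Split a Windows command line, keeping quoted segments intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def analyze_event(event: dict) -> dict:
    """Score one event. Returns {'suspicious': bool, 'reasons': [...]}."""
    image = PureWindowsPath(event["Image"]).name.lower()
    if image not in HOLLOW_TARGETS:
        return {"suspicious": False, "reasons": []}
    parent = event.get("ParentImage", "").lower()
    args = split_command_line(event.get("CommandLine", ""))[1:]
    reasons = []
    # A hollowed host is created suspended and never receives real arguments;
    # started legitimately, these binaries get a GUID/pid, an assembly path, etc.
    if not args:
        reasons.append(f"{image} started with no arguments")
    if any(m in parent for m in USER_WRITABLE_MARKERS):
        reasons.append(f"parent runs from a user-writable path: {event.get('ParentImage')}")
    elif not parent.startswith(TRUSTED_PARENT_ROOTS):
        reasons.append(f"parent outside expected roots: {event.get('ParentImage')}")
    return {"suspicious": bool(reasons), "reasons": reasons}


def triage_events(events: list) -> list:
    """Return the events that look like hollowing, with reasons attached."""
    hits = []
    for ev in events:
        verdict = analyze_event(ev)
        if verdict["suspicious"]:
            hits.append({**ev, "reasons": verdict["reasons"]})
    return hits


# Constructed sample events.
SAMPLE_EVENTS = [
    {   # benign: MSBuild running InstallUtil against an assembly
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
        "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" C:\build\Service.exe',
    },
    {   # side-loaded EXE from an extracted attachment spawning a bare host
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
        "ParentImage": r"C:\Users\victim\Downloads\invoice\viewer.exe",   # hypothetical
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"',
    },
    {   # unrelated process: ignored
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe",
    },
]

if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print(hit["Image"], "<-", hit["ParentImage"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

This is a context heuristic only; the stronger signal is an EDR or memory-scanning check that the host process's executable region no longer matches the file on disk, which the argument and parent tells should route to for confirmation.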

Targeted Attacks in Taiwan and Mexico

QuirkyLoader has so far been observed in smaller, focused campaigns. Two notable waves were recorded in July 2025:

Taiwan Campaign: Specifically targeted employees of Nusoft Taiwan, a cybersecurity and network security company. The operation aimed to deploy Snake Keylogger, designed to exfiltrate browser data, keystrokes, and clipboard contents.

Mexico Campaign: Appeared to be more indiscriminate in nature, distributing Remcos RAT and AsyncRAT without clear targeting patterns.

Technical Characteristics of the Loader

The threat actor consistently writes the DLL loader module in a .NET language but compiles it ahead-of-time (AOT) to native code. The resulting binary carries no MSIL or .NET metadata and looks like one built from C or C++, so .NET decompilers such as dnSpy or ILSpy recover nothing and analysts must fall back on native disassembly. This slows analysis and sidesteps detections tuned for conventional managed .NET loaders.
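The quickest way to confirm the point above on a sample is to check whether the PE has a CLR header at all: a managed assembly points data directory 14 at its IMAGE_COR20_HEADER, while an AOT-compiled .NET binary, like any native C or C++ program, leaves it empty. The following is an added example, not the researchers' tooling: a minimal PE header parser that makes that check, exercised on two constructed header-only images rather than real samples. Note that it answers "managed or native", which is exactly why it cannot tell AOT .NET from C/C++.

```python
"""Does a PE carry .NET metadata?  A managed (MSIL) assembly has a CLR
header in data directory 14; a NativeAOT-compiled .NET program, like any
C/C++ binary, does not.  Added example, not the report's tooling; the
PE images built below are constructed minimal headers, not real samples."""
import struct

COM_DESCRIPTOR_INDEX = 14      # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
PE32, PE32_PLUS = 0x10B, 0x20B


def clr_directory(pe: bytes):
    """Return (rva, size) of the CLR header directory, or None if absent."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (no PE signature)")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32:
        dirs, count_off = opt + 96, opt + 92  # DataDirectory[], NumberOfRvaAndSizes
    elif magic == PE32_PLUS:
        dirs, count_off = opt + 112, opt + 108
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", pe, count_off)[0] <= COM_DESCRIPTOR_INDEX:
        return None                           # too few directories to hold a CLR entry
    rva, size = struct.unpack_from("<II", pe, dirs + 8 * COM_DESCRIPTOR_INDEX)
    return (rva, size) if rva and size else None


def is_managed(pe: bytes) -> bool:
    """True for an MSIL assembly; False for native code, AOT-compiled .NET included."""
    return clr_directory(pe) is not None


def build_minimal_pe(managed: bool, pe32_plus: bool = True) -> bytes:
    """Constructed header-only image: DOS header, PE signature, COFF header
    and an optional header with 16 data directories; no sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header follows DOS header
    fixed = 112 if pe32_plus else 96          # optional header size before DataDirectory[]
    opt = bytearray(fixed + 16 * 8)
    struct.pack_into("<H", opt, 0, PE32_PLUS if pe32_plus else PE32)
    struct.pack_into("<I", opt, fixed - 4, 16)   # NumberOfRvaAndSizes
    if managed:
        # Point directory 14 at a hypothetical 72-byte IMAGE_COR20_HEADER.
        struct.pack_into("<II", opt, fixed + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 72)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32_plus else 0x14C,
                       0, 0, 0, 0, len(opt), 0x22)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, img in (("managed assembly", build_minimal_pe(True)),
                       ("AOT / native binary", build_minimal_pe(False))):
        print(f"{label:20s} CLR header: {clr_directory(img)}")
```

Run against a real loader DLL (`clr_directory(open(path, "rb").read())`), a `None` result means the managed-code toolchain is the wrong tool and the sample should go to a native disassembler.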

Final Thoughts

QuirkyLoader is a clear example of how cybercriminals keep refining their delivery chain for stealth. By combining DLL side-loading behind a legitimate executable, process hollowing into signed .NET Framework binaries, and targeted phishing, the attackers both slip past signature-based defenses and tailor campaigns to their victims. Organizations should treat archive attachments that bundle an executable with a DLL as hostile, alert when .NET Framework hosts such as AddInProcess32.exe or InstallUtil.exe are spawned from user-writable locations, and keep layered defenses in place to reduce exposure to such threats.
