New Malware Alert: ‘QuirkyLoader’ Distributing Infostealers and Remote Access Trojans (RATs)
A new malware loader known as QuirkyLoader has been distributing well-known infostealers and remote access trojans (RATs) since November 2024. It has been observed delivering multiple payload families, including Agent Tesla, AsyncRAT, FormBook, MassLogger, Remcos, Rhadamanthys and Snake Keylogger, which makes it a multi-purpose tool for cybercriminals.

QuirkyLoader begins its multi-stage infection with spam emails carrying malicious archive attachments. Each archive bundles three components: a legitimate executable, an encrypted malicious payload disguised as a DLL, and a malicious DLL loader module. The operators send their campaigns through both legitimate email service providers and self-hosted email servers, which diversifies their infrastructure and makes takedown efforts harder.
IBM analysts describe QuirkyLoader's attack chain as relying on DLL side-loading to run malicious code under the cover of a legitimate program. When the victim launches the seemingly benign executable, it loads the malicious DLL, which decrypts the final payload and injects it into a target process through process hollowing.

QuirkyLoader's most notable technical trait is its consistent use of Ahead-of-Time (AOT) compilation for its DLL loader modules. The authors write these components in C# .NET and compile them with AOT, which converts the C# source into Microsoft Intermediate Language (MSIL) and then directly into native machine code, rather than shipping MSIL to be just-in-time compiled at run time. The resulting module looks like a native binary, which complicates detection and analysis. For payload decryption, QuirkyLoader uses the uncommon Speck-128 cipher in Counter (CTR) mode, generating its keystream with Add-Rotate-XOR (ARX) operations. Recent campaigns in July 2025 specifically targeted Nusoft Taiwan employees and Mexican individuals.
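To make the Speck-128 CTR decryption step concrete for analysts, the following added example (not code from IBM's report or from QuirkyLoader itself) implements the Speck128/128 block cipher and a CTR keystream in Python, the way a defender would re-implement it to recover a captured payload offline. The 128-bit key size, the nonce/counter layout and the sample bytes are assumptions; the article does not state them.

```python
# Added example: Speck128/128 block cipher and CTR-mode keystream, written from
# an analyst's point of view to decrypt a captured payload offline.
# Assumptions (not stated in the article): 128-bit key, 64-bit nonce in the
# high half of each counter block, 64-bit block counter in the low half.
MASK64 = (1 << 64) - 1
ROUNDS = 32  # Speck128/128 uses 32 rounds, alpha=8, beta=3


def ror(x: int, r: int) -> int:
    return ((x >> r) | (x << (64 - r))) & MASK64


def rol(x: int, r: int) -> int:
    return ((x << r) | (x >> (64 - r))) & MASK64


def speck128_key_schedule(key: int) -> list:
    """Expand a 128-bit key (as int) into 32 round keys using ARX steps."""
    k, l = key & MASK64, key >> 64
    round_keys = [k]
    for i in range(ROUNDS - 1):
        l = ((k + ror(l, 8)) & MASK64) ^ i   # add, rotate, xor on the l word
        k = rol(k, 3) ^ l
        round_keys.append(k)
    return round_keys


def speck128_encrypt_block(block: int, round_keys: list) -> int:
    """Encrypt one 128-bit block given as int (x = high word, y = low word)."""
    x, y = block >> 64, block & MASK64
    for rk in round_keys:
        x = ((ror(x, 8) + y) & MASK64) ^ rk
        y = rol(y, 3) ^ x
    return (x << 64) | y


def speck128_ctr(key: int, nonce: int, data: bytes) -> bytes:
    """CTR mode: keystream block i = E_K(nonce<<64 | i), XORed onto data.
    Encryption and decryption are the same operation."""
    round_keys = speck128_key_schedule(key)
    out = bytearray()
    for off in range(0, len(data), 16):
        ks = speck128_encrypt_block((nonce << 64) | (off // 16), round_keys)
        ks_bytes = ks.to_bytes(16, "big")
        out += bytes(a ^ b for a, b in zip(data[off:off + 16], ks_bytes))
    return bytes(out)


# Constructed sample (not real QuirkyLoader data): encrypt a fake payload
# header, then recover it as an analyst would with the extracted key and nonce.
SAMPLE_KEY = 0x0F0E0D0C0B0A09080706050403020100
SAMPLE_NONCE = 0x0123456789ABCDEF
SAMPLE_PLAIN = b"MZ\x90\x00CONSTRUCTED-PAYLOAD-HEADER-FOR-DEMO"
SAMPLE_CIPHER = speck128_ctr(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_PLAIN)
SAMPLE_RECOVERED = speck128_ctr(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_CIPHER)
```

The block cipher can be checked against the published Speck128/128 test vector before trusting it on real data; the CTR layout must be confirmed from the loader's own decryption routine.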
Categories: Malware Distribution, Cybersecurity Threats, Infection Techniques
Tags: QuirkyLoader, Malware, Infostealers, Remote Access Trojans, DLL, AOT Compilation, Process Hollowing, Payload, Cybersecurity, Evasion