IBM X-Force Threat Analysis: QuirkyLoader - A new malware loader delivering infostealers and RATs

Since November 2024, IBM X-Force has observed a new loader, QuirkyLoader, being used to deliver additional payloads to infected systems. Some of the well-known malware families that use QuirkyLoader include:

• Agent Tesla                  
• AsyncRAT
• FormBook
• MassLogger
• Remcos 
• Rhadamanthys
• Snake Keylogger

The multi-stage infection begins with an email. The threat actor uses both legitimate email service providers and a self-hosted email server to send emails with a malicious archive attached. This archive contains three key components: a legitimate executable, an encrypted payload and a malicious DLL. The actor uses DLL side-loading, a technique where launching the legitimate executable also loads the malicious DLL. This DLL, in turn, loads, decrypts and injects the final payload into its target process.

Notably, X-Force observed that the threat actor consistently writes the DLL loader module in .NET languages and uses ahead-of-time (AOT) compilation. This process compiles the code into native machine code before execution, making the resulting binary appear as though it were written in C or C++.

• Loader

The QuirkyLoader infection chain begins when a user opens a malicious archive file attached to a spam email. This archive contains a legitimate executable, an encrypted payload disguised as a DLL and a DLL loader module. In some instances, the archive includes other legitimate DLLs to hide the malicious module.

Executing the legitimate .EXE file starts the infection's subsequent stages. The executable uses DLL side-loading to load the malicious DLL. This DLL then loads, decrypts and injects the final payload into a target process. It accomplishes this by performing process hollowing on one of the following processes: AddInProcess32.exe, InstallUtil.exe or aspnet_wp.exe.

​QuirkyLoader's DLL module is consistently written in C# .NET. It is compiled using Ahead-of-Time (AOT) compilation, which compiles the C# code into Microsoft Intermediate Language (MSIL) first, and then compiles the MSIL into native machine code. This technique bypasses the traditional .NET method of first compiling code into Microsoft Intermediate Language (MSIL) and then using the Common Language Runtime (CLR) to translate it into native code. As a result, the final binary resembles a program written in C or C++.

To load the encrypted payload, the malware calls the Win32 APIs CreateFileW() and ReadFile(). It then decrypts the buffer containing the payload, typically using a block cipher.

Interestingly, one variant uses the Speck-128 cipher with Counter (CTR) mode to decrypt the payload, a method not commonly used by malware. The Speck cipher works by expanding the master key into several round keys. It uses these round keys along with a nonce to generate a keystream by performing Add-Rotate-XOR (ARX) operations. Finally, the malware XORs the generated keystream against the encrypted data in 16-byte blocks to produce the decrypted payload.

Code block 1 Key Stream Generation of Speck Cipher

To evade detection by security software, the malware dynamically resolves the Win32 APIs required for process hollowing.

First, the malware uses CreateProcessW() to launch a process in a suspended state. It then unmaps the memory of the suspended process with ZwUnmapViewOfSection() and writes its malicious payload into that memory space using ZwWriteVirtualMemory(). After performing these initializations, the malware sets the payload's starting point with SetThreadContext() and calls ResumeThread() to execute it.

While information regarding the geographical distribution of QuirkyLoader's operations has been limited for the past few months, two distinct campaigns were discovered in July 2025 targeting Taiwan and Mexico. The campaign in Taiwan specifically targeted employees of Nusoft Taiwan, a network and internet security research company, and distributed the Snake Keylogger infostealer. In Mexico, the campaign randomly targeted individuals, delivering both the Remcos RAT and AsyncRAT.

IBM X-Force uncovered additional network IOCs related to the domain used to distribute the malspam emails. The investigation started with the domain catherinereynolds[.]info, which resolves to the IP address 157[.]66[.]225[.]11 and hosts a Zimbra web client. Upon closer inspection, it was found that the domain uses an SSL certificate with the common name mail[.]catherinereynolds[.]info. Pivoting from this certificate, the IPs 103[.]75[.]77[.]90 and 161[.]248[.]178[.]212 were discovered to be using the same SSL certificate. X-Force is highly confident that these additional IPs are related because they use similar ISPs, host similar services and share the same common name in their SSL certificates.

QuirkyLoader is a new loader malware that is actively distributing well-known malware families like Agent Tesla, AsyncRAT and Remcos. The threat actor initiates a multi-stage infection using malicious emails containing an archive file. By leveraging DLL side-loading, the malware executes its core DLL module, which is consistently written in .NET and compiled ahead-of-time to disguise its nature. This module then decrypts and injects the final payload, demonstrating a sophisticated method for delivering various malware threats.

• Block messages with executable attachments
• Avoid opening unexpected emails
• Avoid opening files that come from untrusted sources
• Keep security products up-to-date and properly configured
• Since the final payloads are typically infostealers and remote access tools, actively monitor and inspect outbound network traffic
• Closely monitor the behavior of the following legitimate processes, as they are common targets for process hollowing by QuirkyLoader:

•  
  • AddInProcess32.exe
  • InstallUtil.exe
  • aspnet_wp.exe

IBM X-Force Premier Threat Intelligence is now integrated with OpenCTI, delivering actionable threat intelligence about this threat activity and more. Access insights on threat actors, malware and industry risks. Install the OpenCTI Connector to enhance detection and response, strengthening your cybersecurity with IBM X-Force’s expertise. Stay ahead—integrate today.