ybersecurity experts have recently uncovered a new malware loader, dubbed QuirkyLoader, that has been actively used in email spam campaigns since late 2024. This loader is designed to deliver a wide variety of dangerous payloads, including information stealers, remote access trojans (RATs), and keyloggers.

Among the malware families distributed through QuirkyLoader are Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger, making it a versatile tool in the cybercriminal arsenal.

How QuirkyLoader Works

According to IBM X-Force, which analyzed the malware, the attacks are carried out through spam emails originating from both legitimate email providers and self-hosted servers. These messages typically contain a malicious archive file that includes:

• A DLL file
• An encrypted payload
• A legitimate executable

The loader abuses a technique known as DLL side-loading, in which executing the legitimate file also loads the malicious DLL. This DLL then decrypts and injects the final malware payload into the targeted process.

To complete the infection, QuirkyLoader uses process hollowing, injecting the payload into one of three processes commonly present in Windows environments:

• AddInProcess32.exe
• InstallUtil.exe
• aspnet_wp.exe

Targeted Campaigns in Taiwan and Mexico

IBM reports that QuirkyLoader has been observed in limited campaigns since early 2025, with two notable ones in July 2025 targeting Taiwan and Mexico.

• Taiwan Campaign: Specifically aimed at employees of Nusoft Taiwan, a network and internet security company, with the goal of deploying Snake Keylogger, capable of stealing browser data, keystrokes, and clipboard content.
• Mexico Campaign: Considered more random in nature, delivering Remcos RAT and AsyncRAT to victims.

One interesting detail is that attackers consistently develop the DLL loader in .NET languages, compiling it with ahead-of-time (AOT) compilation. This approach converts the code into native machine code before execution, making it appear as though the binary was written in C or C++, complicating detection and analysis.

Rise of QR Code Phishing (Quishing)

Alongside QuirkyLoader, researchers are also observing the evolution of phishing techniques. A growing trend is the abuse of QR codes (quishing) within phishing campaigns. Threat actors embed malicious QR codes in emails, sometimes splitting them into multiple parts or merging them with legitimate ones to bypass security filters.

According to Barracuda researchers, malicious QR codes are effective because:

• They cannot be easily recognized by humans.
• They often bypass email filters and link scanners.
• Users typically scan them with mobile devices, moving them outside of the company’s security perimeter.

New Identity Security Threats

The findings also connect with the emergence of a phishing kit attributed to the PoisonSeed threat actor. This kit is designed to harvest credentials and 2FA codes by impersonating login pages from major services such as Google, SendGrid, and Mailchimp.

Notably, the kit uses precision-validated phishing, where attackers verify an email address in real time while presenting a fake Cloudflare Turnstile challenge. Once validated, victims are redirected to a convincing login page, enabling cybercriminals to steal credentials and abuse compromised accounts—often to conduct cryptocurrency scams.

Source: https://thehackernews.com/2025/08/hackers-using-new-quirkyloader-malware.html