QuirkyLoader: The New A-List Malware Loader Hiding in Plain Sight
IBM X-Force specialists have reported the emergence of a new loader, QuirkyLoader, which since late 2024 has been employed to distribute a wide array of well-known malware families, including Agent Tesla, AsyncRAT, FormBook, MassLogger, Remcos, Rhadamanthys, and Snake Keylogger. The malware is propagated through email messages containing archives that include a legitimate executable, an encrypted module, and a malicious library. The attack leverages the DLL side-loading technique: when the legitimate application is launched, it loads the malicious library, which then decrypts and injects the final payload.
According to IBM X-Force observations, the malicious module is written in .NET, but compiled Ahead-of-Time (AOT), allowing it to masquerade as a C or C++ binary. For payload loading, attackers rely on the Win32 APIs CreateFileW and ReadFile, followed by decryption of the buffer. In one notable variant, an uncommon encryption method was observed: the Speck-128 block cipher in CTR mode, where the keystream is generated through a combination of addition, cyclic shifts, and XOR operations.
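To make the cipher described above concrete, here is an added Python reference implementation of Speck-128/128 with a CTR wrapper of the kind an analyst writes to decrypt a captured module; it is not code from the report or from the malware. The block cipher follows the public Speck specification and is checked against its published test vector; the nonce-in-high-word, counter-in-low-word layout is an assumption, since the report does not document QuirkyLoader's exact counter construction.

```python
import struct

MASK64 = (1 << 64) - 1
ROUNDS = 32  # Speck-128/128: 64-bit words, 128-bit key, 32 rounds

def ror(x, r):
    return ((x >> r) | (x << (64 - r))) & MASK64
def rol(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK64

def expand_key(k0, l0):
    """Speck-128/128 key schedule; the 128-bit key is the word pair (l0, k0)."""
    round_keys = [k0]
    k, l = k0, l0
    for i in range(ROUNDS - 1):
        # Same add / rotate / XOR mixing as the round function, keyed by the round index i.
        l = ((k + ror(l, 8)) & MASK64) ^ i
        k = rol(k, 3) ^ l
        round_keys.append(k)
    return round_keys

def encrypt_block(round_keys, x, y):
    """Encrypt one 128-bit block given as (high word x, low word y)."""
    for k in round_keys:
        x = ((ror(x, 8) + y) & MASK64) ^ k   # rotate right 8, add, XOR round key
        y = rol(y, 3) ^ x                    # rotate left 3, XOR
    return x, y

def speck_ctr(key, nonce, data):
    """CTR mode: keystream block i = Speck(nonce, i), XORed into data; decryption is the same call."""
    k0, l0 = struct.unpack("<QQ", key)  # little-endian words, as in the specification
    round_keys = expand_key(k0, l0)
    out = bytearray()
    for off in range(0, len(data), 16):
        ks_x, ks_y = encrypt_block(round_keys, nonce, off // 16)  # counter in low word (assumption)
        keystream = struct.pack("<QQ", ks_y, ks_x)
        out += bytes(a ^ b for a, b in zip(data[off:off + 16], keystream))
    return bytes(out)

def passes_test_vector():
    """Check the published Speck-128/128 test vector from the cipher's specification."""
    rk = expand_key(0x0706050403020100, 0x0F0E0D0C0B0A0908)
    ct = encrypt_block(rk, 0x6C61766975716520, 0x7469206564616D20)
    return ct == (0xA65D985179783265, 0x7860FEDF5C570D18)

if __name__ == "__main__":
    key, nonce = bytes(range(16)), 0x1122334455667788  # constructed sample values
    blob = b"constructed sample bytes, not a real QuirkyLoader module"
    print(passes_test_vector(), speck_ctr(key, nonce, speck_ctr(key, nonce, blob)) == blob)
```

Against a real sample, the key, nonce and counter layout must be recovered from the loader itself; only the block cipher core is fixed by the specification.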
The final stage of execution involves process hollowing. The loader creates a process in a suspended state, frees its memory with ZwUnmapViewOfSection, writes the malicious code using ZwWriteVirtualMemory, and executes it through ResumeThread after setting the appropriate context. To evade detection, QuirkyLoader dynamically resolves API functions. Typical victim processes include AddInProcess32.exe, InstallUtil.exe, and aspnet_wp.exe.
In July 2025, two distinct campaigns were documented: in Taiwan, attacks targeted employees of Nusoft Taiwan, ultimately delivering Snake Keylogger; in Mexico, widespread infections culminated in the installation of Remcos RAT and AsyncRAT. Infrastructure analysis revealed the use of the domain catherinereynolds[.]info, linked to several IP addresses and SSL certificates, suggesting a common operational base.
QuirkyLoader stands out as a highly sophisticated loader: its use of AOT compilation, rare encryption techniques, and flexible API loading mechanisms underscores its advanced design. Recommended defenses include blocking emails containing executables, refraining from opening unexpected attachments, maintaining updated security systems, and closely monitoring outbound traffic, as the final payloads are primarily focused on data theft and establishing remote access.