Just three malware loaders used in 80% of attacks

Three malware loaders, QakBot, SocGholish, and Raspberry Robin, wreak havoc in 80% of incidents, according to the threat researchers of IT security firm ReliaQuest.

Malware loaders are used as a vehicle to deliver and execute other forms of malware, such as ransomware, viruses, trojans, or worms. They’re one of the most common tools for attackers to drop payloads in the initial cyber-attack stage.

ReliaQuest researchers observed the most common variants across their customer environments and found that just three malware loaders accounted for the lion's share of incidents since the start of the year.

Malware loaders are tricky for cybersecurity teams, as mitigation for one loader may not work for another, even if the loaded malware is the same.

“Just because a malware loader was detected, it doesn’t mean the targeted network was compromised; in the majority of cases we observed, the malware loader was detected and stopped early in the kill chain. But it’s crucial to not look away from the car-crash threat of any loader, especially the three most popular,” researchers write.

But what do we know about the primary offenders QakBot (QBot, QuackBot, Pinkslipbot), SocGholish, and Raspberry Robin?


Based on recent trends, it’s highly likely that these loaders will continue to pose a threat to organizations.

QakBot is quick to change

Associated with the Black Basta ransomware group, QakBot was designed as a banking trojan, then upgraded with new capabilities to become a versatile and common malware.

Used to gain initial access to targeted networks, QakBot also delivers remote-access payloads, steals sensitive data, and supports lateral movement and remote code execution.

Usually, QakBot is delivered via a phishing email with a tailored lure, such as a work order, an urgent request, or an invoice, carried as a file attachment or a hyperlink. The payload is downloaded as a PDF, HTML, or OneNote file.

“QakBot then uses WSF, JavaScript, Batch, HTA, or LNK files that, when executed, typically establish persistence via scheduled task or registry run keys,” researchers explain.

QakBot operators are resourceful and quick to respond or change their delivery tactics. This malware is an evolving and persistent threat used to opportunistically target any industry or region.
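The chain described above ends in a scheduled task or a Run key that launches a script host. The audit below is an added example, written for this page rather than taken from ReliaQuest or Cybernews, that lists every Run/RunOnce entry and scheduled-task action on a Windows host and flags the ones that invoke a script host or reference a script or shortcut file. The two regular expressions are this example's own starting point, not a vendor signature; run it from an elevated PowerShell so HKLM and all users' tasks are visible.

```powershell
# Added example (this editor's, not ReliaQuest's or Cybernews'): audit the persistence
# locations the QakBot chain is described as using, Run/RunOnce keys and scheduled tasks,
# for entries that launch a script host or point at a script or shortcut file.
# Run in an elevated PowerShell to see HKLM and every user's tasks. The two regexes are
# this example's own starting point, not a vendor signature; tune them for your estate.

$HostPattern = '(?i)(wscript|cscript|mshta|rundll32|regsvr32|powershell|pwsh|cmd)\.exe'
$FilePattern = '(?i)\.(js|jse|vbs|vbe|wsf|wsh|hta|lnk|bat|cmd)\b'

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-SuspiciousCommand {
    param([string]$CommandLine)
    # True when the command launches a script host or references a script/shortcut file.
    return ($CommandLine -match $HostPattern) -or ($CommandLine -match $FilePattern)
}

function Get-RunKeyEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-TaskEntries {
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }  # COM-handler actions carry no command line
            [pscustomobject]@{
                Source  = 'Task ' + $task.TaskPath + $task.TaskName
                Name    = $task.Principal.UserId
                Command = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            }
        }
    }
}

$findings = @(Get-RunKeyEntries) + @(Get-TaskEntries) |
    Where-Object { Test-SuspiciousCommand -CommandLine $_.Command }

# Built-in Windows tasks also use script hosts, so the Command column is for an analyst to
# review against a known-good baseline, not an automatic verdict.
$findings | Sort-Object Source | Format-Table -AutoSize -Wrap
```

Expect noise from Microsoft's own maintenance tasks; the value of the output is the diff against a clean baseline host or a previous run, where a new Run value or task that calls wscript.exe, mshta.exe or cmd.exe with a .js, .wsf, .hta or .lnk argument stands out.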

With SocGholish, one user can affect the whole system

SocGholish, also known as FakeUpdates, masquerades as a legitimate software update. This JavaScript malware loader targets Microsoft Windows-based environments and is delivered via drive-by compromise: script injected into legitimate but compromised websites serves the fake update prompt to visitors, who still have to download and run the file it offers.

“Visitors to a wide network of compromised websites are tricked into downloading “updates,” typically through outdated browser prompts or other update lures for Microsoft Teams and Adobe Flash,” ReliaQuest writes.

SocGholish has been linked to the financially motivated cybercrime group Evil Corp, based in Russia. Typical targets are accommodation and food services, retail trade, and legal services, primarily in the US.

SocGholish also has ties with the initial access broker Exotic Lily, which conducts highly sophisticated phishing campaigns to gain initial access and sell it to ransomware groups or other threat actors.

SocGholish operators use convincing social engineering tactics, and awareness is critical to minimizing this threat.

“Its vast malware distribution network runs on compromised websites and social engineering; just four user clicks can affect an entire domain or network of computer systems within days,” researchers warn.

Raspberry Robin is an all-rounder

Tied to various highly capable malicious groups, including Evil Corp and Silence (Whisper Spider), Raspberry Robin is a highly elusive worm-turned-loader that targets Microsoft Windows environments.

“Its exceptional propagation capabilities kick in after initial infection via malicious USB devices, when cmd.exe runs and executes a LNK file on the infected USB. The LNK file contains commands triggering native Windows processes, such as msiexec.exe, to initiate an outbound connection to download the Raspberry Robin DLL,” researchers write.

Raspberry Robin has been used to deliver multiple ransomware and other malware variants, such as “Cl0p,” “LockBit,” “TrueBot,” and “Flawed Grace,” in addition to the Cobalt Strike tool.

In 2023, Raspberry Robin operators targeted financial institutions, telecommunications, government, and manufacturing organizations.

“Raspberry Robin is a highly useful addition to a threat actor’s arsenal, helping carve out an initial network foothold and delivering multiple forms of payload,” researchers explain.

How do you defend against malware loaders?

Several steps can help minimize the threat from malware loaders. Here’s what ReliaQuest suggests:

  • Configure a GPO (Group Policy Object) to change the default handler for .js files, and any other script types you see fit, from wscript.exe to Notepad. A double-clicked script then opens as text instead of executing on the host.
  • Block inbound emails carrying attachments with file extensions typically used for malware delivery.
  • Restrict company assets from making arbitrary connections to the internet, via firewall or proxy configurations, to minimize malware and C2 activity.
  • Limit the use of remote-access software unless absolutely required for an individual's job; alternatively, enhance monitoring to detect misuse. Cybercriminals – notably IABs and ransomware operators – love using this software to gain and maintain access to networks.
  • Disable ISO mounting; attackers increasingly package payloads in ISO images to get them past antivirus and endpoint detection tools.
  • Implement USB access control and GPOs that stop Autorun from executing commands from removable media. Consider disabling removable media access altogether if business conditions allow.
  • Train staff to identify social-engineering tactics employed on the web, and open up an appropriate channel for them to report suspicious emails or other activity.
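Three of the controls above (script handlers, ISO mounting, USB Autorun) come down to registry values that the matching Group Policy settings write. The script below is an added example, written for this page rather than taken from ReliaQuest or Cybernews, that applies them on a single host and reports their state, so the result can be checked on a lab machine before it is rolled out as a GPO Preference. Its assumptions are its own: that the stock Windows ProgIDs it lists are unchanged on the target, and that Explorer's "mount" verb for .iso files lives under Windows.IsoFile, as it does on Windows 10 and 11.

```powershell
# Added example (this editor's, not ReliaQuest's or Cybernews'): apply three of the controls
# above by writing the same registry values the matching Group Policy settings write, so the
# result can be tested on a lab host before it is pushed as a GPO Preference.
# Run elevated. -Audit reports current state and changes nothing; -WhatIf previews changes.
# Assumptions, this example's own: the stock script ProgIDs listed here are unchanged on the
# target, and the Explorer "mount" verb for .iso lives under Windows.IsoFile (Windows 10/11).

[CmdletBinding(SupportsShouldProcess)]
param([switch]$Audit)

$ScriptProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile', 'htafile'
$NotepadCmd    = '"%SystemRoot%\System32\notepad.exe" "%1"'
$ExplorerPol   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$IsoMountVerb  = 'HKLM:\SOFTWARE\Classes\Windows.IsoFile\shell\mount'

function Get-ScriptHandler {
    param([string]$ProgId)
    # The default value of shell\open\command is what Explorer runs on double-click.
    $key = "HKLM:\SOFTWARE\Classes\$ProgId\shell\open\command"
    if (Test-Path $key) { (Get-Item -Path $key).GetValue('') } else { $null }
}

function Set-ScriptHandlerToNotepad {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ProgId)
    $key = "HKLM:\SOFTWARE\Classes\$ProgId\shell\open\command"
    if ($PSCmdlet.ShouldProcess($key, 'point default verb at notepad.exe')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '(default)' -Value $NotepadCmd -Type ExpandString
    }
}

function Disable-Autorun {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Same values as "Turn off AutoPlay: All drives" and "Default behavior for AutoRun:
    # Do not execute any autorun commands" under Administrative Templates > AutoPlay Policies.
    if ($PSCmdlet.ShouldProcess($ExplorerPol, 'NoDriveTypeAutoRun=0xFF, NoAutorun=1')) {
        if (-not (Test-Path $ExplorerPol)) { New-Item -Path $ExplorerPol -Force | Out-Null }
        Set-ItemProperty -Path $ExplorerPol -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        Set-ItemProperty -Path $ExplorerPol -Name NoAutorun -Value 1 -Type DWord
    }
}

function Disable-IsoMount {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Assumption: ProgrammaticAccessOnly hides the verb from Explorer so double-click and the
    # context menu no longer mount the image. Confirm with a test .iso after applying.
    if (-not (Test-Path $IsoMountVerb)) { Write-Warning "$IsoMountVerb not found"; return }
    if ($PSCmdlet.ShouldProcess($IsoMountVerb, 'add ProgrammaticAccessOnly')) {
        Set-ItemProperty -Path $IsoMountVerb -Name ProgrammaticAccessOnly -Value '' -Type String
    }
}

function Get-HardeningState {
    # One row per control with Status OK/FIX, so the audit can be diffed across hosts.
    foreach ($id in $ScriptProgIds) {
        $h = Get-ScriptHandler -ProgId $id
        [pscustomobject]@{ Control = "handler:$id"; Status = $(if ($h -match 'notepad\.exe') { 'OK' } else { 'FIX' }); Value = $h }
    }
    $pol = Get-ItemProperty -Path $ExplorerPol -ErrorAction SilentlyContinue
    [pscustomobject]@{ Control = 'autorun'; Status = $(if ($pol.NoDriveTypeAutoRun -eq 0xFF -and $pol.NoAutorun -eq 1) { 'OK' } else { 'FIX' }); Value = $pol.NoDriveTypeAutoRun }
    $iso = Get-ItemProperty -Path $IsoMountVerb -ErrorAction SilentlyContinue
    [pscustomobject]@{ Control = 'iso-mount'; Status = $(if ($null -ne $iso.ProgrammaticAccessOnly) { 'OK' } else { 'FIX' }); Value = $iso.ProgrammaticAccessOnly }
}

if ($Audit) { Get-HardeningState | Format-Table -AutoSize; return }

foreach ($id in $ScriptProgIds) { Set-ScriptHandlerToNotepad -ProgId $id }
Disable-Autorun
Disable-IsoMount
Get-HardeningState | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. The handler change only governs what Explorer launches when a user opens the file; a command line that calls wscript.exe, cscript.exe or mshta.exe explicitly still runs, so pair it with AppLocker or WDAC rules on those hosts where feasible. And HKCU\Software\Classes takes precedence over HKLM in the merged HKEY_CLASSES_ROOT view, so a per-user override can silently undo the setting; deploying it as a GPO Preference that re-applies on each refresh avoids that. Turning off Autorun stops autorun.inf processing, but the Raspberry Robin LNK lure described above is opened by the user, which is why the list also calls for USB access control.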
