Loader 

3.4.23  DBatLoader This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.  MALWARE Loader
31.03.2026 DeepLoad DeepLoad Malware Pairs ClickFix Delivery with AI-Generated Evasion  MALWARE LOADER
24.03.2026 StoatWaffle StoatWaffle, malware used by WaterPlum MALWARE LOADER
06.03.2026 BadPaw and MeowMeow Exposing a Russian Campaign Targeting Ukraine Using New Malware Duo: BadPaw and MeowMeow MALWARE LOADER
17.02.2026 SmartLoader SmartLoader Clones Oura Ring MCP to Deploy Supply Chain Attack MALWARE LOADER
15.02.2026 CastleLoader  GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries MALWARE LOADER
02.02.2026 GlassWorm Loader GlassWorm Loader Hits Open VSX via Developer Account Compromise MALWARE LOADER
17.01.2026 Gootloader’s Planned failure: Gootloader’s malformed ZIP actually works perfectly MALWARE LOADER
20.12.2025 GachiLoader The YouTube Ghost Network is a malware distribution network that uses compromised accounts to promote malicious videos and spread malware, such as infostealers. MALWARE LOADER
20.12.2025 CountLoader From Loader to Looter: ACR Stealer Rides on Upgraded CountLoader MALWARE LOADER
10.12.2025 CastleLoader GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries MALWARE LOADER
17.11.2025 RONINGLOADER RONINGLOADER: DragonBreath’s New Path to PPL Abuse MALWARE Loader
12.11.2025 Gootloader Gootloader Returns: What Goodies Did They Bring? MALWARE Loader
11.11.2025 Comebacker Lazarus Group targets Aerospace and Defense with new Comebacker variant MALWARE Loader
09.11.2025 Line Dancer In-memory shellcode loader targeting Cisco Adaptive Security Appliance (ASA) devices MALWARE Loader
09.11.2025 Line Runner Persistent webshell targeting Cisco Adaptive Security Appliance (ASA) devices. MALWARE Loader
08.11.2025 XLoader 8.0 Cracking XLoader with AI: How Generative Models Accelerate Malware Analysis MALWARE Loader
01.11.2025 HijackLoader The SonicWall Capture Labs threat research team has recently been monitoring new variants of the HijackLoader malware that are being delivered through SVG files. MALWARE Loader
18.10.2025 PhantomVAI Unit 42 researchers have been tracking phishing campaigns that use PhantomVAI Loader to deliver information-stealing malware through a multi-stage, evasive infection chain.   MALWARE Loader
26.09.2025 Line Runn Persistent webshell targeting Cisco Adaptive Security Appliance (ASA) devices. MALWARE Loader
26.09.2025 Line Danc In-memory shellcode loader targeting Cisco Adaptive Security Appliance (ASA) devices. MALWARE Loader
20.09.2025 CountLoader Silent Push has discovered a new malware loader that is strongly associated with Russian ransomware gangs that we are naming: “CountLoader.” MALWARE LOADER
29.08.2025 Xiangoop Pirates of The Nang Hai: Follow the Artifacts No One Know MALWARE Loader
25.07.2025 CastleLoader Understanding Current CastleLoader Campaigns MALWARE Loader
19.07.2025 MDifyLoader Malware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities MALWARE LOADER
18.07.2025 Emmenhtal MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities MALWARE Loader
02.07.2025 TransferLoader Zscaler ThreatLabz has identified a new malware loader that we have named TransferLoader, which has been active since at least February 2025.  MALWARE LOADER
27.05.2025 Winos 4.0 NSIS Abuse and sRDI Shellcode: Anatomy of the Winos 4.0 Campaign MALWARE Loader
18.05.2025 Skitnet Skitnet is a multi-stage malware that uses Rust and Nim to execute a stealthy reverse shell over DNS, leveraging encryption, manual mapping, and dynamic API resolution to evade detection MALWARE Loader
06.05.2025 TerraStealerV2 and TerraLogger TerraStealerV2 and TerraLogger: Golden Chickens' New Malware Families Discovered MALWARE Loader
02.05.2025 MintsLoader  Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting MALWARE Loader
02.04.2025 HijackLoader Analyzing New HijackLoader Evasion Tactics MALWARE Loader
01.04.2025 MSC EvilTwin loader The MSC EvilTwin loader represents a novel approach (CVE-2025-26633) to malware deployment by leveraging specially crafted Microsoft Saved Console (.msc) files. MALWARE Loader
28.03.2025 CoffeeLoader CoffeeLoader: A Brew of Stealthy Techniques MALWARE Loader
08.03.2025 Zloader 2.9.4.0 Inside Zloader’s Latest Trick: DNS Tunneling MALWARE Loader
08.03.2025 Ragnar Loader (a.k.a Sardonic Backdoor) is a sophisticated toolkit of the Monstrous Mantis  MALWARE Loader
04.03.2025 Havoc Havoc: SharePoint with Microsoft Graph API turns into FUD C2 MALWARE Loader
20.02.2025 XLoader XLoader Executed Through JAR Signing Tool (jarsigner.exe) MALWARE Loader
27.01.2025 MintsLoader: StealC MintsLoader: StealC and BOINC Delivery MALWARE Loader
14.12.2024 NodeLoader  NodeLoader Exposed: The Node.js Malware Evading Detection MALWARE LOADER
06.12.2024 Venom  Unveiling RevC2 and Venom Loader MALWARE LOADER
02.12.2024 SmokeLoader SmokeLoader Attack Targets Companies in Taiwan MALWARE LOADER
28.11.2024 Gaming  Gaming Engines: An Undetected Playground for Malware Loaders MALWARE LOADER
19.11.2024 BabbleLoader Babble Babble Babble Babble Babble Babble BabbleLoader MALWARE LOADER
18.11.2024 Dolphin  The Abuse of ITarian RMM by Dolphin Loader MALWARE LOADER
11.11.2024 Gootloader  Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign MALWARE LOADER
28.10.2024 Latrodectus Analyzing Latrodectus: The New Face of Malware Loaders MALWARE LOADER
05.09.2024 WikiLoader Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant MALWARE Loader
21.08.2024 UULoader Meet UULoader: An Emerging and Evasive Malicious Installer. MALWARE Loader
02.08.2024 ModiLoader Phishing targeting Polish SMBs continues via ModiLoader MALWARE Loader
11.07.2024 DodgeBox DodgeBox: A deep dive into the updated arsenal of APT41 | Part 1 MALWARE Loader
05.07.2024 GootLoader GootLoader Malware Still Active, Deploys New Versions for Enhanced Attacks MALWARE Loader
03.07.2024 SmokeLoader, part 2 A Brief History of SmokeLoader, Part 2 MALWARE Loader
03.07.2024 SmokeLoader, part 1 A Brief History of SmokeLoader, Part 1 MALWARE Loader
03.07.2024 FakeBat loader Exposing FakeBat loader: distribution methods and adversary infrastructure MALWARE Loader
20.06.2024 SquidLoader  LevelBlue Labs Discovers Highly Evasive, New Loader Targeting Chinese Organizations MALWARE Loader
18.06.2024 Hijack Loader Info Stealing Campaign Uses DLL Sideloading Through Legitimate Cisco Webex’s Binaries for Initial Execution and Defense Evasion MALWARE Loader
14.06.2024 SSLoad Malware Dissecting SSLoad Malware: A Comprehensive Technical Analysis MALWARE Loader
20.05.2024 LATRODECTUS The LATRODECTUS loader evolves to deliver ICEDID and other malware  MALWARE Loader
08.05.2024 HijackLoader  HijackLoader (a.k.a. IDAT Loader) is a malware loader initially spotted in 2023 that is capable of using a variety of modules for code injection and execution. MALWARE Loader
19.04.2024 Deuterbear Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear MALWARE Loader
28.03.2024 Agent Tesla Agent Tesla's New Ride: The Rise of a Novel Loader MALWARE Loader
23.03.2024 WINELOADER  APT29 Uses WINELOADER to Target German Political Parties MALWARE Loader
22.03.2024 Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. MALWARE Loader
20.03.2024 Smoke Loader Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor MALWARE Loader
17.03.2024 BunnyLoader 3.0 Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled MALWARE Loader
14.03.2024 DBatLoader Latest DBatLoader Uses Driver Module to Disable AV/EDR Software MALWARE Loader
14.03.2024 DarkGate First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, ... MALWARE Loader
02.03.2024 GUloader  GUloader Unmasked: Decrypting the Threat of Malicious SVG Files MALWARE Loader
02.03.2024 WINELOADER European diplomats targeted by SPIKEDWINE with WINELOADER MALWARE Loader
28.02.2024 MASEPIE Compromised Routers Are Still Leveraged as Malicious Infrastructure to Target Government Organizations in Europe and the Caucasus MALWARE Loader
27.02.2024 IDAT Loader Unveiling UAC-0184: The Steganography Saga of the IDAT Loader Delivering Remcos RAT to a Ukraine Entity in Finland MALWARE Loader
17.02.2024 Bumblebee This malware is delivered by an ISO file, with a DLL inside with a custom loader. Because of the unique user-agent "bumblebee" this malware was dubbed BUMBLEBEE. MALWARE Loader
17.02.2024 DarkMe CVE-2024-21412: Water Hydra Targets Traders With Microsoft Defender SmartScreen Zero-Day MALWARE Loader
17.02.2024 PikaBot Pikabot is a malware loader that originally emerged in early 2023. Over the past year, ThreatLabz has been tracking the development of Pikabot and its modus operandi. MALWARE Loader
08.02.2024 HijackLoader HijackLoader Expands Techniques to Improve Defense Evasion MALWARE Loader
05.02.2024 DiceLoader This report aims to detail the functioning of a malware used by FIN7 since 2021, named DiceLoader (also known as Icebot), .... MALWARE Loader
01.02.2024 KRUSTYLOADER KRUSTYLOADER - RUST MALWARE LINKED TO IVANTI CONNECTSECURE COMPROMISES MALWARE Loader
10.01.2024 PikaBot  Introducing Pikabot, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. MALWARE Loader
29.12.2023 Appleseed Kimsuky Attack Group Abusing Chrome Remote Desktop MALWARE Loader
29.12.2023 HijackLoader According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques including Process Doppelgänging, DLL Search Order Hijacking, and Heaven's Gate. It has been observed to store its malicious payload in the IDAT chunk of PNG file format.  MALWARE Loader
29.12.2023 FakeBat FakeBat, also known as EugenLoader, is a notorious software loader and distributor that has come to the fore in the field of cyber threats. FakeBat has been associated with malvertising campaigns since at least November 2022.  MALWARE Loader
29.12.2023 BATLOADER According to PCrisk, BATLOADER is part of the infection chain where it is used to perform the initial compromise. This malware is used to execute payloads like Ursnif. Our team has discovered BATLOADER after executing installers for legitimate software (such as Zoom, TeamViewer, Visual Studio) bundled with this malware. We have found those installers on compromised websites.  MALWARE Loader
24.12.2023 IceXLoader IceXLoader is a commercial malware used to download and deploy additional malware on infected machines. The latest version is written in Nim, a relatively new language utilized by threat actors the past two years, most notably by the NimzaLoader variant of BazarLoader used by the TrickBot group.  MALWARE Loader
29.11.2023 Fabookie Loader Galore - TaskLoader at the start of a Pay-per-Install Infection Chain MALWARE Loader
29.11.2023 PrivateLoader According to Sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. MALWARE Loader
25.11.2023 WailingCrab Stealthy WailingCrab Malware misuses MQTT Messaging Protocol MALWARE Loader
21.11.2023 IDAT Loader According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques including Process Doppelgänging, DLL Search Order Hijacking, and Heaven's Gate. IDAT loader got its name as the threat actor stores the malicious payload in the IDAT chunk of PNG file format.  MALWARE Loader
11.11.2023 FakeBat FakeBat (also known as EugenLoader) is a malicious software loader and dropper that has emerged as a significant player in the world of cyber threats. FakeBat has been associated with malvertising campaigns since at least November 2022.  MALWARE Loader
27.10.2023 IMAPLoader  Yellow Liderc ships its scripts and delivers IMAPLoader malware MALWARE Loader
21.10.2023 DarkGate First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation.  MALWARE Loader
16.10.2023 HijackLoader HijackLoader Targets Hotels: A Technical Analysis MALWARE Loader
16.10.2023 IDAT Loader Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers MALWARE Loader
03.10.2023 BunnyLoader  BunnyLoader, the newest Malware-as-a-Service MALWARE Loader
14.09.2023 JSSLoader Malware distributor Storm-0324 facilitates ransomware access MALWARE Loader
10.09.2023 DarkGate First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. MALWARE Loader
06.09.2023 BLISTER  Elastic observed this loader coming with valid code signatures, being used to deploy secondary payloads in-memory.  MALWARE Loader
02.09.2023 HemiGate  HemiGate is a backdoor used by Earth Estries. Like most of the tools used by this threat actor, this backdoor is also executed via DLL sideloading using one of the loaders that support interchangeable payloads.  MALWARE Loader
31.08.2023 DarkGate First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. MALWARE Loader
24.08.2023 Whiffy Recon SMOKE LOADER DROPS WHIFFY RECON WI-FI SCANNING AND GEOLOCATION MALWARE MALWARE Loader
30.07.2023 GraphicalNeutrino This loader abuses the benign service Notion for data exchange.  MALWARE Loader
22.07.2023 DBatLoader This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component.  MALWARE Loader
08.06.2023 Legion Loader Malware often arrives hand in hand with other malware. MALWARE Loader
25.05.2023 POORTRY According to Mandiant, POORTRY is a malware written as a driver, signed with a Microsoft Windows Hardware Compatibility Authenticode signature. MALWARE Loader
25.05.2023 WinTapix.sys Since Iranian threat actors are known to exploit Exchange servers to deploy additional malware, it is also possible that this driver has been employed alongside Exchange attacks. MALWARE Loader
16.05.2023 PrivateLoader According to Sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. MALWARE Loader
12.05.2023 SmokeLoader The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. MALWARE LOADER
17.04.2023 GraphicalNeutrino This loader abuses the benign service Notion for data exchange.  MALWARE Loader