Loader
| 3.4.23 | DBatLoader | This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it. | MALWARE | Loader |
| 31.03.2026 | DeepLoad | DeepLoad Malware Pairs ClickFix Delivery with AI-Generated Evasion | MALWARE | LOADER |
| 24.03.2026 | StoatWaffle | StoatWaffle, malware used by WaterPlum | MALWARE | LOADER |
| 06.03.2026 | BadPaw and MeowMeow | Exposing a Russian Campaign Targeting Ukraine Using New Malware Duo: BadPaw and MeowMeow | MALWARE | LOADER |
| 17.02.2026 | SmartLoader | SmartLoader Clones Oura Ring MCP to Deploy Supply Chain Attack | MALWARE | LOADER |
| 15.02.2026 | CastleLoader | GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries | MALWARE | LOADER |
| 02.02.2026 | GlassWorm Loader | GlassWorm Loader Hits Open VSX via Developer Account Compromise | MALWARE | LOADER |
| 17.01.2026 | Gootloader’s | Planned failure: Gootloader’s malformed ZIP actually works perfectly | MALWARE | LOADER |
| 20.12.2025 | GachiLoader | The YouTube Ghost Network is a malware distribution network that uses compromised accounts to promote malicious videos and spread malware, such as infostealers. | MALWARE | LOADER |
| 20.12.2025 | CountLoader | From Loader to Looter: ACR Stealer Rides on Upgraded CountLoader | MALWARE | LOADER |
| 10.12.2025 | CastleLoader | GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries | MALWARE | LOADER |
| 17.11.2025 | RONINGLOADER | RONINGLOADER: DragonBreath’s New Path to PPL Abuse | MALWARE | Loader |
| 12.11.2025 | Gootloader | Gootloader Returns: What Goodies Did They Bring? | MALWARE | Loader |
| 11.11.2025 | Comebacker | Lazarus Group targets Aerospace and Defense with new Comebacker variant | MALWARE | Loader |
| 09.11.2025 | Line Dancer | In-memory shellcode loader targeting Cisco Adaptive Security Appliance (ASA) devices | MALWARE | Loader |
| 09.11.2025 | Line Runner | Persistent webshell targeting Cisco Adaptive Security Appliance (ASA) devices. | MALWARE | Loader |
| 08.11.2025 | XLoader 8.0 | Cracking XLoader with AI: How Generative Models Accelerate Malware Analysis | MALWARE | Loader |
| 01.11.2025 | HijackLoader | The SonicWall Capture Labs threat research team has recently been monitoring new variants of the HijackLoader malware that are being delivered through SVG files. | MALWARE | Loader |
| 18.10.2025 | PhantomVAI | Unit 42 researchers have been tracking phishing campaigns that use PhantomVAI Loader to deliver information-stealing malware through a multi-stage, evasive infection chain. | MALWARE | Loader |
| 26.09.2025 | Line Runn | Persistent webshell targeting Cisco Adaptive Security Appliance (ASA) devices. | MALWARE | Loader |
| 26.09.2025 | Line Danc | In-memory shellcode loader targeting Cisco Adaptive Security Appliance (ASA) devices. | MALWARE | Loader |
| 20.09.2025 | CountLoader | Silent Push has discovered a new malware loader that is strongly associated with Russian ransomware gangs that we are naming: “CountLoader.” | MALWARE | LOADER |
| 29.08.2025 | Xiangoop | Pirates of The Nang Hai: Follow the Artifacts No One Know | MALWARE | Loader |
| 25.07.2025 | CastleLoader | Understanding Current CastleLoader Campaigns | MALWARE | Loader |
| 19.07.2025 | MDifyLoader | Malware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities | MALWARE | LOADER |
| 18.07.2025 | Emmenhtal | MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities | MALWARE | Loader |
| 02.07.2025 | TransferLoader | Zscaler ThreatLabz has identified a new malware loader that we have named TransferLoader, which has been active since at least February 2025. | MALWARE | LOADER |
| 27.05.2025 | Winos 4.0 | NSIS Abuse and sRDI Shellcode: Anatomy of the Winos 4.0 Campaign | MALWARE | Loader |
| 18.05.2025 | Skitnet | Skitnet is a multi-stage malware that uses Rust and Nim to execute a stealthy reverse shell over DNS, leveraging encryption, manual mapping, and dynamic API resolution to evade detection | MALWARE | Loader |
| 06.05.2025 | TerraStealerV2 and TerraLogger | TerraStealerV2 and TerraLogger: Golden Chickens' New Malware Families Discovered | MALWARE | Loader |
| 02.05.2025 | MintsLoader | Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting | MALWARE | Loader |
| 02.04.2025 | HijackLoader | Analyzing New HijackLoader Evasion Tactics | MALWARE | Loader |
| 01.04.2025 | MSC EvilTwin loader | The MSC EvilTwin loader represents a novel approach (CVE-2025-26633) to malware deployment by leveraging specially crafted Microsoft Saved Console (.msc) files. | MALWARE | Loader |
| 28.03.2025 | CoffeeLoader | CoffeeLoader: A Brew of Stealthy Techniques | MALWARE | Loader |
| 08.03.2025 | Zloader 2.9.4.0 | Inside Zloader’s Latest Trick: DNS Tunneling | MALWARE | Loader |
| 08.03.2025 | Ragnar Loader | Ragnar Loader (a.k.a. Sardonic Backdoor) is a sophisticated toolkit of the Monstrous Mantis | MALWARE | Loader |
| 04.03.2025 | Havoc | Havoc: SharePoint with Microsoft Graph API turns into FUD C2 | MALWARE | Loader |
| 20.02.2025 | XLoader | XLoader Executed Through JAR Signing Tool (jarsigner.exe) | MALWARE | Loader |
| 27.01.2025 | MintsLoader: StealC | MintsLoader: StealC and BOINC Delivery | MALWARE | Loader |
| 14.12.2024 | NodeLoader | NodeLoader Exposed: The Node.js Malware Evading Detection | MALWARE | LOADER |
| 06.12.2024 | Venom | Unveiling RevC2 and Venom Loader | MALWARE | LOADER |
| 02.12.2024 | SmokeLoader | SmokeLoader Attack Targets Companies in Taiwan | MALWARE | LOADER |
| 28.11.2024 | Gaming | Gaming Engines: An Undetected Playground for Malware Loaders | MALWARE | LOADER |
| 19.11.2024 | BabbleLoader | Babble Babble Babble Babble Babble Babble BabbleLoader | MALWARE | LOADER |
| 18.11.2024 | Dolphin | The Abuse of ITarian RMM by Dolphin Loader | MALWARE | LOADER |
| 11.11.2024 | Gootloader | Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign | MALWARE | LOADER |
| 28.10.2024 | Latrodectus | Analyzing Latrodectus: The New Face of Malware Loaders | MALWARE | LOADER |
| 05.09.2024 | WikiLoader | Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant | MALWARE | Loader |
| 21.08.2024 | UULoader | Meet UULoader: An Emerging and Evasive Malicious Installer. | MALWARE | Loader |
| 02.08.2024 | ModiLoader | Phishing targeting Polish SMBs continues via ModiLoader | MALWARE | Loader |
| 11.07.2024 | DodgeBox | DodgeBox: A deep dive into the updated arsenal of APT41 \| Part 1 | MALWARE | Loader |
| 05.07.2024 | GootLoader | GootLoader Malware Still Active, Deploys New Versions for Enhanced Attacks | MALWARE | Loader |
| 03.07.2024 | SmokeLoader, part 2 | A Brief History of SmokeLoader, Part 2 | MALWARE | Loader |
| 03.07.2024 | SmokeLoader, part 1 | A Brief History of SmokeLoader, Part 1 | MALWARE | Loader |
| 03.07.2024 | FakeBat loader | Exposing FakeBat loader: distribution methods and adversary infrastructure | MALWARE | Loader |
| 20.06.2024 | SquidLoader | LevelBlue Labs Discovers Highly Evasive, New Loader Targeting Chinese Organizations | MALWARE | Loader |
| 18.06.2024 | Hijack Loader | Info Stealing Campaign Uses DLL Sideloading Through Legitimate Cisco Webex’s Binaries for Initial Execution and Defense Evasion | MALWARE | Loader |
| 14.06.2024 | SSLoad Malware | Dissecting SSLoad Malware: A Comprehensive Technical Analysis | MALWARE | Loader |
| 20.05.2024 | LATRODECTUS | The LATRODECTUS loader evolves to deliver ICEDID and other malware | MALWARE | Loader |
| 08.05.2024 | HijackLoader | HijackLoader (a.k.a. IDAT Loader) is a malware loader initially spotted in 2023 that is capable of using a variety of modules for code injection and execution. | MALWARE | Loader |
| 19.04.2024 | Deuterbear | Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear | MALWARE | Loader |
| 28.03.2024 | Agent Tesla | Agent Tesla's New Ride: The Rise of a Novel Loader | MALWARE | Loader |
| 23.03.2024 | WINELOADER | APT29 Uses WINELOADER to Target German Political Parties | MALWARE | Loader |
| 22.03.2024 | Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. | MALWARE | Loader |
| 20.03.2024 | Smoke Loader | Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor | MALWARE | Loader |
| 17.03.2024 | BunnyLoader 3.0 | Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled | MALWARE | Loader |
| 14.03.2024 | DBatLoader | Latest DBatLoader Uses Driver Module to Disable AV/EDR Software | MALWARE | Loader |
| 14.03.2024 | DarkGate | First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, ... | MALWARE | Loader |
| 02.03.2024 | GUloader | GUloader Unmasked: Decrypting the Threat of Malicious SVG Files | MALWARE | Loader |
| 02.03.2024 | WINELOADER | European diplomats targeted by SPIKEDWINE with WINELOADER | MALWARE | Loader |
| 28.02.2024 | MASEPIE | Compromised Routers Are Still Leveraged as Malicious Infrastructure to Target Government Organizations in Europe and the Caucasus | MALWARE | Loader |
| 27.02.2024 | IDAT Loader | Unveiling UAC-0184: The Steganography Saga of the IDAT Loader Delivering Remcos RAT to a Ukraine Entity in Finland | MALWARE | Loader |
| 17.02.2024 | Bumblebee | This malware is delivered by an ISO file, with a DLL inside with a custom loader. Because of the unique user-agent "bumblebee" this malware was dubbed BUMBLEBEE. | MALWARE | Loader |
| 17.02.2024 | DarkMe | CVE-2024-21412: Water Hydra Targets Traders With Microsoft Defender SmartScreen Zero-Day | MALWARE | Loader |
| 17.02.2024 | PikaBot | Pikabot is a malware loader that originally emerged in early 2023. Over the past year, ThreatLabz has been tracking the development of Pikabot and its modus operandi. | MALWARE | Loader |
| 08.02.2024 | HijackLoader | HijackLoader Expands Techniques to Improve Defense Evasion | MALWARE | Loader |
| 05.02.2024 | DiceLoader | This report aims to detail the functioning of a malware used by FIN7 since 2021, named DiceLoader (also known as Icebot), ... | MALWARE | Loader |
| 01.02.2024 | KRUSTYLOADER | KRUSTYLOADER - RUST MALWARE LINKED TO IVANTI CONNECTSECURE COMPROMISES | MALWARE | Loader |
| 10.01.2024 | PikaBot | Introducing Pikabot, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. | MALWARE | Loader |
| 29.12.2023 | Appleseed | Kimsuky Attack Group Abusing Chrome Remote Desktop | MALWARE | Loader |
| 29.12.2023 | HijackLoader | According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques including Process Doppelgänging, DLL Search Order Hijacking, and Heaven's Gate. It has been observed to store its malicious payload in the IDAT chunk of PNG file format. | MALWARE | Loader |
| 29.12.2023 | FakeBat | FakeBat, also known as EugenLoader, is a notorious software loader and dropper that has risen to prominence in the cyber threat landscape. FakeBat has been associated with malvertising campaigns since at least November 2022. | MALWARE | Loader |
| 29.12.2023 | BATLOADER | According to PCrisk, BATLOADER is part of the infection chain where it is used to perform the initial compromise. This malware is used to execute payloads like Ursnif. Our team has discovered BATLOADER after executing installers for legitimate software (such as Zoom, TeamViewer, Visual Studio) bundled with this malware. We have found those installers on compromised websites. | MALWARE | Loader |
| 24.12.2023 | IceXLoader | IceXLoader is a commercial malware used to download and deploy additional malware on infected machines. The latest version is written in Nim, a relatively new language utilized by threat actors over the past two years, most notably by the NimzaLoader variant of BazarLoader used by the TrickBot group. | MALWARE | Loader |
| 29.11.2023 | Fabookie | Loader Galore - TaskLoader at the start of a Pay-per-Install Infection Chain | MALWARE | Loader |
| 29.11.2023 | PrivateLoader | According to Sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. | MALWARE | Loader |
| 25.11.2023 | WailingCrab | Stealthy WailingCrab Malware misuses MQTT Messaging Protocol | MALWARE | Loader |
| 21.11.2023 | IDAT Loader | According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques including Process Doppelgänging, DLL Search Order Hijacking, and Heaven's Gate. IDAT loader got its name as the threat actor stores the malicious payload in the IDAT chunk of PNG file format. | MALWARE | Loader |
| 11.11.2023 | FakeBat | FakeBat (also known as EugenLoader) is a malicious software loader and dropper that has emerged as a significant player in the world of cyber threats. FakeBat has been associated with malvertising campaigns since at least November 2022. | MALWARE | Loader |
| 27.10.2023 | IMAPLoader | Yellow Liderc ships its scripts and delivers IMAPLoader malware | MALWARE | Loader |
| 21.10.2023 | DarkGate | First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. | MALWARE | Loader |
| 16.10.2023 | HijackLoader | HijackLoader Targets Hotels: A Technical Analysis | MALWARE | Loader |
| 16.10.2023 | IDAT Loader | Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers | MALWARE | Loader |
| 03.10.2023 | BunnyLoader | BunnyLoader, the newest Malware-as-a-Service | MALWARE | Loader |
| 14.09.2023 | JSSLoader | Malware distributor Storm-0324 facilitates ransomware access | MALWARE | Loader |
| 10.09.2023 | DarkGate | First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. | MALWARE | Loader |
| 06.09.2023 | BLISTER | Elastic observed this loader coming with valid code signatures, being used to deploy secondary payloads in-memory. | MALWARE | Loader |
| 02.09.2023 | HemiGate | HemiGate is a backdoor used by Earth Estries. Like most of the tools used by this threat actor, this backdoor is also executed via DLL sideloading using one of the loaders that support interchangeable payloads. | MALWARE | Loader |
| 31.08.2023 | DarkGate | First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. | MALWARE | Loader |
| 24.08.2023 | Whiffy Recon | SMOKE LOADER DROPS WHIFFY RECON WI-FI SCANNING AND GEOLOCATION MALWARE | MALWARE | Loader |
| 30.07.2023 | GraphicalNeutrino | This loader abuses the benign service Notion for data exchange. | MALWARE | Loader |
| 22.07.2023 | DBatLoader | This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. | MALWARE | Loader |
| 08.06.2023 | Legion Loader | Malware often arrives hand in hand with other malware. | MALWARE | Loader |
| 25.05.2023 | POORTRY | According to Mandiant, POORTRY is a malware written as a driver, signed with a Microsoft Windows Hardware Compatibility Authenticode signature. | MALWARE | Loader |
| 25.05.2023 | WinTapix.sys | Since Iranian threat actors are known to exploit Exchange servers to deploy additional malware, it is also possible that this driver has been employed alongside Exchange attacks. | MALWARE | Loader |
| 16.05.2023 | PrivateLoader | According to Sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. | MALWARE | Loader |
| 12.05.2023 | SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. | MALWARE | LOADER |
| 17.04.2023 | GraphicalNeutrino | This loader abuses the benign service Notion for data exchange. | MALWARE | Loader |