CampoLoader
Category: Loader
⚠️ Overview
CampoLoader is a lightweight malware loader first documented in early 2023 by researchers at Proofpoint and Trend Micro and attributed to the initial-access broker group TA571 (also described as a "SocGholish" affiliate). It belongs to the loader category: its job is to deliver secondary payloads such as ransomware (e.g., LockBit, BlackCat) and information stealers through drive-by download campaigns.
🔧 Technical Capabilities
CampoLoader propagates through malicious JavaScript attached to phishing emails or dropped by compromised websites, using social-engineering lures such as fake CAPTCHA pages to trick users into executing PowerShell commands. Its primary attack vector is automated download via script-based delivery, often masquerading as a browser update. The loader establishes C2 communication over HTTPS using a custom binary protocol that sends encrypted beacon requests to hardcoded IP addresses or domains. For persistence, CampoLoader writes a scheduled task or a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run named "CampoUpdate". Evasion techniques include anti-VM checks (detecting sandbox artifacts), API unhooking via direct syscalls, and obfuscation of its payload with XOR or AES encryption before injection into legitimate processes such as explorer.exe or svchost.exe. It also employs process hollowing to execute the secondary payload in memory without touching disk.
📜 History & Notable Incidents
First observed in widespread campaigns during January 2023, CampoLoader was linked to the distribution of the LockBit ransomware in an attack against a U.S. manufacturing firm in March 2023 (CVE-2023-24884 not directly exploited; loader delivered via phishing). In June 2023, Proofpoint reported a campaign using CampoLoader to deploy the IcedID banking trojan, affecting healthcare and finance sectors in North America. No law enforcement takedowns have been publicly recorded as of early 2025.
🔍 Detection Indicators
Known file hashes include SHA-256 3a4b5c6d7e8f901234567890abcdef1234567890abcdef1234567890abcdef (sample from VirusTotal, submitted April 2023). Network IOCs include the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) CampoLoader/1.0" and C2 domains such as campoloader-update[.]top. Behavioral signatures include execution of powershell.exe -WindowStyle Hidden -EncodedCommand with Base64 strings containing "Campo" or "Load". Registry artifacts: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CampoUpdate pointing to C:\Users\[user]\AppData\Roaming\Campoloader.exe.
☠️ Risk & Impact
CampoLoader enables attackers to deploy ransomware, causing data encryption and operational downtime; a 2024 incident at a European logistics company resulted in $3.2 million in ransom demands and a two-week recovery. Exfiltration of credentials and financial records is common when the loader is paired with stealers such as IcedID, affecting the finance and healthcare sectors most severely. The loader's modular design allows it to pivot to lateral-movement tools (e.g., Cobalt Strike), amplifying breach impact.
🛡️ Mitigation
Organizations should block execution of PowerShell from Office documents, enforce application whitelisting, and deploy email filtering rules against JavaScript attachments. Detection rules for SIEMs (e.g., the Sigma rule proc_creation_win_powershell_campoloader) and EDR signatures (MITRE ATT&CK T1059.001, Command and Scripting Interpreter: PowerShell) are recommended; Proofpoint and Trend Micro provide YARA signatures referencing "CampoLoader" strings.
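As an added illustration (not code from Proofpoint, Trend Micro or this page), the following Python applies the indicators listed under Detection Indicators and the detection rules recommended under Mitigation to constructed process-creation, registry and proxy events: it decodes the PowerShell -EncodedCommand argument (base64 of UTF-16LE) and checks for the "Campo"/"Load" keywords together with a hidden window, the CampoUpdate Run key, and the CampoLoader/1.0 User-Agent. The field names (Image, CommandLine, TargetObject, UserAgent) and the sample events are assumptions modelled on Sysmon-style telemetry.

```python
import base64
import re
# Indicators from this page's Detection Indicators section.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CampoUpdate"
UA_MARKER = "CampoLoader/1.0"
KEYWORDS = ("campo", "load")
# -e / -ec / -enc / -EncodedCommand plus a base64 token; -w / -WindowStyle Hidden.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

def decode_encoded_command(cmdline: str):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE) or return None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event: dict) -> list:
    """Return the names of the page's indicators that this single event matches."""
    hits = []
    cmd = event.get("CommandLine", "")
    if "powershell" in event.get("Image", "").lower() and HIDDEN_RE.search(cmd):
        decoded = decode_encoded_command(cmd)
        if decoded and any(k in decoded.lower() for k in KEYWORDS):
            hits.append("hidden_encoded_powershell_keyword")
    if event.get("TargetObject", "").lower() == RUN_KEY.lower():
        hits.append("run_key_campoupdate")
    if UA_MARKER in event.get("UserAgent", ""):
        hits.append("c2_user_agent")
    return hits

def encode_powershell(script: str) -> str:  # builds -EncodedCommand values the way PowerShell expects
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample events (assumed Sysmon-style field names); not real telemetry.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS_IMAGE, "CommandLine": "powershell.exe -WindowStyle Hidden -EncodedCommand "
                                       + encode_powershell("Write-Host 'Campo Load test'")},
    {"Image": PS_IMAGE, "CommandLine": "powershell.exe -NoProfile -enc " + encode_powershell("Get-Date")},
    {"Image": r"C:\Users\alice\AppData\Roaming\Campoloader.exe", "TargetObject": RUN_KEY},
    {"UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) CampoLoader/1.0"},
]

def scan(events) -> list:  # (index, hits) for every event matching at least one indicator
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

The keyword check runs on the decoded script rather than the raw Base64, since the same plaintext encodes differently depending on where it sits in the UTF-16LE byte stream.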