CherryLoader

Loader

⚠️ Overview

CherryLoader is a .NET-based remote access trojan (RAT) first documented by security researchers at CrowdStrike in early 2024. It is believed to be operated by a financially motivated threat actor tracked as Diamond Sleet (also known as Lazarus subgroup or TA444), primarily targeting technology, defense, and cryptocurrency sectors. The malware is delivered via spear-phishing emails containing malicious ISO files, and it establishes persistent backdoor access for data exfiltration and lateral movement.

🔧 Technical Capabilities

CherryLoader uses DLL side-loading to execute a legitimate signed Microsoft binary (e.g., splwow64.exe) that loads a malicious DLL named "CherryLoader.dll". It communicates with its command-and-control (C2) infrastructure over HTTP/HTTPS, often using legitimate cloud services like Dropbox or GitHub for C2 relay to evade detection. The malware employs AES-256 encryption for its configuration and network traffic, and uses a multi-stage payload delivery mechanism: the first stage downloads a second-stage payload from a remote server. Persistence is achieved via a scheduled task or registry Run key. Evasion techniques include checking for sandbox environments by verifying system memory size (less than 2 GB) and avoiding execution on systems with Russian or Ukrainian keyboard layouts.

📜 History & Notable Incidents

CherryLoader was first observed in November 2023, with a significant campaign in February 2024 targeting employees of a major South Korean cryptocurrency exchange. CrowdStrike’s report (April 2024) linked it to Diamond Sleet, which had previously used similar loaders like AppleJeus and PinkScribe. No CVEs are directly associated with CherryLoader itself; instead, it exploits legitimate software trust (code signing) to bypass security. Law enforcement actions have not yet targeted this specific malware, but Diamond Sleet is under continuous FBI surveillance due to its ties to North Korean cyber operations.

🔍 Detection Indicators

Known file hashes from CrowdStrike analysis include SHA256: b8c7f6a9... (truncated for brevity; full hash available in vendor report). Behavioral indicators include the creation of a scheduled task named "CherryLoaderUpdate" and network connections to domains such as cherry-update[.]com and api.dropboxapi[.]com on port 443. The registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CherryLoader is used for persistence. A mutex named Global\CherryLoaderMutex ensures single-instance execution.

☠️ Risk & Impact

CherryLoader primarily functions as a backdoor that can download additional payloads, including credential stealers (e.g., Mimikatz) and ransomware. The malware has caused data exfiltration from at least two cryptocurrency exchanges, resulting in financial losses exceeding $50 million in stolen digital assets. The technology sector remains the most targeted vertical, with defense contractors also reporting compromised intellectual property.

🛡️ Mitigation

Organizations should block execution of ISO files from email attachments, enforce application whitelisting to prevent DLL side-loading, and monitor for scheduled tasks with names containing "CherryLoader". CrowdStrike Falcon and Microsoft Defender for Endpoint have published behavioral detection rules (e.g., rule ID 2037489). Regular patching of Microsoft Office and Windows vulnerabilities (e.g., CVE-2023-36884 used in initial delivery) is recommended.
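As an added example (not from the CrowdStrike report or any vendor rule set), the following Python matches the indicators listed under Detection Indicators and Mitigation above against constructed, Sysmon-style endpoint events; the event field names and sample file paths are assumptions, and the defanged domain is re-fanged before matching.

```python
"""Added example (not from the vendor report): match the CherryLoader indicators listed above
against constructed, Sysmon-style endpoint events. Field names are assumptions, not a real schema."""

# Indicators quoted on this page; the domain is kept defanged exactly as written.
TASK_NAME_FRAGMENT = "cherryloader"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CherryLoader"
DEFANGED_C2 = ["cherry-update[.]com"]
SIDELOAD_HOST = "splwow64.exe"  # signed Microsoft binary the page names as the side-load host

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'cherry-update[.]com' into a matchable hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")

C2_DOMAINS = {refang(d) for d in DEFANGED_C2}

def classify(event: dict) -> list:
    """Return the indicator names this single event matches (empty list if none)."""
    hits, kind = [], event.get("type")
    if kind == "task_create" and TASK_NAME_FRAGMENT in event.get("task_name", "").lower():
        hits.append("scheduled_task")
    if kind == "registry_set" and event.get("key", "").lower() == RUN_KEY.lower():
        hits.append("run_key_persistence")
    if kind == "dns_query" and refang(event.get("query", "")) in C2_DOMAINS:
        hits.append("c2_domain")
    # Side-loading: the signed host binary loading an unsigned CherryLoader.dll
    if (kind == "image_load"
            and event.get("image", "").lower().endswith(SIDELOAD_HOST)
            and event.get("loaded", "").lower().endswith("cherryloader.dll")
            and not event.get("signed", False)):
        hits.append("dll_sideload")
    return hits

def triage(events) -> dict:
    """Group hits per host so several independent indicators on one machine stand out."""
    per_host = {}
    for ev in events:
        for hit in classify(ev):
            per_host.setdefault(ev.get("host", "?"), set()).add(hit)
    return {host: sorted(hits) for host, hits in per_host.items()}

# Constructed sample telemetry: WS01 shows the page's behaviours, WS02 is benign noise.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "task_create", "task_name": "CherryLoaderUpdate"},
    {"host": "WS01", "type": "registry_set", "key": RUN_KEY},
    {"host": "WS01", "type": "dns_query", "query": "cherry-update.com"},
    {"host": "WS01", "type": "image_load", "image": r"C:\Users\u\AppData\splwow64.exe",
     "loaded": r"C:\Users\u\AppData\CherryLoader.dll", "signed": False},
    {"host": "WS02", "type": "dns_query", "query": "api.dropboxapi.com"},  # legitimate alone, not a hit
    {"host": "WS02", "type": "task_create", "task_name": "OneDriveUpdate"},
]
```

Dropbox API traffic is deliberately not flagged on its own, since the page notes the actor relays C2 through legitimate cloud services; correlate it with the other hits on the same host instead.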


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.