Croxloader

Loader

⚠️ Overview

Croxloader is a malware loader first observed in early 2023 by researchers at Zscaler ThreatLabz and later analyzed by Trend Micro and Cisco Talos. It is primarily used as a first-stage downloader to deliver secondary payloads such as information stealers, remote access trojans, and ransomware. The malware is distributed via malvertising campaigns and fake software download sites, often masquerading as legitimate installers for popular applications like Zoom, Adobe Reader, and Google Chrome. Attribution remains unclear, but operational patterns suggest a financially motivated threat actor operating in the cybercrime ecosystem.

🔧 Technical Capabilities

Croxloader employs a multi-stage infection chain: the initial dropper (typically a .NET executable) carries the next stage as a base64-encoded, AES-encrypted blob, base64-decodes it, decrypts it in memory, and then establishes persistence via a scheduled task or a registry Run key. It communicates with its command-and-control (C2) infrastructure over HTTPS, using HTTP POST requests to fetch encrypted payloads and to exfiltrate a host profile (hostname, username, OS version, installed antivirus products). Evasion techniques include unhooking user-mode API hooks planted by security products, delaying execution with Sleep calls to outlast sandbox timeouts, and checking for analysis environments by looking for virtual machine artifacts or unusually small disks. Which payload family is delivered (RedLine Stealer, Vidar, AsyncRAT, among others) is decided by the C2 configuration rather than hard-coded in the loader. Final payloads are executed by process injection, typically into legitimate processes such as explorer.exe or svchost.exe, so the payload runs in memory without being written to disk.

📜 History & Notable Incidents

Croxloader was first documented in March 2023 by Zscaler, who identified a large-scale malvertising campaign distributing it via Google Ads and Bing Ads. In June 2023, Trend Micro reported a campaign targeting the education sector in North America, delivering IcedID via Croxloader. No CVEs are tied to Croxloader itself: it does not exploit a software vulnerability, but relies on users following malicious advertisements to fake download sites and running the trojanised installer themselves. No law enforcement action had been publicly associated with this malware family as of early 2025, although takedowns of individual C2 servers have been noted in some incident response cases.

🔍 Detection Indicators

Behavioral indicators include creation of scheduled tasks named UpdateTask or OneDriveUpdater, new values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and outbound HTTPS traffic to IP addresses previously associated with Croxloader C2 (e.g., the 185.225.17.x range). Zscaler has published file hashes per campaign; note that the SHA-256 value often reproduced alongside this family, e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, is the digest of empty input and is a placeholder, not an indicator, so it must not be loaded into blocklists. Actual hashes vary per campaign. The reported User-Agent, Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36, is the default Chrome 108 User-Agent and appears in large volumes of legitimate traffic; it is only meaningful in combination with the non-standard HTTP headers the loader adds or with the C2 destination.
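The behaviours in the capabilities section and the indicators above translate directly into host-telemetry hunting logic. The following is an added example written for this page, not code from Zscaler, Trend Micro or any Croxloader sample. It runs over constructed Sysmon-style events (field names follow Sysmon: Image, CommandLine, TargetObject, TargetImage, DestinationIp; the event content is invented for the demo), flags the task names, Run-key writes, injection targets and C2 range stated on this page, and refuses to load the empty-input SHA-256 as an IOC. The 185.225.17.0/24 prefix is an assumption based on the "185.225.17.x" wording above.

```python
"""Hunt constructed Sysmon-style events for the Croxloader behaviours described on this page.

Added example for this page; not code from any vendor report or malware sample.
Indicators (task names, Run key, injection targets, C2 range) are taken from the page text
and should be treated as starting points, not ground truth.
"""
import hashlib
import ipaddress
import json
import re

SUSPICIOUS_TASK_NAMES = {"updatetask", "onedriveupdater"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
C2_NETWORK = ipaddress.ip_network("185.225.17.0/24")  # assumption: page says "185.225.17.x"
INJECTION_TARGETS = {"explorer.exe", "svchost.exe"}

# SHA-256 of zero bytes. It circulates as an "example" hash; it matches no real file.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def load_hash_iocs(hashes):
    """Keep only well-formed SHA-256 values that are not the empty-input digest."""
    clean = []
    for h in hashes:
        h = h.strip().lower()
        if re.fullmatch(r"[0-9a-f]{64}", h) and h != EMPTY_SHA256:
            clean.append(h)
    return clean


def task_name_from_cmdline(cmdline):
    """Extract the /tn value from a schtasks.exe command line (quoted or bare)."""
    m = re.search(r'/tn\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or m.group(2)


def classify(event):
    """Return a list of finding strings for one Sysmon-like event dict."""
    findings = []
    eid = event.get("EventID")
    if eid == 1:  # process creation
        image = event.get("Image", "").lower()
        if image.endswith("schtasks.exe"):
            name = task_name_from_cmdline(event.get("CommandLine", ""))
            if name and name.lower() in SUSPICIOUS_TASK_NAMES:
                findings.append(f"scheduled task created with suspicious name: {name} (T1053.005)")
    elif eid == 13:  # registry value set
        target = event.get("TargetObject", "")
        if RUN_KEY_RE.search(target):
            findings.append(f"Run key persistence: {target} (T1547.001)")
    elif eid == 8:  # CreateRemoteThread
        target = event.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
        if target in INJECTION_TARGETS:
            findings.append(f"remote thread into {target} from {event.get('SourceImage')} (T1055)")
    elif eid == 3:  # network connection
        try:
            ip = ipaddress.ip_address(event.get("DestinationIp", ""))
        except ValueError:
            return findings
        if ip in C2_NETWORK:
            findings.append(f"outbound connection to reported C2 range: {ip}")
    return findings


def hunt(lines):
    """Parse JSON lines and return (RecordID, finding) pairs in input order."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for f in classify(ev):
            results.append((ev.get("RecordID"), f))
    return results


# Constructed sample telemetry: records 1-4 should fire, 5 and 6 are benign noise.
SAMPLE_EVENTS = [
    json.dumps({"RecordID": 1, "EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
                "CommandLine": "schtasks /create /tn UpdateTask /tr C:\\Users\\Public\\upd.exe /sc onlogon"}),
    json.dumps({"RecordID": 2, "EventID": 13,
                "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDriveUpdater"}),
    json.dumps({"RecordID": 3, "EventID": 8, "SourceImage": "C:\\Users\\Public\\upd.exe",
                "TargetImage": "C:\\Windows\\explorer.exe"}),
    json.dumps({"RecordID": 4, "EventID": 3, "DestinationIp": "185.225.17.45", "DestinationPort": 443}),
    json.dumps({"RecordID": 5, "EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
                "CommandLine": "schtasks /create /tn GoogleUpdateTaskMachineUA /tr C:\\x.exe /sc daily"}),
    json.dumps({"RecordID": 6, "EventID": 3, "DestinationIp": "142.250.74.14", "DestinationPort": 443}),
]

if __name__ == "__main__":
    for rid, finding in hunt(SAMPLE_EVENTS):
        print(f"record {rid}: {finding}")
```

Feed real Sysmon exports (converted to JSON lines) into `hunt()`; the task-name and Run-key checks are the high-signal ones, while the C2-range check will age quickly as infrastructure rotates and should be refreshed from a current feed.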

☠️ Risk & Impact

Croxloader poses a high risk due to its role as a gateway for ransomware and data-stealing malware, potentially resulting in data exfiltration, credential theft, and financial losses. Affected sectors include education, healthcare, and small-to-medium businesses, as reported in Trend Micro’s 2023 threat landscape report. The loader’s ability to drop multiple payloads increases the complexity of post-infection cleanup and recovery.

🛡️ Mitigation

Defenders should enforce application allowlisting (for example Windows Defender Application Control or AppLocker) so that installers downloaded from untrusted sites cannot execute, and block known malicious domains using threat intelligence feeds. Deploy endpoint detection and response (EDR) with behavioral analytics to catch process injection, scheduled task creation and Run key writes rather than relying on file hashes, which change per campaign. Web filtering should block malvertising and fake download domains, and users should be directed to obtain software only from vendor sites or a managed software catalogue. MITRE ATT&CK techniques mapped to the behaviour described above include T1055 (Process Injection), T1053.005 (Scheduled Task/Job: Scheduled Task), T1547.001 (Registry Run Keys), T1497 (Virtualization/Sandbox Evasion) and T1574.002 (Hijack Execution Flow: DLL Side-Loading).

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.