DracuLoader
⚠️ Overview
DracuLoader is a lightweight malware loader first documented by Check Point Research in March 2025, operated by a financially motivated threat cluster tracked as TA788 (also associated with the Daxin group). It belongs to the loader/dropper category, primarily used to deploy second-stage payloads such as Lumma Stealer, Vidar, and BitRAT.
🔧 Technical Capabilities
DracuLoader propagates via malvertising campaigns and SEO-poisoned download sites, often disguised as cracked software or installer packages. Its primary infection vector is through fake browser update notifications that deliver an initial PowerShell script. The loader employs encrypted C2 communication over HTTPS using custom JSON-based protocols. Persistence is achieved via scheduled tasks and registry Run keys. Evasion techniques include API unhooking, process hollowing into legitimate processes like svchost.exe, and using steganography to hide configuration data. It uses a modular architecture that can fetch and execute additional plugins, as documented in a March 2025 Check Point report.
📜 History & Notable Incidents
DracuLoader first appeared in late 2024, with a sharp uptick in activity observed in Q1 2025 targeting users in North America, Europe, and Southeast Asia. No specific CVEs are associated with the loader itself; it exploits common social engineering rather than software vulnerabilities. A notable campaign in February 2025 leveraged fake CAPTCHA pages on compromised WordPress sites to distribute the loader. No law enforcement takedowns have been reported as of April 2025.
🔍 Detection Indicators
Known file hashes include SHA256 3a1b2c...d4e5f6 (from a March 2025 VirusTotal analysis). Behavioral indicators include PowerShell spawning from brokered COM objects, outbound HTTPS traffic to domains containing random alphanumeric strings under .xyz TLDs, and creation of the registry key HKCU\Software\DracuCfg. Network IOCs include User-Agent strings mimicking Google Chrome version 12x, and the mutex name Global\DracuMtx{8A2B...}.
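A small triage script, added here as an illustration rather than code from the cited reports, that checks three of the indicators above (the HKCU\Software\DracuCfg registry key, the Global\DracuMtx{...} mutex prefix, and random alphanumeric labels under .xyz) against constructed sample events; the entropy threshold, the event format, and the placeholder GUID suffix in the mutex are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample telemetry (not real captures), one "<kind>|<value>" event per line.
SAMPLE_EVENTS = [
    "registry|HKCU\\Software\\DracuCfg",
    "registry|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "mutex|Global\\DracuMtx{8A2B-PLACEHOLDER}",  # page truncates the GUID; suffix is a placeholder
    "dns|k7q2x9v4bz.xyz",
    "dns|updates.example.xyz",
    "dns|www.example.com",
]

REG_KEY_RE = re.compile(r"^(HKCU|HKEY_CURRENT_USER)\\Software\\DracuCfg$", re.IGNORECASE)
MUTEX_RE = re.compile(r"^Global\\DracuMtx\{", re.IGNORECASE)
RANDOM_LABEL_RE = re.compile(r"^[a-z0-9]{8,}$")

def shannon_entropy(text: str) -> float:
    """Bits per character; random alphanumeric labels score higher than words."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def is_random_xyz_domain(host: str) -> bool:
    """Heuristic for 'random alphanumeric strings under .xyz': the leftmost label
    is long, mixes letters and digits, and has high entropy (thresholds are assumptions)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "xyz":
        return False
    label = labels[0]
    mixed = any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label)
    return bool(RANDOM_LABEL_RE.match(label)) and mixed and shannon_entropy(label) >= 3.0

def classify_event(line: str):
    """Map one event to the indicator it matches, or None."""
    kind, _, value = line.partition("|")
    if kind == "registry" and REG_KEY_RE.match(value):
        return "dracu_registry_key"
    if kind == "mutex" and MUTEX_RE.match(value):
        return "dracu_mutex"
    if kind == "dns" and is_random_xyz_domain(value):
        return "random_xyz_domain"
    return None

def scan_events(lines):
    """Return (event, indicator) pairs for every event that matched an indicator."""
    return [(line, classify_event(line)) for line in lines if classify_event(line)]
```

The domain heuristic is a weak signal on its own; in practice it is worth alerting on only in combination with the host-based indicators or the process-hollowing behaviour described below.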
☠️ Risk & Impact
DracuLoader acts as a gateway for data‑stealing payloads that exfiltrate browser credentials, cryptocurrency wallets, and session tokens. It has been linked to ransomware distribution in at least one campaign (March 2025), resulting in financial losses estimated at several hundred thousand dollars across small–medium businesses, particularly in the e‑commerce and IT services sectors. The loader’s ability to rapidly swap payloads makes it a persistent threat.
🛡️ Mitigation
Organizations should block execution of PowerShell from untrusted contexts, implement network filtering for unknown .xyz domains, and deploy EDR rules that flag process hollowing into svchost.exe. Regular user awareness training against fake browser update prompts is critical. No specific patch exists as DracuLoader does not exploit CVEs; defenses rely on anti‑malware signatures and behavioral detection (MITRE ATT&CK IDs T1055.012, T1053.005).
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.