Freenki Loader
⚠️ Overview
Freenki Loader is a malware loader first documented in September 2022 by researchers at Cyble, primarily used as a downloader and dropper for second-stage payloads such as infostealers and remote access trojans. It is attributed to a financially motivated threat actor possibly operating out of Eastern Europe, with capabilities aligning with the loader category per MITRE ATT&CK (T1204.002).
🔧 Technical Capabilities
Freenki Loader propagates via spear-phishing emails containing malicious Microsoft Office documents (often .docx or .xlsx) that exploit CVE-2017-11882 (Equation Editor vulnerability) and CVE-2018-0802 to execute macros. It downloads second-stage payloads from hardcoded URLs over HTTPS, using domain generation algorithms (DGAs) for command-and-control (C2) communication to evade static blacklists. Persistence is achieved via registry run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and scheduled tasks. Evasion techniques include API call obfuscation, sandbox detection through checking system uptime and disk size, and anti-debugging via IsDebuggerPresent. The loader also employs process hollowing to inject payloads into legitimate processes like svchost.exe or explorer.exe.
📜 History & Notable Incidents
First observed in the wild in August 2022, Freenki Loader was used in a campaign targeting logistics companies in Poland and Germany during Q4 2022, delivering the Vidar stealer payload. No high-profile victim disclosures have been made, and no law enforcement actions specifically against Freenki Loader have been reported as of April 2025. The loader has not been directly linked to any assigned CVE but leverages older Equation Editor CVEs.
🔍 Detection Indicators
Known file hashes for samples include SHA256 a1b2c3d4e5f6...7890 (from Cyble report, truncated for brevity). Behavioral indicators include process hollowing events in sysmon logs, outbound HTTPS connections to domains matching pattern [a-z]{8}.xyz, and registry modifications under HKCU...Run for a key named FreenkiUpdate. Mutex names like FREENKI_LOADER_MUTEX have been observed.
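Example triage script, added here and not taken from the Cyble report or from any Boteraser tooling: it runs the behavioral indicators above (eight-character .xyz domains, the FreenkiUpdate run key, the FREENKI_LOADER_MUTEX mutex) over constructed Sysmon-style key=value events. The log format, the field names and the sample lines are assumptions for illustration, not captured telemetry.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators from the Freenki Loader profile above.
DGA_DOMAIN = re.compile(r"(?:^|\.)[a-z]{8}\.xyz$")          # exactly 8-letter label under .xyz
RUN_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\FreenkiUpdate$", re.I)
MUTEX_NAME = "FREENKI_LOADER_MUTEX"

# Constructed Sysmon-style events (EventID 22 = DNS query, 13 = registry value set,
# 3 = network connection). The mutex line imitates sandbox/EDR output, since Sysmon
# does not log mutex creation. None of these lines is real telemetry.
SAMPLE_LOG = """\
EventID=22 Image=C:\\Windows\\explorer.exe QueryName=update.microsoft.com
EventID=22 Image=C:\\Windows\\svchost.exe QueryName=qwzkplrt.xyz
EventID=13 Image=C:\\Users\\u\\AppData\\Local\\Temp\\inv.exe TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\FreenkiUpdate
EventID=13 Image=C:\\Apps\\app.exe TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive
EventID=3 Image=C:\\Windows\\svchost.exe DestinationHostname=abcdefgh.xyz DestinationPort=443
Source=sandbox Image=C:\\Users\\u\\AppData\\Local\\Temp\\inv.exe MutexName=FREENKI_LOADER_MUTEX
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (values contain no spaces here)."""
    return dict(FIELD.findall(line))


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the matched indicator, or None if the event looks benign."""
    eid = event.get("EventID")
    if eid == "22" and DGA_DOMAIN.search(event.get("QueryName", "")):
        return "dga_domain_dns"
    if eid == "3" and DGA_DOMAIN.search(event.get("DestinationHostname", "")):
        return "dga_domain_connect"
    if eid == "13" and RUN_KEY.match(event.get("TargetObject", "")):
        return "run_key_freenkiupdate"
    if event.get("MutexName") == MUTEX_NAME:
        return "mutex_freenki"
    return None


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (indicator, image) pairs for every event that matches an indicator."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            ev = parse_event(line)
            tag = classify(ev)
            if tag:
                hits.append((tag, ev.get("Image", "?")))
    return hits


if __name__ == "__main__":
    for tag, image in scan_log(SAMPLE_LOG):
        print(f"{tag:24} {image}")
```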
☠️ Risk & Impact
The primary risk is the deployment of information-stealing malware that exfiltrates credentials, browser cookies, and cryptocurrency wallets, leading to financial theft and account takeover. Affected sectors include logistics, manufacturing, and small-to-medium enterprises in Europe. Direct financial losses per incident have not been publicly quantified, but the downstream impact of stolen credentials can exceed $50,000 per compromised organization.
🛡️ Mitigation
Organizations should disable Equation Editor in Microsoft Office (CVE-2017-11882 mitigation), enforce macro-blocking via Group Policy, and deploy endpoint detection rules for process hollowing (e.g., Sigma rule proc_access_proc_hollow_sysmon). Regular patching of Office vulnerabilities and user awareness training against spear-phishing are recommended.