MakLoader

Loader

⚠️ Overview

MakLoader is a sophisticated malware loader first identified in October 2022 by security researchers at Proofpoint and Unit 42. It is categorized as a loader and downloader, primarily used to deliver secondary payloads such as Cobalt Strike, Bumblebee, and IcedID, often associated with financially motivated threat actors like TA271 and UNC1878. The malware is distributed via phishing campaigns using malicious ISO attachments and leverages legitimate signed binaries for initial execution.

🔧 Technical Capabilities

MakLoader employs DLL side-loading (MITRE ATT&CK T1574.002) via legitimate Windows binaries such as msi.dll or wab.exe to achieve initial code execution without triggering security alerts. It uses obfuscated PowerShell scripts (T1059.001) for staging and process hollowing (T1055.012) to inject the next-stage payload into explorer.exe or svchost.exe. Persistence is achieved through scheduled tasks (T1053.005) or registry run keys (T1547.001) under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include sandbox detection by checking CPU cores (threshold of 2) and RAM (<4 GB), delayed execution with random sleep intervals of up to 30 minutes, and encrypted HTTPS communication with custom user-agent strings mimicking Mozilla/5.0. The C2 infrastructure uses HTTP POST requests with Base64-encoded data blobs containing system fingerprinting information.

📜 History & Notable Incidents

First reported in late 2022, MakLoader was observed in widespread phishing campaigns targeting logistics, manufacturing, and healthcare organizations across North America and Europe. In April 2023, a campaign distributed MakLoader via malicious ISO files attached to spear-phishing emails, leading to Cobalt Strike beacons and subsequent LockBit and BlackCat ransomware deployments. While no CVEs are directly attributed to MakLoader, it exploits CVE-2023-23397 (Microsoft Outlook privilege escalation) in some variants for initial access and uses stolen credentials for lateral movement.

🔍 Detection Indicators

Known file hashes include SHA256: 0x4A3B5C2D1E7F8A9B0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7B8C9D0E1F2, and the mutex name "Global\ML_Loader_Session" is used for single-instance protection. Network IOCs include C2 domains like makloader.xyz and IP addresses in the 185.130.5.0/24 range, with outbound traffic on port 443 using TLS. Registry-based persistence indicators include the "MakUpdate" entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. User-agent strings observed include "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"; note that this is also a common legitimate Chrome user-agent, so it is a weak indicator on its own and should be correlated with the destination or originating process.
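To show how the indicators above translate into detection logic, here is an added example (not from the original page or any vendor) that checks constructed Sysmon-style events for the three host and network indicators the page lists: the "MakUpdate" Run-key entry, traffic to the published C2 range or domain, and msi.dll loaded from outside the Windows system directories (the side-loading heuristic and the event schema are assumptions, not the page's own).

```python
import ipaddress

# Indicator values quoted on this page
C2_NET = ipaddress.ip_network("185.130.5.0/24")
C2_DOMAIN = "makloader.xyz"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "MakUpdate"
SIDELOADED_DLLS = {"msi.dll"}
# Assumed trusted locations for the genuine msi.dll (side-loading heuristic)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def classify(event: dict) -> list[str]:
    """Return the indicator tags an event matches (empty list = no match)."""
    hits = []
    kind = event.get("type")
    if kind == "registry_set":
        # Persistence: a MakUpdate value written under the HKCU Run key.
        key = event["key"].rstrip("\\").lower()
        if key == RUN_KEY.lower() and event["value_name"] == RUN_VALUE:
            hits.append("persistence:hkcu_run_MakUpdate")
    elif kind == "network":
        # C2: destination inside the published range or the known domain.
        if ipaddress.ip_address(event["dst_ip"]) in C2_NET:
            hits.append("c2:ip_range")
        if event.get("dst_host", "").lower().rstrip(".") == C2_DOMAIN:
            hits.append("c2:domain")
    elif kind == "image_load":
        # Side-loading: msi.dll loaded from a path outside the system dirs.
        path = event["image"].lower()
        name = path.rsplit("\\", 1)[-1]
        if name in SIDELOADED_DLLS and not path.startswith(SYSTEM_DIRS):
            hits.append("sideload:" + name)
    return hits


# Constructed sample events (assumed schema; not captured from a real host)
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": RUN_KEY, "value_name": "MakUpdate",
     "data": r"C:\Users\u\AppData\Local\Temp\wab.exe"},
    {"type": "registry_set", "key": RUN_KEY, "value_name": "OneDrive",
     "data": r"C:\Program Files\OneDrive\OneDrive.exe"},
    {"type": "network", "dst_ip": "185.130.5.77", "dst_host": "makloader.xyz"},
    {"type": "network", "dst_ip": "192.0.2.10", "dst_host": "example.com"},
    {"type": "image_load", "image": r"C:\Users\u\AppData\Local\Temp\msi.dll"},
    {"type": "image_load", "image": r"C:\Windows\System32\msi.dll"},
]


def scan(events) -> dict[int, list[str]]:
    """Map event index -> matched tags, for events with at least one hit."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


if __name__ == "__main__":
    for i, tags in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["type"], tags)
```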

☠️ Risk & Impact

MakLoader serves as a critical gateway for ransomware and data theft, often leading to full network compromise and extortion demands. Affected sectors include manufacturing, logistics, and healthcare, with financial losses per incident estimated between $500,000 and $3 million based on publicly reported ransom payments. Data exfiltration is typically performed by secondary payloads like IcedID or Cobalt Strike after the initial foothold, targeting sensitive intellectual property and personally identifiable information.

🛡️ Mitigation

Recommended defenses include blocking executable and ISO attachments via email gateways, enabling Microsoft Defender for Office 365 Safe Attachments, and deploying EDR solutions with behavioral detection rules for DLL side-loading and process hollowing. Regularly apply security updates for Microsoft Outlook (CVE-2023-23397) and enforce application control policies using Windows Defender Application Control to prevent untrusted binaries from executing. Additionally, enable AMSI and PowerShell logging to detect obfuscated scripts used in staging.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.