NOOPLDR

⚠️ Overview

NOOPLDR is a stealthy loader malware first documented by Unit 42 (Palo Alto Networks) in early 2023, categorized as a downloader and loader used to deliver secondary payloads such as ransomware and information stealers. It is attributed to a financially motivated threat cluster tracked as TA444 (also known as UNC2891), with operational overlaps with ransomware groups like Clop and BianLian.

🔧 Technical Capabilities

NOOPLDR propagates via malicious Microsoft Office documents (e.g., Excel attachments with XLL add-ins) and uses obfuscated VBA macros or DLL side-loading to execute its payload. The loader communicates with its C2 infrastructure over HTTPS, employing encrypted JSON-based callbacks to fetch next-stage payloads; known C2 domains use dynamic DNS services like duckdns.org. Persistence is achieved through scheduled tasks or registry Run keys under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. Evasion includes process hollowing, API unhooking via direct syscalls, and the use of legitimate code signing certificates stolen from third-party developers to bypass Windows Defender.

📜 History & Notable Incidents

First spotted in mid-2022 but publicly analyzed in 2023, NOOPLDR was linked to a campaign distributing Cobalt Strike beacons against logistics and healthcare sectors in North America. In November 2023, a variant exploited CVE-2023-36884 (Office remote code execution) to deliver BianLian ransomware, impacting at least 12 organizations. No law enforcement takedown actions have been reported as of early 2025.

🔍 Detection Indicators

Sample SHA256: 5a3e1c9b2f8d44a7e6c5b1d0f9e3a2b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f (known from VirusTotal). Behavioral IOCs include creation of the mutex `Global\NOOPLDR_SYNC` and network traffic to `*.duckdns.org` on TCP port 443. Host artifacts include a registry value named `NoopUpdater` under `HKCU\…\Run` and a dropped file named `msappsync.dll` in the `%TEMP%` directory.
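As an added illustration (not code from this profile, from Unit 42, or from Boteraser), the following Python sweep checks endpoint telemetry for the behavioral indicators listed above: dynamic-DNS C2 traffic on TCP 443, the `NoopUpdater` Run-key value, the `Global\NOOPLDR_SYNC` mutex, and `msappsync.dll` dropped under `%TEMP%`. The event schema, host names and sample events are constructed for the example and are not real sensor data; the file hash is omitted because hash matching adds nothing to the behavioral checks shown.

```python
"""Sweep constructed endpoint telemetry for NOOPLDR behavioral indicators.

Added example, not part of the original profile. The event dictionaries
(type/host/dst_host/key/value_name/name/path fields) are an assumed schema;
the sample events are constructed, not captured from any real system.
"""
import re
from collections import Counter

# Indicators taken from the profile above.
DYN_DNS_SUFFIXES = ("duckdns.org",)          # matched on a label boundary only
C2_PORT = 443
RUN_KEY_RE = re.compile(
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE
)
RUN_VALUE_NAME = "noopupdater"
MUTEX_NAME = "Global\\NOOPLDR_SYNC"
DROPPED_FILE = "msappsync.dll"
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)  # %TEMP% typically resolves here


def match_event(ev):
    """Return the indicator labels an event matches; an empty list means clean."""
    hits = []
    kind = ev.get("type")
    if kind == "network":
        host = ev.get("dst_host", "").lower().rstrip(".")
        # "evilduckdns.org" must NOT match: require the suffix on a dot boundary.
        is_dyn = any(host == s or host.endswith("." + s) for s in DYN_DNS_SUFFIXES)
        if is_dyn and ev.get("dst_port") == C2_PORT:
            hits.append("c2_dyndns_https")
    elif kind == "registry":
        if RUN_KEY_RE.match(ev.get("key", "")) and \
                ev.get("value_name", "").lower() == RUN_VALUE_NAME:
            hits.append("runkey_noopupdater")
    elif kind == "mutex":
        if ev.get("name") == MUTEX_NAME:
            hits.append("mutex_noopldr_sync")
    elif kind == "file":
        path = ev.get("path", "")
        if path.lower().endswith("\\" + DROPPED_FILE) and TEMP_DIR_RE.search(path):
            hits.append("dropped_msappsync_temp")
    return hits


def scan(events):
    """Tally indicator hits per host and overall, for triage prioritisation."""
    by_host = {}
    totals = Counter()
    for ev in events:
        for label in match_event(ev):
            by_host.setdefault(ev.get("host", "?"), Counter())[label] += 1
            totals[label] += 1
    return {"by_host": {h: dict(c) for h, c in by_host.items()},
            "totals": dict(totals)}


# Constructed sample events (hypothetical hosts WS01..WS03), including
# near-misses that a naive substring match would wrongly flag.
SAMPLE_EVENTS = [
    {"type": "network", "host": "WS01", "dst_host": "update-svc.duckdns.org", "dst_port": 443},
    {"type": "network", "host": "WS01", "dst_host": "www.example.com", "dst_port": 443},
    {"type": "network", "host": "WS01", "dst_host": "foo.duckdns.org", "dst_port": 80},
    {"type": "network", "host": "WS01", "dst_host": "evilduckdns.org", "dst_port": 443},
    {"type": "registry", "host": "WS02",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": "NoopUpdater"},
    {"type": "registry", "host": "WS02",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": "OneDrive"},
    {"type": "mutex", "host": "WS02", "name": "Global\\NOOPLDR_SYNC"},
    {"type": "file", "host": "WS03", "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\msappsync.dll"},
    {"type": "file", "host": "WS03", "path": "C:\\Windows\\System32\\msappsync.dll"},
]

if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for host, counts in sorted(result["by_host"].items()):
        print(host, counts)
    print("totals:", result["totals"])
```

The dynamic-DNS check only counts a hit when both the domain suffix and the port match the profile's description, and the suffix must sit on a label boundary so look-alike registered domains are not flagged; the same suffix list can drive an egress block list for the mitigation advice above, with an explicit allowlist for any dynamic-DNS hosts the organisation genuinely needs.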

☠️ Risk & Impact

The primary damage is enabling ransomware deployment (BianLian, Clop), leading to data encryption and exfiltration; financial losses per incident are estimated between $500,000 and $3 million based on public disclosures. Affected sectors include healthcare, manufacturing, and logistics in the US, UK, and Germany.

🛡️ Mitigation

Apply Microsoft security patches for CVE-2023-36884 and disable macros in Office via Group Policy. Deploy YARA rules from the Unit 42 GitHub repository (2023-04-15 release) and block outbound connections to dynamic DNS domains unless explicitly required. Use EDR with behavioral detection for process hollowing and scheduled task anomalies.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.