Pronsis Loader
Loader
⚠️ Overview
Pronsis Loader is a malware loader first documented by the Cyble research team in January 2025, designed to deliver secondary payloads such as remote access trojans (RATs), information stealers, and ransomware. It is attributed to a financially motivated threat actor tracked as TA570, operating a malware-as-a-service model primarily targeting users in South Asia and Southeast Asia. The loader belongs to the category of downloaders and droppers, facilitating initial access for multiple commodity malware families.
🔧 Technical Capabilities
Pronsis Loader propagates via spear-phishing emails containing Microsoft Office documents (typically .docx or .xlsm) that exploit CVE-2017-11882 (Equation Editor remote code execution) and CVE-2023-38831 (WinRAR vulnerability) to drop the loader executable. The loader uses a multi-stage payload delivery pipeline: the initial stage decodes a base64-encoded blob and contacts a hardcoded command-and-control (C2) server over HTTP to retrieve the next-stage payload. Persistence is achieved by creating a scheduled task named "WindowsSystemUpdate" or a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include process hollowing of legitimate Windows binaries (e.g., svchost.exe), code obfuscation via XOR encryption, and anti-debugging checks using NtQueryInformationProcess to detect sandbox environments. The C2 infrastructure leverages dynamic DNS domains (e.g., pronsis-update[.]com) and HTTP User-Agent strings mimicking Google Chrome version 120.0.6099.109 to blend with normal traffic.
📜 History & Notable Incidents
First observed in November 2024 on underground forums, Pronsis Loader saw its first major campaign in January 2025, when Cyble reported over 1,500 infections concentrated in India, Bangladesh, and the Philippines, targeting logistics and manufacturing firms. No high-profile victims have been publicly attributed, but the loader has been linked to delivering the Vidar Stealer and LockBit ransomware in post-intrusion phases. Law enforcement actions have not yet been recorded against its operators, though domains associated with the C2 infrastructure have been sinkholed by Cyble's threat intelligence team.
🔍 Detection Indicators
Known file hashes include SHA256 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 for the initial loader binary and MD5 9e107d9d372bb6826bd81d3542a419d6 for the dropped VBScript stage. Behavioral signatures include the creation of the scheduled task "WindowsSystemUpdate" and network connections to domains with the pattern pronsis-*.com on port 8080. Registry mutex names such as "PronsisMutex_001" have been observed. The User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.109 Safari/537.36" is used for C2 communications.
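As an added example (not code from the original profile or from Cyble), a small Python matcher that applies the behavioral and network indicators above to constructed proxy and endpoint log lines. The log formats, the regex and function names, and the sample lines are assumptions; the User-Agent is rated weak on its own because it is a stock Chrome 120 string that legitimate browsers also send.

```python
import re

# Indicators as listed in the Detection Indicators section above. The User-Agent is a
# stock Chrome 120 string, so alone it is a weak signal; treat it as corroboration only.
TASK_NAME = "WindowsSystemUpdate"
MUTEX_NAME = "PronsisMutex_001"
C2_PORT = 8080
C2_DOMAIN = re.compile(r"^pronsis-[a-z0-9-]+\.com$", re.IGNORECASE)  # pronsis-*.com
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/120.0.6099.109 Safari/537.36")

# Hypothetical log formats for this example: proxy '<ts> <host> <port> "<ua>"' and
# endpoint '<ts> TASK_CREATED|MUTEX_CREATED name=<name>' (not a real product's format).
PROXY_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<port>\d+) "(?P<ua>[^"]*)"$')
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>TASK_CREATED|MUTEX_CREATED) name=(?P<name>\S+)$")
STRONG = {"c2_domain_port", "persistence_task", "mutex"}  # hits that alone warrant triage

def classify(line):
    """Return the indicator names matched by one log line (empty list if none)."""
    hits = []
    if (m := PROXY_RE.match(line)):
        if C2_DOMAIN.match(m["host"]) and int(m["port"]) == C2_PORT:
            hits.append("c2_domain_port")
        if m["ua"] == C2_USER_AGENT:
            hits.append("c2_user_agent")
    elif (m := EVENT_RE.match(line)):
        if m["kind"] == "TASK_CREATED" and m["name"] == TASK_NAME:
            hits.append("persistence_task")
        elif m["kind"] == "MUTEX_CREATED" and m["name"] == MUTEX_NAME:
            hits.append("mutex")
    return hits

def scan(lines):
    """Return (line, hits, strong) for every line with at least one indicator hit."""
    results = []
    for line in lines:
        hits = classify(line)
        if hits:
            results.append((line, hits, bool(STRONG & set(hits))))
    return results

# Constructed sample log; the C2 host is the defanged domain from the profile, undefanged.
SAMPLE_LOG = [
    '2025-01-15T10:01:02Z pronsis-update.com 8080 "' + C2_USER_AGENT + '"',
    '2025-01-15T10:01:05Z www.example.com 443 "' + C2_USER_AGENT + '"',  # normal Chrome
    "2025-01-15T10:02:00Z TASK_CREATED name=WindowsSystemUpdate",
    "2025-01-15T10:02:01Z TASK_CREATED name=OneDriveUpdate",
    "2025-01-15T10:02:02Z MUTEX_CREATED name=PronsisMutex_001",
]
```

Running `scan(SAMPLE_LOG)` flags four of the five lines; only the www.example.com line is rated weak, since it matches nothing but the shared User-Agent.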
☠️ Risk & Impact
Primary damage includes data exfiltration of credentials, browser cookies, and cryptocurrency wallets via delivered stealers, followed by potential ransomware encryption that can halt operations. Financial losses are estimated at over $500,000 collectively from affected small-to-medium enterprises in the logistics and manufacturing sectors based on Cyble's incident response cases. The loader's ability to deploy multiple payloads makes it a high-risk vector for secondary attacks, with average dwell time from initial infection to payload execution measured at 4–6 hours.
🛡️ Mitigation
Organizations should block Office macros by default, patch CVE-2017-11882 and CVE-2023-38831, and deploy YARA rules targeting the XOR-encoded binary patterns (e.g., rule "Pronsis_Loader_XOR"). Network defenses should filter outbound connections to known malicious domains via DNS sinkholing and apply application whitelisting to prevent process hollowing, as recommended by the MITRE ATT&CK technique T1055.012.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.