PUBLOAD

Malware

⚠️ Overview

PUBLOAD is a loader (stager) backdoor used by the China-linked espionage group tracked as Mustang Panda (also reported as Earth Preta and Bronze President). It was first publicly documented by Cisco Talos in May 2022 and described in more detail by Trend Micro in November 2022. Its primary role is to establish a foothold on the host and pull down second-stage payloads, which in reported campaigns have included the group's other implants such as PlugX. PUBLOAD falls under the categories of Malware Loader and Remote Access Trojan (RAT).

🔧 Technical Capabilities

PUBLOAD is executed through DLL side-loading: a legitimate, Microsoft-signed executable (often named MsiExplorer.exe or capa.exe) is dropped next to a malicious DLL that the executable loads by name from its own directory, so the signed binary becomes the host process for the implant. Persistence is established with a scheduled task or a value under the Run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Command-and-control (C2) traffic consists of HTTPS POST requests; inside the TLS session the check-in and exfiltration bodies are plaintext JSON, while the payloads sent back are encrypted. Anti-analysis measures include process hollowing into svchost.exe and checks for sandbox artifacts such as specific usernames or MAC address prefixes. Once running, PUBLOAD performs host reconnaissance, downloads additional modules, and executes arbitrary shellcode. Because the host binary carries a valid signature, signature-based trust alone does not stop it; detection has to key on the DLL that is loaded and on where the pair is running from.
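The HTTPS POST check-in loop described above is visible in proxy or TLS-termination logs even though the JSON bodies are not: a beacon recurs at a near-constant interval with a near-constant body size. The following is an added example, not code from the original page or from any vendor report, of that heuristic applied to a constructed log sample. The host name, URL paths, destination addresses (203.0.113.0/24 is a documentation range, not an indicator) and the jitter thresholds are all assumptions to tune for your own traffic.

```python
"""Beacon-interval heuristic over a constructed proxy log (added illustration)."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed log, not real traffic: <timestamp> <source host> <method> <url> <status> <bytes sent>
SAMPLE_LOG = """\
2024-01-10T09:00:00Z WS01 POST https://203.0.113.10/api/v1/status 200 512
2024-01-10T09:00:05Z WS01 GET https://www.example.com/ 200 40213
2024-01-10T09:03:10Z WS01 POST https://login.example.com/auth 302 1200
2024-01-10T09:05:01Z WS01 POST https://203.0.113.10/api/v1/status 200 518
2024-01-10T09:10:02Z WS01 POST https://203.0.113.10/api/v1/status 200 510
2024-01-10T09:15:00Z WS01 POST https://203.0.113.10/api/v1/status 200 515
2024-01-10T09:20:03Z WS01 POST https://203.0.113.10/api/v1/status 200 509
2024-01-10T09:40:10Z WS01 POST https://login.example.com/auth 302 1180
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d{3}) (\d+)$")


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, url, status, size = m.groups()
        parts = urlsplit(url)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src, "method": method, "dest": parts.netloc, "path": parts.path,
            "status": int(status), "bytes": int(size),
        })
    return events


def find_beacons(events, min_hits=4, max_gap_cv=0.2, max_size_cv=0.15):
    """Flag (source, destination, path) tuples whose POSTs recur at a near-constant
    interval with near-constant body size, the shape of a check-in loop.
    cv = population standard deviation / mean; a small cv means little jitter.
    Thresholds are assumptions; real loaders add jitter, so widen them with care."""
    by_key = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            by_key[(e["src"], e["dest"], e["path"])].append(e)

    alerts = []
    for (src, dest, path), hits in by_key.items():
        if len(hits) < min_hits:
            continue  # too few samples to call anything periodic
        hits.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        if mean(gaps) == 0:
            continue  # identical timestamps: a burst, not a beacon
        sizes = [e["bytes"] for e in hits]
        gap_cv = pstdev(gaps) / mean(gaps)
        size_cv = pstdev(sizes) / mean(sizes)
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            alerts.append({"src": src, "dest": dest, "path": path, "hits": len(hits),
                           "interval_s": mean(gaps), "gap_cv": round(gap_cv, 3)})
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, only the five POSTs to 203.0.113.10 are flagged (about 301 s apart, bodies of 509 to 518 bytes); the two logins to login.example.com fall under `min_hits` and the large GET is ignored. Run this over a day of logs per workstation and rank by `gap_cv`; the lowest values are either monitoring agents, which you can allowlist by destination, or something worth a look.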

📜 History & Notable Incidents

PUBLOAD was first reported in May 2022 by Cisco Talos, which observed it as a stager in Mustang Panda campaigns against European targets alongside the group's long-running PlugX implant. Trend Micro's November 2022 Earth Preta report described further waves against government, academic, foundation and research organisations, mainly in the Asia-Pacific region, in which spear-phishing emails carried links to password-protected archives containing the signed host executable and its side-loaded DLL. No CVE is attributed to PUBLOAD itself; initial access relies on phishing rather than exploitation. Malicious Office macros and CVE-2017-11882 (the Equation Editor memory-corruption bug) are two separate document-based vectors: a macro document does not leverage CVE-2017-11882, and a patched Equation Editor does nothing against a macro, so each needs its own control.

🔍 Detection Indicators

Behavioral indicators include the side-loading host (e.g. MsiExplorer.exe) spawning powershell.exe or rundll32.exe with unusual command-line arguments, and an unsigned DLL being loaded from the same user-writable directory as the signed host. Network IOCs involve outbound HTTPS connections to addresses described as Russian bulletproof hosting, such as 185.225.17.0/24 (as reported by Trend Micro); treat address-based indicators as low-confidence and time-bound, because loader infrastructure rotates. A known mutex name is Global\PUBLOAD_2022_MUTEX. Registry traces include a value named WindowsUpdate under the Run key. Specific file hashes are not publicly listed, but file names observed include wwan.dll and vmtools.dll; both names are also used by legitimate software, so match on the load location and missing signature rather than on the name alone.

☠️ Risk & Impact

PUBLOAD is an espionage tool: its impact is covert, long-term access and theft of documents and credentials from government, academic and research networks rather than immediate disruption. Because it is a loader, a PUBLOAD detection should be read as evidence that a second-stage implant is probably already present, so incident scoping must go beyond the initial host to the C2 infrastructure it contacted and to any lateral movement from it.

🛡️ Mitigation

Organizations should block execution of MsiExplorer.exe and other known side-loading hosts from non-standard (user-writable) directories, enforce application allowlisting that scopes trust by location rather than by publisher alone and that also evaluates DLL loads, and deploy endpoint detection rules for process injection into svchost.exe and for unsigned DLLs loaded from the directory of a signed executable. Microsoft's Attack Surface Reduction rule "Block all Office applications from creating child processes" is recommended for the macro vector; note that it does nothing against an archive that delivers the side-loading pair directly. Regular patching of Microsoft Office (e.g. CVE-2017-11882) closes the exploit-based variant of the initial access.
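The allowlisting caveat above is easy to get wrong, so here is an added example (not code from the original page and not a reimplementation of any product) that models two policies against the dropped pair under simplified rules: an explicit deny wins, otherwise the file is allowed if any allow rule matches, otherwise it is denied, and DLL loads are only evaluated when DLL rules are switched on. Those semantics, the paths and the publisher string are assumptions chosen to mirror how Windows application-control products commonly behave.

```python
"""Publisher-only versus path-scoped allowlisting against a side-loading pair (added illustration)."""
import fnmatch
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    kind: str      # "path" or "publisher"
    pattern: str   # glob, matched case-insensitively
    action: str    # "allow" or "deny"


@dataclass(frozen=True)
class Binary:
    path: str
    publisher: Optional[str]  # None when the file is unsigned
    is_dll: bool = False


def matches(rule, binary):
    # fnmatch treats backslash as a literal, so Windows paths can be matched directly.
    if rule.kind == "path":
        return fnmatch.fnmatchcase(binary.path.lower(), rule.pattern.lower())
    if rule.kind == "publisher":
        return binary.publisher is not None and \
            fnmatch.fnmatchcase(binary.publisher.lower(), rule.pattern.lower())
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(policy, binary, dll_rules_enabled=False):
    """Return "allow" or "deny" for one file under the simplified semantics (assumption)."""
    if binary.is_dll and not dll_rules_enabled:
        return "allow"  # DLL loads are simply not evaluated
    hits = [r for r in policy if matches(r, binary)]
    if any(r.action == "deny" for r in hits):
        return "deny"
    return "allow" if any(r.action == "allow" for r in hits) else "deny"


def evaluate_sideload_pair(policy, host_exe, dll, dll_rules_enabled=False):
    """The side-load only works if both the signed host and its DLL are allowed."""
    return (evaluate(policy, host_exe, dll_rules_enabled),
            evaluate(policy, dll, dll_rules_enabled))


# Constructed pair: a validly signed Microsoft executable dropped into a user-writable
# directory next to the unsigned DLL it will load.
HOST_EXE = Binary(r"C:\Users\alice\AppData\Roaming\Update\MsiExplorer.exe",
                  publisher="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US")
PAYLOAD_DLL = Binary(r"C:\Users\alice\AppData\Roaming\Update\wwan.dll",
                     publisher=None, is_dll=True)

# Policy A: trust anything Microsoft signs, wherever it runs from.
PUBLISHER_ONLY = [Rule("publisher", "O=MICROSOFT CORPORATION*", "allow")]

# Policy B: trust by location and deny user-writable areas outright.
PATH_SCOPED = [
    Rule("path", r"C:\Windows\*", "allow"),
    Rule("path", r"C:\Program Files\*", "allow"),
    Rule("path", r"C:\Program Files (x86)\*", "allow"),
    Rule("path", r"C:\Users\*", "deny"),
]

if __name__ == "__main__":
    print("publisher-only, no DLL rules:", evaluate_sideload_pair(PUBLISHER_ONLY, HOST_EXE, PAYLOAD_DLL))
    print("publisher-only, DLL rules:   ", evaluate_sideload_pair(PUBLISHER_ONLY, HOST_EXE, PAYLOAD_DLL, True))
    print("path-scoped, DLL rules:      ", evaluate_sideload_pair(PATH_SCOPED, HOST_EXE, PAYLOAD_DLL, True))
```

Under the publisher-only policy the dropped MsiExplorer.exe is allowed because its signature is genuine, and wwan.dll is never looked at unless DLL rules are on; the side-load succeeds. The path-scoped policy denies the host in the user's profile before the DLL is even consulted. DLL rules carry a real performance and compatibility cost, which is why they are often left off; if you cannot enable them, the location-based deny on user-writable directories is the control that actually blocks this pattern.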


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.