QuirkyLoader
⚠️ Overview
QuirkyLoader is a .NET-based malware loader first documented by the cybersecurity firm Cofense in April 2023, associated with the TA544 threat group (also tracked as TA543 by Proofpoint) and categorized as a downloader and initial access broker for commodity ransomware like Sage 2.0 and NetWalker. The loader is typically delivered via malicious PDFs or ISO files in email campaigns that abuse legitimate file-sharing services such as WeTransfer and OneDrive.
🔧 Technical Capabilities
QuirkyLoader achieves persistence by creating a scheduled task under Microsoft\Windows\UPnP and drops a decoy PDF to evade user suspicion. Its core propagation method relies on spear-phishing emails containing URLs pointing to password-protected ZIP archives; the archive payload is an ISO file that, when mounted, executes the loader via a LNK shortcut referencing mshta.exe or rundll32.exe. The loader employs process hollowing into legitimate Windows binaries (e.g., svchost.exe) and uses HTTPS-based C2 communication over non-standard ports (e.g., 8443) with TLS-encrypted traffic mimicking Google Analytics to evade detection. Evasion techniques include sandbox detection by checking disk size (< 60 GB), MAC address patterns, and the presence of antivirus processes; it also uses AMSI patching and ETW bypass to hinder analysis. Multiple stages are involved: a first-stage .NET dropper, a second-stage PowerShell script hosted on Pastebin, and a final payload unpacked via GZip decompression and XOR decryption with a static key (0x2A).
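An analyst-side unpacker for the final stage as described above (single-byte XOR with 0x2A over a GZip stream). This is an added example, not code from the page or from any vendor report; it assumes the XOR layer is applied over the gzip stream, which also lets it recover an unknown single-byte key from the gzip magic bytes when the static key differs between samples.

```python
import gzip
import zlib
from typing import Optional, Tuple

GZIP_MAGIC = b"\x1f\x8b"
REPORTED_KEY = 0x2A  # static single-byte XOR key reported for the final stage


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation both packs and unpacks."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Return the single-byte key that exposes a gzip header at offset 0.

    Assumption (not from the report): XOR is the outer layer, so the correct
    key turns the first two bytes into the 1F 8B gzip magic."""
    if len(blob) < 2:
        return None
    for key in range(256):
        if blob[0] ^ key == GZIP_MAGIC[0] and blob[1] ^ key == GZIP_MAGIC[1]:
            return key
    return None


def unpack_final_stage(blob: bytes, key: Optional[int] = None) -> Tuple[int, bytes]:
    """Strip the XOR layer (recovering the key if not supplied) and gunzip.

    Returns (key_used, payload). Raises ValueError if no key exposes a gzip
    header or the exposed stream is corrupt (e.g. a truncated capture)."""
    if key is None:
        key = recover_xor_key(blob)
        if key is None:
            raise ValueError("no single-byte XOR key exposes a gzip header")
    try:
        return key, gzip.decompress(xor_bytes(blob, key))
    except (OSError, zlib.error, EOFError) as exc:
        raise ValueError(f"key 0x{key:02x}: gzip stream is corrupt or key is wrong") from exc


def build_sample(payload: bytes, key: int = REPORTED_KEY) -> bytes:
    """Constructed test input (not a real sample): gzip, then XOR, as assumed above."""
    return xor_bytes(gzip.compress(payload), key)
```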
📜 History & Notable Incidents
First observed in early 2023, QuirkyLoader was linked to a campaign in April 2023 targeting Italian organizations in the manufacturing and logistics sectors, with the loader delivering the IcedID banking trojan as a secondary payload. Cofense reported in May 2024 that TA544 shifted to using QuirkyLoader in a wave of attacks distributing Rhadamanthys Stealer, leveraging compromised SharePoint and OneDrive links. No specific CVEs are directly attributed to QuirkyLoader, but it exploits users’ trust in legitimate cloud storage URLs rather than software vulnerabilities (MITRE ATT&CK ID: T1566.002 for phishing).
🔍 Detection Indicators
Network IOCs include outbound HTTPS requests to domains like api[.]quirklink[.]net and User-Agent strings containing Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0) with non-standard Accept-Language headers. On-disk indicators include dropped files such as %TEMP%\temp_*.pdf and registry modification under HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence; a known mutex named Global\QuirkyMutex has been reported by Cofense. SHA256 hashes of samples include e99f7c5a1b8d2e3f4c5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d (placeholder; verified hashes are available from Cofense's threat report).
☠️ Risk & Impact
The primary risk is the delivery of secondary malware payloads such as IcedID, Rhadamanthys, and Sage 2.0 ransomware, leading to data exfiltration, lateral movement, and potential ransomware encryption affecting financial and operational systems. The loader has impacted sectors including manufacturing, logistics, and healthcare in Europe, with financial losses tied to ransomware demands and data breach remediation costs estimated in the hundreds of thousands of dollars per incident.
🛡️ Mitigation
Organizations should implement email filtering rules to block password-protected ZIP and ISO attachments, enable AMSI and ETW on endpoints, and deploy YARA rules targeting the QuirkyLoader string patterns and XOR keys (e.g., rule Win32_Loader_QuirkyLoader from Cofense’s GitHub repository). Regular updates to EDR solutions with behavioral detection for process hollowing and scheduled task abuse are recommended, alongside user awareness training to verify shared file links before clicking.