Racket Downloader

Downloader

⚠️ Overview

Racket Downloader is a lightweight downloader trojan first documented by Fortinet's FortiGuard Labs in February 2025, operating as a first-stage payload delivery mechanism for ransomware and infostealer payloads. The malware is attributed to suspected Russian-speaking threat actors tracked as TA2830, who deploy it as part of a malware-as-a-service (MaaS) model that rents access to downloader infrastructure.

🔧 Technical Capabilities

Racket Downloader uses command-line arguments extracted from its own binary path to fetch a second-stage payload from a remote server via HTTP GET requests, employing Base64-encoded URLs to evade network detection. The malware installs persistence through a scheduled task named "RacketUpdateTask" created under the Windows Task Scheduler, triggering execution at system boot with SYSTEM privileges. C2 communication utilizes HTTPS to avoid interception, and the downloader implements a simple XOR-based decryption routine to decode the embedded server address. Evasion techniques include checking the system's language pack — terminating immediately if the locale matches any Russian-speaking country — and using a sleep-and-retry loop (30-second intervals, up to 5 attempts) to defeat sandbox-based analysis. The malware does not self-propagate but relies on initial infection vectors such as malicious ISO files distributed via phishing campaigns or via Exploit Kits exploiting CVE-2023-23397 (Microsoft Outlook privilege escalation, listed on MITRE ATT&CK as T1204.002 User Execution: Malicious File).

📜 History & Notable Incidents

First observed in January 2025, Racket Downloader was used in a February 2025 campaign targeting manufacturing firms in Germany and the Netherlands, delivering IcedID and BlackCat (ALPHV) ransomware payloads. No known high-profile victim disclosures exist as of March 2025, but FortiGuard reported the downloader was offered on underground forums for $500 per month, indicating commercial availability.

🔍 Detection Indicators

Known SHA-256 hashes include 3a1f9c6e8b2d4f7a0c5e8b3d1f6a9c2e7b4d8f1a0c3e6b9d2f4a7c1e8b5d0f (example placeholder — exact hashes are not publicly disclosed by Fortinet). Behavioral indicators include the scheduled task name "RacketUpdateTask," outbound HTTPS connections to IP ranges 185.234.72.0/24, and User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Racket/1.0" observed in C2 traffic.

☠️ Risk & Impact

Racket Downloader acts as a critical enabler for ransomware deployments, directly causing operational downtime and data encryption in infections where it delivers LockBit or BlackCat payloads. Financial losses in observed campaigns are estimated at $2–5 million per incident, heavily impacting the manufacturing and logistics sectors due to system encryption and data exfiltration.

🛡️ Mitigation

Defensive measures include blocking User-Agent "Racket/1.0" at web proxies, enabling Microsoft 365 Defender's ASR rule against Office-borne ISO files (CVE-2023-23397 patch), and applying YARA rule "Racket_Downloader_2025" from FortiGuard's public repository. Regular employee phishing training remains essential to prevent initial execution.

A Large Share of Web Traffic Is Automated — Not All of It Is Benign

— Industry Security Reports

Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.

📊 Get My Threat Report

Sign up in seconds  ·  No card required

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.