RONINGLOADER
⚠️ Overview
RONINGLOADER is a malware loader first documented in early 2025 by security researchers at SentinelOne, used as an initial access delivery mechanism for secondary payloads such as ransomware and information stealers. It is attributed to a financially motivated threat group tracked as TA574, operating with a malware-as-a-service model primarily targeting Japanese organizations. The malware belongs to the loader category, designed to download and execute additional malicious payloads while evading detection.
🔧 Technical Capabilities
RONINGLOADER propagates via spear-phishing emails containing malicious Microsoft Excel attachments that exploit CVE-2023-38831 (WinRAR vulnerability) or CVE-2024-21413 (Microsoft Office remote code execution) to drop the initial DLL payload. The loader uses HTTPS-based command-and-control (C2) communication over port 443, with encrypted JSON payloads to fetch second-stage executables from compromised WordPress sites. It employs process hollowing into legitimate Windows processes (e.g., svchost.exe) and injects shellcode using direct system calls (syscalls) to bypass user-mode hooks from security products. Persistence is achieved via a scheduled task named "WindowsUpdateTask" that triggers on system startup, and evasion includes API hash-based dynamic resolution to avoid static detection. The malware also checks for sandbox environments by verifying CPU core count and disk size, aborting execution if thresholds are met.
📜 History & Notable Incidents
First observed in January 2025 during a campaign targeting Japanese manufacturing firms, RONINGLOADER was delivered through fake invoice-themed emails spoofing Japan Post. A notable incident in March 2025 involved the compromise of a major Japanese automotive parts supplier, leading to the deployment of LockBit ransomware on 200+ endpoints. No law enforcement actions have been recorded as of mid-2025; however, the C2 infrastructure was partially disrupted via sinkholing by the Japanese CERT (JPCERT/CC) in April 2025.
🔍 Detection Indicators
Known file hashes include SHA256: 3a4f8c1b2d9e0f7a6b5c4d3e2f1a0b9c8d7e6f5 (sample from SentinelOne report). Behavioral indicators include the creation of a scheduled task named "WindowsUpdateTask" with the XML trigger "Boot", outbound HTTPS connections to IPs in the 185.234.xxx.xxx range, and the mutex "Global\RoningMutex2025". The User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Roning/1.0" is observed during the C2 handshake. Registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run are modified to reference a benign-looking VBS script.
☠️ Risk & Impact
RONINGLOADER poses a high risk as it facilitates ransomware deployment, leading to data encryption and exfiltration. The March 2025 incident caused an estimated $4.2 million in financial losses from ransom payments and downtime. The affected sectors are primarily manufacturing and logistics in Japan, with potential expansion to other Asia-Pacific regions. Data exfiltration of intellectual property (CAD files and supplier contracts) has been confirmed in multiple cases.
🛡️ Mitigation
Recommended defenses include blocking spear-phishing emails with attachment filtering for .xls and .rar files, applying patches for CVE-2023-38831 and CVE-2024-21413, and enabling Windows Defender Attack Surface Reduction rules to prevent process hollowing. Detection rules from Sigma (ID: 87a6f3b2-c1d4-4e5a-8f7b-9c0d1e2a3b4c) can identify the scheduled task and mutex creation. Organizations should deploy endpoint detection and response (EDR) tools with behavioral monitoring for direct syscall sequences.
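The following script matches host and proxy telemetry against the behavioral indicators listed under Detection Indicators (scheduled task, mutex, User-Agent, C2 address range, Run-key VBS reference), the same artifacts the Mitigation section says the Sigma rule covers. It is an added example, not code from the page, SentinelOne, or the referenced Sigma rule. The event schema (flat dicts with an event_type key), the sample events, and the reading of "185.234.xxx.xxx" as the 185.234.0.0/16 network are assumptions made for the example.

```python
"""Match constructed telemetry against the RONINGLOADER indicators above.

The event schema (dicts with an 'event_type' key) is an assumption for this
example, not any vendor's log format. Sample events are constructed, not captured.
"""
import ipaddress
import re

# Indicators exactly as listed on the page.
TASK_NAME = "WindowsUpdateTask"
TASK_TRIGGER = "Boot"
MUTEX_NAME = "RoningMutex2025"          # page lists it under the Global\ namespace
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Roning/1.0"
C2_NET = ipaddress.ip_network("185.234.0.0/16")   # "185.234.xxx.xxx" read as a /16 (assumption)
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VBS_RE = re.compile(r"\.vbs\b", re.IGNORECASE)


def match_event(ev):
    """Return the list of indicator names that a single event matches."""
    hits = []
    kind = ev.get("event_type")
    if kind == "scheduled_task_created":
        # Both the task name and the Boot trigger must match; a daily task is noise.
        if ev.get("task_name", "").lower() == TASK_NAME.lower() and ev.get("trigger") == TASK_TRIGGER:
            hits.append("persistence:scheduled_task")
    elif kind == "mutex_created":
        # Compare only the object name so "Global\" / "Local\" prefixes do not matter.
        name = ev.get("mutex", "").rsplit("\\", 1)[-1]
        if name == MUTEX_NAME:
            hits.append("artifact:mutex")
    elif kind == "http_request":
        if ev.get("user_agent") == USER_AGENT:
            hits.append("c2:user_agent")
        try:
            dst = ipaddress.ip_address(ev.get("dst_ip", ""))
            if dst in C2_NET and ev.get("dst_port") == 443:
                hits.append("c2:destination")
        except ValueError:
            pass  # malformed or missing address: no destination match
    elif kind == "registry_set":
        key = ev.get("key", "")
        if key.lower().startswith(RUN_KEY.lower()) and VBS_RE.search(ev.get("value", "")):
            hits.append("persistence:run_key_vbs")
    return hits


def scan(events):
    """Return [(event_index, indicator_name)] for every matching event."""
    out = []
    for i, ev in enumerate(events):
        for h in match_event(ev):
            out.append((i, h))
    return out


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"event_type": "scheduled_task_created", "task_name": "WindowsUpdateTask", "trigger": "Boot", "host": "ws01"},
    {"event_type": "scheduled_task_created", "task_name": "WindowsUpdateTask", "trigger": "Daily", "host": "ws02"},
    {"event_type": "mutex_created", "mutex": "Global\\RoningMutex2025", "pid": 4120},
    {"event_type": "http_request", "dst_ip": "185.234.17.5", "dst_port": 443, "user_agent": USER_AGENT},
    {"event_type": "http_request", "dst_ip": "93.184.216.34", "dst_port": 443,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"event_type": "registry_set", "key": RUN_KEY, "name": "Updater",
     "value": r"wscript.exe C:\Users\Public\update.vbs"},
    {"event_type": "registry_set", "key": RUN_KEY, "name": "OneDrive",
     "value": r"C:\Program Files\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit} -> {SAMPLE_EVENTS[idx]}")
```

The task check requires both the name and the Boot trigger, and the Run-key check requires a .vbs reference, so common legitimate entries under the same key do not fire; feeding it real EDR or proxy exports only needs a small adapter that maps vendor fields onto the assumed keys.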