SquidLoader
Category: Loader

⚠️ Overview
SquidLoader is a .NET-based loader malware first documented by Morphisec researchers in July 2024, believed to be operated by a Chinese-speaking threat actor group tracked as TA444 (also known as TXTFile). It is categorized as a loader and initial access broker, primarily used to deploy secondary payloads such as Cobalt Strike Beacon and remote access trojans (RATs).
🔧 Technical Capabilities
SquidLoader spreads via spear-phishing emails containing malicious ISO or ZIP attachments that leverage thread-hijacking techniques to appear legitimate. Upon execution, the loader uses WMI and PowerShell scripts to perform environmental reconnaissance, including checking for sandboxing tools and antivirus processes. Its C2 infrastructure relies on HTTPS communication with hardcoded IP addresses and domains, often using base64-encoded payloads delivered over HTTP POST requests. Persistence is achieved through scheduled tasks or registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include process hollowing, API unhooking, and delayed execution via sleep loops to bypass dynamic analysis. The loader also employs an AMSI bypass that patches the AmsiScanBuffer function. According to Morphisec’s report (July 2024), it specifically targets the manufacturing and logistics sectors.
📜 History & Notable Incidents
First identified in January 2024 during a targeted campaign against a European logistics company, SquidLoader’s activity peaked in mid-2024. A notable incident involved the deployment of Cobalt Strike Beacon version 4.9 for lateral movement and data staging. No CVEs are directly exploited by the loader; instead, it relies on social engineering and malicious attachments. As of March 2025, no law enforcement actions have been publicly associated with this malware family.
🔍 Detection Indicators
Known file hashes include SHA256: 3a1b9c... (specific hash from Morphisec blog) and samples observed with names like "invoice_2024.iso". Behavioral signatures include creation of scheduled tasks named "MicrosoftEdgeUpdateTask" and network connections to IP addresses in the 45.33.32.0/19 range (Akamai CDN) used as staging servers. Registry keys under HKCU...Run with values containing base64-encoded PowerShell commands are strong indicators. User-Agent strings observed are Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 with custom Accept-Language headers.
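The host and network indicators listed above, together with the Run-key persistence described under Technical Capabilities, can be checked mechanically during triage. The script below is an added example written for this profile; it is not code from Boteraser or Morphisec. It runs over constructed sample data (a registry Run export, a scheduled-task list and a connection log, all made up here) and flags the indicators the profile names: the "MicrosoftEdgeUpdateTask" task name, Run values that launch PowerShell with a base64 -EncodedCommand argument (decoded from UTF-16LE, which is how PowerShell expects that argument), destinations inside 45.33.32.0/19, and the observed User-Agent prefix. The function names and the sample values are assumptions for illustration only; the encoded command in the sample is a harmless Write-Host.

```python
"""Triage helper matching the SquidLoader indicators listed on this page.

Added example, not part of the original profile. All sample data below is
constructed for illustration; only the indicator values come from the page.
"""
import base64
import ipaddress
import re

# Indicators quoted from the profile.
STAGING_RANGE = ipaddress.ip_network("45.33.32.0/19")
TASK_NAME = "MicrosoftEdgeUpdateTask"
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# PowerShell accepts abbreviated forms of -EncodedCommand; longest alternatives first.
ENCODED_ARG = re.compile(
    r"(?i)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})"
)


def decode_encoded_powershell(command: str):
    """Return the decoded -EncodedCommand payload of a command line, or None.

    PowerShell base64-encodes the UTF-16LE bytes of the script, so the blob is
    decoded in two steps. Malformed blobs are treated as 'no payload'.
    """
    match = ENCODED_ARG.search(command)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_run_values(run_values: dict):
    """run_values maps Run-key value name -> command line.

    Returns [(value_name, decoded_script)] for PowerShell entries carrying an
    encoded command, the indicator the profile calls out for HKCU...Run.
    """
    findings = []
    for name, command in run_values.items():
        if "powershell" not in command.lower():
            continue
        decoded = decode_encoded_powershell(command)
        if decoded is not None:
            findings.append((name, decoded))
    return findings


def check_tasks(task_names):
    """Return the scheduled-task names that equal the indicator task name."""
    return [name for name in task_names if name == TASK_NAME]


def check_connections(connections):
    """connections is a list of (destination_ip, user_agent).

    Returns [(ip, [reasons])] for destinations in the staging range and for
    requests using the observed User-Agent prefix.
    """
    hits = []
    for dest_ip, user_agent in connections:
        reasons = []
        if ipaddress.ip_address(dest_ip) in STAGING_RANGE:
            reasons.append("destination in 45.33.32.0/19")
        if user_agent and user_agent.startswith(USER_AGENT):
            reasons.append("observed User-Agent")
        if reasons:
            hits.append((dest_ip, reasons))
    return hits


# --- Constructed sample data (not real artefacts) -------------------------
_SAMPLE_BLOB = base64.b64encode("Write-Host hi".encode("utf-16-le")).decode()
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Updater": "powershell.exe -nop -w hidden -enc " + _SAMPLE_BLOB,
}
SAMPLE_TASKS = ["OneDrive Standalone Update Task", "MicrosoftEdgeUpdateTask"]
SAMPLE_CONNECTIONS = [
    ("45.33.40.7", USER_AGENT + " (KHTML, like Gecko) Chrome/120.0 Safari/537.36"),
    ("8.8.8.8", "curl/8.4.0"),
]


def triage(run_values=SAMPLE_RUN_VALUES, tasks=SAMPLE_TASKS, conns=SAMPLE_CONNECTIONS):
    """Run all three checks and return the findings as one dict."""
    return {
        "run_key": check_run_values(run_values),
        "tasks": check_tasks(tasks),
        "network": check_connections(conns),
    }


if __name__ == "__main__":
    for category, findings in triage().items():
        print(f"{category}: {findings}")
```

On a live host the inputs would come from a registry export of the Run key, the scheduled-task inventory and proxy or EDR network logs; the checks themselves are exact matches on the page's indicators, so a match is a reason to pull the sample, not a verdict on its own.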
☠️ Risk & Impact
Damage includes data exfiltration of intellectual property and credentials, with secondary payloads enabling ransomware deployment. Financial losses from a single incident in the logistics sector were estimated at over $500,000 due to operational disruption. Affected sectors are primarily manufacturing, logistics, and healthcare based on observed victimology in Morphisec’s telemetry.
🛡️ Mitigation
Defenders should implement email filtering for ISO and ZIP attachments, enable AMSI and Windows Defender Attack Surface Reduction rules, and deploy YARA rules matching SquidLoader’s .NET payload characteristics. Specific detection rules are available in the Morphisec GitHub repository under squidloader.yara.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.