Starloader

Loader

⚠️ Overview

Starloader is a loader malware first observed in late 2022 by researchers at Zscaler ThreatLabz, primarily used to deliver second-stage payloads such as the FormBook infostealer via malicious spam campaigns. It is attributed to a financially motivated threat actor tracked as TA579 (Proofpoint) or TA558 (multiple aliases), operating as a malware-as-a-service (MaaS) distributor. The malware is classified as a downloader/loader in the MITRE ATT&CK framework under techniques T1204.002 (User Execution: Malicious File) and T1105 (Ingress Tool Transfer).

🔧 Technical Capabilities

Starloader propagates via spear-phishing emails containing weaponized Microsoft Office documents or ZIP archives with embedded VBA macros (T1566.001). Execution chains involve downloading an intermediary DLL (often named "Starloader") that performs DLL side-loading (T1574.002) against legitimate Windows executables such as MSBuild.exe or Regsvr32.exe. The payload establishes C2 communication over HTTPS using HTTP POST requests with JSON-encoded data (T1071.001); C2 domains are either hardcoded or generated by a domain generation algorithm (DGA). Persistence is achieved through scheduled tasks (T1053.005) or registry Run keys (T1547.001). Evasion techniques include obfuscation of the VBA macro, anti-sandbox checks via sleep calls (T1497.003), and use of legitimate code-signing certificates stolen from small vendors.

📜 History & Notable Incidents

The first documented campaign featuring Starloader was reported in December 2022 by Zscaler, targeting logistics and manufacturing firms in the U.S. and Europe. In March 2023, Proofpoint linked a wave of FormBook infections to Starloader, with victims in the healthcare and financial sectors. No CVEs are directly exploited by Starloader itself, though it leverages known Office vulnerabilities such as CVE-2017-11882 (Equation Editor RCE) and CVE-2021-40444 (MSHTML remote code execution) to drop initial access. Law enforcement has not publicly taken action against the operators as of early 2025.

🔍 Detection Indicators

Known file hashes include SHA256 3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4 (sample from Zscaler, 2022) and b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8 (Proofpoint, 2023). Behavioral signatures include execution of msbuild.exe spawning regsvr32.exe to load an unsolicited DLL. Network IOCs include the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" used in C2 POSTs, and the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Starloader for persistence.

☠️ Risk & Impact

Starloader facilitates data exfiltration by delivering FormBook, which captures keystrokes, clipboard contents, and FTP/email credentials (T1056.001, T1005). Financial losses from associated business email compromise and credential theft have been estimated in the millions of dollars per campaign (Zscaler, 2023). Affected sectors include logistics, healthcare, manufacturing, and financial services, with small-to-medium enterprises disproportionately targeted due to weaker email security.

🛡️ Mitigation

Organizations should block macro execution from Office documents originating from external senders, deploy endpoint detection rules for DLL side-loading via msbuild.exe or regsvr32.exe, and apply patches for CVE-2017-11882 and CVE-2021-40444. Custom YARA rules for obfuscated VBA macros and network signatures for the User-Agent string are recommended (see Zscaler ThreatLabz blog, December 2022).
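As an added example that is not part of the page or its cited reports, the following Python checks constructed Sysmon-style telemetry against the three indicator classes listed under Detection Indicators (the msbuild.exe → regsvr32.exe side-loading chain, the Run key, and the C2 User-Agent). The event field names and the rule that a DLL outside the Windows system directories is "unsolicited" are assumptions.

```python
import json
import re

# Indicators taken from the page's Detection Indicators section.
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\Starloader$", re.IGNORECASE)
# Assumption: a DLL loaded from outside these directories counts as "unsolicited".
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def detect(event: dict) -> list:
    """Return the names of the Starloader indicators a single event matches."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        parent = event.get("parent_image", "").lower()
        image = event.get("image", "").lower()
        cmd = event.get("command_line", "").lower()
        dlls = re.findall(r'"?([a-z]:\\[^"\s]+\.dll)"?', cmd)
        if (parent.endswith("\\msbuild.exe") and image.endswith("\\regsvr32.exe")
                and dlls and not any(d.startswith(TRUSTED_DLL_DIRS) for d in dlls)):
            hits.append("msbuild_spawns_regsvr32_sideload")
    elif kind == "registry":
        if RUN_KEY_RE.search(event.get("target_object", "")):
            hits.append("run_key_starloader")
    elif kind == "network":
        # Weak on its own: this is a stock Chrome 108 UA, so corroborate with host telemetry.
        if event.get("user_agent") == C2_USER_AGENT:
            hits.append("c2_user_agent")
    return hits


def scan(log_lines):
    """Scan NDJSON event lines; return (line_number, hits) for every matching line."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        line = line.strip()
        if not line:
            continue
        hits = detect(json.loads(line))
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample telemetry (not real captures) in a Sysmon-like shape.
SAMPLE_LOG = r'''
{"type":"process","parent_image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe","image":"C:\\Windows\\System32\\regsvr32.exe","command_line":"regsvr32.exe /s C:\\Users\\Public\\update.dll"}
{"type":"process","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\regsvr32.exe","command_line":"regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll"}
{"type":"registry","target_object":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Starloader"}
{"type":"network","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
'''.splitlines()
```

Running `scan(SAMPLE_LOG)` flags lines 2, 4 and 5 and leaves the benign regsvr32.exe registration of a System32 DLL on line 3 unflagged.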


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.