QuirkyLoader

QuirkyLoader is a malware loader first reported as active since November 2024 and used in email spam campaigns to deliver a range of next-stage payloads, including Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger. Reported delivery relies on malicious archive attachments containing a legitimate executable, a malicious DLL, and an encrypted payload; execution uses DLL side-loading to load the malicious code. QuirkyLoader also uses process hollowing to inject payloads into legitimate Windows processes including AddInProcess32.exe, InstallUtil.exe, and aspnet_wp.exe. The loader DLL is described as written in .NET and using ahead-of-time compilation, making it appear similar to a native C/C++ binary. Observed campaigns included activity in July 2025 targeting organizations in Taiwan and Mexico: one campaign targeted employees of Nusoft Taiwan with Snake Keylogger, while another broadly targeted victims in Mexico with Remcos RAT and AsyncRAT. A previously unobserved loader variant described as similar to QuirkyLoader was also reported in hotel-targeting phishing operations that used ClickFix-style social engineering and DLL sideloading to deploy PureRAT, with persistence via a Windows Run registry key and in-memory loading through AddInProcess32.exe. High-confidence behaviors associated with QuirkyLoader itself are email-spam-based delivery, DLL side-loading, and process hollowing for deployment of RATs, infostealers, and keyloggers.