Mallory
Malware · Used by 2 actors · Exploits 1 CVE

DonutLoader

DonutLoader is an in-memory shellcode loader/packer used to execute PE, DLL, .NET, and script payloads entirely in memory, reducing disk artifacts and helping evade disk-based detection. Public reporting describes it as an open-source shellcode generation/loading framework and repeatedly associates it with process injection and thread creation in target processes such as explorer.exe, Chrome, and Microsoft Edge.

Observed delivery chains on Windows include DLL sideloading and script-based droppers. In one campaign, a fake Claude AI site (claude-pro[.]com) delivered a trojanized MSI that dropped NOVupdate.exe, NOVupdate.exe.dat, and avk.dll into the Startup folder; the malicious avk.dll decrypted NOVupdate.exe.dat and executed DonutLoader, which then loaded the Beagle backdoor entirely in memory. Related variants used legitimate signed binaries such as G DATA NOVupdate.exe and Microsoft Defender MpCopyAccelerator.exe with sideloaded DLLs. In another campaign, a compromised Telnyx Python SDK deployed an executable named msbuild.exe that extracted DonutLoader from a PNG image embedded in the binary and used it to load a trojan and an AdaptixC2 beacon. Additional observed chains include heavily obfuscated JavaScript droppers abusing Windows Script Host COM objects and Microsoft Scriptrunner.exe to launch a DonutLoader stage that unpacked AgentTesla entirely in memory; batch/PowerShell phishing chains where decrypted shellcode typical of DonutLoader was injected into explorer.exe before executing XWorm; and malware that copied itself for persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run before later dropping DonutLoader.

Payloads delivered via DonutLoader in public reporting include the Beagle backdoor, AgentTesla, StealC v2, XWorm, LummaStealer, and tooling associated with AdaptixC2. Reported behaviors of these final payload chains include remote access, command execution, file transfer, credential theft, keylogging, screenshot capture, clipboard monitoring, and browser/wallet data theft, but those capabilities belong to the delivered malware rather than to DonutLoader itself.

Public reporting associates the malware with multiple threat clusters and campaigns rather than a single actor. It appears in campaigns linked or related to PlugX-like tradecraft, TeamPCP/UNC6780 supply-chain activity, GrayBravo logistics-themed operations, LummaStealer delivery chains, and a Sonbokli-tagged campaign where final payload attribution could not be confirmed. Targeting mentioned in public reporting includes software developers, shipping/logistics/maritime/procurement organizations, users searching for AI tools, and broader opportunistic victims.

High-confidence indicators and artifacts directly tied to DonutLoader usage in public reporting include filenames such as avk.dll, NOVupdate.exe.dat, msbuild.exe, and a malicious libcurl.dll sideloaded by a legitimate WinGup executable; domains and infrastructure including claude-pro[.]com, license[.]claude-pro[.]com, 62[.]60[.]226[.]248, and files-accl[.]zohoexternal[.]com; and observed injection targets including explorer.exe, Chrome, and Microsoft Edge.


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2026-33634: Trivy supply chain compromise via malicious release and retagged GitHub Actions (exploited in the wild)

On Windows systems, the hack of the Telnyx Python SDK resulted in the deployment of an executable named "msbuild.exe" that employs several obfuscation techniques to evade detection and extracts DonutLoader, a shellcode loader, from a PNG image present within the binary to load a full-featured trojan and a beacon associated with AdaptixC2, an open-source command-and-control (C2) framework.

via The Hacker News (thehackernews.com)
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

TeamPCP

On Windows systems, the hack of the Telnyx Python SDK resulted in the deployment of an executable named "msbuild.exe" that employs several obfuscation techniques to evade detection and extracts DonutLoader, a shellcode loader, from a PNG image present within the binary to load a full-featured trojan and a beacon associated with AdaptixC2, an open-source command-and-control (C2) framework.

via The Hacker News (thehackernews.com)
Velvet Tempest

...Velvet Tempest ... used a ClickFix lure ... to drop payloads like DonutLoader and CastleRAT.

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

24 distinct techniques documented for this family, organized by ATT&CK tactic.

T1583 Acquire Infrastructure (evidence: 1)

The campaign appears to be spreading through malvertising, where attackers pay to place malicious links in search engine ads and sponsored results.

T1608.006 SEO Poisoning (evidence: 1)

Threat actors may have also used SEO poisoning to further boost the site’s visibility in organic search results.

Initial Access

2 techniques
T1189 Drive-by Compromise (evidence: 1)

Many of the Keitaro IP addresses we saw in the AS214351 network host and distribute malware.

T1566.001 Spearphishing Attachment (evidence: 2)

Stage 1: Email Delivery
Victim receives spearphishing email with .JS attachment
Lure themes: "Bill of Lading", "Vessel Particulars", "Urgent Inquiry For Quotation"

Execution

5 techniques
T1059 Command and Scripting Interpreter (evidence: 1)
Tactic: Execution

62[.]60[.]226[.]248 hosted the DonutLoader malware payload... a memory‑only loader that turns PE/.NET/DLL/script into shellcode and injects them into other processes.

T1059.001 PowerShell (evidence: 4)
Tactic: Execution

MITRE ATT&CK Mapping
Tactic | Technique | ID | Application
Execution | PowerShell | T1059.001 | Invoke-WebRequest + Add-Type inline C#

T1059.007 JavaScript (evidence: 2)
Tactic: Execution

Stage 2: JavaScript Execution via WSH
Double-click triggers WScript.exe (Windows Script Host)
Script begins deobfuscation through 4-layer chain

T1204 User Execution (evidence: 2)
Tactic: Execution

"Velvet Tempest ... observed using a ClickFix lure, followed by hands-on-keyboard activity"

T1204.001 Malicious Link (evidence: 1)
Tactic: Execution

"...relies on affiliates, social engineering, fake cracked software, and fake CAPTCHA “ClickFix” lures." / "ClickFix pages trick users into pasting malicious PowerShell commands."

Persistence

1 technique
T1547.001 Registry Run Keys / Startup Folder (evidence: 4)

Once the MSI executes, it drops three files into the Windows Startup folder: NOVupdate.exe, NOVupdate.exe.dat, and a malicious DLL named avk.dll.

T1055 Process Injection (evidence: 3)

After unpacking the core archives, the malware moves into an advanced code injection stage.

T1055.001 Dynamic-link Library Injection (evidence: 1)

MITRE ATT&CK Mapping
Tactic | Technique | ID | Application
Execution | Reflective Code Loading | T1620 | Donut decrypts + loads PE in-memory
Defense Evasion | Obfuscated Files: Embedded Payloads | T1027.009 | Chaskey-16 CTR encrypted Donut payloads
Defense Evasion | Masquerading: Legitimate Name | T1036.005 | Process named nsvchost.exe
Defense Evasion | Subvert Trust Controls | T1553 | Inline C# avoids pre-compiled AV detection
Privilege Escalation | Token Manipulation | T1134.001 | SeDebugPrivilege via AdjustTokenPrivileges
Discovery | Process Discovery | T1057 | CreateToolhelp32Snapshot for svchost.exe
Lateral Movement | Process Injection: DLL Injection | T1055.001 | VirtualAllocEx + WriteProcessMemory into svchost.exe

T1547.001 Registry Run Keys / Startup Folder (evidence: 4)

Once the MSI executes, it drops three files into the Windows Startup folder: NOVupdate.exe, NOVupdate.exe.dat, and a malicious DLL named avk.dll.

Stealth

11 techniques
T1027 Obfuscated Files or Information (evidence: 3)
Tactic: Stealth

On Windows systems, the hack of the Telnyx Python SDK resulted in the deployment of an executable named "msbuild.exe" that employs several obfuscation techniques to evade detection...

T1027.001 Binary Padding (evidence: 1)
Tactic: Stealth

...extracts DonutLoader, a shellcode loader, from a PNG image present within the binary to load a full-featured trojan and a beacon associated with AdaptixC2...

T1027.002 Software Packing (evidence: 2)
Tactic: Stealth

The dropped PE is not AgentTesla itself but a DonutLoader shellcode packer. DonutLoader unpacks and executes the AgentTesla binary entirely in memory, leaving no additional artifacts on disk beyond the initial dropper.

T1027.003 Steganography (evidence: 1)
Tactic: Stealth

extracts DonutLoader, a shellcode loader, from a PNG image present within the binary

T1027.009 Embedded Payloads (evidence: 1)
Tactic: Stealth

MITRE ATT&CK Mapping
Tactic | Technique | ID | Application
Execution | Reflective Code Loading | T1620 | Donut decrypts + loads PE in-memory
Defense Evasion | Obfuscated Files: Embedded Payloads | T1027.009 | Chaskey-16 CTR encrypted Donut payloads

T1036 Masquerading (evidence: 1)
Tactic: Stealth

Attackers set up a convincing lookalike website to distribute a dangerous installer... The fake site, hosted at claude-pro[.]com, closely mirrors the look and feel of the real Claude website, using similar fonts and color schemes.

T1055 Process Injection (evidence: 3)

After unpacking the core archives, the malware moves into an advanced code injection stage.

T1055.001 Dynamic-link Library Injection (evidence: 1)

MITRE ATT&CK Mapping
Tactic | Technique | ID | Application
Execution | Reflective Code Loading | T1620 | Donut decrypts + loads PE in-memory
Defense Evasion | Obfuscated Files: Embedded Payloads | T1027.009 | Chaskey-16 CTR encrypted Donut payloads
Defense Evasion | Masquerading: Legitimate Name | T1036.005 | Process named nsvchost.exe
Defense Evasion | Subvert Trust Controls | T1553 | Inline C# avoids pre-compiled AV detection
Privilege Escalation | Token Manipulation | T1134.001 | SeDebugPrivilege via AdjustTokenPrivileges
Discovery | Process Discovery | T1057 | CreateToolhelp32Snapshot for svchost.exe
Lateral Movement | Process Injection: DLL Injection | T1055.001 | VirtualAllocEx + WriteProcessMemory into svchost.exe

T1140 Deobfuscate/Decode Files or Information (evidence: 5)
Tactic: Stealth

The program decodes these items at runtime via a simple single-byte mathematical conversion.

T1218 System Binary Proxy Execution (evidence: 2)
Tactic: Stealth

After dropping the PE payload to C:\Users\Public\Libraries\, the dropper does not execute it directly. Instead, it invokes Scriptrunner.exe -appvscript <payload_path>, abusing the legitimate Microsoft App-V Scriptrunner binary as a Living-off-the-Land Binary (LOLBin).
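As an added detection example (not part of the Mallory page, the cited vendor reports, or the Donut project), the following Python script scans constructed, Sysmon-like process-creation, image-load and registry events for three of the delivery patterns described on this page: Scriptrunner.exe launched with -appvscript pointing at a payload in a user-writable directory (the LOLBin chain quoted above), a DLL sideloaded from the Startup folder (the NOVupdate.exe / avk.dll chain from the overview), and Run-key persistence. The event format, field names, sample paths and rule names are all assumptions constructed for the example; a benign App-V invocation is included to show the rules do not fire on it.

```python
"""Constructed detector for the DonutLoader delivery patterns on this page.

Example code only: the event format ('EventType key="value" ...'), the field
names and every sample path below are constructed for illustration and are
not real telemetry from any report.
"""
import re
from dataclasses import dataclass

# Directories a dropper can write to without elevation (constructed list).
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\startup\\")
# Script hosts that are unusual parents for the App-V Scriptrunner binary.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe")

# Constructed sample events: three malicious, two benign baselines.
SAMPLE_EVENTS = [
    'ProcessCreate Image="C:\\Windows\\System32\\ScriptRunner.exe" '
    'CommandLine="ScriptRunner.exe -appvscript C:\\Users\\Public\\Libraries\\update.exe" '
    'ParentImage="C:\\Windows\\System32\\wscript.exe"',
    'ImageLoad Image="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\NOVupdate.exe" '
    'ImageLoaded="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\avk.dll" '
    'Signed="false"',
    'RegistryEvent TargetObject="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater" '
    'Details="C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"',
    # Benign: App-V client running a script from its own data directory.
    'ProcessCreate Image="C:\\Windows\\System32\\ScriptRunner.exe" '
    'CommandLine="ScriptRunner.exe -appvscript C:\\ProgramData\\App-V\\deploy.cmd" '
    'ParentImage="C:\\Windows\\System32\\AppVClient.exe"',
    # Benign: ordinary system DLL load.
    'ImageLoad Image="C:\\Program Files\\Vendor\\app.exe" '
    'ImageLoaded="C:\\Windows\\System32\\kernel32.dll" Signed="true"',
]


@dataclass
class Finding:
    rule: str
    index: int
    detail: str


def parse_event(line):
    """Split 'EventType key="value" ...' into (event_type, {key: value})."""
    event_type, _, rest = line.partition(" ")
    return event_type, dict(re.findall(r'(\w+)="([^"]*)"', rest))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable_dir(path):
    lowered = path.lower()
    return any(d in lowered for d in SUSPICIOUS_DIRS)


def check_scriptrunner(fields):
    """T1218: Scriptrunner.exe -appvscript used to proxy-execute a dropped payload."""
    if basename(fields.get("Image", "")) != "scriptrunner.exe":
        return None
    match = re.search(r"-appvscript\s+(\S+)", fields.get("CommandLine", ""), re.IGNORECASE)
    if not match:
        return None
    script, parent = match.group(1), basename(fields.get("ParentImage", ""))
    if in_user_writable_dir(script) or parent in SCRIPT_HOSTS:
        return f"Scriptrunner -appvscript {script} (parent: {parent or 'unknown'})"
    return None


def check_startup_sideload(fields):
    """Host binary loading a DLL that lives in a Startup folder (avk.dll pattern)."""
    loaded = fields.get("ImageLoaded", "")
    if loaded.lower().endswith(".dll") and "\\startup\\" in loaded.lower():
        return f"{basename(fields.get('Image', ''))} loaded {basename(loaded)} from a Startup folder"
    return None


def check_run_key(fields):
    """T1547.001: Run-key value pointing into a user-writable directory."""
    target = fields.get("TargetObject", "")
    if "\\currentversion\\run\\" not in target.lower():
        return None
    value = fields.get("Details", "")
    return f"Run key {basename(target)} -> {value}" if in_user_writable_dir(value) else None


RULES = {
    "ProcessCreate": [("T1218 Scriptrunner LOLBin", check_scriptrunner)],
    "ImageLoad": [("Startup-folder DLL sideload", check_startup_sideload)],
    "RegistryEvent": [("T1547.001 Run key persistence", check_run_key)],
}


def scan(lines):
    """Return one Finding per (event, rule) pair that fires."""
    findings = []
    for index, line in enumerate(lines):
        event_type, fields = parse_event(line)
        for name, check in RULES.get(event_type, []):
            detail = check(fields)
            if detail:
                findings.append(Finding(name, index, detail))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] event {finding.index}: {finding.detail}")
```

Run as-is, the script reports the three constructed malicious events and stays silent on the two benign ones. In a real deployment the same checks would sit on Sysmon Event IDs 1 (process creation), 7 (image load) and 13 (registry value set), and the Startup-folder rule is worth pairing with the page's note that the host binaries (NOVupdate.exe, MpCopyAccelerator.exe) are legitimately signed, so a "signed host loading an unsigned DLL from a user directory" condition is the stronger signal.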

T1620 Reflective Code Loading (evidence: 4)
Tactic: Stealth

The loader leverages a specialized position-independent execution stub known as DonutLoader shellcode.

T1071 Application Layer Protocol (evidence: 1)

The hack of the Telnyx Python SDK resulted in the deployment of an executable named "msbuild.exe" ... to load a full-featured trojan and a beacon associated with AdaptixC2, an open-source command-and-control (C2) framework.

T1071.001 Web Protocols (evidence: 1)

MITRE ATT&CK Mapping
Tactic | Technique | ID | Application
Execution | Reflective Code Loading | T1620 | Donut decrypts + loads PE in-memory
Defense Evasion | Obfuscated Files: Embedded Payloads | T1027.009 | Chaskey-16 CTR encrypted Donut payloads
Defense Evasion | Masquerading: Legitimate Name | T1036.005 | Process named nsvchost.exe
Defense Evasion | Subvert Trust Controls | T1553 | Inline C# avoids pre-compiled AV detection
Privilege Escalation | Token Manipulation | T1134.001 | SeDebugPrivilege via AdjustTokenPrivileges
Discovery | Process Discovery | T1057 | CreateToolhelp32Snapshot for svchost.exe
Lateral Movement | Process Injection: DLL Injection | T1055.001 | VirtualAllocEx + WriteProcessMemory into svchost.exe
Collection | Screen Capture | T1113 | GDI BitBlt screenshot
Credential Access | Credentials from Web Browsers | T1555.003 | Chrome/Edge/Brave/Opera/Vivaldi credential theft
Credential Access | Steal Web Session Cookie | T1539 | Cookie file theft from Chromium browsers
Credential Access | Credentials in Files | T1552.001 | OpenVPN auth.txt, crypto wallet files
Command and Control | Web Protocols | T1071.001 | HTTP C2 for payload delivery and exfiltration

T1105 Ingress Tool Transfer (evidence: 1)

Command and Control | Ingress Tool Transfer | T1105 | BitsAdmin/PowerShell downloading payloads

INDICATORS OF COMPROMISE

IOCs tracked for this family

50 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
15 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
28 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
7 tracked

Other indicator types observed in public reporting.

Type | Value | Latest sighting
ip.v4 | (value withheld on public page) | 16 days ago
domain | (value withheld on public page) | 25 days ago
ip.v4 | (value withheld on public page) | 25 days ago
ip.v4 | (value withheld on public page) | 25 days ago
domain | (value withheld on public page) | 25 days ago
uri | (value withheld on public page) | 25 days ago