Rugmi

Rugmi is a malware loader ecosystem also tracked as HijackLoader and IDAT Loader. It is described as a Malware-as-a-Service/pay-per-install loader first observed in 2023 and used to distribute multiple payloads, including Aurora Stealer, Rhadamanthys Stealer, SectopRAT, DanaBot, CryptBot, Vidar Stealer and, in related reporting, LummaStealer and DeerStealer. The analysis summarized here covers a fully decrypted Stage 4 Rugmi/HijackLoader sample delivering Aurora Stealer as the final payload.

In the analyzed chain, Rugmi uses a custom binary container and aggressive DLL sideloading with legitimate signed binaries. Embedded components include Sysinternals tcpvcon.exe used to sideload a malicious pla.dll via DLL search order hijacking, and a launcher disguised as jpegoptim.exe that causes Windows to load a local malicious d3d9.dll/Register.dll. The loader uses runtime API resolution, has components with no import table, and includes modules associated with cleanup or memory wiping. Observed behavior includes writing tcpvcon.exe and pla.dll to %APPDATA%, executing tcpvcon.exe /accepteula, writing EngineX-Aurora.exe with d3d9.dll or Register.dll to disk, and executing the launcher to trigger a second sideloading stage. Persistence and execution behaviors mentioned in the content include copying itself to %LOCALAPPDATA%\RaScope.exe, adding RaScope.exe to the Windows Startup folder, Living-off-the-Land execution via MSBuild.exe, process injection into explorer.exe, and modules identified as modUAC64 for UAC bypass and modTask64 for scheduled task creation.

The final payload in the detailed sample is assessed as Aurora Stealer, with theft of browser credentials from Chrome, Firefox, and Edge, cookie and session-token harvesting, cryptocurrency wallet theft, file exfiltration, and encrypted command-and-control communications. The command-and-control configuration was stored in a high-entropy encrypted blob and could not be statically recovered in that analysis. The sample contained the campaign identifier xy_Alt_betav1 and a PDB path exposing the username xmr. Related reporting in the content also places Rugmi in delivery chains used by LummaStealer and describes a DeerStealer affiliate operating within the Rugmi loader ecosystem.

Targeting noted in the reporting includes related IDAT Loader campaigns against Ukrainian organizations. Infrastructure and delivery references directly mentioned include shift-art.com and 37.140.192.197 for Rugmi MSI delivery. File and path indicators directly cited include stage_4_decrypted_payload.bin (SHA-256 c89f99602d833822c0954ac0266580919816da23b2adeb820dcf8b5639afb04a), tcpvcon.exe (SHA-256 e202f137869cce7fdea6b6cd1169f5e0b6a46cc2d89265a31f63484b0f48bb29), tinystub64.bin/Register.dll (SHA-256 729e5965e43ff458f6da901536c9a43be52a3820718e2dd5456150e2d73bb97f), the EngineX-Aurora.exe/jpegoptim-themed launcher (SHA-256 c52664283a0dc2c3d500b236ce2d5379802c0d74d903da6b3e133b2de6e77949), %APPDATA%, %LOCALAPPDATA%\RaScope.exe, and the malicious DLL names pla.dll, d3d9.dll, and Register.dll.
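As an added example (not code from Mallory or from the reporting this page summarizes), the following Python turns the observed behaviours and the cited hashes into detection logic and runs it over a handful of constructed Sysmon-style events: tcpvcon.exe launched from %APPDATA% with /accepteula, one of the hijacked DLL names (pla.dll, d3d9.dll, Register.dll) loaded from outside the Windows system directories, RaScope.exe written to %LOCALAPPDATA% or the Startup folder, MSBuild.exe spawned by a parent living in a user-writable directory, and a file hash matching one of the page's SHA-256 values. The event field names (type, image, cmdline, parent_image, loaded, target, sha256) and the sample events are assumptions made for this illustration; the hashes, file names and paths come from the page.

```python
import re
from typing import Dict, List

# SHA-256 values cited on the page for the Rugmi/HijackLoader stage-4 chain.
KNOWN_SHA256 = {
    "c89f99602d833822c0954ac0266580919816da23b2adeb820dcf8b5639afb04a": "stage_4_decrypted_payload.bin",
    "e202f137869cce7fdea6b6cd1169f5e0b6a46cc2d89265a31f63484b0f48bb29": "tcpvcon.exe",
    "729e5965e43ff458f6da901536c9a43be52a3820718e2dd5456150e2d73bb97f": "tinystub64.bin / Register.dll",
    "c52664283a0dc2c3d500b236ce2d5379802c0d74d903da6b3e133b2de6e77949": "EngineX-Aurora.exe launcher",
}

# DLL names the loader drops beside a signed host binary for sideloading.
SIDELOAD_DLLS = {"pla.dll", "d3d9.dll", "register.dll"}

# Where a legitimate pla.dll / d3d9.dll would normally be loaded from.
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
# User-writable locations used in the observed chain (%APPDATA%, %LOCALAPPDATA%).
USER_WRITABLE = re.compile(r"\\appdata\\(roaming|local)\\", re.I)
STARTUP_DIR = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the Rugmi behaviours a single event matches (empty if none)."""
    hits: List[str] = []
    kind = event.get("type")
    image = event.get("image", "")
    if kind == "process_create":
        cmd = event.get("cmdline", "").lower()
        # Sysinternals tcpvcon.exe run from %APPDATA% with /accepteula: the signed
        # host binary that pulls in the malicious pla.dll via search-order hijack.
        if basename(image) == "tcpvcon.exe" and USER_WRITABLE.search(image) and "/accepteula" in cmd:
            hits.append("tcpvcon_sideload_host")
        # Living-off-the-Land: MSBuild.exe started by a parent in a user-writable directory.
        if basename(image) == "msbuild.exe" and USER_WRITABLE.search(event.get("parent_image", "")):
            hits.append("msbuild_lolbin_from_appdata")
    elif kind == "image_load":
        loaded = event.get("loaded", "")
        # A hijacked DLL name resolved from anywhere except the system directories.
        if basename(loaded) in SIDELOAD_DLLS and not SYSTEM_DIRS.search(loaded):
            hits.append("dll_sideload_" + basename(loaded).split(".")[0])
    elif kind == "file_create":
        target = event.get("target", "")
        # Persistence copy: RaScope.exe under %LOCALAPPDATA% or in the Startup folder.
        if basename(target) == "rascope.exe" and (USER_WRITABLE.search(target) or STARTUP_DIR.search(target)):
            hits.append("rascope_persistence")
    # Hash IoC match applies to any event type that carries a sha256 field.
    sha = event.get("sha256", "").lower()
    if sha in KNOWN_SHA256:
        hits.append("known_hash:" + KNOWN_SHA256[sha])
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> matched behaviours, omitting events with no hits."""
    return {i: h for i, ev in enumerate(events) if (h := evaluate(ev))}


# Constructed sample telemetry (assumed field layout, not real captured events).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Roaming\tcpvcon.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\tcpvcon.exe /accepteula",
     "parent_image": r"C:\Users\alice\Downloads\setup.exe",
     "sha256": "e202f137869cce7fdea6b6cd1169f5e0b6a46cc2d89265a31f63484b0f48bb29"},
    {"type": "image_load", "image": r"C:\Users\alice\AppData\Roaming\tcpvcon.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\pla.dll"},
    # Benign control: a game loading the real d3d9.dll from System32 must not fire.
    {"type": "image_load", "image": r"C:\Program Files\Game\game.exe",
     "loaded": r"C:\Windows\System32\d3d9.dll"},
    {"type": "file_create", "image": r"C:\Users\alice\AppData\Roaming\tcpvcon.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RaScope.exe"},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe", "parent_image": r"C:\Users\alice\AppData\Local\RaScope.exe"},
]

if __name__ == "__main__":
    for idx, matched in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(matched)}")
```

The rules key on where a binary or DLL lives rather than on its name alone: tcpvcon.exe and d3d9.dll are legitimate files, so the signal is a signed Sysinternals tool executing from %APPDATA% or a system DLL name resolving from a user-writable directory. The third sample event is a deliberate benign control that should produce no hit.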


MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1204 User Execution (evidence: 1)

"Our analysis shows that LummaStealer infections are primarily driven by social engineering rather than by the exploitation of technical vulnerabilities. Malware campaigns consistently rely on users unwittingly running infected files, using simple lures such as fake cracked software, fake games or media downloads, and abuse of trusted platforms."

T1204.001 Malicious Link (evidence: 1)

"...relies on affiliates, social engineering, fake cracked software, and fake CAPTCHA “ClickFix” lures." / "ClickFix pages trick users into pasting malicious PowerShell commands."

INDICATORS OF COMPROMISE

IOCs tracked for this family

14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
5 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
9 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type        | Value                       | Latest sighting
domain      | masked on the public page   | 3 months ago
ip.v4       | masked on the public page   | 3 months ago
domain      | masked on the public page   | 3 months ago
hash.sha256 | masked on the public page   | 3 months ago
hash.sha256 | masked on the public page   | 3 months ago
hash.sha256 | masked on the public page   | 3 months ago
ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
