OffLoader
OffLoader is a loader/dropper malware family observed in multiple 2025-2026 distribution ecosystems, most notably as a payload in the Amadey botnet’s fbf543 pay-per-install campaign. It has been delivered as large Inno Setup installers built with Embarcadero (Borland) Delphi, often carrying fake publisher metadata and substantial encrypted overlay data. Reported samples masqueraded as legitimate installers, including spoofed Microsoft Corporation version information and trojanized software packages such as a 7-Zip 16.02 installer. In the Amadey-linked activity, OffLoader was downloaded from 158.94.211.222 via paths such as /files/7782139129/4Qrxrgo.exe, with backend infrastructure tied to labinstalls.info on OMEGATECH hosting and Cloudflare-proxied C2 domains registered through Namecheap using two-word cheap-TLD naming patterns. Observed network paths included /connector for bot check-in, /config for campaign status, and /api/ for payload delivery.
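As an added example (not from the original page or any vendor report), the following Python flags the reported check-in order (/connector, then /config, then /api/) and the reported delivery URL in web-proxy logs; the log format, the host silver-harbor.xyz and every sample line are constructed.

```python
# Added example (not from the original page): flag the OffLoader check-in sequence
# (/connector -> /config -> /api/) and the reported delivery URL in web-proxy logs.
# The log format, the host silver-harbor.xyz and every sample line are constructed.
import re
from collections import defaultdict
# Delivery URL as given in public reporting on the Amadey fbf543 campaign.
KNOWN_DELIVERY_URL = "158.94.211.222/files/7782139129/4Qrxrgo.exe"
# Check-in paths reported for OffLoader, in the order the bot walks them.
CHECKIN_SEQUENCE = ("/connector", "/config", "/api/")

# Constructed line format: "<iso-timestamp> <src_ip> <method> <host> <path>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
SAMPLE_LOG = """\
2026-01-12T09:14:02Z 10.0.0.15 GET 158.94.211.222 /files/7782139129/4Qrxrgo.exe
2026-01-12T09:14:40Z 10.0.0.15 POST silver-harbor.xyz /connector
2026-01-12T09:14:41Z 10.0.0.15 GET silver-harbor.xyz /config
2026-01-12T09:14:43Z 10.0.0.15 GET silver-harbor.xyz /api/
2026-01-12T09:15:10Z 10.0.0.22 GET example.com /config
2026-01-12T09:15:11Z 10.0.0.22 GET example.com /api/v1/items
"""

def parse_line(line):
    """Split one log line into fields; None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, path = m.groups()
    return {"ts": ts, "src": src, "method": method, "host": host, "path": path}

def step_matches(path, step):
    """/api/ is matched as a prefix (payload fetches may carry a sub-path); others exactly."""
    return path.startswith(step) if step == "/api/" else path == step

def find_offloader_activity(log_text):
    """Return (alert, src_ip, host) tuples for delivery-URL hits and complete check-in runs."""
    alerts = []
    progress = defaultdict(int)  # (src, host) -> index of the next expected check-in step
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] + rec["path"] == KNOWN_DELIVERY_URL:
            alerts.append(("known_delivery_url", rec["src"], rec["host"]))
        key = (rec["src"], rec["host"])
        if step_matches(rec["path"], CHECKIN_SEQUENCE[progress[key]]):
            progress[key] += 1
            if progress[key] == len(CHECKIN_SEQUENCE):
                alerts.append(("checkin_sequence", rec["src"], rec["host"]))
                progress[key] = 0  # reset so a later beacon cycle alerts again
    return alerts
```

The sequence check is keyed per source and destination, so a host that merely serves /config and /api/ paths (the example.com lines) does not alert without a preceding /connector hit.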
Behavior attributed to OffLoader and its wrappers includes geofencing checks, debug-environment detection, process enumeration, execution delay via timeout.exe, and secondary payload delivery. One documented payload chain served a trojanized 7-Zip installer that requested administrator privileges, adjusted SeShutdownPrivilege, and established persistence by hijacking the legitimate 7-Zip shell extension CLSID {23170F69-40C1-278A-1000-000100020000}, registering DragDropHandlers and ContextMenuHandlers so code would execute on Windows Explorer right-click events. OffLoader has also been described as a secondary dropper delivering sunwukongs.exe in an ACRStealer-related ecosystem, and as an Inno Setup dropper delivering Vidar in a GALEON-AS cluster. Across reporting, OffLoader appeared alongside or delivered other malware families including Vidar, QuasarRAT, SalatStealer, Mirai, GCleaner, Fuery, and Amadey itself, indicating use as part of broader criminal distribution services rather than a single exclusive campaign.
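An added example, not from the original reporting: a Python audit of a registry export for the shell-extension hijack described above, checking where the 7-Zip CLSID's InprocServer32 DLL lives and which ContextMenuHandlers or DragDropHandlers keys are bound to that CLSID. The .reg text and the DLL path in it are constructed placeholders, and C:\Program Files\7-Zip as the expected install directory is an assumption.

```python
# Added example (not from the original page): audit a registry export (.reg text) for the
# 7-Zip shell-extension CLSID hijack described above. The export and its DLL path are
# constructed placeholders; the expected 7-Zip install directory is an assumption.
import re
from pathlib import PureWindowsPath
SEVENZIP_CLSID = "{23170F69-40C1-278A-1000-000100020000}"     # CLSID named in the reporting
EXPECTED_DLL_DIR = PureWindowsPath(r"C:\Program Files\7-Zip")  # assumed default install dir
HANDLER_TYPES = ("ContextMenuHandlers", "DragDropHandlers")
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32]
@="C:\\Users\\Public\\Libraries\\upd.dll"
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\7-Zip]
@="{23170F69-40C1-278A-1000-000100020000}"
[HKEY_CLASSES_ROOT\Directory\shellex\DragDropHandlers\7-Zip]
@="{23170F69-40C1-278A-1000-000100020000}"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Minimal .reg parser, REG_SZ values only; backslash escapes in values are undone."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys[current] = {}
            continue
        vm = VALUE_RE.match(line) if current else None
        if vm and vm.group(2).startswith('"'):
            name = "@" if vm.group(1) == "@" else vm.group(1)[1:-1]
            keys[current][name] = vm.group(2)[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys

def audit_7zip_clsid(reg_text):
    """Return (finding, key, detail): server DLL outside the 7-Zip dir, handlers bound to the CLSID."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        parts = key.split("\\")
        parent = parts[-2] if len(parts) > 1 else ""
        default = values.get("@", "")
        if parts[-1] == "InprocServer32" and parent.upper() == SEVENZIP_CLSID:
            if EXPECTED_DLL_DIR not in PureWindowsPath(default).parents:
                findings.append(("inprocserver32_outside_7zip_dir", key, default))
        elif "shellex" in (p.lower() for p in parts) and parent in HANDLER_TYPES and default.upper() == SEVENZIP_CLSID:
            findings.append(("handler_bound_to_clsid", key, parent))
    return findings
```

Handler bindings to the 7-Zip CLSID are normal on a machine with 7-Zip installed; the actionable finding is the InprocServer32 path outside the install directory, with the handler list showing which Explorer events would load it.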
High-confidence indicators cited in the underlying reporting include the import hash ac4ded70f85ef621e5f8917b250855be, which links an OffLoader sample to a Gh0stRAT fake-installer sample; an OffLoader sample SHA-256 of 2862dbcdc9546ab145d444a68b8112ce79487a93bdb7c4b45dc6649b640516ce; the Amadey delivery URL 158.94.211.222/files/7782139129/4Qrxrgo.exe; and the trojanized 7-Zip payload SHA-256 629ce3c424bd884e74aed6b7d87d8f0d75274fb87143b8d6360c5eec41d5f865. The malware has been associated with financially motivated cybercrime distribution infrastructure, including Amadey PPI operations and related multi-family malware hosting environments.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (1 technique)
Persistence (2 techniques)
Privilege Escalation (3 techniques)
  MITRE ATT&CK mapping
  Tactic               | Technique                  | ID    | Implementation
  Privilege Escalation | Access Token Manipulation  | T1134 | SeShutdownPrivilege, CreateProcessWithToken
Stealth (4 techniques)
  MITRE ATT&CK mapping
  Tactic          | Technique                            | ID        | Implementation
  Defense Evasion | Obfuscated Files: Software Packing   | T1027.002 | Encrypted Inno Setup payload, UPX
  Defense Evasion | Masquerading: Match Legitimate Name  | T1036.005 | 7-Zip 16.02 installer disguise
Defense Impairment (1 technique)
Discovery (2 techniques)
IOCs tracked for this family
29 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
OffLoader is a loader/dropper distributed via the Amadey fbf543 pay-per-install campaign. It uses a weaponized Inno Setup wrapper with encrypted payload sections, performs geofencing and debug-environment checks, checks in to C2 endpoints such as /connector and /config, and retrieves a payload from /api/, including a trojanized 7-Zip installer that establishes persistence through shell extension hijacking.
Loader malware linked by shared imphash, compiler, and Inno Setup framework to the Gh0stRAT sample. The source reports that this OffLoader variant was distributed through the Amadey botnet, suggesting shared tooling or a commercial builder ecosystem.
OffLoader is a loader family included among the payloads distributed by the Amadey PPI service.
Secondary dropper/loader used in the ACRStealer distribution ecosystem to deliver the signed binary sunwukongs.exe.