Ethical Hacking News
Recently discovered QuirkyLoader malware has been linked to email spam campaigns spreading Agent Tesla, AsyncRAT, and Snake Keylogger payloads. Threat actors are using advanced phishing tactics, including QR code phishing, to evade detection and maximize their impact.
The QuirkyLoader malware loader has been used in email spam campaigns to disseminate various next-stage payloads. The attackers employ process hollowing to inject the malware into legitimate processes. QuirkyLoader has been observed in limited campaigns targeting Taiwan and Mexico, with payloads including Snake Keylogger and Remcos RAT. Threat actors are also using QR code phishing tactics to evade detection, such as splitting malicious QR codes in two or embedding them within legitimate ones. The PoisonSeed threat actor's phishing kit impersonates login services and uses precision-validated phishing to capture credentials. Individuals and organizations must remain vigilant against email-based threats by being cautious of unsolicited emails, avoiding suspicious links and attachments, and keeping software and systems up to date.
The cybersecurity landscape has been abuzz with the recent discovery of a new malware loader called QuirkyLoader, which has been utilized in email spam campaigns to disseminate an array of next-stage payloads, including information stealers, remote access trojans, and keyloggers. This latest development serves as a stark reminder of the ever-evolving nature of cyber threats and the need for vigilance among individuals and organizations alike.
According to IBM X-Force, the cybersecurity researchers tracking the QuirkyLoader malware, the attacks involve sending spam emails from both legitimate email service providers and self-hosted email servers. These emails carry a malicious archive containing a DLL (dynamic link library), an encrypted payload, and a real executable. The attackers then use process hollowing to inject the malware into one of three legitimate processes: AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe.
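As an added defensive illustration (not from the article or from IBM X-Force's report), the function below triages Windows process-creation events for launches of the three host binaries named above and flags the conditions a hunter would look at first. The parent-process allowlist, the user-writable path hints, the "launched with no arguments" heuristic and the sample events are all constructed assumptions to tune for a real environment.

```python
import ntpath  # handles Windows-style paths even when run on Linux/macOS

# The three hollowing targets named in the article (case-insensitive match).
HOLLOWING_TARGETS = {"addinprocess32.exe", "installutil.exe", "aspnet_wp.exe"}

# Assumed baseline of parents that plausibly launch these hosts legitimately.
# Constructed for this example; replace with what your own fleet shows.
EXPECTED_PARENTS = {
    "addinprocess32.exe": {"devenv.exe", "msbuild.exe"},
    "installutil.exe": {"msiexec.exe", "setup.exe"},
    "aspnet_wp.exe": {"inetinfo.exe", "w3wp.exe"},
}
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")

def has_no_arguments(cmdline, image_name):
    """True if the command line is just the image itself (assumed hollowing tell)."""
    tail = cmdline.strip().strip('"').lower()
    return tail == "" or tail.endswith(image_name)

def triage_event(ev):
    """Return the list of reasons an event looks suspicious; empty if benign."""
    image = ntpath.basename(ev["Image"]).lower()
    if image not in HOLLOWING_TARGETS:
        return []
    reasons = []
    parent_path = ev.get("ParentImage", "")
    parent = ntpath.basename(parent_path).lower()
    if parent not in EXPECTED_PARENTS[image]:
        reasons.append(f"unexpected parent {parent or '<none>'}")
    if any(h in parent_path.lower() for h in USER_WRITABLE_HINTS):
        reasons.append("parent runs from a user-writable path")
    if has_no_arguments(ev.get("CommandLine", ""), image):
        reasons.append("host launched with no arguments")
    return reasons

# Constructed sample events in Sysmon Event ID 1 style (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "ParentImage": r"C:\Users\alice\Downloads\invoice_viewer.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /i "C:\Program Files\App\svc.exe"'},
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
]

def run_triage(events=EVENTS):
    """Return (image name, reasons) for every event that trips at least one check."""
    hits = [(ntpath.basename(e["Image"]), triage_event(e)) for e in events]
    return [(name, reasons) for name, reasons in hits if reasons]

if __name__ == "__main__":
    for name, reasons in run_triage():
        print(name, "->", "; ".join(reasons))
```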
The QuirkyLoader malware loader has been observed in limited campaigns for the past few months, with two notable campaigns observed in July 2025 targeting Taiwan and Mexico. The campaign targeting Taiwan specifically singled out employees of Nusoft Taiwan, a network and internet security research company based in New Taipei City, with the goal of infecting them with Snake Keylogger, a malware capable of stealing sensitive information from popular web browsers, keystrokes, and clipboard content.
In contrast, the Mexico-related campaign is assessed to be random, with the infection chains delivering Remcos RAT (Remote Access Trojan) and AsyncRAT. This highlights the diversity of threats that individuals and organizations face on a daily basis, as attackers continually adapt their tactics to evade detection and maximize their impact.
The development of the QuirkyLoader malware loader also comes as threat actors are increasingly utilizing new QR code phishing tactics to evade detection. These tactics include splitting malicious QR codes into two parts or embedding them within legitimate ones in email messages propagated via phishing kits like Gabagool and Tycoon, respectively. Malicious QR codes are a popular tactic because the destination URL is encoded in an image rather than in a clickable link, so traditional security measures such as email filters and link scanners often never see it.
Furthermore, the emergence of a phishing kit used by the PoisonSeed threat actor has highlighted the importance of staying vigilant against spear-phishing emails. This phishing kit impersonates login services from prominent CRM and bulk email companies like Google, SendGrid, Mailchimp, and likely others, targeting individuals' credentials. The use of precision-validated phishing in this kit allows attackers to validate an email address in real time while serving a fake Cloudflare Turnstile challenge to the user.
The PoisonSeed threat actor's tactics demonstrate a concerted effort to exploit users' trust in the login flows they interact with every day. By impersonating legitimate login services and employing advanced phishing techniques, these actors aim to capture sensitive information that can be used for malicious purposes.
In light of this latest development, it is essential for individuals and organizations to remain vigilant against email-based threats. This includes being cautious when receiving unsolicited emails, avoiding suspicious links or attachments, and ensuring that all software and systems are up to date with the latest security patches.
The recent discovery of the QuirkyLoader malware loader serves as a stark reminder of the ever-present threat landscape that organizations face on a daily basis. By staying informed and taking proactive steps to secure their systems and networks, individuals and organizations can significantly reduce their vulnerability to attacks like these.
Related Information:
https://www.ethicalhackingnews.com/articles/New-QuirkyLoader-Malware-Spreads-Agent-Tesla-AsyncRAT-and-Snake-Keylogger-via-Email-Spam-Campaigns-ehn.shtml
https://thehackernews.com/2025/08/hackers-using-new-quirkyloader-malware.html
Published: Thu Aug 21 08:22:21 2025 by llama3.2 3B Q4_K_M