SquidLoader, an advanced malware targeting Chinese companies

June 21, 2024

SquidLoader is a sophisticated and evasive malware loader that targets Chinese organisations, largely through phishing, according to cybersecurity researchers. First observed in late April 2024, SquidLoader is especially hard to identify because its design allows it to evade both static and dynamic analysis.

One way the malware spreads is through phishing emails carrying attachments that purport to be Microsoft Word documents. In reality, these attachments are executable binaries that launch the infection when opened. Once running, the loader downloads second-stage shellcode payloads, including widely used tooling such as Cobalt Strike, from a remote server.

SquidLoader malware uses advanced evasion techniques, including loading shellcode within the same process.

Security researchers report that SquidLoader employs sophisticated evasion and decoy techniques to avoid detection and hinder analysis. One noteworthy technique loads the shellcode inside the same process as the loader, avoiding disk writes that file-based scanners could inspect and so reducing the chance of detection.

SquidLoader uses a variety of defence evasion strategies, including encrypted code segments, the insertion of extra (junk) code, Control Flow Graph (CFG) obfuscation, debugger detection, and direct syscalls in place of calls through the Windows NT API. Together, these methods make it harder for security tooling to find it.
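As an added example, not code from the original article or from the researchers it cites, the two defender-side checks that follow from the delivery paragraph and the evasion paragraph above, in Python: content sniffing to catch an attachment that carries a Word-document name but actually begins with a PE header, and per-section Shannon entropy over a PE's section table to surface encrypted code segments. The 7.2 bits/byte threshold, the extension list, the `build_sample_pe` helper and the sample bytes it produces are all constructed assumptions for this illustration, not SquidLoader artifacts.

```python
import math
import random
import struct

# Well-known magic bytes used for content sniffing.
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                      # .docx/.docm are ZIP containers

DOC_EXTS = {"doc", "dot", "docx", "docm"}      # extensions that claim a Word document (assumed list)
HIGH_ENTROPY = 7.2  # bits per byte; assumed threshold for "encrypted or packed" sections


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    if data.startswith(PE_MAGIC) and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
    if data.startswith(OLE_MAGIC):
        return "doc-ole"
    if data.startswith(ZIP_MAGIC):
        return "docx-zip"
    return "unknown"


def claims_document(filename: str) -> bool:
    """True if any extension-like suffix claims a Word document ('report.docx.exe' included)."""
    return any(part in DOC_EXTS for part in filename.lower().split(".")[1:])


def pe_sections(data: bytes):
    """Walk the PE section table; return (name, raw_size, entropy) for each section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4                                  # COFF header follows "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                         # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                             # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_size, shannon_entropy(data[raw_ptr:raw_ptr + raw_size])))
    return sections


def triage_attachment(filename: str, data: bytes) -> dict:
    """Combine the two checks into one verdict for an attachment."""
    actual = sniff_type(data)
    verdict = {"filename": filename, "actual": actual,
               "masquerade": claims_document(filename) and actual == "pe",
               "high_entropy_sections": []}
    if actual == "pe":
        verdict["high_entropy_sections"] = [n for n, _, e in pe_sections(data) if e >= HIGH_ENTROPY]
    return verdict


def build_sample_pe(sections) -> bytes:
    """Constructed test data: a minimal, non-runnable PE32 image (headers, section table, raw
    section data) so the parser above has realistic input. Not a real sample."""
    e_lfanew, opt_size = 0x40, 0xE0                      # 0xE0 = size of a PE32 optional header
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (header_len + 0x1FF) & ~0x1FF              # align raw data to 512-byte file sectors
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, bodies = b"", b""
    for name, body in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000, len(body),
                             raw_ptr + len(bodies), 0, 0, 0, 0, 0x60000020)
        bodies += body
    return dos + b"PE\0\0" + coff + opt + table + b"\0" * (raw_ptr - header_len) + bodies


_rng = random.Random(7)  # fixed seed so the constructed sample is deterministic
SAMPLE_SECTIONS = [
    (b".text", bytes(_rng.getrandbits(8) for _ in range(4096))),  # stands in for an encrypted code section
    (b".rdata", bytes(range(16)) * 256),                          # ordinary low-entropy data
]

if __name__ == "__main__":
    pe = build_sample_pe(SAMPLE_SECTIONS)
    for name, blob in [("Q2_report.docx", pe), ("report.docx.exe", pe),
                       ("invoice.docx", ZIP_MAGIC + b"\0" * 64)]:
        print(triage_attachment(name, blob))
```

The name heuristic is only a hint; the content sniff is what actually identifies the PE, so a binary presented with an innocuous document name is still caught by `sniff_type` regardless of what the name claims. A high-entropy `.text` section is likewise a triage signal rather than proof: legitimately packed or compressed binaries trip the same threshold, so treat it as a reason to look closer, not a verdict on its own.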

Cybercriminals are increasingly using loader malware such as SquidLoader to bypass antivirus defences and deliver additional malicious payloads to infected systems. For example, the Taurus Loader, discovered last year, was used to distribute the AgentVX trojan and the Taurus information stealer, which can spread further malware and establish persistence through changes to the Windows Registry.

Furthermore, the PikaBot malware loader, which first surfaced in February 2023, is still under active development and uses advanced anti-analysis methods: dynamic API resolution, encrypted payloads and strings, indirect syscalls, and system checks.

In a related development, the infrastructure hosting Latrodectus, another loader, was recently taken down by law enforcement authorities as part of Operation Endgame. More than 100 botnet servers were seized during this operation, including those connected to TrickBot, IcedID, SystemBC, PikaBot, SmokeLoader, and Bumblebee.

According to researchers, the majority of the approximately 5,000 victims of 10 separate operations using loader malware are spread across the United States, the United Kingdom, the Netherlands, Poland, France, Czechia, Japan, Australia, Germany, and Canada. Strong cybersecurity defences are essential to countering the continued development of loaders such as SquidLoader and PikaBot.
