QuirkyLoader Is Supercharging Email Attacks: How a New Malware Loader Spreads Agent Tesla, AsyncRAT, and Snake Keylogger
If you’ve noticed that email threats are getting harder to spot, you’re not imagining it. Attackers are leveling up—and a new malware loader called QuirkyLoader is proof. First seen in late 2024 and detailed by IBM X-Force, QuirkyLoader is being used in email spam campaigns to quietly deliver some of the most prolific info‑stealers and remote access trojans (RATs) around, including Agent Tesla, AsyncRAT, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger.
Here’s the unsettling part: the loader blends legitimate files with malicious ones, abuses trusted Windows behaviors, and then burrows into processes to run in memory. In July 2025, two campaigns targeted Taiwan and Mexico—one reportedly aimed at employees of a security company. That says a lot about the attackers’ confidence and focus.
This guide breaks down what QuirkyLoader is, how it works (in human terms), why it’s tough to catch, and what you can do today to reduce risk. We’ll also unpack fresh phishing trends, like QR code scams and a “precision-validated” phishing kit that captures one-time two-factor authentication (2FA) codes along with passwords, so you can spot the next curveball before it lands.
Let’s dig in.
What Is QuirkyLoader? A New, Modular Malware Loader
QuirkyLoader is a malware loader—software designed to get other malware onto a system. Think of it as a courier that sneaks a package past your front desk and hands it off to an accomplice already waiting inside.
According to IBM X-Force, QuirkyLoader has been active in small but persistent campaigns since late 2024. Attackers use it to deliver a rotating cast of payloads via email, including:
- Agent Tesla (info-stealer)
- AsyncRAT (remote access trojan)
- Formbook (stealer)
- Masslogger (stealer)
- Remcos RAT (remote access trojan)
- Rhadamanthys Stealer (stealer)
- Snake Keylogger (keylogger/stealer)
The loader is typically sent as part of a spam or spear-phishing email that contains a malicious archive. These emails often come from legitimate email service providers or attacker-controlled servers, which helps them slip past filters.
For background on X-Force’s research, see IBM Security X-Force’s threat insights and reports: IBM X-Force.
How the QuirkyLoader Infection Chain Works (In Plain English)
The attack chain is clever, but you don’t need to be a reverse engineer to follow it. Here’s the gist:
- A spam email arrives with a malicious archive (for example, a ZIP or RAR).
- Inside the archive are three things:
– A legitimate executable (a real, trusted program)
– A malicious DLL
– An encrypted malware payload
- When the victim runs the legitimate executable, Windows also loads the malicious DLL from the same folder, a behavior known as DLL side-loading.
- The malicious DLL decrypts the payload and injects it into a separate process using a technique called process hollowing.
- The now-infected process runs the final malware (like Agent Tesla or Snake Keylogger) with fewer red flags.
Here’s why that matters: DLL side-loading piggybacks on trust, and process hollowing hides the malware in a legitimate process. Combined, they make detection much harder.
For reference:
– DLL side-loading is catalogued as MITRE ATT&CK T1574.002 (Hijack Execution Flow: DLL Side-Loading).
– Process hollowing is MITRE ATT&CK T1055.012 (Process Injection: Process Hollowing).
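The three-file pattern above (a real executable, a DLL beside it, and an opaque blob) is something a mail gateway or analyst can look for statically before anything runs. The following is an added example, not code from IBM X-Force or from the loader: it inspects an in-memory ZIP, groups members by folder, flags a folder that holds an EXE plus a DLL plus a high-entropy non-executable file, and also catches double extensions, MZ bytes hiding behind a document extension, and password-protected entries (which cannot be scanned and should be held). The archives it runs on are constructed here for the demo; the `mark_encrypted` helper only flips the ZIP “encrypted” flag bit so that branch can be exercised without a real encryptor.

```python
"""Static triage of an e-mail archive for the QuirkyLoader delivery pattern:
a legitimate-looking EXE, a DLL beside it, and an opaque (encrypted) blob.
Added example with constructed archives; not code from IBM X-Force or the loader."""
import hashlib
import io
import math
import ntpath
import zipfile
from collections import Counter, defaultdict

EXEC_EXT = {".exe", ".scr", ".com", ".pif"}
DLL_EXT = {".dll", ".ocx"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text and code sit well below 7; encrypted or packed data nears 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_zip(blob: bytes, entropy_threshold: float = 7.5) -> dict:
    """Inspect an in-memory ZIP; return {"verdict": block|review|allow, "findings": [...]}."""
    findings = []
    groups = defaultdict(lambda: {"exe": [], "dll": [], "blob": []})
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x01:  # general-purpose bit 0: entry is password-protected
                findings.append(("encrypted_entry", info.filename))  # cannot be scanned: hold it
                continue
            data = zf.read(info.filename)
            directory, name = ntpath.split(info.filename.replace("/", "\\"))
            stem, ext = ntpath.splitext(name)
            ext = ext.lower()
            is_pe = data[:2] == b"MZ"  # DOS/PE header; good enough for triage
            if ext in DLL_EXT:
                groups[directory]["dll"].append(name)
            elif ext in EXEC_EXT or is_pe:
                groups[directory]["exe"].append(name)
                if ntpath.splitext(stem)[1].lower() in DOC_EXT:
                    findings.append(("double_extension", info.filename))
                elif ext in DOC_EXT:  # MZ bytes behind a document extension
                    findings.append(("pe_masquerading_as_document", info.filename))
            elif len(data) >= 256 and shannon_entropy(data) >= entropy_threshold:
                groups[directory]["blob"].append(name)  # opaque payload candidate
    for directory, g in groups.items():
        if g["exe"] and g["dll"]:
            kind = "sideload_triad" if g["blob"] else "exe_with_dll"
            findings.append((kind, directory or "."))
    hard_block = {"sideload_triad", "double_extension", "pe_masquerading_as_document"}
    if any(kind in hard_block for kind, _ in findings):
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings}


def _zip(members: dict) -> bytes:
    """Build a ZIP in memory from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def mark_encrypted(blob: bytes) -> bytes:
    """Set the 'encrypted' flag bit in every local and central header so the
    password-protected branch can be exercised without a real encryptor."""
    buf = bytearray(blob)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + off] |= 0x01
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


OPAQUE = b"".join(hashlib.sha256(b"blob-%d" % i).digest() for i in range(128))  # 4 KiB, high entropy

LURE_ARCHIVE = _zip({
    "Invoice_2025/PDFViewer.exe": b"MZ" + b"\x90" * 600,   # real-looking host EXE
    "Invoice_2025/libcef.dll": b"MZ" + b"\x00" * 600,      # DLL it will side-load
    "Invoice_2025/license.dat": OPAQUE,                    # encrypted payload stand-in
    "Invoice_2025/README.txt": b"Open PDFViewer.exe to view your invoice.\n",
})
BENIGN_ARCHIVE = _zip({
    "Q3_report.pdf": b"%PDF-1.4\n" + b"quarterly figures " * 40,
    "notes.txt": b"see page 3\n",
})
LOCKED_ARCHIVE = mark_encrypted(_zip({"statement.pdf": b"%PDF-1.4\nstatement\n"}))

if __name__ == "__main__":
    for label, archive in (("lure", LURE_ARCHIVE), ("benign", BENIGN_ARCHIVE), ("locked", LOCKED_ARCHIVE)):
        print(label, triage_zip(archive))
```

The entropy threshold is a heuristic: legitimately compressed resources inside a ZIP are already deflated, so an entry that is still near 8 bits per byte after decompression is usually ciphertext or a packed executable. The verdict only blocks outright on the triad, a double extension, or a disguised PE; an encrypted entry is routed for human release, which is the “quarantine and require a justification” policy from the checklist later on.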
The Three Target Processes You’ll See
IBM X-Force notes that QuirkyLoader injects into one of these:
- AddInProcess32.exe (part of the .NET add-in pipeline)
- InstallUtil.exe (a Microsoft utility for installing .NET assemblies)
- aspnet_wp.exe (legacy ASP.NET worker process)
Why these? They’re legitimate, Microsoft-signed binaries that ship with the .NET Framework and are often allowed in enterprise environments, so malware living inside them looks less suspicious. The flip side is a cheap detection: on a typical workstation none of them has any reason to make outbound network connections, so an InstallUtil.exe, AddInProcess32.exe, or aspnet_wp.exe instance that does is worth an alert.
Helpful context:
– InstallUtil is a known “living off the land” binary: LOLBAS: InstallUtil.
– Add-in framework overview: .NET Add-ins and Extensibility.
– Legacy ASP.NET worker process: aspnet_wp.exe (archived docs).
A .NET Loader That Looks “Native”
Investigators also observed that the loader is written in .NET but compiled ahead of time (AOT) to native machine code. Practically, that can make it look like it was written in C/C++ and can complicate detection that relies on spotting .NET metadata. It’s another layer of camouflage.
Why DLL Side-Loading Still Works
DLL side-loading is the software equivalent of a stowaway slipping aboard with a trusted crew. When a program loads a DLL by bare file name, Windows searches a fixed list of directories, and the directory containing the executable comes first, ahead of System32, in both the default Safe DLL Search Mode and the legacy order. If an attacker places a malicious DLL with the right name next to a legitimate app, the app loads it, no exploit required. Only DLLs that are already loaded, listed under KnownDLLs, or requested by full path escape this.
Why defenders struggle with it:
– It abuses expected behavior, not a vulnerability.
– The host executable is legitimate and often signed.
– The malicious DLL loads quietly and quickly hands off to memory injection.
Practical tips for defenders:
– Block or restrict execution from user-writable directories (Downloads, AppData, Temp).
– Enable and enforce code integrity policies like Windows Defender Application Control (WDAC): WDAC overview.
– Monitor for unexpected DLL loads next to known executables (filename anomalies, unsigned DLLs, or a DLL signer that differs from the executable’s).
– Correlate parent-child relationships: legitimate apps rarely spawn network beacons out of nowhere.
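To make the search-order point concrete, here is an added example (not code from the page’s sources) that models how the loader picks a DLL for a bare file name: the executable’s own directory first, then System32, with Safe DLL Search Mode only demoting the current working directory, and KnownDLLs and fully qualified paths bypassing the search altogether. The file layout, the `PDFViewer.exe` name and the KnownDLLs subset are constructed for the demo; `version.dll` is used because it is a real import of many applications that is not a KnownDLL, which is exactly the kind of name side-loaders pick.

```python
"""Model of the Windows DLL search order (LoadLibrary with a bare file name),
to show why a DLL planted beside a legitimate EXE wins even with Safe DLL
Search Mode on. Added example; paths and the KnownDLLs subset are constructed."""
import ntpath

# Subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# These are mapped from System32 before any directory search happens.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ole32.dll", "shell32.dll"}
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\public\\")


def search_order(app_dir, cwd, system32, windows, path_dirs, safe_mode=True):
    """Directories tried, in order. Safe DLL Search Mode only demotes the
    current working directory; the application directory is first either way."""
    if safe_mode:
        return [app_dir, system32, windows, cwd, *path_dirs]
    return [app_dir, cwd, system32, windows, *path_dirs]


def resolve_dll(name, exe_path, cwd, filesystem, path_dirs=(), safe_mode=True,
                system32=r"C:\Windows\System32", windows=r"C:\Windows"):
    """Return the path the loader would pick for `name`, or None if not found.
    `filesystem` is the set of files that exist (constructed stand-in for disk)."""
    present = {p.lower() for p in filesystem}
    if "\\" in name or "/" in name:              # fully qualified: no search at all
        return name if name.lower() in present else None
    if name.lower() in KNOWN_DLLS:               # KnownDLLs bypass the search entirely
        return ntpath.join(system32, name)
    app_dir = ntpath.dirname(exe_path)
    for directory in search_order(app_dir, cwd, system32, windows, list(path_dirs), safe_mode):
        candidate = ntpath.join(directory, name)
        if candidate.lower() in present:
            return candidate
    return None


def sideload_risk(resolved, exe_path):
    """True when the DLL was taken from the EXE's own directory and that
    directory is somewhere an e-mail recipient can write (heuristic markers)."""
    if resolved is None:
        return False
    app_dir = ntpath.dirname(exe_path).lower() + "\\"
    return (ntpath.dirname(resolved).lower() + "\\" == app_dir
            and any(m in app_dir for m in USER_WRITABLE_MARKERS))


# Constructed layout: an extracted lure folder in Downloads plus the real system copies.
EXE = r"C:\Users\alice\Downloads\Invoice_2025\PDFViewer.exe"
CWD = r"C:\Users\alice"
FILESYSTEM = {
    EXE,
    r"C:\Users\alice\Downloads\Invoice_2025\version.dll",    # planted; not a KnownDLL
    r"C:\Users\alice\Downloads\Invoice_2025\kernel32.dll",   # planted; IS a KnownDLL
    r"C:\Users\alice\dbghelp.dll",                           # planted in the working directory
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\dbghelp.dll",
}

if __name__ == "__main__":
    for dll, safe in (("version.dll", True), ("kernel32.dll", True),
                      ("dbghelp.dll", True), ("dbghelp.dll", False)):
        chosen = resolve_dll(dll, EXE, CWD, FILESYSTEM, safe_mode=safe)
        print(f"{dll:13} safe={safe!s:5} -> {chosen}  risk={sideload_risk(chosen, EXE)}")
```

Running it shows the two things defenders most often get wrong: the planted `version.dll` wins with Safe DLL Search Mode on, because the application directory is searched before System32, while the planted `kernel32.dll` loses because KnownDLLs never go through the search. Safe mode only changes the `dbghelp.dll` case, where the copy in the working directory is picked up solely when the mode is off. That is why execution control on user-writable folders, not the search-mode setting, is the control that actually stops this.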
Process Hollowing, Explained Simply
Process hollowing is like a costume change. The malware starts a legitimate process in a suspended state (CREATE_SUSPENDED), unmaps its original image from memory, writes its own code in its place, points the main thread at that code (SetThreadContext), and resumes the thread. From the outside the process still carries the legitimate name, path, and signature; on the inside it runs malicious logic.
Defensive indicators:
– Suspended process creation followed by cross-process memory writes and a thread-context change in the new child, or memory regions with “RWX” permissions.
– A process whose in-memory image no longer matches the file on disk (Sysmon Event ID 25, ProcessTampering, reports exactly this).
– Legitimate system utilities making unexpected outbound network connections.
You don’t need to capture every API call to spot trouble. Baselines, heuristics, and EDR telemetry go a long way. For depth, see MITRE’s Process Injection family of techniques.
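Here is what that correlation looks like over endpoint telemetry, as an added example that is not from the original page or from X-Force. It takes Sysmon-style events (ProcessCreate, ImageLoad, ProcessAccess, NetworkConnect) as dictionaries keyed by Sysmon’s field names and builds one alert per process: a .NET utility from the list above spawned by something in a user-writable folder, then opened by that parent with `PROCESS_VM_WRITE | PROCESS_VM_OPERATION` (the rights hollowing needs), then connecting outbound. The events, paths and the `203.0.113.10` address are constructed; the ordering and field names follow Sysmon, but this is not a parser for real Sysmon XML.

```python
"""Correlate Sysmon-style events into a process-hollowing alert: a host EXE from
a user-writable folder side-loads an unsigned DLL, spawns one of the .NET
utilities QuirkyLoader hollows, writes into its memory, and the utility then
beacons out. Added example; the events are constructed, not real telemetry."""
import ntpath
from collections import defaultdict

HOLLOW_TARGETS = {"addinprocess32.exe", "installutil.exe", "aspnet_wp.exe"}
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")  # coarse on purpose
PROCESS_VM_OPERATION = 0x0008   # needed for VirtualAllocEx / NtUnmapViewOfSection on the target
PROCESS_VM_WRITE = 0x0020       # needed for WriteProcessMemory
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def _base(path):
    return ntpath.basename(path).lower()


def _user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)


def correlate(events):
    """events: dicts keyed by Sysmon field names (EventID 1, 3, 7, 10).
    Returns one alert per process that accumulated signals, highest severity first."""
    signals = defaultdict(list)   # pid -> human-readable signals
    images = {}                   # pid -> image path
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:    # ProcessCreate
            pid = ev["ProcessId"]
            images[pid] = ev["Image"]
            if _base(ev["Image"]) in HOLLOW_TARGETS and _user_writable(ev["ParentImage"]):
                signals[pid].append(f"spawned by {_base(ev['ParentImage'])} from a user-writable path")
        elif eid == 7:  # ImageLoad: unsigned DLL from the loading EXE's own (writable) folder
            same_dir = ntpath.dirname(ev["ImageLoaded"]).lower() == ntpath.dirname(ev["Image"]).lower()
            if ev["Signed"] != "true" and same_dir and _user_writable(ev["ImageLoaded"]):
                signals[ev["ProcessId"]].append(f"side-loaded unsigned {_base(ev['ImageLoaded'])}")
        elif eid == 10:  # ProcessAccess: handle with write rights on a hollowing target
            access = int(ev["GrantedAccess"], 16)
            if (access & INJECT_MASK) == INJECT_MASK and _base(ev["TargetImage"]) in HOLLOW_TARGETS:
                tgt, src = ev["TargetProcessId"], ev["SourceProcessId"]
                signals[tgt].append(
                    f"{_base(ev['SourceImage'])} opened it with VM_WRITE|VM_OPERATION ({ev['GrantedAccess']})")
                signals[tgt].extend(f"source had: {s}" for s in signals[src])  # inherit the injector's history
        elif eid == 3:  # NetworkConnect from a hollowing target
            if _base(ev["Image"]) in HOLLOW_TARGETS:
                signals[ev["ProcessId"]].append(f"outbound {ev['DestinationIp']}:{ev['DestinationPort']}")
    rank = {"high": 0, "medium": 1, "low": 2}
    alerts = []
    for pid, found in signals.items():
        injected = any("VM_WRITE" in s for s in found)
        beacon = any(s.startswith("outbound") for s in found)
        severity = "high" if injected and beacon else "medium" if injected or beacon else "low"
        alerts.append({"pid": pid, "image": images.get(pid), "severity": severity, "signals": found})
    return sorted(alerts, key=lambda a: rank[a["severity"]])


# Constructed event stream (field names follow Sysmon; values are made up).
FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
LURE = r"C:\Users\alice\Downloads\Invoice_2025"
EVENTS = [
    {"EventID": 1, "ProcessId": 4412, "Image": LURE + r"\PDFViewer.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 1234},
    {"EventID": 7, "ProcessId": 4412, "Image": LURE + r"\PDFViewer.exe",
     "ImageLoaded": LURE + r"\version.dll", "Signed": "false"},
    {"EventID": 1, "ProcessId": 5520, "Image": FW + r"\InstallUtil.exe",
     "ParentImage": LURE + r"\PDFViewer.exe", "ParentProcessId": 4412},
    {"EventID": 10, "SourceProcessId": 4412, "SourceImage": LURE + r"\PDFViewer.exe",
     "TargetProcessId": 5520, "TargetImage": FW + r"\InstallUtil.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "ProcessId": 5520, "Image": FW + r"\InstallUtil.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # An administrator running the same utility from cmd.exe: no injection, no beacon.
    {"EventID": 1, "ProcessId": 6001, "Image": FW + r"\InstallUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentProcessId": 800},
]

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert["severity"], alert["pid"], alert["image"])
        for s in alert["signals"]:
            print("   -", s)
```

The InstallUtil instance spawned from Downloads, written into by its parent and then talking to the internet scores high; the same binary launched by an administrator from cmd.exe produces no alert at all, which is the difference between blocking a LOLBin outright and blocking the behaviour. On a real host, Event ID 10 must be enabled for these targets in the Sysmon configuration (many community configs already include `InstallUtil.exe`), and the `\users\` marker should be tightened to the paths your application-control policy actually leaves writable.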
Confirmed Campaigns: Taiwan and Mexico
IBM X-Force observed two notable campaigns in July 2025:
- Taiwan: The campaign reportedly targeted employees of Nusoft Taiwan, a network and internet security research company. The payload of choice was Snake Keylogger—aimed at stealing browser credentials, keystrokes, and clipboard content. Aiming at security staff suggests either confidence or a desire to steal high-value credentials.
- Mexico: The campaign looked more random in targeting, with infection chains delivering Remcos RAT and AsyncRAT. These tools provide attackers with remote control, data exfiltration, and persistence.
Target geography can shift quickly with loaders like this. Today it’s Taiwan and Mexico; tomorrow it may be your region or industry.
The Payloads Riding on QuirkyLoader
Understanding the common payloads helps you prioritize detections:
- Agent Tesla: A long-standing stealer that targets credentials from browsers and email/FTP clients. It’s widely resold, frequently updated, and common in malspam campaigns.
- AsyncRAT: A flexible open-source RAT that supports remote desktop, keystroke logging, and file operations.
- Remcos RAT: Commercially available tool often abused for full system control and surveillance.
- Snake Keylogger: Focuses on capturing keystrokes and clipboard data, along with browser credentials.
- Formbook/Masslogger/Rhadamanthys: Info-stealers with strong data-harvesting and exfiltration features.
For general overviews and defensive guidance: – CISA Stop Ransomware has practical mitigation frameworks that also apply to stealers and RATs. – MITRE ATT&CK maps behaviors common to these families.
Why QuirkyLoader Is Tricky to Detect
Let me explain why defenders feel this in their telemetry—but struggle to pin it down:
- It arrives via trusted channels: Emails sent from legitimate ESPs can sail past filters.
- It abuses trusted binaries: Legitimate executables and Windows utilities lend cover.
- It runs in memory: Process hollowing avoids writing obvious executables to disk.
- It blends .NET and native traits: AOT compilation muddies language-based detection.
- It keeps volume low: Limited, geo-focused campaigns help it stay under the radar.
Here’s why that matters: Traditional detection focused on known bad hashes or obvious dropper behavior won’t cut it. You need behavior-based detections, strict application control in risky paths, and better email hygiene.
New Phishing Tactics: QR Codes and “Precision-Validated” Phishing Kits
QuirkyLoader isn’t the only curveball. Attackers are rethinking delivery and lures:
QR Code Phishing (Quishing) Evolves
Threat actors are splitting malicious QR codes into two parts or embedding them within legitimate QR images to evade scanners. Because humans can’t “read” QR codes, they don’t raise the same immediate red flags as suspicious links. And when users scan with their phone, they often leave the company’s security perimeter.
Why attackers like QR codes: – They can bypass traditional email filters and link scanning. – Scanning moves the user to a less-protected device (mobile). – QR lures feel “office-friendly” (think invoices, MFA prompts, or delivery notices).
For more on QR code scam trends, see the FBI’s public service announcement: FBI IC3: QR Code Scams.
Vendor research on evolving quishing tactics is also informative: Barracuda Threat Spotlight.
Precision-Validated Phishing and 2FA Theft
Researchers also surfaced a phishing kit (linked to the PoisonSeed actor) that:
– Validates the victim’s email address in real time in the background, behind a fake “checking” step styled like a Cloudflare Turnstile challenge, so only real, pre-selected addresses ever see the lure (hence “precision-validated”).
– Then presents a login page mimicking large SaaS providers (Google, SendGrid, Mailchimp, and others).
– Captures credentials and 2FA codes and relays them upstream to hijack accounts and send crypto scam emails.
Key insight: anything the user can read and type, including SMS codes, authenticator-app (TOTP) codes, and push approvals, can be relayed by a kit like this. Phishing-resistant methods like FIDO2 security keys or device-bound passkeys drastically reduce risk because the browser binds each signed login to the site’s real origin and domain, so an assertion produced on a look-alike page is useless at the legitimate one.
Useful primers: – NVISO Labs blog on phishing kits and tactics: NVISO Labs. – FIDO Alliance on passkeys and phishing resistance: FIDO Passkeys.
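The difference between “relayable” and “origin-bound” is easiest to see side by side. The following is an added example, not code from NVISO, the FIDO Alliance or the page: a toy relying party that accepts a TOTP code it cannot tell was typed on a phishing page, next to a toy WebAuthn verifier that rejects a passkey assertion produced on a look-alike origin. The TOTP routine is real RFC 6238 (checked against the RFC test vector). Assumptions, all labelled in the code: an HMAC stands in for the ECDSA signature a real authenticator produces, the domains are hypothetical, and the browser’s rule that a page may only request an assertion for its own domain is modelled by deriving the RP ID from the origin.

```python
"""Why a relayed one-time code works for the attacker but a relayed passkey
assertion does not. Added example: a toy relying party (RP) and authenticator.
Assumptions: HMAC stands in for the ECDSA signature a real passkey produces,
and the domains are hypothetical."""
import base64
import hashlib
import hmac
import json

RP_ID = "accounts.example.com"                  # hypothetical relying party
RP_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts-example.com"   # hypothetical look-alike phishing page


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP on top of HOTP (HMAC-SHA1, dynamic truncation)."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def rp_accepts_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The RP cannot know who typed the code or on which page: it only compares digits."""
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def get_assertion(key: bytes, challenge: bytes, origin: str) -> dict:
    """Authenticator side. The browser fills in `origin` and only allows the
    page's own domain as RP ID (modelled here by deriving it from the origin).
    The signature covers authenticatorData || SHA-256(clientDataJSON)."""
    rp_id = origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": _b64u(challenge), "origin": origin},
        separators=(",", ":")).encode()
    # rpIdHash (32) | flags UP+UV (1) | signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def verify_assertion(key: bytes, challenge: bytes, a: dict) -> tuple:
    """Relying-party checks in WebAuthn order: type, challenge, origin, rpIdHash,
    then the signature over exactly the bytes the authenticator signed."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != _b64u(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"
    if a["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), a["signature"]):
        return False, "bad signature"
    return True, "ok"


# Constructed secrets and a fixed clock.
TOTP_SECRET = b"12345678901234567890"
PASSKEY = hashlib.sha256(b"constructed passkey").digest()
NOW = 1_700_000_000


def relay_totp() -> bool:
    """Kit shows a fake MFA prompt on the phishing page, forwards the code to the real RP."""
    code_typed_on_phish_page = totp(TOTP_SECRET, NOW)
    return rp_accepts_totp(TOTP_SECRET, code_typed_on_phish_page, NOW)


def relay_passkey(challenge: bytes) -> tuple:
    """Kit fetches a real challenge, has the victim answer it on the phishing
    origin, and forwards the assertion unchanged."""
    return verify_assertion(PASSKEY, challenge, get_assertion(PASSKEY, challenge, PHISH_ORIGIN))


def relay_passkey_patched(challenge: bytes) -> tuple:
    """Same, but the kit rewrites origin and rpIdHash to look genuine."""
    a = get_assertion(PASSKEY, challenge, PHISH_ORIGIN)
    cd = json.loads(a["clientDataJSON"])
    cd["origin"] = RP_ORIGIN
    a["clientDataJSON"] = json.dumps(cd, separators=(",", ":")).encode()
    a["authenticatorData"] = hashlib.sha256(RP_ID.encode()).digest() + a["authenticatorData"][32:]
    return verify_assertion(PASSKEY, challenge, a)


def genuine_passkey(challenge: bytes) -> tuple:
    """The same user, same passkey, on the real site."""
    return verify_assertion(PASSKEY, challenge, get_assertion(PASSKEY, challenge, RP_ORIGIN))


if __name__ == "__main__":
    ch = hashlib.sha256(b"server challenge").digest()
    print("TOTP relayed through phishing page accepted:", relay_totp())
    print("passkey, genuine site:        ", genuine_passkey(ch))
    print("passkey, relayed from phish:  ", relay_passkey(ch))
    print("passkey, relayed and patched: ", relay_passkey_patched(ch))
```

The relayed code is accepted because a TOTP carries no information about where it was typed. The relayed assertion fails on the origin check, and if the kit edits the origin and RP ID hash to look right the signature no longer verifies, because those fields are inside the signed data. A real deployment gets the same property from an ECDSA or Ed25519 public key registered at enrolment; the HMAC here exists only so the example runs with the standard library.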
What Security Teams Can Do Now: A Prioritized Checklist
You don’t need a complete overhaul to blunt these attacks. Start with the highest-impact controls:
- Harden email entry points
– Block or sandbox archives from external senders by default; apply Content Disarm and Reconstruction (CDR) where possible.
– Quarantine or flag password-protected archives, which scanners cannot open, and require a justification for release.
– Publish a DMARC policy (backed by SPF and DKIM) for your own domains and enforce sender authentication on inbound mail: DMARC.org.
- Reduce side-loading opportunities
– Keep Safe DLL Search Mode enabled (it is the default) and load DLLs by fully qualified path in internal apps. Neither stops a DLL planted in the application’s own directory, which is searched first, so the execution controls below do the real work.
– Deny execution from user-writable paths (Downloads/AppData/Temp) using WDAC or AppLocker: WDAC guidance.
– Block or alert when InstallUtil.exe, AddInProcess32.exe, or legacy aspnet_wp.exe make network connections or spawn unusual children.
- Lean on behavior-based detection
– Turn on Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint where licensing allows: ASR rules.
– Deploy Sysmon with community-proven configs to log process creation (Event ID 1), network connections (3), image loads (7), process access (10), and process tampering (25): Sysmon.
– Create detections for suspended process creation followed by cross-process writes into the new child, suspicious (RWX) memory permissions, and an in-memory image that no longer matches the file on disk.
- Lock down identity
– Move high-risk groups to phishing-resistant MFA (FIDO2 keys or passkeys) first.
– Enforce conditional access policies, number-matching for push notifications, and impossible-travel checks.
– Monitor for token theft signals and unusual OAuth consent grants.
- Tame QR risks
– Train users to preview URLs before opening. Encourage scanning QR codes with a managed app that shows the full URL clearly.
– Consider stripping or rewriting QR images in emails from external senders.
– Block direct access to unmanaged mobile app stores from corporate devices; enforce MDM profiles.
- Restrict egress and resolve safely
– Apply DNS filtering to block known-bad domains and newly registered domains (NRDs): Quad9.
– Limit outbound traffic to required destinations; proxy and log everything for investigation.
- Prepare the “oops” playbook
– If a user runs a suspicious attachment, isolate the host, capture volatile artifacts, and triage memory for injection indicators.
– Reset credentials from a known-clean device and rotate tokens.
– Have a pre-approved communications plan and IR retainer for rapid engagement.
Quick Wins for Small Teams and Individuals
If you don’t have a big security stack, here are practical steps you can take in under an hour:
- Turn on automatic OS and browser updates everywhere.
- Enable SmartScreen and Reputation-based protection in Windows.
- Use a reputable security suite with behavioral detection.
- Don’t let your browser or archive tool auto-open downloads; extract archives only when you expected them and know what’s inside.
- Use a password manager and enable passkeys where available.
- Back up important files to a cloud provider plus an external drive (and test the restore).
- Don’t scan QR codes from emails unless you can preview the URL first.
Small changes compound. Think of this like adding speed bumps to the attacker’s path.
Red Flags to Catch in the Inbox
Train your team (and yourself) to pause when you see:
- Archives (ZIP/RAR/7z) instead of a simple document—especially from unknown senders.
- Double extensions (e.g., Invoice.pdf.exe) or DLLs included with “receipts.” Windows hides known extensions by default, so turn that setting off or the file will simply display as Invoice.pdf.
- “Reply-to” domains that don’t match the sender.
- “Please scan this QR code to verify your account/MFA.”
- Requests that push you to a mobile device to complete an action.
- Attachments that prompt you to enable macros or “install a viewer.”
A healthy dose of skepticism is your first line of defense. When in doubt, validate through another channel.
If You Think You’re Infected
Act fast, but don’t panic:
- Disconnect the device from the network (wired and Wi-Fi).
- If you have an IT or security team, contact them immediately.
- From a clean device, change passwords for email and critical accounts.
- Run a full scan with your security tool; consider a second opinion scanner.
- Monitor for odd logins, mail forwarding rules, or unauthorized changes.
- If sensitive data may be exposed, follow your incident response and legal procedures.
The sooner you contain it, the less cleanup later.
The Bigger Picture: Loaders, Lures, and Living Off the Land
QuirkyLoader highlights a broader shift:
- Modular delivery: Attackers use loaders so they can swap payloads based on target value or defenses.
- Abuse of trust: Side-loading and living-off-the-land binaries thrive because they borrow legitimacy.
- Phishing sophistication: From QR codes to 2FA theft kits, social engineering is evolving faster than static filters.
- Low-and-slow campaigns: Smaller runs, regional targets, higher success.
The defense answer isn’t any one tool—it’s layered hygiene plus behavior-based detection. Small barriers and better defaults, everywhere.
Helpful References
- IBM Security X-Force threat insights: IBM X-Force
- DLL side-loading (MITRE T1574.002): MITRE ATT&CK T1574.002
- Process hollowing (MITRE T1055.012): MITRE ATT&CK T1055.012
- LOLBAS: InstallUtil abuse: InstallUtil
- Windows Defender Application Control: WDAC
- Attack Surface Reduction rules: ASR
- Sysmon for deep telemetry: Sysmon
- FBI PSA on QR code scams: IC3 PSA
- NVISO Labs on phishing kits: NVISO Labs
- FIDO Alliance on passkeys: Passkeys
- CISA Stop Ransomware: CISA
FAQs: QuirkyLoader, Side-Loading, and Phishing Trends
- What is QuirkyLoader?
QuirkyLoader is a malware loader used in email campaigns to deliver various payloads like Agent Tesla, AsyncRAT, Remcos, and Snake Keylogger. It relies on DLL side-loading and process hollowing to evade detection.
- How does DLL side-loading work in malware attacks?
Attackers place a malicious DLL where a legitimate app will load it, often in the same folder. When the app runs, it unwittingly loads the attacker’s DLL. See MITRE T1574.002.
- What is process hollowing?
It’s a technique where malware starts a legitimate process, swaps out its memory for malicious code, and resumes it to look normal. See MITRE T1055.012.
- Which processes does QuirkyLoader target for injection?
AddInProcess32.exe, InstallUtil.exe, and aspnet_wp.exe have been observed as injection targets.
- Is Snake Keylogger dangerous?
Yes. It captures keystrokes, clipboard content, and browser credentials. It’s often used to steal sensitive data and access accounts.
- How do I protect against payloads like Agent Tesla and AsyncRAT?
Block risky attachments, use behavior-based endpoint protection, restrict execution from user-writable paths, and monitor for memory injection patterns. Identity hardening and DNS filtering help too.
- Why are QR code phishing (“quishing”) attacks rising?
QR codes evade link scanners, can be hard for users to evaluate, and often push victims to mobile devices outside enterprise protection. See the FBI’s advisory.
- Can attackers bypass 2FA?
Yes, if you use phishable methods like SMS or TOTP codes. Phishing-resistant MFA (FIDO2 security keys or passkeys) dramatically reduces risk: FIDO Passkeys.
- What email security settings should we prioritize?
Enable SPF, DKIM, and DMARC; sandbox archives; quarantine password-protected attachments; and apply URL rewriting/inspection with strict click-time protection.
- I opened a suspicious archive. What now?
Disconnect from the network, notify IT/security, scan the device, and change passwords from a clean machine. Monitor for suspicious logins or mail rules.
- How can small businesses lower risk quickly?
Turn on automatic updates, enable SmartScreen, use a reputable endpoint security product, deny execution from user-writable folders, enforce MFA, and train staff on QR code and attachment red flags.
- Where can I learn more about attacker techniques?
Start with MITRE ATT&CK for technique mapping and CISA’s guidance for practical mitigations.
The Bottom Line
QuirkyLoader isn’t just another malware “brand.” It’s a sign of where email-borne threats are going: more modular, more adaptive, and more reliant on trusted system behaviors. Combined with evolving phishing tactics—from QR code lures to precision-validated login pages—the risks are shifting from obvious to insidious.
Here’s the actionable takeaway: double down on behavior-based detection, limit side-loading opportunities with application control, move high-risk users to phishing-resistant MFA, and make it harder for archives and QR codes to become someone’s worst day. Small, layered defenses beat single silver bullets—every time.
If you found this useful, consider subscribing for more practical breakdowns as attacker tactics evolve. Stay sharp, and stay safe.