
QuirkyLoader: New Malware Spreads AsyncRAT and Snake Keylogger

Written by Scarlet Mendoza | Aug 22, 2025 3:00:00 PM

A new malware loader named QuirkyLoader has been tracked since November 2024, gaining ground through email spam campaigns. Its job is to deliver second-stage payloads onto a compromised machine, including information stealers and Remote Access Trojans (RATs).

Among the most common malware families distributed via QuirkyLoader are some well-known names in the cybercrime world: Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger. In short, this loader is becoming a Swiss army knife for cybercriminals looking to stealthily and efficiently compromise systems.

Attack Techniques Used by QuirkyLoader: Malicious Emails and DLL Sideloading

The campaigns use both emails sent through legitimate service providers and messages from self-hosted mail servers. Each email carries a malicious attachment with three components: a legitimate, harmless-looking executable, a malicious DLL, and an encrypted payload.

What makes this technique concerning is the use of DLL sideloading. Windows looks for a DLL in the application's own directory before it checks the system directories (the exception is the KnownDLLs list, which is always mapped from System32). The attacker therefore ships a legitimate, often signed, executable together with a malicious DLL that carries the name of one of the executable's imports: the user runs the trusted program, and the program loads the attacker's DLL without any exploit being involved. That DLL then decrypts the payload and injects it into a target process.

For the injection, QuirkyLoader uses process hollowing: it starts a legitimate program such as AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe (all part of the .NET Framework installed on Windows) in a suspended state, replaces the process's in-memory image with the decrypted payload, and resumes it. The malware then runs under the name of a signed Microsoft binary, which defeats antivirus checks that key on the file on disk. The activity remains visible to tools that compare the mapped image with the on-disk file, or that flag these utilities when they are launched from an unusual parent process or start making network connections.
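As an added illustration of the sideloading stage (not code from the original article, and not QuirkyLoader's own code), the Python script below does the static triage a responder would do on an extracted attachment: it walks each executable's PE import table and flags any imported DLL name that also exists as a file beside the executable. The file names viewer.exe, version.dll and payload.bin and the PE image itself are constructed here for the demonstration; the article does not name QuirkyLoader's files. The KnownDLLs set is a hand-picked subset of the real list.

```python
import struct

# Subset of the KnownDLLs list (HKLM\...\Session Manager\KnownDLLs): these are always
# mapped from System32, so a same-named file beside the EXE is never loaded in their place.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "gdi32.dll",
              "advapi32.dll", "ole32.dll", "shell32.dll", "combase.dll"}


def parse_imports(pe: bytes) -> list[str]:
    """Return the DLL names in a PE file's import directory, in table order."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    if magic == 0x10B:          # PE32: data directories start 96 bytes into the optional header
        dir_off = opt_off + 96
    elif magic == 0x20B:        # PE32+: 112 bytes in
        dir_off = opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # Section table: (VirtualAddress, size, PointerToRawData) for RVA -> file offset mapping.
    sections = []
    for i in range(n_sections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, opt_off + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_off(rva: int) -> int:
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is outside every section")

    import_rva = struct.unpack_from("<I", pe, dir_off + 8)[0]   # directory entry 1 = imports
    if import_rva == 0:
        return []
    names, off = [], rva_to_off(import_rva)
    while True:                                                # IMAGE_IMPORT_DESCRIPTOR, 20 bytes
        _, _, _, name_rva, first_thunk = struct.unpack_from("<IIIII", pe, off)
        if name_rva == 0 and first_thunk == 0:                 # all-zero terminator
            break
        start = rva_to_off(name_rva)
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii", "replace"))
        off += 20
    return names


def sideload_candidates(files: dict[str, bytes]) -> list[tuple[str, str]]:
    """files maps filename -> content for one extracted attachment directory.
    Returns (exe, dll) pairs where the EXE imports a DLL by name, a file of that name sits
    beside it, and the name is not a KnownDLL. With the default SafeDllSearchMode, Windows
    checks the application directory before System32, so the neighbour is what gets loaded."""
    by_lower = {name.lower(): name for name in files}
    hits = []
    for name, data in files.items():
        if not name.lower().endswith(".exe") or not data.startswith(b"MZ"):
            continue
        for dll in parse_imports(data):
            low = dll.lower()
            if low in by_lower and low not in KNOWN_DLLS:
                hits.append((name, by_lower[low]))
    return hits


def build_sample_pe(import_names: list[str]) -> bytes:
    """Construct a minimal PE32 whose only content is an import directory naming
    `import_names`. Test data for this example, not a real program."""
    sect_rva, sect_raw = 0x1000, 0x200
    desc_area = 20 * (len(import_names) + 1)                   # descriptors + terminator
    blob, name_rvas = b"", []
    for n in import_names:
        name_rvas.append(sect_rva + desc_area + len(blob))
        blob += n.encode() + b"\0"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas) + b"\0" * 20
    data = (descs + blob).ljust(0x200, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[1] = (sect_rva, desc_area)                            # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0") + b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(data), sect_rva, len(data), sect_raw,
                       0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(sect_raw, b"\0") + data


# Constructed sample drop directory; the file names are hypothetical, not QuirkyLoader's.
SAMPLE_FILES = {
    "viewer.exe": build_sample_pe(["KERNEL32.dll", "version.dll"]),
    "version.dll": b"MZ" + b"\0" * 62,      # the malicious DLL; its content is irrelevant here
    "payload.bin": bytes(range(256)),       # stands in for the encrypted second stage
}

if __name__ == "__main__":
    for exe, dll in sideload_candidates(SAMPLE_FILES):
        print(f"sideload candidate: {exe} imports {dll}, and {dll} is present beside it")
```

To run it on a real extracted attachment, replace SAMPLE_FILES with a dictionary read from the directory (filename to file contents). A hit is not proof on its own, since legitimate software ships private copies of DLLs, but a signed executable sitting next to an unsigned DLL that carries a system-library name, plus an opaque blob, is exactly the three-file drop pattern the article describes and is worth pulling into a sandbox.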

This DLL-based loader has been active in low-profile campaigns over the past few months. In July 2025, at least two targeted campaigns were observed—one in Mexico and another in Taiwan.

In the case of Taiwan, attackers specifically targeted employees of Nusoft Taiwan, a company focused on cybersecurity and network research. The goal was clear: to infect their systems with Snake Keylogger, a malware strain designed to steal sensitive browser data, log keystrokes, and capture clipboard content.

The campaign aimed at Mexico, by contrast, looks opportunistic and untargeted. The infection chains observed there mainly delivered Remcos RAT and AsyncRAT, two well-known tools for remote system control.

One notable detail: the loader module is consistently written in .NET, but compiled Ahead-Of-Time (AOT) rather than to the usual intermediate language. The result is native machine code that, on inspection, looks like something written in C or C++. That complicates analysis and detection, because decompilers that rely on .NET metadata do not work on the native output, and signatures written for managed .NET loaders do not match it.

Emerging Phishing Trends

Cybercriminals keep evolving their tactics, and one phishing method gaining momentum is quishing (QR code phishing). Attackers are getting more sophisticated here too: some now split a QR code into two parts to evade detection, or nest a malicious QR code inside a legitimate-looking one, delivered via email using well-known phishing kits like Gabagool and Tycoon.

The attack works because a QR code is not human-readable and, to an email filter, is just an image. The destination URL is encoded in the pixels rather than written into a hyperlink, so link scanners and spam filters that only parse the message text and its links never see it. To the recipient the code looks harmless, but scanning it sends them to a malicious website.

Adding to the risk, most people scan the code with a phone, which is often outside the corporate web proxy, endpoint agent and DNS filtering. The attacker has effectively stepped around the enterprise email gateway and reached the user on a device with fewer controls.

That is not the end of it. Security researchers have also identified a new phishing kit used by a threat group known as PoisonSeed, with a more ambitious goal: stealing both login credentials and two-factor authentication (2FA) codes from individuals and organizations. The end goal is account takeover, with the hijacked accounts then used to launch further scams, particularly in the cryptocurrency space.

The kit is hosted on spoofed domains that closely mimic the login pages of well-known platforms like Google, SendGrid, and Mailchimp. Convincing spear-phishing emails carry links that redirect victims to these fake login portals. Once the victim enters credentials and a 2FA code, the attackers have everything they need to log in as that user and expand the campaign from the hijacked account.

One of the most striking features of this kit is real-time email validation before the fake login form is shown. With this technique, known as precision-validated phishing, the kit silently checks whether the entered address is one it wants while the visitor sees a fake Cloudflare Turnstile challenge, so the check passes as an ordinary security step. Anyone else, including analysts and automated URL scanners that submit an address the kit does not recognise, gets a harmless page, which makes the campaign harder to detect and take down.

If the email passes this silent validation, the phishing kit then presents a highly convincing fake login form that closely mimics the legitimate platform. The unsuspecting user, believing they’re on a trusted site, enters their credentials—unknowingly handing them over to the attacker. Once the data is submitted, it is instantly transmitted to the malicious backend, completing the credential theft.

This strategy highlights just how sophisticated and convincing modern phishing attacks have become—even for tech-savvy users. By combining stealth, accuracy, and visual authenticity, attackers can significantly increase their success rate, making it critical for both individuals and organizations to remain vigilant and adopt advanced email and web filtering solutions.

How to Protect Yourself from QuirkyLoader and QR Code Scams

The good news is that, even as attackers refine their techniques, there are still practical and effective ways to reduce your risk. Installing an antivirus is not enough on its own; the protection comes from combining technology, good practices, and user education.

1. Be Suspicious of Unexpected Emails

If you receive an email with attachments, links, or QR codes you weren't expecting, approach it with caution. Even if it appears to come from a legitimate sender, double-check the email address and look for red flags like typos, urgency, or unusual content.

2. Be Careful with QR Codes

Before scanning a QR code, ask yourself whether it makes sense in context. If it arrived in an unexpected email, document, or message, don't scan it. If you must, use a scanner app that shows the decoded URL before opening it, and check the domain carefully: lookalike domains are the whole point of these campaigns.

3. Keep Your Systems and Software Updated

Many attacks exploit known vulnerabilities in outdated operating systems, browsers, or apps. Enable automatic updates whenever possible to stay protected against the latest threats. Note that the QuirkyLoader campaigns described above rely on the user running the attachment, not on an exploit, so patching closes off other routes but does not stop that one by itself.

4. Use Advanced Security Solutions

Basic antivirus software isn't enough anymore. Choose EDR solutions (Endpoint Detection and Response) or platforms that analyze behavior, not just known malware signatures. The techniques described above leave behavioral traces even when the files evade signatures: a signed executable loading an unsigned DLL from a user-writable folder such as a downloads or temp directory, or InstallUtil.exe, AddInProcess32.exe or aspnet_wp.exe being started from an attachment's extraction path and then opening network connections.

This is where tools like TecnetProtect make a difference. It combines real-time protection against malware and ransomware with automated backup and rapid recovery features. This double layer ensures that even if an attack gets through, you can still restore your critical data and keep operations running smoothly.

5. Enable Multi-Factor Authentication (MFA)

Even if an attacker gets your credentials, MFA adds an extra layer of defense. Keep in mind, though, that the phishing kit described above steals 2FA codes too: a one-time code is just another secret the victim types into the fake page, and the kit relays it to the real site before it expires. Where possible, use phishing-resistant options such as FIDO2 security keys (hardware authenticators): the browser binds each login response to the website's real origin, so a response produced on a lookalike domain is rejected by the legitimate site.
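The following Python simulation, added here as an example and not part of the original article, shows that difference. Its first half implements TOTP per RFC 6238 and relays a victim's code the way a proxy kit would; its second half models a WebAuthn login in which the browser writes the page origin into the signed client data. Assumptions: the relying party is example.com at https://login.example.com, the kit sits at https://login.example-com.net, and the security key's signature is stood in for by an HMAC with a per-credential secret (the standard library has no ECDSA); the origin and rpId checks are what the example demonstrates and do not depend on that substitution. The TOTP secret is the RFC 6238 test key.

```python
import base64, hashlib, hmac, json, secrets, struct

RFC_TEST_SECRET = b"12345678901234567890"   # RFC 6238 test key, not a real secret

# ---- TOTP (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) ----------------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def verify_totp(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Usual server check: the current step plus/minus `skew` neighbours for clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * 30), code)
               for d in range(-skew, skew + 1))

def totp_relay_succeeds(secret: bytes, victim_time: int, relay_delay: int = 20) -> bool:
    """Victim types the code into the kit's fake form at victim_time; the kit submits it to
    the real site relay_delay seconds later. The code says nothing about where it was typed."""
    stolen = totp(secret, victim_time)
    return verify_totp(secret, stolen, victim_time + relay_delay)

# ---- WebAuthn-style assertion with origin binding ------------------------------------
RP_ID = "example.com"                       # assumed relying party
RP_ORIGIN = "https://login.example.com"     # the only origin the RP accepts

class Authenticator:
    """Stand-in for a FIDO2 key. Assumption: the credential is an HMAC secret shared with
    the RP at registration instead of a private/public key pair."""
    def __init__(self):
        self.cred_key = secrets.token_bytes(32)

    def get_assertion(self, rp_id: str, client_data: bytes):
        # authenticatorData = rpIdHash (32) | flags (UP) | signCount (4)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        sig = hmac.new(self.cred_key, auth_data + hashlib.sha256(client_data).digest(),
                       hashlib.sha256).digest()                # signature covers client data
        return auth_data, sig

def browser_get_assertion(key: Authenticator, page_origin: str, rp_id: str, challenge: str):
    """The browser, not the page, writes `origin` into clientDataJSON and refuses an rpId
    that is not the page's host or a parent domain of it (simplified: no public-suffix check)."""
    host = page_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        raise PermissionError(f"{page_origin} is not allowed to use rpId {rp_id}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    auth_data, sig = key.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig

def rp_verify(cred_key: bytes, challenge: str, client_data: bytes, auth_data: bytes, sig: bytes):
    """Relying-party checks in the order the WebAuthn spec lists them. Returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"

def run_scenarios() -> dict:
    key = Authenticator()
    challenge = base64.urlsafe_b64encode(secrets.token_bytes(16)).decode().rstrip("=")
    out = {"legit": rp_verify(key.cred_key, challenge,
                              *browser_get_assertion(key, RP_ORIGIN, RP_ID, challenge))}
    phish = "https://login.example-com.net"   # assumed lookalike host run by the relay kit
    try:                                       # the kit's page cannot borrow the real rpId
        browser_get_assertion(key, phish, RP_ID, challenge)
        out["kit_claims_rp_id"] = "browser allowed it"
    except PermissionError:
        out["kit_claims_rp_id"] = "browser refused"
    # With its own rpId the kit does obtain an assertion, but it names the phishing origin.
    cd, ad, sig = browser_get_assertion(key, phish, "example-com.net", challenge)
    out["relayed_as_is"] = rp_verify(key.cred_key, challenge, cd, ad, sig)
    # Rewriting origin and rpIdHash to look legitimate invalidates the signature instead.
    fake_cd = cd.replace(phish.encode(), RP_ORIGIN.encode())
    fake_ad = hashlib.sha256(RP_ID.encode()).digest() + ad[32:]
    out["rewritten"] = rp_verify(key.cred_key, challenge, fake_cd, fake_ad, sig)
    return out

if __name__ == "__main__":
    print("relayed TOTP accepted by the real site:", totp_relay_succeeds(RFC_TEST_SECRET, 59))
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The TOTP relay succeeds because the server's only check is "is this the code for the current window", which a kit can satisfy within seconds of the victim typing it. The WebAuthn assertion fails on every path the kit has: the browser will not issue one for the real rpId from a lookalike origin, an assertion issued for the kit's own origin says so in the signed client data, and editing that data breaks the signature. A real relying party also tracks the signCount and stores a public key rather than a shared secret, which the stand-in omits.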

 

6. Segment Your Network and Back Up Your Data

In businesses, network segmentation limits the spread of malware between systems. Also, maintaining secure, offline backups is crucial for recovering after an attack.

With TecnetProtect, backups can be automated and encrypted, stored both in the cloud and on local servers—greatly reducing the risk of data loss, even in the face of sophisticated ransomware.

7. Invest in Cybersecurity Awareness Training

The weakest link is still human error. Regular cybersecurity training helps employees and home users alike recognize phishing attempts, malicious links, and suspicious files.

Prevention is the best defense. By combining smart digital habits with comprehensive solutions like TecnetProtect, you'll benefit from:

  1. Real-time threat protection

  2. Rapid data recovery

  3. Secure, automated backups

Whether you're facing threats like QuirkyLoader or QR-based phishing scams, being proactive is the key to staying safe.