- Researchers have identified a new Malware loader called QuirkyLoader being used in global email attacks since November 2024.
- QuirkyLoader distributes different types of malware, including Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger.
- The loader uses DLL side-loading and process hollowing techniques to inject malicious code into popular Windows processes.
- Recent phishing trends include splitting or nesting QR codes in email attacks to evade detection and using phishing kits to capture credentials and two-factor codes.
- Attackers are targeting both individuals and companies, specifically with focused campaigns in Taiwan and Mexico.
Cybersecurity experts have discovered a new malware loader called QuirkyLoader being used in email-based attacks across different countries since November 2024. These attacks spread malware to steal data or gain remote access on victims’ devices. Groups have used this tool to target employees of companies in Taiwan and randomly in Mexico.
According to IBM X-Force, QuirkyLoader delivers several types of harmful software, such as Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger. The attackers send emails through legitimate and self-hosted servers, using a malicious attachment that includes a DLL file, an encrypted payload, and a legitimate executable.
Security researcher Raymond Joseph Alfonso explained, “The actor uses DLL side-loading, a technique where launching the legitimate executable also loads the malicious DLL. This DLL, in turn, loads, decrypts, and injects the final payload into its target process.” The QuirkyLoader uses process hollowing, meaning it injects malware into running processes such as AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe. IBM states that these techniques help the malware avoid detection by security tools.
IBM notes that most QuirkyLoader attacks are limited but have been active, with two campaigns in July 2025. One attack group focused on employees at Nusoft Taiwan, in New Taipei City, aiming to deliver Snake Keylogger—stealing sensitive info from browsers, keystrokes, and clipboard. The Mexico campaign was broader in targeting, delivering Remcos RAT and AsyncRAT.
Researchers also report new trends in phishing, including the use of split or nested QR codes in emails. These trends, highlighted by Barracuda researcher Rohit Suresh Kanase, help attackers bypass filters because QR codes are not easily checked by traditional defences and usually require users to scan them with mobile devices. As Kanase noted, “Malicious QR codes…can often bypass traditional security measures such as email filters and link scanners.”
Another development includes the PoisonSeed phishing kit, which collects both passwords and two-factor codes by sending victims to fake login pages that mimic platforms like Google, SendGrid, and Mailchimp. According to NVISO Labs, attackers use spear-phishing emails with malicious links to lure targets and validate their details in real time, showing convincing fake security challenges.
These findings highlight the ongoing changes in how attackers try to avoid detection and access sensitive information across the globe.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- MetaMask Set to Launch mUSD Stablecoin, Eyes New Revenue Streams
- Input | Output (IO) Joins Blockchain for Europe to Advance Cross-Sector Collaboration in DeFi Policy Development
- Ming Shing to Acquire 4,250 Bitcoin, Eyes Top HK Crypto Treasury
- Scattered Spider Hacker Sentenced to 10 Years for Crypto Thefts
- BRICS Currency Designs Unveiled as 2026 Launch Gains Momentum
