
QuirkyLoader distributes Agent Tesla, AsyncRAT, Snake Keylogger and other malware

Cybersecurity researchers have revealed a new malware loader named QuirkyLoader, which has been actively delivering various next-stage payloads, including information stealers and remote access trojans, through email spam campaigns since November 2024. Notable malware families distributed via QuirkyLoader include Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger. IBM X-Force reported that these attacks utilise spam emails sent from both legitimate email service providers and self-hosted servers. The emails contain a malicious archive that includes a DLL, an encrypted payload, and a legitimate executable. Security researcher Raymond Joseph Alfonso explained that the threat actor employs DLL side-loading, where launching the legitimate executable also loads the malicious DLL, which subsequently decrypts and injects the final payload into its target process using process hollowing techniques.

QuirkyLoader has been observed in only a limited number of campaigns, with two notable instances in July 2025 targeting Taiwan and Mexico. The Taiwan campaign specifically targeted employees of Nusoft Taiwan, a network and internet security research company, with the intent of infecting them with Snake Keylogger, which can steal sensitive information from web browsers, keystrokes, and clipboard content. The Mexico campaign, by contrast, appears to be indiscriminate, delivering Remcos RAT and AsyncRAT. The threat actor consistently develops the DLL loader module in .NET languages, using ahead-of-time (AOT) compilation so that the resulting binary resembles code compiled from C or C++. Separately, new phishing tactics such as QR code phishing (quishing) have been noted, with attackers splitting malicious QR codes or embedding them within legitimate ones to evade detection. Barracuda researcher Rohit Suresh Kanase highlighted that malicious QR codes are advantageous for attackers because they are unreadable by humans and can bypass traditional security measures, further complicating the security landscape.
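As an added triage example (not code from IBM X-Force or the article), the following Python inspects an email attachment archive for the layout described above: an executable, a DLL beside it, and a high-entropy file that could be an encrypted payload. The sample archive and its file names are constructed placeholders, not indicators from the report.

```python
import io
import math
import zipfile
from collections import defaultdict
from posixpath import dirname


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a buffer; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_archive(blob: bytes, entropy_threshold: float = 7.0) -> dict:
    """Group archive members by directory and return only the directories that
    hold a PE .exe beside a PE .dll plus at least one high-entropy non-PE file,
    the attachment layout the report attributes to QuirkyLoader."""
    groups = defaultdict(lambda: {"exe": [], "dll": [], "opaque": []})
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            is_pe = data[:2] == b"MZ"  # DOS header magic of a PE image
            name, d = info.filename, dirname(info.filename)
            if is_pe and name.lower().endswith(".exe"):
                groups[d]["exe"].append(name)
            elif is_pe and name.lower().endswith(".dll"):
                groups[d]["dll"].append(name)
            elif not is_pe and shannon_entropy(data) >= entropy_threshold:
                groups[d]["opaque"].append(name)
    return {d: g for d, g in groups.items() if g["exe"] and g["dll"] and g["opaque"]}


def build_sample_archive(with_loader: bool = True) -> bytes:
    """Constructed test fixture (placeholder names, not indicators from the report):
    a viewer-style EXE, an optional DLL beside it, and an opaque 1 KiB blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice/viewer.exe", b"MZ" + b"\x00" * 64)
        if with_loader:
            zf.writestr("invoice/helper.dll", b"MZ" + b"\x00" * 64)
        zf.writestr("invoice/data.bin", bytes(range(256)) * 4)
    return buf.getvalue()
```

A hit only means the three-file pattern is present; a benign installer can look the same, so treat the result as a reason to detonate or inspect the DLL, not as a verdict.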
