Cyber Security News

Hackers Use New .NET Loader Malware to Deliver Wide Range of Payloads

An unrecorded .NET Loader was identified during routine threat hunting that downloads, decrypts, and executes a wide range of malicious payloads. 

Multiple threat actors extensively distributed this new loader in early June 2023 through the following mediums:-

  • Malicious phishing emails
  • Deceptive YouTube videos
  • Fake web pages mimicking legitimate websites
Ditribution mediums (Source – Sekoia)

The cybersecurity researchers at Sekoia identified this new .NET loader and named this newly discovered loader malware “CustomerLoader.”

Security analysts appointed this name due to its Command and Control (C2) communications containing the term “customer” and its loading functionalities.

.NET Loader to Deliver Payloads

CustomerLoader exclusively retrieves dotRunpeX samples, which in turn deliver a diverse range of malware families like:-

  • Infostealers
  • Remote Access Trojans (RAT)
  • Commodity ransomware

In March 2023, the security experts at Checkpoint publicly documented dotRunpeX as a .NET injector that is equipped with multiple anti-analysis techniques.

The association between CustomerLoader and an undisclosed Loader-as-a-Service is highly probable.

The dotRunpeX developer may have added CustomerLoader as a stage before the injector is executed.

Infection chain (Source – Sekoia)

CustomerLoader samples employ multiple code obfuscation techniques, disguising themselves as legitimate apps. This slows down and extends the analysis, likely due to easy-to-use .NET code obfuscation tools. 

However, there are numerous such tools that are accessible via NotPrab/.NET-Obfuscator GitHub repository, even for non-experts as well.

CustomerLoader uses AES in ECB mode for string obfuscation, with the decryption key stored in plaintext within the PE.

CustomerLoader evades detection by patching the AmsiScanBuffer function in amsi.dll, returning AMSI_RESULT_CLEAN to bypass antivirus. This marks the buffer as clean and permits the safe execution of malicious payloads.

Function that patches AmsiScanBuffer (Source – Sekoia)

The loader executes the customer payload following this process:-

  • From an embedded URL, an HTML page is downloaded by the CustomerLoader.
  • An encoded base64 string is extracted using regex: “/!!!(.*?)!!!/”
  • Then the base64 string is decoded and decrypted by it.
  • Then the payload is executed in memory using the reflective code technique.

The method of code reflection is obfuscated by shuffling, enabling the loading of .NET functions using the following function:-

  • NewLateBinding.LateGet

The encrypted payloads are retrieved by the CustomerLoader samples from their C2 server, with each payload linked to a unique customer ID that is hosted at:- 

  • hxxp://$C2/customer/$ID

The CustomerLoader samples were directly connected to C2 server IP 5.42.94[.]169 via HTTP between  31 May and 20 June 2023. While the C2 server switched to the domain kyliansuperm92139124[.]sbs and HTTPS, protected by Cloudflare on 20 June 2023.

The domain acts as a proxy, while the backend server remains 5.42.94[.]169. This C2 server changes likely aims to evade network detections and hinder security researchers’ analysis, according to analysts.

Malware Families Distributed

Here below we have mentioned all the malware families that are distributed by CustomerLoader:-

  • Redline
  • Formbook
  • Vidar
  • Stealc
  • Raccoon
  • Lumma
  • StormKitty
  • AgentTesla
  • DarkCloud
  • Kraken Keylogger
  • AsyncRAT
  • Quasar
  • Remcos
  • XWorm
  • njRAT
  • WarzoneRAT
  • BitRAT
  • NanoCore
  • SectopRAT
  • LgoogLoader
  • Amadey
  • Variant of WannaCry
  • TZW ransomware

CustomerLoader distributes the following malware families, each associated with a distinct number of unique botnets:-

  • Redline: over 80 botnets
  • Quasar: 45 botnets
  • Vidar: 9 botnets
  • Remcos: 6 botnets
  • Stealc: 4 botnets
  • Formbook: 4 botnets

CustomerLoader, when combined with the dotRunpeX injector, enhances compromise rates by reducing the detection of the final payload, despite lacking advanced techniques.


  • hxxp://[.]my/48E003A01/48E003A01.7z: Payload delivery URL
  • d40af29bbc4ff1ea1827871711e5bfa3470d59723dd8ea29d2b19f5239e509e9: Archive
  • 3fb66e93d12abd992e94244ac7464474d0ff9156811a76a29a76dec0aa910f82: CustomerLoader payload
  • hxxp://5.42.94[.]169/customer/735: CustomerLoader’s C2 URL
  • hxxps://telegra[.]ph/Full-Version-06-03-2: Malicious redirection webpage
  • hxxps://tinyurl[.]com/bdz2uchr: Shortened URL redirecting to the payload delivery URL
  • hxxps://www.mediafire[.]com/file/nnamjnckj7h80xz/v2.4_2023.rar/file: Payload delivery URLs
  • hxxps://www.mediafire[.]com/file/lgoql94feiic0x7/v2.5_2023.rar/file: Payload delivery URLs
  • 65e3b326ace2ec3121f17da6f94291fdaf13fa3900dc8d997fbbf05365dd518f: Archive
  • 7ff5a77d6f6b5f1801277d941047757fa6fec7070d7d4a8813173476e9965ffc: Archive
  • c05c7ec4570bfc44e87f6e6efc83643b47a378bb088c53da4c5ecf7b93194dc6: CustomerLoader payload
  • hxxp://5.42.94[.]169/customer/770: CustomerLoader’s C2 URL
  • 45.9.74[.]99: Raccoon stealer’s C2
  • 5.42.65[.]69: Raccoon stealer’s C2
  • hxxps://slackmessenger[.]site/: Malicious webpage impersonating Slack website
  • hxxps://slackmessenger[.]pw/ Payload delivery
  • 695f138dd517ded4dd6fcd57761902a5bcc9dd1da53482e94d70ceb720092ae6: Archive
  • b8f5519f7d66e7940e92f49c9f5f0cac0ae12cc9c9072c5308475bd5d093cdca: CustomerLoader payload
  • hxxp://5.42.94[.]169/customer/798: CustomerLoader’s C2 URL
  • missunno[.]com:80: Redline stealer’s C2
Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

SSNDOB Marketplace Admin Jailed for Selling millions of Americans Data

In a resounding triumph for justice, U.S. District Judge Kathryn Kimball Mizelle has sentenced Vitalii…

11 hours ago

Is Your Online Store Hacked in a Carding Attack? Here’s an Action Plan to Protect

Hackers are plotting to benefit from the generosity of Halloween, Thanksgiving, and Christmas shoppers using…

15 hours ago

Google Researchers Find Out How ChatGPT Queries Can Collect Personal Data

The LLMs (Large Language Models) are evolving rapidly with continuous advancements in their research and…

15 hours ago

New Android Malware Employs Various Tactics to Deceive Malware Analyst

In the dynamic realm of mobile application security, cybercriminals employ ever more sophisticated forms of…

17 hours ago

DJvu Ransomware Mimic as Cracked Software to Compromise Computers

A recent campaign has been observed to be delivering DJvu ransomware through a loader that…

18 hours ago

Okta Hack: Threat Actors Downloaded all Customer Support System Users’ Data

In a pivotal update to the Okta security incident divulged in October 2023, Okta Security…

19 hours ago