ModiLoader Malware Attacking Windows Users to Steal Login Credentials

A sophisticated malware strain called ModiLoader (also known as DBatLoader) has emerged as a significant threat to Windows users, specifically targeting individuals through carefully crafted phishing campaigns.

The malware, discovered in recent attacks, employs a multi-stage infection process that ultimately deploys SnakeKeylogger, a notorious information-stealing malware developed in .NET.

Initial infection occurs when unsuspecting users open malicious email attachments, believing they are viewing legitimate financial transaction records from banking institutions.

The attack begins with phishing emails written in Turkish, impersonating legitimate Turkish banks and prompting recipients to open RAR attachments to check their supposed transaction history.

Email body (Source – ASEC)

When opened, these attachments execute BAT files that create and deploy the DBatLoader malware (x[.]exe) in the system’s temporary directory using Base64 encoding techniques.

This elaborate encoding mechanism helps the malware bypass standard security detection systems by obfuscating its true nature until execution time.

ASEC analysts identified this malware campaign in mid-May 2025, noting that the DBatLoader malware employs a sophisticated series of obfuscated BAT scripts (5696[.]cmd, 8641[.]cmd, and neo[.]cmd) to establish persistence and evade detection.

The researchers observed that these scripts perform various functions to manipulate the system environment, creating an intricate web of legitimate and malicious processes working in tandem.

Once successfully deployed, ModiLoader executes its final payload, SnakeKeylogger, which begins harvesting sensitive information from infected systems.

This information includes system details, keyboard inputs, clipboard data, and potentially stored credentials.

The malware is particularly concerning due to its comprehensive data exfiltration methods, supporting data transmission via email, FTP, SMTP, and Telegram channels.

The analyzed sample specifically used a Telegram bot token (8135369946:AAEGf2HOErFZIOLbSXn5AVeBr_xgB-x1Qmk) to transmit stolen data to a command-and-control server, making detection and interception particularly challenging.

For affected users, the impact can be severe, with personal and financial credentials potentially compromised.

The malware’s ability to monitor keyboard inputs means that even data entered after infection (including newly created passwords) can be captured and exfiltrated to attackers, creating persistent security vulnerabilities even after initial detection.

Detection Evasion Techniques

ModiLoader employs remarkably advanced detection evasion techniques, leveraging legitimate Windows processes to mask its malicious activities.

Functions of 8641[.]cmd (Source – ASEC)

The malware uses the Windows Esentutl command to copy cmd[.]exe as alpha.pif, then creates folders with spaces in their names (such as “C:\Windows \SysWOW64”) to disguise them as legitimate system paths.

Legitimate program (easinvoker[.]exe) with the file name disguised as svchost.pif (Source – ASEC)

This technique helps the malware avoid detection by security software that may not properly parse paths with unusual spacing.

The malware further obscures its presence through DLL side-loading, creating a program named svchost.pif that masquerades as the legitimate easinvoker[.]exe process.

Alongside this, it deploys a malicious netutils.dll in the same directory, causing the legitimate process to exhibit malicious behavior when it loads the compromised DLL.

Functions of manipulated netutils[.]dll (Source – ASEC)

The manipulated netutils.dll executes encoded commands that run additional scripts, creating a chain of execution that’s difficult for security solutions to track.

Perhaps most concerning is the malware’s ability to actively disable security protections. Through the neo[.]cmd script, ModiLoader uses the extracted powershell[.]exe (renamed as xkn.pif) to add system subdirectories to Windows Defender’s exclusion paths, effectively bypassing antivirus scanning.

This sophisticated combination of legitimate Windows tools and processes makes ModiLoader particularly challenging to detect through conventional security measures, highlighting the need for advanced behavior-based detection systems to identify such threats.
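As an added illustration (not from the ASEC report or this article), the following Python sketch shows how a defender might flag the behaviours described in this section in process-creation and image-load telemetry: esentutl copying cmd.exe to a .pif, a space-padded "C:\Windows \SysWOW64" directory, netutils.dll loaded from outside the system directories, and a renamed powershell.exe adding a Defender exclusion. The event records are constructed Sysmon-style samples with simplified field names, and the rule names are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style records (not real telemetry) modelled on the chain above.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\esentutl.exe",
     "cmdline": r"esentutl.exe /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o"},
    {"type": "process", "image": r"C:\Windows \SysWOW64\svchost.pif",
     "cmdline": r'"C:\Windows \SysWOW64\svchost.pif"'},
    {"type": "image_load", "image": r"C:\Windows \SysWOW64\svchost.pif",
     "loaded": r"C:\Windows \SysWOW64\netutils.dll"},
    {"type": "process", "image": r"C:\Users\Public\xkn.pif",
     "cmdline": r'xkn.pif -c "Add-MpPreference -ExclusionPath C:\Windows \SysWOW64"'},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

# A directory component that ends in whitespace right before the next separator.
SPACE_PADDED_DIR = re.compile(r"\\[^\\]*\s\\")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def esentutl_copy_to_pif(ev):
    """esentutl.exe used as a copy utility with a .pif destination."""
    return (ev["type"] == "process"
            and PureWindowsPath(ev["image"]).name.lower() == "esentutl.exe"
            and re.search(r"/y\b.*\s/d\s+\S+\.pif", ev["cmdline"], re.I) is not None)

def space_padded_path(ev):
    """Any path field referencing a folder such as 'C:\\Windows \\SysWOW64'."""
    return any(SPACE_PADDED_DIR.search(ev.get(k, "")) for k in ("image", "cmdline", "loaded"))

def pif_adds_defender_exclusion(ev):
    """A .pif (renamed binary) issuing an Add-MpPreference -ExclusionPath command."""
    return (ev["type"] == "process" and ev["image"].lower().endswith(".pif")
            and re.search(r"Add-MpPreference\b.*-ExclusionPath", ev["cmdline"], re.I) is not None)

def sideloaded_netutils(ev):
    """netutils.dll loaded from somewhere other than the real system directories."""
    if ev["type"] != "image_load":
        return False
    loaded = PureWindowsPath(ev["loaded"])
    return loaded.name.lower() == "netutils.dll" and str(loaded.parent).lower() not in SYSTEM_DIRS

RULES = {"esentutl_copy_to_pif": esentutl_copy_to_pif, "space_padded_path": space_padded_path,
         "pif_adds_defender_exclusion": pif_adds_defender_exclusion,
         "sideloaded_netutils": sideloaded_netutils}

def triage(events):
    """Return {event index: [matching rule names]} for every event that hits at least one rule."""
    hits = {}
    for i, ev in enumerate(events):
        matched = [name for name, rule in RULES.items() if rule(ev)]
        if matched:
            hits[i] = matched
    return hits
```

Each rule is deliberately narrow so a single hit is a lead rather than a verdict; the combination seen here (three of the four rules firing on the same host) is what merits escalation.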

Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
