QuirkyLoader Delivers Infostealers and RATs to Multiple Global Entities

Posted on August 22, 2025
Bradford Regeski, Cyber Threat Intelligence Analyst

Executive Summary

Since November 2024, IBM X-Force has been tracking QuirkyLoader, a new malware loader actively used to deliver a variety of well-known payloads, including keyloggers and Remote Access Trojans (RATs). This multi-stage infection begins with a malicious email attachment that exploits dynamic-link library (DLL) side-loading to execute a hidden malicious DLL. The loader, consistently written in C# .NET with ahead-of-time (AOT) compilation, uses sophisticated methods such as process hollowing and a rare encryption cipher to evade detection before injecting the final payload. Recent campaigns have been observed targeting organizations in Taiwan, demonstrating its global reach.

Community Impact

The retail and hospitality sectors are at a heightened risk from QuirkyLoader due to its primary delivery method: malicious email attachments containing keyloggers and RATs. A successful infection could lead to the theft of employee and customer credentials, financial data, and sensitive internal information. As such, RH-ISAC Core Members are recommended to review the intelligence included in this report, the original intelligence report, and review and ingest the Indicators of Compromise, included below.

Analysis

QuirkyLoader utilizes a sophisticated and deceptive infection chain that begins with a malicious archive attached to a spam email. The archive contains a legitimate executable and a malicious DLL. When the user launches the legitimate file, it triggers a DLL side-loading attack, which in turn executes the hidden, malicious DLL. This DLL is notable for being consistently written in C# .NET and compiled using ahead-of-time (AOT) compilation, a technique that makes the resulting binary appear as though it were written in C or C++, effectively disguising its true nature to security software. The loader then decrypts a final payload using methods like the uncommon Speck-128 cipher with CTR mode. To further evade detection, it performs process hollowing, dynamically resolving Win32 APIs to inject the final payload into a legitimate, suspended process, such as AddInProcess32.exe or aspnet_wp.exe, before resuming its execution. Some of the well-known malware families that use QuirkyLoader include:

Indicators of Compromise

IBM X-Force has provided the following Indicators of Compromise associated with QuirkyLoader:

Indicator	Indicator Type	Context
011257eb766f2539828bdd45 f8aa4ce3c4048ac2699d9883 29783290a7b4a0d3	File	QuirkyLoader DLL Module
0ea3a55141405ee0e2dfbf33 3de01fe93c12cf34555550e4f 7bb3fdec2a7673b	File	QuirkyLoader DLL Module
a64a99b8451038f2bbcd32 2fd729edf5e6ae0eb70a244 e342b2f8eff12219d03	File	QuirkyLoader DLL Module
9726e5c7f9800b36b671b06 4e89784fb10465210198fbbb 75816224e85bd1306	File	QuirkyLoader DLL Module
a1994ba84e255eb02a6140c ab9fc4dd9a6371a84b1dd631 bd649525ac247c111	File	QuirkyLoader DLL Module
d954b235bde6ad02451cab 6ee1138790eea569cf8fd0b 95de9dc505957c533cd	File	Sample email of QuirkyLoader
5d5b3e3b78aa25664fb2bfdb f061fc1190310f5046d969adab 3e7565978b96ff	File	Sample email of QuirkyLoader
6f53c1780b92f3d5affcf095ae 0ad803974de6687a4938a2e 1c9133bf1081eb6	File	Sample email of QuirkyLoader
ea65cf2d5634a81f37d3241a7 7f9cd319e45c1b13ffbaf5f8a63 7b34141292eb	File	Sample email of QuirkyLoader
1b8c6d3268a5706fb41ddfff99 c8579ef029333057b911bb490 5e24aacc05460	File	Sample email of QuirkyLoader
d0a3a1ee914bcbfcf709d36741 7f8c85bd0a22d8ede0829a66 e5be34e5e53bb9	File	Sample email of QuirkyLoader
b22d878395ac2f2d927b78b16 c9f5e9b98e006d6357c98dbe 04b3fd78633ddde	File	Sample email of QuirkyLoader
a83aa955608e9463f272adca 205c9e1a7cbe9d1ced1e10c9d 517b4d1177366f6	File	Sample email of QuirkyLoader
3391b0f865f4c13dcd9f08c6d3e 3be844e89fa3afbcd95b5d1a1c 5abcacf41f4	File	Sample email of QuirkyLoader
b2fdf10bd28c781ca354475be6 db40b8834f33d395f7b5850be 43ccace722c13	File	Sample email of QuirkyLoader
bf3093f7453e4d0290511ea6a0 36cd3a66f456cd4a85b7ec8fbf ea6b9c548504	File	Email attachment containing QuirkyLoader
97aee6ca1bc79064d21e1eb7b8 6e497adb7ece6376f355e47b2 ac60f366e843d	File	Email attachment containing QuirkyLoader
b42bc8b2aeec39f25babdcbbd aab806c339e4397debfde2ff1b 69dca5081eb44	File	Email attachment containing QuirkyLoader
5aaf02e4348dc6e962ec54d5d 31095f055bd7fb1e5831768200 3552fd6fe25dc	File	Email attachment containing QuirkyLoader
8e0770383c03ce6921079879 9d543b10de088bac147dce47 03f13f79620b68b1	File	Email attachment containing QuirkyLoader
049ef50ec0fac1b99857a6d2b eb8134be67ae67ae134f9a3c5 3699cdaa7c89ac	File	Email attachment containing QuirkyLoader
cba8bb455d577314959602eb 15edcaa34d0b164e2ef9d89b0 8733ed64381c6e0	File	Email attachment containing QuirkyLoader
catherinereynolds[.]info	Domain	Domain used for malspam campaign
mail[.]catherinereynolds[.]info	Domain	Domain used for malspam campaign
157[.]66[.]22[.]11	IPv4	IP address that catherinereynolds[.]info resolves to
103[.]75[.]77[.]90	IPv4	IP address related to QuirkyLoader
161[.]248[.]178[.]212	IPv4	IP address related to QuirkyLoader

Subscribe to the Blog

Receive news and RH‑ISAC updates for cybersecurity practitioners from retail, hospitality, and other customer-facing companies, straight to your inbox.

Subscribe Now

QuirkyLoader Delivers Infostealers and RATs to Multiple Global Entities

Executive Summary

Community Impact

Analysis

Indicators of Compromise

Subscribe to the Blog

More Recent Blog Posts

Microsoft OAuth App Impersonation Leads to MFA Phishing

Microsoft Warns of Active Exploitation of SharePoint via ToolShell Zero-Day

Recent Compromises of Network-Separated Environments in South Korea Highlight Potential Security Gaps