Mallory
PrivateLoader

Malware · Ransomware · Used by 1 actor

PrivateLoader is a malicious loader family first identified in 2021 and commonly associated with pay-per-install distribution activity. It is used to download and execute a wide range of follow-on malware, including stealers, RATs, spyware, rootkits, proxy bot malware, cryptominers, and ransomware. Reported payloads and associated malware families include RedLine, DCRat, RaccoonStealer, Lumma/LummaC2, RisePro, Amadey, StealC, Glupteba, Tofsee-related activity, Socks5Systemz, and STOP/DJVU ransomware. PrivateLoader has also been referenced in campaigns targeting the robotics industry.

Observed infection vectors include cracked or pirated software lures, fake installers, drive-by downloads, phishing or social distribution, file-sharing sites, and abuse of trusted hosting platforms such as Discord's CDN for next-stage payload retrieval. In one documented multi-stage cracked-software campaign, a trojanized setup.exe masquerading as a Logitech installer launched PrivateLoader, which then communicated over HTTP with 185.216.70.235 and 195.20.16.45 using requests to /api/tracemap.php and /api/firegate.php, modified Chrome extension files so that the K Searches extension was added, and dropped Amadey payloads to C:\Users\admin\Pictures\Minor Policy\5RfuRxo3fpxiWkD42DRCixRe.exe and C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\J0KBFYBW\build2[1].exe. The admin profile name comes from the analysis environment and the bracketed [1] suffix is how the WinINet cache disambiguates repeated downloads, so hunts should treat the user name and the suffix as wildcards and key on the Minor Policy directory, the INetCache\IE location, and the build2 file name.

PrivateLoader has been linked to broader cybercrime ecosystems rather than to a single exclusive payload set. It has been described as powering or participating in pay-per-install services and has been used in campaigns tied to Water Orthrus/CopperPhish distribution, Glupteba delivery chains, Lumma infections, Socks5Systemz standalone deployment, and malware delivery via Discord CDN. High-confidence indicators directly stated in the underlying reporting include the HTTP paths /api/tracemap.php and /api/firegate.php, the IPs 185.216.70.235 and 195.20.16.45, and a CopperPhish-chain PrivateLoader sample with SHA-256 48211c6f957c2ad024441be3fc32aecd7c317dfc92523b0a675c0cfec86ffdd9.
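A practical way to use the indicators above is to match them against proxy and endpoint telemetry. The script below is an added example written for this page, not Mallory's code or anything from the cited vendor reports. It refangs the IP notation used in the ATT&CK evidence quotes (185[.]216.70.235), flags the two C2 URI paths and IPs (T1071), the two Amadey drop locations (T1105) and writes to Chrome's extension folder by a non-browser process (T1176), and checks observed SHA-256 values against the documented sample. The proxy log format, the file events, the user name jdoe, the extension ID and the benign hash are all constructed for the example; generalising the sandbox user "admin" to any profile directory and assuming Chrome's default extension location are the author's assumptions, not facts from the reporting.

```python
"""Match the PrivateLoader indicators documented on this page against
proxy and endpoint telemetry. Added example, not Mallory's code; the log
lines, file events and hashes below are constructed for the illustration."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


def refang(ioc: str) -> str:
    """Undo the defanging used in reports (185[.]216.70.235, hxxp://)."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# Indicators as stated on the page.
C2_IPS = {refang(ip) for ip in ("185[.]216.70.235", "195.20.16[.]45")}
C2_PATHS = {"/api/tracemap.php", "/api/firegate.php"}
SAMPLE_SHA256 = {"48211c6f957c2ad024441be3fc32aecd7c317dfc92523b0a675c0cfec86ffdd9"}

# Amadey drop locations from the documented chain. The sandbox user "admin"
# is generalised to any profile directory (assumption, not from the report).
DROP_PATTERNS = [
    re.compile(r"^c:\\users\\[^\\]+\\pictures\\minor policy\\[^\\]+\.exe$", re.I),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\microsoft\\windows\\inetcache"
               r"\\ie\\[^\\]+\\build2\[\d+\]\.exe$", re.I),
]
# Chrome's default extension directory (assumed default profile location).
CHROME_EXT = re.compile(r"\\google\\chrome\\user data\\[^\\]+\\extensions\\", re.I)
BROWSER_PROCESSES = {"chrome.exe"}

# Constructed proxy line format: "<ts> <src-ip> <method> <url> <status>".
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique the page maps this indicator to
    confidence: str  # "high" or "medium"
    indicator: str
    evidence: str


def hunt_proxy(lines):
    """T1071: C2 IPs and URI paths in web-proxy lines."""
    found = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        hits = [h for h in (parts.hostname, parts.path) if h in C2_IPS | C2_PATHS]
        if hits:
            # A known path on an unknown host is weaker than IP plus path.
            conf = "high" if len(hits) == 2 else "medium"
            found.append(Finding("T1071", conf, " ".join(hits), line))
    return found


def hunt_file_events(events):
    """T1105 drop paths; T1176 extension-folder writes by a non-browser."""
    found = []
    for ev in events:
        path, proc = ev["path"], ev["process"].lower()
        if any(p.match(path) for p in DROP_PATTERNS):
            found.append(Finding("T1105", "high", path, f"{ev['process']} wrote {path}"))
        elif CHROME_EXT.search(path) and proc not in BROWSER_PROCESSES:
            found.append(Finding("T1176", "medium", path, f"{ev['process']} modified {path}"))
    return found


def hunt_hashes(observed):
    """Exact match against the documented PrivateLoader sample hash."""
    return [Finding("T1105", "high", h.lower(), "known PrivateLoader sample")
            for h in observed if h.lower() in SAMPLE_SHA256]


# Constructed telemetry for the example (203.0.113.0/24 is TEST-NET-3).
PROXY_LOG = [
    "2024-05-02T09:14:01Z 10.0.0.23 GET http://185.216.70.235/api/tracemap.php 200",
    "2024-05-02T09:14:03Z 10.0.0.23 POST http://195.20.16.45/api/firegate.php 200",
    "2024-05-02T09:15:10Z 10.0.0.41 GET http://www.example.com/index.html 200",
    "2024-05-02T09:16:44Z 10.0.0.58 GET http://203.0.113.7/api/firegate.php 404",
]
EXT_DIR = r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Extensions"
FILE_EVENTS = [
    {"process": "setup.exe",
     "path": r"C:\Users\jdoe\Pictures\Minor Policy\5RfuRxo3fpxiWkD42DRCixRe.exe"},
    {"process": "setup.exe",
     "path": r"C:\Users\jdoe\AppData\Local\Microsoft\Windows\INetCache\IE\J0KBFYBW\build2[1].exe"},
    {"process": "vRNddZqIkwaYVpHLFkGcr1Tk.exe",
     "path": EXT_DIR + r"\constructedextensionid\1.0_0\manifest.json"},
    {"process": "chrome.exe",   # the browser's own extension update: not flagged
     "path": EXT_DIR + r"\constructedextensionid\1.0_0\manifest.json"},
    {"process": "explorer.exe", "path": r"C:\Users\jdoe\Pictures\holiday.jpg"},
]
OBSERVED_HASHES = [
    "48211C6F957C2AD024441BE3FC32AECD7C317DFC92523B0A675C0CFEC86FFDD9",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # benign
]


def run_hunt():
    return hunt_proxy(PROXY_LOG) + hunt_file_events(FILE_EVENTS) + hunt_hashes(OBSERVED_HASHES)


if __name__ == "__main__":
    for f in run_hunt():
        print(f"{f.technique} [{f.confidence}] {f.indicator} <- {f.evidence}")
```

The path-only match on the unknown host is deliberately reported at medium confidence: the two URI paths are distinctive but not unique to this family's infrastructure, whereas a known IP plus a known path on the same request is strong evidence of the documented C2 exchange.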


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

SilverFox

The campaign uses multiple malware families under a single operational umbrella:

SHA256 (truncated) | Filename    | Signature     | First Seen
95e30af4...        | PoisonX.exe | PrivateLoader | 2026-03-10

Source: breakglass intel (intel.breakglass.tech)
MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1189 Drive-by Compromise (evidence: 1)

“The infostealer was delivered via drive-by downloads disguised as fake installers such as Chrome and Edge browser installers.”

T1566 Phishing (evidence: 2)

“Similar to other recent campaigns, threat actors often spread Glupteba through web-based distribution and large-scale phishing attacks using bundled software installation files and cracks…”

Execution

2 techniques
T1204 User Execution (evidence: 2)

Double-clicking on “setup.exe” will execute the application.

T1204.002 Malicious File (evidence: 1)

In an attempt to regain their once previous numbers the ProxyBox operators are observed utilizing pay per install (PPI) sites which distribute the malware through cracked software sites... These sites utilize NSIS installers which will dynamically install a series of applications.

Persistence

1 technique
T1176 Software Extensions (evidence: 1)

The “vRNddZqIkwaYVpHLFkGcr1Tk.exe” (process 5088) was seen modifying files in the Chrome extension folder. Browser extensions can be abused to establish persistent access to systems (T1176 – Browser Extensions).

Command and Control

2 techniques
T1071 Application Layer Protocol (evidence: 1)

Process 4440 is also seen communicating with its C2 server, 185[.]216.70.235 and 195.20.16[.]45 via port 80 (T1071 – Application Layer Protocol).

T1105 Ingress Tool Transfer (evidence: 4)

In September 2023, BitSight observed a shift in deployment tactics, with Socks5Systemz distributed as a standalone final payload via loaders such as Privateloader and Amadey.

INDICATORS OF COMPROMISE

IOCs tracked for this family

29 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Network: 18 tracked (IPs, domains, and DNS infrastructure linked to this family)

Hashes: 1 tracked (file hashes: MD5, SHA-1, SHA-256 from samples and reports)

Other: 10 tracked (other indicator types observed in public reporting)

Preview table (Type | Value | Latest sighting): six ip.v4 entries, values redacted on the public page, each with a latest sighting of 2 years ago.