DonutLoader
DonutLoader is an open-source shellcode generation and in-memory execution framework used to wrap .NET assemblies, DLLs, EXEs, and other payloads into position-independent shellcode for memory-only execution. Across the provided reporting, it is consistently described as a loader/packer rather than the final payload, and is used to decrypt, unpack, inject, or launch next-stage malware entirely in memory to reduce disk artifacts and evade traditional signature- and disk-based detection.
Observed behaviors in the content include generating shellcode for in-memory execution, unpacking embedded payloads, injecting shellcode into processes such as explorer.exe, Chrome, and Microsoft Edge, and launching payloads via new threads. DonutLoader is also described as using a specialized position-independent execution stub, and one report notes shellcode generated with DonutLoader using Chaskey-LTS in CTR mode to decrypt embedded configuration and execution context.
Infection chains in the content show DonutLoader being delivered or invoked through multiple vectors and tradecraft patterns, including malicious VBScript campaigns, phishing-delivered JavaScript and batch droppers, PowerShell stages, DLL sideloading with legitimate signed binaries, abuse of LOLBins such as Scriptrunner.exe, extraction from a PNG image in a software supply-chain compromise, and malvertising campaigns impersonating software such as Node.js and Claude AI. It is also referenced in campaigns using trojanized installers, ZIP/LNK delivery, and script-based persistence.
DonutLoader is associated in the content with delivery of numerous malware families and frameworks, including ValleyRAT, CASTLESTEALER, Beagle, AgentTesla, StealC v2, XWorm, Remcos RAT, AdaptixC2 beacons, and LummaStealer-related operations. Specific examples include: a Triage-classified sample linked to ValleyRAT with C2 143.92.37.168:10086 and campaign date 2026-02-02; OXLOADER using DonutLoader to deliver CASTLESTEALER in memory; a fake Claude AI installer chain using DonutLoader to deploy the Beagle backdoor from claude-pro[.]com with C2 at license[.]claude-pro[.]com over TCP 443 or UDP 8080; JavaScript droppers abusing Scriptrunner.exe to launch DonutLoader that unpacked AgentTesla entirely in memory; hosting of DonutLoader at 62.60.226.248 where it injected StealC v2 into Chrome and Edge; and a FedEx-themed phishing chain where DonutLoader-like shellcode was injected into explorer.exe and connected to 204.10.160.190:7003 as XWorm.
The content links DonutLoader usage to multiple threat actors or clusters, though not as an exclusive tool of any one actor. It appears in reporting tied to ValleyRAT activity potentially associated with Silver Fox, GrayBravo logistics-themed campaigns, TeamPCP supply-chain activity, and LummaStealer delivery chains. Targeting described in the content spans software developers, enterprise users, shipping/logistics/maritime/procurement organizations, Windows users in the United States, and broader victims reached through malvertising, phishing, and fake software/update lures.
High-confidence indicators directly mentioned alongside DonutLoader activity include 143.92.37.168:10086 in ValleyRAT-related traffic; 62.60.226.248 hosting DonutLoader payloads; license[.]claude-pro[.]com and IP 8.217.190.58 in the Beagle campaign; and 204.10.160.190:7003 in the XWorm-related chain. Additional file and path indicators mentioned in DonutLoader-linked chains include NOVupdate.exe, avk.dll, NOVupdate.exe.dat, C:\Users\Public\Libraries\<random>.exe, and %APPDATA%\Microsoft\Windows\Templates\dwm.cmd.
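Detection logic for the tradecraft summarized above, as an added example that is not from the page or from any product it describes: a small Python classifier run over constructed Sysmon-style events, keyed on the indicators the page lists (Scriptrunner.exe -appvscript proxy execution, the C:\Users\Public\Libraries drop path, NOVupdate.exe/avk.dll sideloading, the Templates\dwm.cmd persistence file, the nsvchost.exe masquerade, and the listed C2 addresses). The event field names and the sample telemetry are assumptions.

```python
from fnmatch import fnmatch

# Indicators quoted on this page (refanged; the page writes claude-pro[.]com).
C2_ENDPOINTS = {("143.92.37.168", 10086), ("204.10.160.190", 7003)}
C2_HOSTS = {"62.60.226.248", "8.217.190.58", "license.claude-pro.com"}
DROP_DIR = r"c:\users\public\libraries\*.exe"
PERSIST_FILE = r"*\appdata\roaming\microsoft\windows\templates\dwm.cmd"  # %APPDATA% expanded

def classify(ev: dict) -> list[str]:
    """Return the page-derived detections one event matches (empty list if none)."""
    hits = []
    image = ev.get("image", "").lower()
    if ev["type"] == "process_create":
        cmd = ev.get("command_line", "").lower()
        parent = ev.get("parent_image", "").lower()
        # Legitimate App-V Scriptrunner.exe abused as a LOLBin to launch the dropped payload
        if image.endswith("\\scriptrunner.exe") and "-appvscript" in cmd:
            hits.append("Scriptrunner.exe -appvscript proxy execution")
            if parent.endswith("\\wscript.exe"):  # JavaScript dropper running under WSH
                hits.append("WScript.exe -> Scriptrunner.exe chain")
        if fnmatch(image, DROP_DIR):
            hits.append("payload executed from C:\\Users\\Public\\Libraries")
        if image.endswith("\\nsvchost.exe"):
            hits.append("T1036.005 masquerade: nsvchost.exe")
    elif ev["type"] == "image_load":
        # Signed NOVupdate.exe loading avk.dll from beside it: DLL sideloading
        if image.endswith("\\novupdate.exe") and ev["loaded"].lower().endswith("\\avk.dll"):
            hits.append("DLL sideload: NOVupdate.exe loads avk.dll")
    elif ev["type"] == "file_create":
        if fnmatch(ev["target"].lower(), PERSIST_FILE):
            hits.append("script persistence: Templates\\dwm.cmd")
    elif ev["type"] == "network_connect":
        if (ev["dst"], ev["dport"]) in C2_ENDPOINTS or ev["dst"] in C2_HOSTS:
            hits.append(f"known C2 contact {ev['dst']}:{ev['dport']}")
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    # Map event index -> detections, keeping only events with at least one hit
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}

# Constructed Sysmon-style sample telemetry (simplified field names), not from the page.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\Scriptrunner.exe", "parent_image": r"C:\Windows\System32\WScript.exe",
     "command_line": r"Scriptrunner.exe -appvscript C:\Users\Public\Libraries\kq8f2.exe"},
    {"type": "process_create", "image": r"C:\Users\Public\Libraries\kq8f2.exe", "parent_image": r"C:\Windows\System32\Scriptrunner.exe"},
    {"type": "image_load", "image": r"C:\Users\u\AppData\Local\Temp\NOVupdate.exe", "loaded": r"C:\Users\u\AppData\Local\Temp\avk.dll"},
    {"type": "file_create", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Templates\dwm.cmd"},
    {"type": "network_connect", "image": r"C:\Windows\explorer.exe", "dst": "204.10.160.190", "dport": 7003},
    {"type": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst": "93.184.216.34", "dport": 443},
]
```

The benign last event (a browser connecting to an unrelated address) produces no hit, so only the five DonutLoader-chain events surface from scan(SAMPLE_EVENTS).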
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
On Windows systems, the hack of the Telnyx Python SDK resulted in the deployment of an executable named "msbuild.exe" that employs several obfuscation techniques to evade detection and extracts DonutLoader, a shellcode loader, from a PNG image present within the binary to load a full-featured trojan and a beacon associated with AdaptixC2, an open-source command-and-control (C2) framework.
Groups observed using it
2 distinct threat actors attributed by public researchers.
...Velvet Tempest ... used a ClickFix lure ... to drop payloads like DonutLoader and CastleRAT.
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (2 techniques)
Initial Access (2 techniques)
Execution (5 techniques)
62[.]60[.]226[.]248 hosted the DonutLoader malware payload... a memory-only loader that turns PE/.NET/DLL/script into shellcode and injects them into other processes.
MITRE ATT&CK Mapping
Tactic | Technique | ID | Application
Execution | PowerShell | T1059.001 | Invoke-WebRequest + Add-Type inline C#
Stage 2: JavaScript Execution via WSH
- Double-click triggers WScript.exe (Windows Script Host)
- Script begins deobfuscation through 4-layer chain
Persistence (1 technique)
Privilege Escalation (3 techniques)
After unpacking the core archives, the malware moves into an advanced code injection stage.
MITRE ATT&CK Mapping
Tactic | Technique | ID | Application
Execution | Reflective Code Loading | T1620 | Donut decrypts + loads PE in-memory
Defense Evasion | Obfuscated Files: Embedded Payloads | T1027.009 | Chaskey-16 CTR encrypted Donut payloads
Defense Evasion | Masquerading: Legitimate Name | T1036.005 | Process named nsvchost.exe
Defense Evasion | Subvert Trust Controls | T1553 | Inline C# avoids pre-compiled AV detection
Privilege Escalation | Token Manipulation | T1134.001 | SeDebugPrivilege via AdjustTokenPrivileges
Discovery | Process Discovery | T1057 | CreateToolhelp32Snapshot for svchost.exe
Lateral Movement | Process Injection: DLL Injection | T1055.001 | VirtualAllocEx + WriteProcessMemory into svchost.exe
Stealth (11 techniques)
The dropped PE is not AgentTesla itself but a DonutLoader shellcode packer. DonutLoader unpacks and executes the AgentTesla binary entirely in memory, leaving no additional artifacts on disk beyond the initial dropper.
Attackers set up a convincing lookalike website to distribute a dangerous installer... The fake site, hosted at claude-pro[.]com, closely mirrors the look and feel of the real Claude website, using similar fonts and color schemes.
The program decodes these items at runtime via a simple single-byte mathematical conversion.
After dropping the PE payload to C:\Users\Public\Libraries\, the dropper does not execute it directly. Instead, it invokes Scriptrunner.exe -appvscript <payload_path>, abusing the legitimate Microsoft App-V Scriptrunner binary as a Living-off-the-Land Binary (LOLBin).
Command and Control (4 techniques)
MITRE ATT&CK Mapping (continued; the Execution through Lateral Movement rows are the same as those listed under Privilege Escalation above)
Tactic | Technique | ID | Application
Collection | Screen Capture | T1113 | GDI BitBlt screenshot
Credential Access | Credentials from Web Browsers | T1555.003 | Chrome/Edge/Brave/Opera/Vivaldi credential theft
Credential Access | Steal Web Session Cookie | T1539 | Cookie file theft from Chromium browsers
Credential Access | Credentials in Files | T1552.001 | OpenVPN auth.txt, crypto wallet files
Command and Control | Web Protocols | T1071.001 | HTTP C2 for payload delivery and exfiltration
Recent activity
17 sources tracked across advisories, community write-ups, and news.
A loader identified by Triage in the same sample chain as ValleyRAT.
An open-source shellcode generator/loader used in this campaign to deliver CASTLESTEALER entirely in memory.
A position-independent in-memory loader/shellcode used to launch the final payload directly in memory, shifting execution away from managed .NET toward a more portable, runtime-independent payload delivery model.
Open-source shellcode generator/loader used to wrap .NET assemblies, DLLs, and EXEs into position-independent shellcode for in-memory execution. In this campaign it is used as part of the delivery chain for CASTLESTEALER.