DoiLoader

DOILoader, also referred to in the provided content as IDAT Loader or HijackLoader, is a malware loader used to execute encrypted follow-on payloads via DLL side-loading. In the observed activity, threat actors bundled trojanized DLLs with legitimate signed applications so that execution of the benign program side-loaded DOILoader, which then decrypted and launched the next-stage malware from an included encrypted file. Reported examples include a trojanized PYTHON27.DLL side-loaded by a renamed legitimate Ace Stream executable to execute an encrypted payload in Vos.xwtx and run zgRAT, and a trojanized DLL bundled with the signed application Rene.E Facebook Widget to load Lumma Stealer encoded in an m4a file. Proofpoint also described ClearFake activity in which a trojanized DLL using DOILoader loaded Lumma Stealer from an encrypted file extracted from a ZIP archive.

The malware is associated in the content with multiple financially motivated delivery clusters and campaigns. It was observed in malware chains tied to TA2727, where Windows users were typically served DOILoader and Lumma Stealer through fake browser update lures on compromised websites, with traffic routed by TA2726. It also appeared in broader activity sets that delivered XWorm, Amadey, zgRAT, NetSupport, and Lumma Stealer, including reservation-themed DanaBot-linked campaigns and Lovable-hosted malware delivery chains. Infection vectors directly mentioned include fake secure download pages, fake browser update pages, compromised websites with malicious injects, and archives containing legitimate executables plus trojanized DLL dependencies.

High-confidence indicators and artifacts directly mentioned in the content include the encrypted payload file Vos.xwtx, the trojanized PYTHON27.DLL, bundled m4a-encoded payload storage, and one command-and-control endpoint associated with a DOILoader-to-zgRAT chain: 84[.]32[.]41[.]163:7705.