D3F@ck Loader
D3F@ck Loader is a commodity malware loader used to stage and deliver follow-on payloads. The provided reporting links it to the KongTuke initial access and traffic distribution ecosystem, where it is described as one of several loaders used to deliver additional malware after victim compromise. Recorded Future and related reporting associate D3F@ck Loader with malicious TDS infrastructure built on compromised WordPress sites and social-engineering lures such as fake browser updates and ClickFix-style chains. The malware is referenced as part of a shared downstream ecosystem that has also involved operators associated with Rhysida and Interlock ransomware, SocGholish, TA866/Asylum Ambuscade, and TA582. Reporting also states KongTuke sells infections to loader operators including D3F@CK Loader. Separately, Silent Push reported that FIN7 used Redline Stealer and D3F@ck Loader in adult-themed AI-generator lure campaigns. High-confidence details in the provided content characterize D3F@ck Loader primarily as a loader used for follow-on payload delivery rather than as a final payload itself; no specific standalone capabilities, infection vector unique to the loader, or direct IOCs for D3F@ck Loader are provided in the content.
Groups observed using it
2 distinct threat actors attributed by public researchers.
KongTuke has also been seen using a wider kit, including WinPython, Node.js, finger.exe, a fake NexShield browser extension, the encrypted GateKeeper .NET payload, and loaders like MintsLoader and D3F@ck Loader.
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Execution (2 techniques)
In each case the victim is ultimately tricked into running an attacker-supplied PowerShell command... Once a command is executed, a multi-stage PowerShell chain downloads and unpacks a portable WinPython environment and launches the ModeloRAT Python scripts.
ClickFix... fake error or fake CAPTCHA tests to trick users into pasting malicious scripts into the Windows Run dialog... FileFix... manually pasting and executing malicious commands... CrashFix... trick them into manually executing code... In each case the victim is ultimately tricked into running an attacker-supplied PowerShell command.
Stealth (2 techniques)
The code isn’t very obfuscated, but the author uses base64 encoding at select portions to obscure domains or URLs.
While it’s not the case here, suspicious signing histories sometimes include tightly coupled creation times and signature dates, and they are first seen in the wild within minutes or seconds of these. Further, while the various internal names associated with the binary seem to be masquerading as Microsoft Teams (e.g., MC Teams.exe, etc.), the signer is “Neural Code Technologies Inc.” and not “Microsoft Corporation,” the expected signer for the real Microsoft Teams installer.
Defense Impairment (2 techniques)
The chunk above is a bit of defense evasion code that the loader uses to exclude paths from Windows Defender scanning. In this sample, it produces a command you can see with endpoint telemetry: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
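The exclusion command quoted above is the kind of thing endpoint telemetry hands you as a single process-creation event. The following added example (not code from the page or from any vendor report) runs a small check over constructed telemetry lines in an assumed "parent | image | command line" layout: it flags Add-MpPreference calls, pulls out the excluded paths through the stacked quoting that nested PowerShell produces, and rates a whole-drive exclusion launched hidden and elevated as the most serious case.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation telemetry in an assumed "parent | image | command line" layout;
# the first event reproduces the exclusion command quoted in the write-up above.
SAMPLE_TELEMETRY = [
    'MC Teams.exe | Powershell.exe | Powershell.exe -Command "& {Start-Process Powershell.exe '
    '-WindowStyle hidden -ArgumentList \'-Command "Add-MpPreference -Force -ExclusionPath '
    '"C:\\""\' -Verb RunAs}"',
    "explorer.exe | powershell.exe | powershell.exe -NoProfile -Command Get-MpPreference",
    "svchost.exe | powershell.exe | powershell.exe -Command \"Add-MpPreference "
    "-ExclusionPath 'C:\\Program Files\\Backup'\"",
]

ADD_MPPREF_RE = re.compile(r"\bAdd-MpPreference\b", re.IGNORECASE)
# First token after an -Exclusion* switch, tolerating the stacked quotes of nested PowerShell.
EXCLUSION_RE = re.compile(r"-Exclusion(?:Path|Process|Extension)\s+[\"']*([^\"']+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-WindowStyle\s+hidden", re.IGNORECASE)
RUNAS_RE = re.compile(r"-Verb\s+RunAs", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")

@dataclass
class Finding:
    parent: str
    image: str
    exclusions: list = field(default_factory=list)
    hidden_window: bool = False
    elevated: bool = False
    severity: str = "medium"

def analyze_event(line):
    # Return a Finding when the command line adds a Defender exclusion, else None.
    parts = [p.strip() for p in line.split(" | ", 2)]
    parent, image, cmdline = parts if len(parts) == 3 else ("?", "?", parts[-1])
    if not ADD_MPPREF_RE.search(cmdline):
        return None
    finding = Finding(parent, image, [m.strip() for m in EXCLUSION_RE.findall(cmdline)])
    finding.hidden_window = bool(HIDDEN_RE.search(cmdline))
    finding.elevated = bool(RUNAS_RE.search(cmdline))
    # Excluding a whole drive root switches off scanning for nearly everything on it.
    if any(DRIVE_ROOT_RE.match(p) for p in finding.exclusions):
        finding.severity = "critical"
    elif finding.hidden_window or finding.elevated:
        finding.severity = "high"
    return finding

def scan(events):
    # Run the check over a batch of telemetry lines and keep only the hits.
    return [f for f in map(analyze_event, events) if f is not None]
```

Administrators do add exclusions legitimately, so the parent process (here a Teams-lookalike binary) is the field that separates the loader's behaviour from routine tuning.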
Despite the issuers’ validation procedures, we routinely detect malware that’s signed with legitimate code-signing certificates... Fortunately, there are many ways to differentiate suspicious or malicious signed binaries from legitimate ones... As you can see in the VirusTotal entry for the malicious binary referenced throughout this blog, the signature verification section now notes that while the file is signed with a valid signature, it has since been revoked.
Command and Control (3 techniques)
It also leveraged the Java Windows app (javaw.exe) to make a network connection to a Pastebin site, which seems suspicious for a legit Microsoft Teams installer.
In the case of Telegram communication, it looks like the code tries to obtain base64 encoded content from an og:description HTML meta tag in a Telegram channel. I presume this would be similar to how some malware uses Steam profiles or other dead-drop techniques. Alongside the Telegram URL is a Pastebin URL that has already been taken down.
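When a dead-drop page like the one described above has been captured during analysis, the C2 value can be pulled out of the og:description tag for IOC enrichment without executing anything. The following is an added example, not code from the page or from any report it cites; the channel page is constructed inline and the decoded value is a placeholder URL, not a real indicator.

```python
import base64
import binascii
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for a captured channel page; the placeholder URL is encoded at load
# time so the sample matches the base64-in-og:description layout described above.
PLACEHOLDER_URL = "https://example.invalid/drop/stage2"  # not a real indicator
CAPTURED_HTML = (
    '<html><head><meta property="og:title" content="channel">'
    f'<meta property="og:description" content="{base64.b64encode(PLACEHOLDER_URL.encode()).decode()}">'
    '</head><body>ignored</body></html>'
)

class OgDescriptionParser(HTMLParser):
    # Collect the content attribute of every <meta property="og:description"> tag.
    def __init__(self):
        super().__init__()
        self.descriptions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("property") == "og:description" and a.get("content"):
            self.descriptions.append(a["content"])

def extract_dead_drop_urls(html):
    # Return every og:description value that is strict base64 and decodes to an http(s) URL.
    parser = OgDescriptionParser()
    parser.feed(html)
    urls = []
    for text in parser.descriptions:
        try:
            decoded = base64.b64decode(text, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # ordinary human-written description, not an encoded payload
        parsed = urlparse(decoded)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            urls.append(decoded)
    return urls
```

The recovered host is what you pivot on in proxy and DNS logs; the Telegram and Pastebin fetches themselves are the observable that the loader cannot avoid producing.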
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
A loader referenced as part of the broader KongTuke/Woodgnat malware kit used to vary delivery methods.
A malware loader used by KongTuke to deliver additional payloads.
A commodity loader used to stage follow-on payloads in Woodgnat-linked attack chains.
A commodity loader used in Woodgnat attack chains to stage follow-on payloads.