Unveiling Evasive Loaders: Insights from Threat Research Labs

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 
July 17, 2025 2 min read

Loader Analysis

LevelBlue Labs recently identified a new malware named "SquidLoader," primarily targeting Chinese organizations. The loader is distributed via phishing emails containing executable files disguised as documents. One notable sample had a filename related to Huawei industrial products, luring users to open it. The malware's design employs evasion techniques to avoid detection, making it particularly effective against its targets.

XOR decoding
Image courtesy of LevelBlue Labs

The malware downloads and executes a shellcode payload through an HTTPS GET request to a disguised URI. These loaders are designed to be stealthy, executing code in memory to avoid detection from traditional security measures.

Most observed samples used an expired certificate from Hangzhou Infogo Tech Co., Ltd. to appear legitimate. The command and control (C&C) servers utilize self-signed certificates, thereby further obscuring the malware's operations.

Defense Evasion Techniques

SquidLoader employs a variety of techniques to evade detection:

  • Obscure Instructions: The binary includes pointless x86 instructions that do not contribute to functionality, possibly to confuse antivirus software.
  • Encrypted Code Sections: The malware loads encrypted shellcode into memory, decrypting it during execution while embedding decoy instructions to mislead analysts.
  • In-Stack Encrypted Strings: Keywords associated with malicious activity are encrypted in memory, which helps conceal sensitive information.

useless instructions
Image courtesy of LevelBlue Labs

  • Return Address Obfuscation: Manipulating the stack during execution leads to misleading return addresses, complicating analysis.
  • Control Flow Graph Obfuscation: The malware flattens its control flow graph into infinite loops, further complicating reverse engineering efforts.

Delivered Payload

The primary payload delivered by SquidLoader is a modified version of Cobalt Strike, which is a well-known penetration testing tool that has been repurposed for malicious use. This variant of Cobalt Strike performs HTTP requests mimicking legitimate traffic to exfiltrate data while evading detection.

cnc sample
Image courtesy of LevelBlue Labs

When executed, the payload verifies the C&C server's response and collects system information, including usernames and IP addresses, which it sends back in encrypted form.

Detection Methods

To combat threats like SquidLoader, organizations should implement advanced detection methods. LevelBlue Labs suggests tuning detection engines using indicators of compromise (IOCs) associated with this malware.

For continuous protection against evolving malware threats like SquidLoader, it's essential to stay informed and proactive.

Explore our services at [undefined] or contact us for more information on how we can help you secure your environment against sophisticated threats.

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 

MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article