New ‘QuirkyLoader’ Malware Opens the Floodgates for Cyberattacks

A dangerous and sneaky new malware delivery tool, dubbed QuirkyLoader, has been quietly enabling hackers to infect computers worldwide since at least November 2024. Cybersecurity experts at IBM X-Force who uncovered the threat warn that this loader is being used in widespread email spam campaigns to drop a devastating variety of malicious software, from password-stealing programs to trojans that give attackers complete control over a victim’s machine.

The list of malware being delivered by QuirkyLoader reads like a who’s who of digital threats, including notorious families like Agent Tesla, AsyncRAT, Formbook, and Remcos RAT. These programs are designed for one purpose: to steal your most sensitive information, such as banking details, social media passwords, personal files, and even keystrokes as they are typed in real time.

How the Deception Works

The cybercriminals behind QuirkyLoader have crafted a clever, multi-stage attack that begins with a simple spam email. These emails, sent from both legitimate and custom-built servers to appear trustworthy, contain a compressed file attachment, such as a ZIP or RAR file. Inside this archive, an unsuspecting user will find what appears to be a normal, harmless executable program. However, hidden alongside it are a malicious library file (a DLL) and an encrypted bundle of harmful code.

The core of the trick is a technique known as DLL side-loading. When the user runs the legitimate program, it is tricked into loading the malicious DLL file as well. This malicious file then acts as the key, unlocking and injecting the final, dangerous payload into the memory of a common Windows process, such as AddInProcess32.exe or InstallUtil.exe. By hiding the malware inside a legitimate process, the attackers can often evade detection by antivirus software and other security tools that are looking for suspicious new programs, not misbehaving old ones.
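A defender-side illustration of the chain just described, added here as an example rather than code from IBM X-Force or the article: a small heuristic that flags the two named .NET host processes (AddInProcess32.exe, InstallUtil.exe) when they are launched by a parent executable living outside the OS tree next to a DLL, which is what an archive-extracted side-loading kit looks like. The event format, paths and file listings are constructed for the example.

```python
"""Heuristic triage for the DLL side-loading chain described above.

Input events are constructed for this example (not real telemetry): one
process-creation record with the new image, its parent image, and the
files that sit in the parent's folder.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Hosts the article names as injection targets (lower-cased for matching).
INJECTION_HOSTS = {"addinprocess32.exe", "installutil.exe"}
# Directories a legitimately installed parent is expected to run from.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

@dataclass
class ProcEvent:
    image: str                                   # full path of the new process
    parent: str                                  # full path of the parent process
    parent_dir_files: list[str] = field(default_factory=list)  # siblings of parent

def _in_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)

def side_loading_indicators(ev: ProcEvent) -> list[str]:
    """Return human-readable reasons the event looks like the loader chain."""
    reasons = []
    child = PureWindowsPath(ev.image).name.lower()
    parent = PureWindowsPath(ev.parent)
    untrusted_parent = not _in_trusted_root(ev.parent)
    # 1) A .NET utility host spawned by something outside the OS/Program Files tree.
    if child in INJECTION_HOSTS and untrusted_parent:
        reasons.append(f"{child} spawned by untrusted parent {ev.parent}")
    # 2) That parent runs from a user-writable folder beside one or more DLLs,
    #    the layout an extracted archive (clean EXE + malicious DLL) produces.
    dlls = [f for f in ev.parent_dir_files if f.lower().endswith(".dll")]
    if untrusted_parent and dlls:
        reasons.append(f"{parent.name} runs from {parent.parent} next to {dlls}")
    return reasons

def is_suspicious(ev: ProcEvent) -> bool:
    """Both indicators together; either alone is too noisy (portable apps ship DLLs)."""
    return len(side_loading_indicators(ev)) == 2

# Constructed sample events: one side-loading chain, one benign admin use.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              r"C:\Users\alice\Downloads\invoice\viewer.exe",
              ["viewer.exe", "helper.dll", "payload.bin"]),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              r"C:\Windows\System32\cmd.exe", []),
]

def triage(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map each suspicious parent image to its indicators."""
    return {e.parent: side_loading_indicators(e) for e in events if is_suspicious(e)}
```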

To make their tool even harder to analyze, the hackers consistently write QuirkyLoader in modern .NET languages but compile it in a special way that makes it look like it was written in older, lower-level languages such as C or C++. This is another layer of misdirection designed to fool security researchers and automated defense systems.

Global Campaigns Target Companies and Citizens

While QuirkyLoader has been used sparingly over the past few months, recent campaigns in July 2025 show the attackers are ramping up their efforts. One highly targeted operation was aimed at employees of Nusoft Taiwan, a cybersecurity firm based in New Taipei City. The goal was to infect the company’s network with Snake Keylogger, a potent tool for siphoning off data from web browsers, recording keystrokes, and stealing information from the clipboard.

Another campaign targeting Mexico appeared to be more widespread and random, infecting ordinary citizens with the Remcos RAT and AsyncRAT trojans. These tools give attackers a remote backdoor into a victim’s computer, allowing them to steal files, spy through webcams, and use the infected machine to launch other attacks.

Phishing Scams Evolve Alongside Malware

The rise of QuirkyLoader is happening at the same time that hackers are innovating in other areas, particularly with phishing scams. Criminals are now heavily invested in quishing, or QR code phishing, because it’s so effective at bypassing security filters.

Attackers know that email security systems are great at scanning links but can’t “read” an image of a QR code. To make it even harder, they are now using tactics like splitting a single malicious QR code into two separate images or embedding a tiny, malicious QR code inside a larger, legitimate one. By tricking a user into scanning the code with their phone, the attackers move them off of a protected corporate network and onto their personal device, which may have fewer security protections, making it easier to steal their credentials.

This trend is further highlighted by a phishing toolkit used by a group called PoisonSeed. This group sends highly convincing emails that impersonate login pages for major services like Google, Mailchimp, and SendGrid. Their kit uses a unique method called “precision-validated phishing.” When a victim clicks a link, they are shown a fake security challenge, like a Cloudflare CAPTCHA. While the user is distracted, the system works in the background to verify that their email address is real and active. Once validated, the victim is presented with a pixel-perfect fake login page, ready to capture their username, password, and even two-factor authentication codes, giving the attackers full access to their accounts.