Cyber Security News

New ManticoraLoader – Malware Attacking Citrix Users To Steal Data

Cyble Research & Intelligence Labs has recently found information about a new type of malware-as-a-service (MaaS) called ‘ManticoraLoader’ in some underground forums.

Since August 8, 2024, on forums and Telegram, this MaaS service has been offered by the threat group “DeadXInject.”

Advertisement on the Telegram (Source – Cyble)

These actors were also behind the development of the “AresLoader” malware and went after Citrix users back in April 2023. Besides this, they are also connected to the “AiDLocker” ransomware from late 2022.

ManticoraLoader is a C-based malware and researchers identified that it has been actively attacking Citrix users to steal data.

Technical Analysis

ManticoraLoader is intended for the Windows platform starting from Windows 7 and further which includes Windows Server too, so it can be very well aimed at various computers.

There is a specific module in the system, which is responsible for gathering information from infected devices, which it transmits back to a centralized control panel. Here below we have mentioned the details it gathers:-

  • IP addresses
  • Usernames
  • System language
  • Installed antivirus software
  • UUIDs
  • Date-time stamps

This information helps the attackers to understand the victim, strategize the next attacks, and ensure that the seized system stays compromised.

It must be noted, that there is a modular aspect to this ManticoraLoader, in that any further features may be inducted on request, which enhances its adaptability to various malicious objectives.

TA’s post on the XSS forum (Source – Cyble)

Besides this, it includes advanced techniques of obfuscation in order to evade detection, which was reported to have a detection rate of 0/39 on Kleenscan.

The loader has the provision to place files in auto-start locations which helps in achieving persistence and is offered at a monthly rental fee of $500, with exclusivity only offered to 10 clients.

Sample of panel interface (Source – Cyble)

The deals are done through the forum’s escrow service or directly using Telegram or TOX.

According to the Report, The loader’s stealth is additionally illustrated with a video demonstrating that the 360 Total Security sandboxing solution is not able to detect it.

Apart from ManticoraLoader, the AresLoader is still actively being used by threat actors.

Threat actors behind AresLoader, DarkBLUP announced the new MaaS, ManticoraLoader possibly to further monetize their success. 

Despite their inactivity for over a year, the advertised features of ManticoraLoader appear similar to AresLoader. 

However, if their claims of improved features are true, this could pose a challenge in detecting stealer and botnet infections, as seen with AresLoader.

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

White House Considers Oracle-Led Takeover of TikTok with U.S. Investors

In a significant development, the Trump administration is reportedly formulating a plan to prevent a…

22 minutes ago

Critical Vulnerability in IBM Security Directory Enables Session Cookie Theft

IBM has announced the resolution of several security vulnerabilities affecting its IBM Security Directory Integrator…

47 minutes ago

Critical Apache Solr Vulnerability Grants Write Access to Attackers on Windows

A new security vulnerability has been uncovered in Apache Solr, affecting versions 6.6 through 9.7.0.…

53 minutes ago

GitHub Vulnerability Exposes User Credentials via Malicious Repositories

A cybersecurity researcher recently disclosed several critical vulnerabilities affecting Git-related projects, revealing how improper handling…

1 hour ago

Critical Isolation Vulnerability in Intel Trust Domain Extensions Exposes Sensitive Data

Researchers from IIT Kharagpur and Intel Corporation have identified a significant security vulnerability in Intel…

1 hour ago

Burp Suite 2025.1 Released, What’s New!

Burp Suite 2025.1, is packed with new features and enhancements designed to improve your web…

5 hours ago