Wednesday, May 21, 2025
HomeCyber AttackRiseLoader Attack Windows By Employed A VMProtect To Drop Multiple Malware Families

RiseLoader Attack Windows By Employed A VMProtect To Drop Multiple Malware Families

Published on

SIEM as a Service

Follow Us on Google News

RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol similar to RisePro for downloading and executing second-stage payloads. 

Despite RisePro’s development discontinuation in June 2024, RiseLoader’s emergence suggests a potential connection to the threat group behind RisePro and PrivateLoader. 

The malware often employs VMProtect for code obfuscation and has been observed distributing various malware families, including Vidar, Lumma Stealer, XMRig, and Socks5Systemz, aligning with PrivateLoader’s modus operandi. 

- Advertisement - Google News

It also collects information about cryptocurrency-related applications and browser extensions, further highlighting its malicious intent. 

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

RiseLoader network communication protocol
RiseLoader network communication protocol

Researchers analyzed RiseLoader malware and found it uses VMProtect packer and obfuscates strings related to debuggers and analysis tools, which are present but unused, suggesting potential future implementation of anti-analysis features that check for the presence of these tools. 

Unlike its relatives, RisePro and PrivateLoader, RiseLoader currently lacks stack-based string obfuscation techniques, which establish persistence by creating a mutex and randomly selecting a C2 server and communicating with it to receive commands and payload URLs. 

It creates multiple threads to handle these operations, including one to continuously check for and process C2 commands and another to download and execute payloads from the provided URLs. 

According to Zscaler, payloads are executed using appropriate methods, such as rundll32 for DLLs and process creation for executables and once all payloads are executed, RiseLoader terminates.

message types exchanged in both directions 
message types exchanged in both directions 

RiseLoader establishes a TCP connection with a C2 server, exchanging XOR keys for encrypted communication and sending system information and a unique identifier, where the server sends payload URLs and execution instructions. 

It downloads and executes these payloads, reporting back success or failure.

Both client and server periodically send KEEPALIVE messages to maintain the connection, where the server can force a shutdown or change the campaign ID.

 comparison of RiseLoader’s C2 handshake and RisePro’s handshake
 comparison of RiseLoader’s C2 handshake and RisePro’s handshake

By establishing an encrypted connection with its C2 server, it exchanges XOR keys for secure communication and then gathers system information and sends it to the server.

Upon receiving payload URLs, it downloads and executes them, potentially creating a registry key as an infection marker. 

After payload execution, it downloads a tracking pixel and terminates. The communication protocol shares similarities with RisePro, including a custom binary TCP-based protocol with encrypted JSON messages and a similar handshake process. 

While behavioral similarities and dropped malware families point to a connection, RiseLoader’s unique communication protocol strongly aligns with RisePro’s, as this shared protocol, including message structure, initialization, and payload format, further strengthens the evidence of a common origin. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Accenture Files Leak – New Research Reveals Projects Controlling Billions of User Data

A new research report released today by Progressive International, Expose Accenture, and the Movement...

Kimsuky APT Group Deploys PowerShell Payloads to Deliver XWorm RAT

Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by the notorious Kimsuky Advanced...

More_Eggs Malware Uses Job Application Emails to Distribute Malicious Payloads

The More_Eggs malware, operated by the financially motivated Venom Spider group (also known as...

RedisRaider Campaign Targets Linux Servers by Exploiting Misconfigured Redis Instances

Datadog Security Research has uncovered a formidable new cryptojacking campaign dubbed "RedisRaider," specifically targeting...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Accenture Files Leak – New Research Reveals Projects Controlling Billions of User Data

A new research report released today by Progressive International, Expose Accenture, and the Movement...

Kimsuky APT Group Deploys PowerShell Payloads to Deliver XWorm RAT

Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by the notorious Kimsuky Advanced...

More_Eggs Malware Uses Job Application Emails to Distribute Malicious Payloads

The More_Eggs malware, operated by the financially motivated Venom Spider group (also known as...