Saturday, May 3, 2025
HomeCyber AttackRiseLoader Attack Windows By Employed A VMProtect To Drop Multiple Malware Families

RiseLoader Attack Windows By Employed A VMProtect To Drop Multiple Malware Families

Published on

SIEM as a Service

Follow Us on Google News

RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol similar to RisePro for downloading and executing second-stage payloads. 

Despite RisePro’s development discontinuation in June 2024, RiseLoader’s emergence suggests a potential connection to the threat group behind RisePro and PrivateLoader. 

The malware often employs VMProtect for code obfuscation and has been observed distributing various malware families, including Vidar, Lumma Stealer, XMRig, and Socks5Systemz, aligning with PrivateLoader’s modus operandi. 

- Advertisement - Google News

It also collects information about cryptocurrency-related applications and browser extensions, further highlighting its malicious intent. 

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

RiseLoader network communication protocol
RiseLoader network communication protocol

Researchers analyzed RiseLoader malware and found it uses VMProtect packer and obfuscates strings related to debuggers and analysis tools, which are present but unused, suggesting potential future implementation of anti-analysis features that check for the presence of these tools. 

Unlike its relatives, RisePro and PrivateLoader, RiseLoader currently lacks stack-based string obfuscation techniques, which establish persistence by creating a mutex and randomly selecting a C2 server and communicating with it to receive commands and payload URLs. 

It creates multiple threads to handle these operations, including one to continuously check for and process C2 commands and another to download and execute payloads from the provided URLs. 

According to Zscaler, payloads are executed using appropriate methods, such as rundll32 for DLLs and process creation for executables and once all payloads are executed, RiseLoader terminates.

message types exchanged in both directions 
message types exchanged in both directions 

RiseLoader establishes a TCP connection with a C2 server, exchanging XOR keys for encrypted communication and sending system information and a unique identifier, where the server sends payload URLs and execution instructions. 

It downloads and executes these payloads, reporting back success or failure.

Both client and server periodically send KEEPALIVE messages to maintain the connection, where the server can force a shutdown or change the campaign ID.

 comparison of RiseLoader’s C2 handshake and RisePro’s handshake
 comparison of RiseLoader’s C2 handshake and RisePro’s handshake

By establishing an encrypted connection with its C2 server, it exchanges XOR keys for secure communication and then gathers system information and sends it to the server.

Upon receiving payload URLs, it downloads and executes them, potentially creating a registry key as an infection marker. 

After payload execution, it downloads a tracking pixel and terminates. The communication protocol shares similarities with RisePro, including a custom binary TCP-based protocol with encrypted JSON messages and a similar handshake process. 

While behavioral similarities and dropped malware families point to a connection, RiseLoader’s unique communication protocol strongly aligns with RisePro’s, as this shared protocol, including message structure, initialization, and payload format, further strengthens the evidence of a common origin. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Subscription-Based Scams Targeting Users to Steal Credit Card Information

Cybersecurity researchers at Bitdefender have identified a significant uptick in subscription-based scams, characterized by...

RansomHub Taps SocGholish: WebDAV & SCF Exploits Fuel Credential Heists

SocGholish, a notorious loader malware, has evolved into a critical tool for cybercriminals, often...

Hackers Weaponize Go Modules to Deliver Disk‑Wiping Malware, Causing Massive Data Loss

Cybersecurity researchers uncovered a sophisticated supply chain attack targeting the Go programming language ecosystem...

Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives

North Korean nationals have successfully infiltrated the employee ranks of major global corporations at...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Subscription-Based Scams Targeting Users to Steal Credit Card Information

Cybersecurity researchers at Bitdefender have identified a significant uptick in subscription-based scams, characterized by...

RansomHub Taps SocGholish: WebDAV & SCF Exploits Fuel Credential Heists

SocGholish, a notorious loader malware, has evolved into a critical tool for cybercriminals, often...

Hackers Weaponize Go Modules to Deliver Disk‑Wiping Malware, Causing Massive Data Loss

Cybersecurity researchers uncovered a sophisticated supply chain attack targeting the Go programming language ecosystem...