QuirkyLoader Malware Loader Expands Global Threat with Targeted Attacks and Phishing Innovations

The new malware loader is driving global spam campaigns and introducing advanced phishing methods, posing rising risks to organizations worldwide.

By mradmin

Cybersecurity researchers have disclosed details about a new malware loader named QuirkyLoader, which has been active since late 2024. Delivered through spam email campaigns, it serves as a launchpad for a range of well-known payloads, including Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT, Rhadamanthys Stealer, and Snake Keylogger. The loader is deployed through DLL side-loading: a legitimate, typically signed executable is shipped alongside a malicious DLL that carries the name of a library the executable expects to load, so the trusted program itself runs the attacker's code. That DLL then injects the final payload into a system process using process hollowing, in which a legitimate process is started in a suspended state, its code is replaced in memory, and execution is resumed under the original process name.

IBM X-Force reports that QuirkyLoader has so far been used in limited but concerning campaigns, most notably in Taiwan and Mexico. The Taiwan campaign specifically targeted employees of Nusoft Taiwan, a network security research firm, delivering Snake Keylogger to steal saved browser data, keystrokes, and clipboard content. In Mexico the campaign appeared more opportunistic, dropping Remcos RAT and AsyncRAT on infected systems. Researchers note that every QuirkyLoader sample seen to date is written in .NET but compiled ahead of time into native machine code rather than shipped as intermediate language. That choice removes the managed-code artefacts that .NET-aware scanners and decompilers rely on, which is what makes the loader harder to detect and analyse.

The emergence of QuirkyLoader coincides with broader shifts in phishing tactics, particularly the rise of QR code-based phishing (quishing). Attackers embed malicious QR codes in emails, sometimes splitting a code into pieces or nesting it inside a benign one so that image scanners in the mail gateway do not recover the URL. A victim who scans the code with a personal phone follows the link from a device that sits outside the enterprise proxy, URL filtering, and endpoint controls, so the usual click-time protections never see the request. The technique trades on the habitual trust people place in QR codes while sidestepping the controls built around links and attachments.


Adding to the landscape of phishing threats is the PoisonSeed phishing kit, which impersonates login pages of trusted providers such as Google, Mailchimp, and SendGrid. The kit validates entered email addresses in real time, so only addresses that correspond to real accounts are shown the fake login flow, and it hides that flow behind a Cloudflare-style verification challenge that discourages automated scanners. Because one-time 2FA codes are captured together with the password and relayed while they are still valid, the kit defeats code-based MFA; the stolen access has then been used in cryptocurrency scams. This blend of precision targeting and technical deception underscores the growing sophistication of credential theft campaigns.

For organizations in the healthcare and medical sector, where patient records, research data, and operational systems are prime targets, these developments highlight the importance of defense-in-depth. Employees should be trained to treat not just suspicious links but also file attachments and QR codes as potential lures. Where possible, OTP-based multi-factor authentication should be replaced or supplemented with phishing-resistant methods such as FIDO2 hardware security keys or passkeys, whose credentials are bound to the legitimate site's origin and therefore cannot be harvested or replayed from a lookalike page served by a kit like PoisonSeed. Finally, robust email filtering, endpoint monitoring that can surface loader behaviour such as DLL side-loading and process hollowing, and a rehearsed incident response process remain critical to safeguarding patient information and maintaining regulatory compliance in an increasingly hostile threat environment.
