Intel Name: Discovery of a previously unknown loader
Date of Scan: May 5, 2025
Impact: Medium
Summary: A new loader has been identified that leverages the Pascal scripting engine in Inno Setup. It is used to distribute infostealers such as LummaC2, DeerStealer, Rhadamanthys, and StealC. Typically spread via fake application websites, the loader includes anti-VM checks and XOR-based string encryption, and retrieves its payload from TinyURL using an authentication token. Follow-on payloads are commonly hosted on compromised WordPress sites.