Intel Name: QuirkyLoader – a new malware loader delivering infostealers and RATs
Date of Scan: August 26, 2025
Impact: High
Summary: QuirkyLoader is a newly observed malware loader, active since November 2024, used to deliver various infostealers and remote access trojans (RATs) like Agent Tesla, AsyncRAT, FormBook, Remcos, and others. The infection begins with phishing emails containing malicious archives. These archives include a legitimate executable, an encrypted payload, and a malicious DLL. QuirkyLoader uses DLL side-loading to load the DLL via the legitimate app, which then decrypts and injects the final malware. The DLL is written in .NET and compiled ahead-of-time (AOT), making it resemble a C/C++ binary to evade detection.
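The summary describes a three-file archive (legitimate executable, malicious DLL, encrypted payload) as the delivery unit. The following triage script is an added example written for this page, not code from the report or from any vendor tooling: it opens a ZIP in memory, tags each member as a PE executable, a PE DLL, or a high-entropy blob (a heuristic stand-in for an encrypted payload), and flags the archive when all three roles are present. The PE classification reads the COFF Characteristics field; the entropy threshold of 7.0 bits/byte and the sample archive it builds are constructed assumptions, and no indicator from a real sample is used.

```python
import hashlib
import io
import math
import struct
import zipfile
from typing import Optional

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag: image is a DLL
ENTROPY_THRESHOLD = 7.0  # assumed cut-off (bits/byte) for "looks encrypted or packed"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for a byte stream."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_pe(data: bytes) -> Optional[str]:
    """Return 'exe' or 'dll' for a PE image, None for anything else."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature; Characteristics sits at +22
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def triage_archive(zip_bytes: bytes, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Group archive members by role and flag the exe + dll + blob combination."""
    roles = {"exe": [], "dll": [], "blob": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            kind = classify_pe(data)
            if kind:
                roles[kind].append(info.filename)
            elif shannon_entropy(data) >= threshold:
                roles["blob"].append(info.filename)
            else:
                roles["other"].append(info.filename)
    # A side-loading kit needs a host exe, a DLL the host will load, and the payload
    roles["suspicious"] = bool(roles["exe"] and roles["dll"] and roles["blob"])
    return roles


# --- constructed sample data below (not real files) ---

def make_pe(is_dll: bool) -> bytes:
    """Minimal constructed PE header: DOS header, PE signature, COFF header, no code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    chars = 0x2022 if is_dll else 0x0022       # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE (| DLL)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff


def pseudo_random_blob(size: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted payload."""
    out = bytearray()
    block = seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def build_sample_archive() -> bytes:
    """Constructed archive mirroring the three-file layout described in the summary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app.exe", make_pe(False))          # host executable
        zf.writestr("helper.dll", make_pe(True))        # DLL sitting beside it
        zf.writestr("payload.dat", pseudo_random_blob(4096))
        zf.writestr("readme.txt", b"invoice details\n" * 20)  # low-entropy filler
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
```

The rule is deliberately coarse: plenty of legitimate installers also ship an EXE, a DLL and compressed data, so treat a positive as a reason to pull the archive for closer inspection rather than as a verdict on its own.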