Aresloader

Malware Profile Updated 24 days ago
AresLoader is a malware loader that was first advertised for sale on the top-tier Russian-language hacking forum XSS in December 2022 by a threat actor named "DarkBLUP". It is designed to compromise and damage computer systems, typically gaining entry through suspicious downloads, emails, or websites. Once inside a system, AresLoader can steal personal information, disrupt operations, or hold data hostage for ransom. It creates a Registry AutoRun key to obtain and retain unauthorized access to the victim's environment.

The AresLoader panel is managed and hosted by the malware seller, and all builds communicate with a single server. The IP address of that server belongs to autonomous system number (ASN) AS204603, which is registered to Partner LLC.

Throughout 2023, the use of AresLoader expanded alongside several other malware families, including the Nokoyawa and BlackBasta ransomware; these families were obtained or purchased from FIN7 developers, such as Minodo and Diceloader. Other new malware families that appeared during this period include Canyon, Vidar, and LummaC2. AresLoader has been identified as a backdoor/downloader that aids initial access or information stealing. IBM Security X-Force noted that crypters (applications that encrypt and obfuscate malware to evade detection) were being used to disseminate new strains such as AresLoader. The development and deployment of AresLoader have been accompanied by some confusion, owing to the simultaneous development of other loaders such as BlackSuit and to Royal's close working relationship with BlackCat. Despite these challenges, AresLoader continues to be a significant threat. Its sellers have set up a Telegram channel to facilitate discussions related to the bot. Furthermore, Partner LLC, the entity hosting AresLoader's server, also hosts the "Shark" stealer panel, indicating that the same infrastructure supports other malicious operations besides AresLoader.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track between vendors, so the following are possible overlapping names or profiles that may also be worth reviewing.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Loader
Malware
MaaS
Telegram
Ransomware
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the AresLoader malware was read from the document corpus below. This display is limited to 20 results.

Source                    Created         Title
------------------------  --------------  ---------------------------------------------------------------------------------------
CSO Online                a year ago      Russian hacktivists deploy new AresLoader malware via decoy installers
CERT-EU                   a year ago      AresLoader Malware Attacking Citrix Users Through Malicious GitLab Repo
Flashpoint                a year ago      No title
CERT-EU                   a year ago      AresLoader Malware Attacking Citrix Users Through Malicious GitLab Repo | IT Security News
SecurityIntelligence.com  a year ago      The Trickbot/Conti Crypters: Where Are They Now?
BankInfoSecurity          10 months ago   Are Akira Ransomware's Crypto-Locking Malware Days Numbered?
CERT-EU                   a year ago      BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising