
What is a malware loader?

A malware loader is a type of malicious software designed to deliver and install other malware onto a target system. It acts as the first stage in an attack, opening the door for more dangerous payloads like ransomware, spyware, or banking trojans.

Loaders typically avoid detection by using stealth techniques, such as encrypting their code or mimicking legitimate software. Once they’re on a system, they connect to a command-and-control server and download the actual malware intended to carry out the attack.

In short: the loader sets the stage, and the real threat comes afterward.
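A defender's view of the staged behaviour described above, as an added example that is not part of the original article: it correlates endpoint telemetry to flag a process that connects out, writes an executable file, and then launches that same file. The event schema, extension list, 300-second window and sample events are all assumptions constructed for illustration.

```python
WINDOW = 300  # max seconds between file write and launch (assumed threshold)
EXEC_EXT = (".exe", ".dll", ".scr", ".js", ".ps1")  # assumed list of interest

# Constructed sample telemetry, not real logs: (ts, host, pid, event, detail).
# For "proc_start", pid is the parent process and detail is the launched image.
EVENTS = [
    (100, "ws1", 4120, "net_connect", "203.0.113.10:443"),
    (104, "ws1", 4120, "file_write", r"C:\Users\a\AppData\Local\Temp\upd.exe"),
    (109, "ws1", 4120, "proc_start", r"C:\Users\a\AppData\Local\Temp\upd.exe"),
    # Connects and writes a document: no executable, so no alert.
    (200, "ws2", 880, "net_connect", "198.51.100.7:443"),
    (205, "ws2", 880, "file_write", r"C:\Users\b\Downloads\report.pdf"),
    # Writes and runs a binary with no prior network activity: no alert.
    (300, "ws3", 512, "file_write", r"C:\Tools\build.exe"),
    (302, "ws3", 512, "proc_start", r"C:\Tools\build.exe"),
]


def find_staged_execution(events, window=WINDOW):
    """Return alerts where one process connected out, then wrote an
    executable, then launched that file within `window` seconds."""
    last_connect = {}  # (host, pid) -> remote endpoint of latest connection
    written = {}       # (host, pid, path) -> (write_ts, remote endpoint)
    alerts = []
    for ts, host, pid, kind, detail in sorted(events):
        key = (host, pid)
        path = detail.lower()
        if kind == "net_connect":
            last_connect[key] = detail
        elif kind == "file_write":
            # Only track executables written after the process went online.
            if key in last_connect and path.endswith(EXEC_EXT):
                written[(host, pid, path)] = (ts, last_connect[key])
        elif kind == "proc_start":
            hit = written.get((host, pid, path))
            if hit and ts - hit[0] <= window:
                alerts.append({"host": host, "pid": pid, "file": detail,
                               "remote": hit[1], "delay_s": ts - hit[0]})
    return alerts


if __name__ == "__main__":
    for alert in find_staged_execution(EVENTS):
        print(alert)
```

Legitimate updaters and installers follow the same connect, write, launch pattern, so a rule like this needs an allowlist of known-good parent processes before it is useful as an alert.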

Well-known examples of malware loaders include:

  • Emotet – Originally a banking trojan, later evolved into a powerful loader used to drop other malware like TrickBot and Ryuk ransomware.
  • TrickBot – While known for its own malicious capabilities, it also functions as a loader, delivering ransomware and other payloads.
  • Smoke Loader – A modular loader used to distribute various malware families, often sold as a service to other cybercriminals.
  • QakBot (QBot) – Started as a banking trojan and evolved into a versatile loader. It spreads through phishing emails, steals credentials, moves laterally in networks, and delivers malware like ransomware. QakBot has been a key part of many large-scale cyberattacks.

These loaders are often part of broader cybercrime ecosystems and are used to gain initial access before deploying more damaging malware.
