Tracking the Rise of ManticoraLoader Malware: A Closer Look at the Latest MaaS Threat

A new malware-as-a-service (MaaS) called ManticoraLoader has emerged on the cybercriminal scene, being distributed by the alias ‘DarkBLUP’ on the XSS forum. This alias was previously associated with distributing malware from the DeadXInject group, including the AresLoader malware and AiDLocker ransomware.

Offered on DeadXInject’s Telegram channel since August 8, 2024, ManticoraLoader is a versatile and potent tool for cybercriminal operations. Compatible with Windows 7 and later versions, including Windows Server, this malware variant can target a wide range of systems still in use today.

One of the key features of ManticoraLoader is its ability to gather extensive information from infected devices, such as IP address, username, system language, installed antivirus software, UUID, and date-time stamps. This data is then sent back to a centralized control panel, allowing threat actors to profile victims and customize their attacks.

The loader’s modular design enables easy extension of functionalities upon request, making it adaptable to various malicious objectives. It also employs sophisticated obfuscation techniques to evade detection, with a reported detection rate of 0/39 on Kleenscan.

The threat actors behind ManticoraLoader have implemented a strict transaction process, limiting clients to 10 and offering the service through the forum’s escrow service or direct contact via Telegram or TOX. Priced at $500 per month, this MaaS is designed to generate a steady stream of revenue for cybercriminals.

While the researchers are unsure why DarkBLUP remained inactive for over a year, they suggest that the group is expanding their arsenal with ManticoraLoader to diversify their offerings and increase monetization. As AresLoader continues to be widely used, it appears that the group is not abandoning their previous projects but rather evolving their malicious activities.