CroxLoader

Description

(Trend Micro) During the deployment of the second campaign, we found two different variants of CroxLoader with respective patterns of use. The first variant is commonly used when attackers use publicly facing applications as the entry point of attack. It decrypts the embedded payload and injects the decrypted payload into the remote process. Meanwhile, the second variant of CroxLoader is often deployed through spearphishing emails to lure victims into opening it. The variant used for each targeted victim depends on the applicable attack scenario.

Names

Name
CroxLoader

Category

Malware

Type

• Loader

Information

• https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html

Malpedia

• https://malpedia.caad.fkie.fraunhofer.de/details/win.croxloader

Other Information

Uuid

0a348852-6b08-48af-afca-f5ecf962bd3a

Last Card Change

2023-06-22