Unraveling Not AZORult but Koi Loader: A Precursor to Koi Stealer

Did some analysis on #KoiLoader which ultimately led to #KoiStealer . Warning ⚠️It is not AZORult.

The blog: esentire.com/blog/unravelin…

eSentire Threat Intel

Unit 42 A #pcap of the #KoiLoader / #KoiStealer infection traffic and the associated malware samples are available at malware-traffic-analysis.net/2024/04/04/ind…

Brian McGough Unit 42 Thanks! I rummaged around and found one of those URLs for the bank-themed #KoiLoader / #KoiStealer zip archives.

AZORult? KoiStealer? I am so confused. What the heck is KoiStealer?

Detailed analysis of KOI Loader/Stealer.
#koiloader #koistealer

2024-04-04 (Thursday): We generated an infection in a lab environment based on the latest round of #KoiLoader / #KoiStealer activity. Initial bank-themed lures started earlier this week on 2024-04-02. Some indicators available at bit.ly/3PQut3r

#Unit42ThreatIntel

We have discovered another wave of banking theme campaign, which is active from dec 2023.
#koistealer #koiloader #malware #infostealer
CC Brad

\_(ʘ_ʘ)_/ We've been having a discussion about this, it's actually #KoiLoader / #KoiStealer . The AZORult identification is was based on an article from 2023, but the code and the traffic doesn't really match what we'd seen before with AZORult. Thread: twitter.com/RussianPanda9x…

RussianPanda 🐼 🇺🇦 Hello, Ann. There's this new kind of malware called KoiStealer that has popped up in the cyber world lately. It's a pretty nasty piece of software because not only does it steal information, but it also has a special liking for getting into cryptocurrency wallets.

RussianPanda 🐼 🇺🇦 Here is some more info: securityaffairs.com/144092/malware…

We have been tracking KoiLoader/KoiStealer as well. It's not very common, but it's a thing.