29 August 2023

Three malware loaders behind 80% of intrusions, researchers find

QakBot, SocGholish, and Raspberry Robin are the top three malware loaders most favored by cybercriminals, accounting for about 80% of observed attacks, researchers at ReliaQuest have found.

During the first seven months of 2023, the QakBot loader (aka QBot, QuackBot, and Pinkslipbot) was responsible for 30% of the observed attacks, followed by SocGholish (27%) and Raspberry Robin (23%). The remaining loaders in the top seven trailed far behind: Gootloader (3%), ChromeLoader (2%), GuLoader (2%), and Ursnif (2%).

The researchers noted that a loader detection does not by itself mean the targeted network was compromised: in the majority of cases they observed, the loader was detected and blocked early in the kill chain, before it could hand off to its follow-on payload.

Initially designed as a banking trojan, QakBot has gained new capabilities over time. Beyond providing initial access to targeted networks, QakBot drops additional remote-access payloads, steals sensitive data, and supports lateral movement and remote code execution.

QakBot is usually delivered via phishing emails and is most closely associated with Black Basta, a ransomware group made up of former Conti and REvil members that uses the loader for initial access and lateral movement within victims’ networks.

SocGholish (aka FakeUpdates) is a JavaScript-based loader that targets Microsoft Windows environments. It is delivered via drive-by compromise: visitors to a large network of compromised websites are prompted to download an “update,” typically through an outdated-browser warning or a similar update lure for Microsoft Teams or Adobe Flash, and the downloaded file is the JavaScript loader itself.

SocGholish has been linked to Evil Corp (aka the Dridex gang) and to Exotic Lily, an initial access broker (IAB) active since at least September 2021.

Raspberry Robin is a highly evasive worm turned loader that targets Microsoft Windows environments. Believed to have been created in 2019 and first spotted in September 2021, the worm spreads via infected USB drives carrying a malicious .LNK (shortcut) file. Raspberry Robin is another malware family linked to the Russian cybercrime syndicate Evil Corp. Last year, Microsoft found the worm on the networks of hundreds of organizations, including ones in the technology and manufacturing sectors.

Raspberry Robin has also been used to deliver multiple ransomware families and other malware, including Clop, LockBit, Truebot, and FlawedGrace, as well as the Cobalt Strike framework. In 2023, Raspberry Robin operators have targeted financial institutions, telecommunications, government, and manufacturing organizations, mainly in Europe and the US.
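The two delivery mechanisms described above (a JavaScript “update” dropped by a browser for SocGholish, and a shortcut launched from a USB drive for Raspberry Robin) both leave a visible trace in process-creation telemetry. The following is an added example of heuristic triage over such events; it is not code from the ReliaQuest report or from this article. The `key=value|key=value` event format, the field names, the lure-word and interpreter lists, and the sample events are all constructed for illustration, and the set of removable drive letters is assumed to come from the collector.

```python
"""Heuristic triage of Windows process-creation events for two loader
delivery patterns: a script host running a .js "update" from a user-writable
folder (fake-update lure) and an interpreter launched by a user double-click
with its working directory on a removable drive (USB-borne .LNK).

Added example. The event format, field names, word lists and sample events
are constructed for illustration; map the fields to your own Sysmon/EDR export.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Folders a drive-by download or an attachment usually lands in (assumed list).
USER_WRITABLE_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Words fake-update lures commonly put in the file name (assumed list).
UPDATE_LURE = re.compile(r"update|chrome|firefox|edge|teams|flash", re.IGNORECASE)
# Interpreters a malicious shortcut typically points at (assumed list).
LNK_TARGETS = {"cmd.exe", "powershell.exe", "msiexec.exe", "wscript.exe", "rundll32.exe"}


def parse_event(line):
    """Parse one constructed 'key=value|key=value' event into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_fake_update_script(ev):
    """wscript/cscript executing a .js whose name looks like an update lure,
    from a folder a browser download would land in."""
    if basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return None
    m = re.search(r'"?([A-Za-z]:\\[^"]+?\.js)"?', ev.get("CommandLine", ""))
    if not m:
        return None
    script = m.group(1).lower()
    if any(d in script for d in USER_WRITABLE_DIRS) and UPDATE_LURE.search(basename(script)):
        return "fake_update_script"
    return None


def check_removable_drive_launch(ev, removable_drives):
    """explorer.exe (a user double-click) spawning an interpreter whose working
    directory is on a removable drive, which is what a USB-borne .LNK produces.
    removable_drives is a set of drive letters such as {"E:"} (assumed to be
    supplied by the collector)."""
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cwd = ev.get("CurrentDirectory", "").upper()
    if parent == "explorer.exe" and image in LNK_TARGETS and cwd[:2] in removable_drives:
        return "removable_drive_launch"
    return None


def triage(lines, removable_drives):
    """Return (rule, image, command line) for every event that matches a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for hit in (check_fake_update_script(ev),
                    check_removable_drive_launch(ev, removable_drives)):
            if hit:
                findings.append((hit, basename(ev.get("Image", "")), ev.get("CommandLine", "")))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: browser-dropped "update" script run by wscript from Downloads -> hit
    r"Image=C:\Windows\System32\wscript.exe|ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe"
    r'|CommandLine="C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Chrome.Update.js"'
    r"|CurrentDirectory=C:\Users\alice\Downloads",
    # 2: explorer launching cmd.exe with the working directory on drive E: -> hit if E: is removable
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe"
    r"|CurrentDirectory=E:\|CommandLine=cmd.exe /c E:\setup.bat",
    # 3: vendor maintenance script from Program Files -> benign
    r"Image=C:\Windows\System32\wscript.exe|ParentImage=C:\Windows\System32\svchost.exe"
    r'|CommandLine="C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\Tools\maintenance.js"'
    r"|CurrentDirectory=C:\Program Files\Vendor\Tools",
    # 4: user opening a command prompt in their profile -> benign
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe"
    r"|CurrentDirectory=C:\Users\alice|CommandLine=cmd.exe",
    # 5: "Teams update" script run by cscript from the user's Temp folder -> hit
    r"Image=C:\Windows\System32\cscript.exe|ParentImage=C:\Program Files\Mozilla Firefox\firefox.exe"
    r'|CommandLine="C:\Windows\System32\cscript.exe" "C:\Users\bob\AppData\Local\Temp\Teams_Update.js"'
    r"|CurrentDirectory=C:\Users\bob\AppData\Local\Temp",
]

if __name__ == "__main__":
    for rule, image, cmdline in triage(SAMPLE_EVENTS, {"E:"}):
        print(f"{rule:<24} {image:<12} {cmdline}")
```

Both rules are deliberately narrow: the script-host rule needs a user-writable path and a lure word in the file name, and the removable-drive rule needs all three of explorer.exe as parent, an interpreter as child, and a removable working directory, so ordinary vendor scripts and a user opening a command prompt in their profile do not fire. Tune the word and interpreter lists to your environment rather than relaxing the conjunctions.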

“Based on recent trends, it’s highly likely that these loaders will continue to pose a threat to organizations in the mid-term future (3–6 months) and beyond. In the remainder of 2023, we can anticipate other developments in these loaders—whether in response to organizational mitigation or through collaboration among threat actors,” the researchers concluded.
