Cybersecurity researchers have shared details about a new Malware-as-a-Service (MaaS) platform called ManticoraLoader, developed and distributed by DeadXInject, a threat group behind the AresLoader malware.
ManticoraLoader, a sophisticated malware loader written in C, is designed to be compatible with Windows 7 and later versions, including Windows Server. According to the researchers at Cyble, ManticoraLoader features advanced obfuscation techniques and an array of information-gathering capabilities, including a module specifically engineered to collect extensive information from infected devices. This data includes IP addresses, usernames, system languages, installed antivirus software, UUIDs, and date-time stamps.
The observed capabilities suggest that ManticoraLoader is designed not only to deploy additional malware but also to gather reconnaissance data, potentially for targeted attacks.
Researchers have traced the launch of ManticoraLoader back to the threat actor known as DeadXInject, who has previously been linked to other notorious malware families such as AresLoader and AiDLocker. The same alias, 'DarkBLUP', which was used to advertise AresLoader on the XSS forum, has reappeared to promote ManticoraLoader.
The service is offered for a monthly rental fee of $500, with access capped at just ten customers. Payment is handled either through the forum's escrow service or by direct contact on Telegram or TOX.
Despite the emergence of ManticoraLoader, the researchers noted that AresLoader remains in active use by cybercriminals, indicating that the group behind it continues to maintain and support multiple malicious tools at the same time.