donut_injector

Also known as: Donut

Donut is an open-source in-memory injector/loader, designed for execution of VBScript, JScript, EXE, DLL files and dotNET assemblies. It was used during attacks against U.S. organisations according to Threat Hunter Team (Symantec) and U.S. Defence contractors (Unit42).

Github: https://github.com/TheWover/donut

C2 Infrastructure

Hosting/VPS95%

ISP/Residential5%

Last 7 days

Apr 14, 2026

C2 Hosts: 18

Apr 13, 2026

C2 Hosts: 11

Apr 12, 2026

C2 Hosts: 2

Apr 11, 2026

C2 Hosts: 9

Apr 9, 2026

C2 Hosts: 5

Apr 8, 2026

C2 Hosts: 1

Daily C2 host counts for the last 7 days
Date	C2 Hosts
Apr 14, 2026	18
Apr 13, 2026	11
Apr 12, 2026	2
Apr 11, 2026	9
Apr 9, 2026	5
Apr 8, 2026	1

Further Reading

Malware AV evasion - part 8. Encode payload via Z85 algorithm. C++ example.

﷽

cocomelonc.github.io

Supposed Grasshopper: operators impersonate Israeli government and private companies to deploy open-source malware

Analysis of malicious infrastructure targeting Israeli entities via payloads delivered through compromised WordPress sites in 2023.

WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations

Attackers were preparing to attack dozens of U.S. corporations, including eight Fortune 500 companies.

symantec-enterprise-blogs.security.com

Donut - Injecting .NET Assemblies as Shellcode

TLDR: You can now inject .NET Assemblies into Windows processes using this repo: https://github.com/TheWover/donut/

thewover.github.io

The ClickFix Deception: How a Fake CAPTCHA Deploys an Evasive Infostealer

Swiss Post Cybersecurity detected and analyzed an infostealer campaign. The attackers use Clickfix for initial access and DonutLoader for shellcode delivery. In our blog article, we show you step b...

swisspost-cybersecurity.ch