Last seven days
- First activity
- Jul 13, 2026
- Last activity
- Jul 13, 2026
- Feed role
- C2
- Host form
- 3 IP / 1 hostnames
PrivateLoader is a malicious loader family first identified in 2021 and commonly associated with pay-per-install distribution activity.
Profile source: Mallory opens in a new tabPrivateLoader
PrivateLoader is a malicious loader family first identified in 2021 and commonly associated with pay-per-install distribution activity. It is used to download and execute a wide range of follow-on malware, including stealers, RATs, spyware, rootkits, proxy bot malware, cryptominers, and ransomware. Reported payloads and associated malware families include RedLine, DCRat, RaccoonStealer, Lumma/LummaC2, RisePro, Amadey, StealC, Glupteba, Tofsee-related activity, Socks5Systemz, and STOP/DJVU ransomware. PrivateLoader has also been referenced in campaigns targeting the robotics industry.
Observed infection vectors include cracked or pirated software lures, fake installers, drive-by downloads, phishing or social distribution, file-sharing sites, and abuse of trusted hosting platforms such as Discord’s CDN for next-stage payload retrieval. In one documented multi-stage cracked-software campaign, a trojanized setup.exe masquerading as a Logitech installer launched PrivateLoader, which then communicated over HTTP with 185.216.70.235 and 195.20.16.45 using requests to /api/tracemap.php and /api/firegate.php, modified Chrome extension files resulting in the K Searches extension being added, and dropped Amadey payloads to C:\Users\admin\Pictures\Minor Policy\5RfuRxo3fpxiWkD42DRCixRe.exe and C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\J0KBFYBW\build2[1].exe.
PrivateLoader has been linked to broader cybercrime ecosystems rather than a single exclusive payload set. It has been described as powering or participating in pay-per-install services and has been used in campaigns tied to Water Orthrus/CopperPhish distribution, Glupteba delivery chains, Lumma infections, Socks5Systemz standalone deployment, and malware delivery via Discord CDN. High-confidence indicators directly mentioned in the content include the HTTP paths /api/tracemap.php and /api/firegate.php, the IPs 185.216.70.235 and 195.20.16.45, and a CopperPhish-chain PrivateLoader sample with SHA-256 48211c6f957c2ad024441be3fc32aecd7c317dfc92523b0a675c0cfec86ffdd9.
C2 tracking
Derp observations, rolling seven-day window
Samples
Reported operators
The campaign uses multiple malware families under a single operational umbrella: SHA256 (truncated) Filename Signature First Seen 95e30af4... PoisonX.exe PrivateLoader 2026-03-10
MITRE ATT&CK
Reporting
We've followed both halves of that pipeline for years: PrivateLoader and the pay-per-install service it was powering...
In September 2023, BitSight observed a shift in deployment tactics, with Socks5Systemz distributed as a standalone final payload via loaders such as Privateloader and Amadey.
The campaign uses multiple malware families under a single operational umbrella: SHA256 (truncated) Filename Signature First Seen 95e30af4... PoisonX.exe PrivateLoader 2026-03-10
Other known malware involved in robotics industry cyberattack campaigns include... PrivateLoader
...Tofsee, the latter of which has been propagated via a C++-based loader called PrivateLoader in the past.
RisePro最早在2022年末引起关注,当时使用一种名为PrivateLoader的按安装次数付费的恶意软件下载服务进行传播。
"This tactic was observed with several popular malware loaders, including Smokeloader, PrivateLoader and Amadey, which use Discord’s CDN to download next-stage payloads."
This infection chain often starts with a PrivateLoader or SmokeLoader infection that loads other malware families, then loads Glupteba.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.