Skip to content
Malware family

PrivateLoader

PrivateLoader is a malicious loader family first identified in 2021 and commonly associated with pay-per-install distribution activity.

Profile source: Mallory opens in a new tab

PrivateLoader

Family profile

PrivateLoader is a malicious loader family first identified in 2021 and commonly associated with pay-per-install distribution activity. It is used to download and execute a wide range of follow-on malware, including stealers, RATs, spyware, rootkits, proxy bot malware, cryptominers, and ransomware. Reported payloads and associated malware families include RedLine, DCRat, RaccoonStealer, Lumma/LummaC2, RisePro, Amadey, StealC, Glupteba, Tofsee-related activity, Socks5Systemz, and STOP/DJVU ransomware. PrivateLoader has also been referenced in campaigns targeting the robotics industry.

Observed infection vectors include cracked or pirated software lures, fake installers, drive-by downloads, phishing or social distribution, file-sharing sites, and abuse of trusted hosting platforms such as Discord’s CDN for next-stage payload retrieval. In one documented multi-stage cracked-software campaign, a trojanized setup.exe masquerading as a Logitech installer launched PrivateLoader, which then communicated over HTTP with 185.216.70.235 and 195.20.16.45 using requests to /api/tracemap.php and /api/firegate.php, modified Chrome extension files resulting in the K Searches extension being added, and dropped Amadey payloads to C:\Users\admin\Pictures\Minor Policy\5RfuRxo3fpxiWkD42DRCixRe.exe and C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\J0KBFYBW\build2[1].exe.

PrivateLoader has been linked to broader cybercrime ecosystems rather than a single exclusive payload set. It has been described as powering or participating in pay-per-install services and has been used in campaigns tied to Water Orthrus/CopperPhish distribution, Glupteba delivery chains, Lumma infections, Socks5Systemz standalone deployment, and malware delivery via Discord CDN. High-confidence indicators directly mentioned in the content include the HTTP paths /api/tracemap.php and /api/firegate.php, the IPs 185.216.70.235 and 195.20.16.45, and a CopperPhish-chain PrivateLoader sample with SHA-256 48211c6f957c2ad024441be3fc32aecd7c317dfc92523b0a675c0cfec86ffdd9.

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 13, 2026
Last activity
Jul 13, 2026
Feed role
C2
Host form
3 IP / 1 hostnames

Leading locations

  • RU2
  • AT1
  • CA1

Leading providers

  • JSC TIMEWEB2
  • Team Internet AG1

Infrastructure traits

  • Hosting 3

Samples

Recent associated samples

Reported operators

Threat actors

1 named in public reporting
Silver Fox

The campaign uses multiple malware families under a single operational umbrella: SHA256 (truncated) Filename Signature First Seen 95e30af4... PoisonX.exe PrivateLoader 2026-03-10

MITRE ATT&CK

PrivateLoader in ATT&CK

7 distinct techniques

Reporting

Research mentioning PrivateLoader

Jun 24
Bitsight

Bitsight Aids Disruption Efforts on Amadey & StealC Malware | Bitsight

We've followed both halves of that pipeline for years: PrivateLoader and the pay-per-install service it was powering...

Mar 30
Synthient

ProxyBox: Socks5Systemz Lives On | Synthient

In September 2023, BitSight observed a shift in deployment tactics, with Socks5Systemz distributed as a standalone final payload via loaders such as Privateloader and Amadey.

Mar 12
Breakglass Intel

MalwareBazaar Said Emotet. It Was a Chinese RAT Hiding Inside a Video Game. - Breakglass Intelligence - Breakglass Intelligence

The campaign uses multiple malware families under a single operational umbrella: SHA256 (truncated) Filename Signature First Seen 95e30af4... PoisonX.exe PrivateLoader 2026-03-10

Dec 9
Dark Reading

Analysts Warn of Cybersecurity Risks in Humanoid Robots

Other known malware involved in robotics industry cyberattack campaigns include... PrivateLoader

Oct 3
The Hacker News

Detour Dog Caught Running DNS-Powered Malware Factory for Strela Stealer

...Tofsee, the latter of which has been propagated via a C++-based loader called PrivateLoader in the past.

Mar 26
Cert 360 Cn

安全事件周报 2024-03-18 第12周 - 360CERT

RisePro最早在2022年末引起关注,当时使用一种名为PrivateLoader的按安装次数付费的恶意软件下载服务进行传播。

Feb 13
Intel471

How Discord is Abused for Cybercrime | Intel 471

"This tactic was observed with several popular malware loaders, including Smokeloader, PrivateLoader and Amadey, which use Discord’s CDN to download next-stage payloads."

Feb 12
Palo Alto Networks Unit 42

Diving Into Glupteba's UEFI Bootkit

This infection chain often starts with a PrivateLoader or SmokeLoader infection that loads other malware families, then loads Glupteba.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.