New BunnyLoader Malware Variant Surfaces with Modular Assault Options

BunnyLoader Malware

Cybersecurity researchers have found an up to date variant of a stealer and malware loader referred to as BunnyLoader that modularizes its numerous capabilities in addition to permit it to evade detection.

“BunnyLoader is dynamically growing malware with the potential to steal data, credentials and cryptocurrency, in addition to ship further malware to its victims,” Palo Alto Networks Unit 42 said in a report revealed final week.

The brand new model, dubbed BunnyLoader 3.0, was introduced by its developer named Participant (or Player_Bunny) on February 11, 2024, with rewritten modules for information theft, lowered payload dimension, and enhanced keylogging capabilities.

BunnyLoader was first documented by Zscaler ThreatLabz in September 2023, describing it as malware-as-a-service (MaaS) designed to reap credentials and facilitate cryptocurrency theft. It was initially supplied on a subscription foundation for $250 per 30 days.


The malware has since undergone frequent updates which might be aimed toward evading antivirus defenses in addition to increasing on its information gathering capabilities, with BunnyLoader 2.0 launched by the tip of the identical month.

The third era of BunnyLoader goes a step additional by not solely incorporating new denial-of-service (DoS) options to mount HTTP flood assaults in opposition to a goal URL, but in addition splitting its stealer, clipper, keylogger, and DoS modules into distinct binaries.

“Operators of BunnyLoader can select to deploy these modules or use BunnyLoader’s built-in instructions to load their selection of malware,” Unit 42 defined.

An infection chains delivering BunnyLoader have additionally change into progressively extra subtle, leveraging a beforehand undocumented dropper to loader PureCrypter, which then forks into two separate branches.

Whereas one department launches the PureLogs loader to in the end ship the PureLogs stealer, the second assault sequence drops BunnyLoader to distribute one other stealer malware referred to as Meduza.

BunnyLoader Malware

“Within the ever altering panorama of MaaS, BunnyLoader continues to evolve, demonstrating the necessity for risk actors to ceaselessly retool to evade detection,” Unit 42 researchers stated.

The event comes amid the continued use of SmokeLoader malware (aka Dofoil or Sharik) by a suspected Russian cybercrime crew referred to as UAC-006 to target the Ukrainian authorities and monetary entities. It is recognized to be active since 2011.

As many as 23 phishing assault waves delivering SmokeLoader had been recorded between Could and November 2023, in response to an exhaustive report revealed by Ukraine’s State Cyber Safety Middle (SCPC).


“Primarily a loader with added information-stealing capabilities, SmokeLoader has been linked to Russian cybercrime operations and is available on Russian cybercrime boards,” Unit 42 said.

Including to BunnyLoader and SmokeLoader is a brand new data stealer malware codenamed GlorySprout, which is developed in C++ and supplied for $300 for a lifetime entry. In line with RussianPanda, the stealer is a clone of Taurus Stealer.

“A notable distinction is that GlorySprout, not like Taurus Stealer, doesn’t obtain further DLL dependencies from C2 servers,” the researcher said. “Moreover, GlorySprout lacks the Anti-VM function that’s current in Taurus Stealer.”

Notify of
Inline Feedbacks
View all comments
Previous Post
Hacking Email and Instagram Accounts

Ukraine Arrests Trio for Hijacking Over 100 Million E-mail and Instagram Accounts

Next Post
Russian Intelligence Targets Victims Worldwide in Rapid-Fire Cyberattacks

Russian Intelligence Targets Victims Worldwide in Fast-Hearth Cyberattacks

Related Posts