CyberGlossary

Malware

Loader

Also known as: Malware loader, Stage-1 loader

Definition

Malware that prepares the environment and loads further payloads — often directly into memory — for a subsequent stage of an attack.

A loader is a specialized first-stage component whose primary job is to fetch, decode and execute additional malware in memory rather than on disk, typically through reflective DLL injection, process hollowing or raw shellcode execution. Before handing control to the next stage it often profiles the host (to detect sandboxes, analysis tools or uninteresting targets), disables or evades defences, and establishes persistence. Loaders are central to modern "malware-as-a-service" ecosystems, where initial-access brokers sell successful installs to ransomware affiliates or info-stealer operators, so a single loader family can front many unrelated final payloads.

Because the payload itself may never touch disk, defences focus on behaviour rather than file signatures: EDR/XDR detection of cross-process memory writes and remote threads started at addresses backed by no loaded module, AMSI for scripted stages, Constrained Language Mode for PowerShell, application allow-listing to block the living-off-the-land binaries loaders abuse, and threat intelligence on common loader families such as IcedID, Smoke Loader and Bumblebee.
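The behavioural signals named above can be checked against endpoint telemetry. The following is an added example written for this entry, not code from the glossary or from any EDR product: it runs three simple rules over constructed events whose field names mirror Sysmon (EventID 1 process creation, 8 CreateRemoteThread, 10 ProcessAccess) but are simplified, and then correlates them into a loader-like injection chain. The rule names, the `DOC_PARENTS`/`LOLBINS` lists and the sample events are assumptions made for illustration.

```python
"""Flag loader-style injection behaviour in constructed Sysmon-like events.

Added example, not part of the glossary or any vendor product. Field names
mirror Sysmon but the events are constructed and simplified.
"""
import ntpath
from collections import defaultdict

# Process access rights a loader needs to write code into another process and run it.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumed lists: common initial-access parents and the LOLBins loaders use for a first stage.
DOC_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "msiexec.exe"}


def basename(path):
    # Works for Windows paths on any host OS.
    return ntpath.basename(path).lower()


def check_process_create(ev):
    # EventID 1: a document or script host spawning a LOLBin is a classic stage-1 launch.
    if basename(ev["ParentImage"]) in DOC_PARENTS and basename(ev["Image"]) in LOLBINS:
        return ("stage1-spawn", ev["ParentImage"], ev["Image"])
    return None


def check_process_access(ev):
    # EventID 10: a handle with write + thread-creation rights on another process.
    granted = int(ev["GrantedAccess"], 16)
    if granted & INJECT_MASK == INJECT_MASK and ev["SourceImage"] != ev["TargetImage"]:
        return ("inject-access", ev["SourceImage"], ev["TargetImage"])
    return None


def check_remote_thread(ev):
    # EventID 8: a remote thread whose start address is backed by no module is the
    # signature of reflectively loaded code or raw shellcode.
    if not ev.get("StartModule"):
        return ("unbacked-thread", ev["SourceImage"], ev["TargetImage"])
    return None


RULES = {1: check_process_create, 8: check_remote_thread, 10: check_process_access}


def find_loader_activity(events):
    """Return (findings, chains): individual rule hits and correlated source/target pairs
    where one process both opened another for writing and started an unbacked thread in it."""
    findings = []
    for ev in events:
        rule = RULES.get(ev["EventID"])
        hit = rule(ev) if rule else None
        if hit:
            findings.append(hit)
    kinds_by_pair = defaultdict(set)
    for kind, src, tgt in findings:
        kinds_by_pair[(src, tgt)].add(kind)
    chains = [pair for pair, kinds in kinds_by_pair.items()
              if {"inject-access", "unbacked-thread"} <= kinds]
    return findings, chains


# Constructed sample telemetry: one loader-like sequence plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\inv.dll,DllRegisterServer"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x1A2B3C40000",
     "StartModule": "", "StartFunction": ""},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "EtwpNotificationThread"},
]

if __name__ == "__main__":
    hits, chains = find_loader_activity(SAMPLE_EVENTS)
    for hit in hits:
        print("finding:", hit)
    for src, tgt in chains:
        print(f"likely in-memory loader stage: {src} -> {tgt}")
```

The individual rules are noisy on their own (security products and debuggers legitimately open processes with broad access), which is why the correlation step matters: the same source both obtaining write access to a target and starting a thread there at an unbacked address is what distinguishes a loader handing off its next stage from routine handle activity.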

Examples

  • Bumblebee loader observed distributing Cobalt Strike and ransomware.
  • Smoke Loader / Dofoil, a long-running pay-per-install loader family.

Related terms