Vol. 1 · Ed. 2026
CyberGlossary
Entry № 696

Loader

Reviewed by Cybersecurity entrepreneur & security researcher

What is a loader?

Loader: Malware that prepares the environment and loads further payloads — often directly into memory — for a subsequent stage of an attack.


A loader is a specialized first-stage component whose primary job is to fetch, decode, and execute additional malware in memory, typically through reflective DLL injection, process hollowing, or shellcode execution. It often profiles the host, disables defences, and establishes persistence before passing control to the next stage. Loaders are central to modern "malware-as-a-service" ecosystems, where access brokers sell installs to ransomware affiliates or info-stealer operators. Defences include EDR/XDR with behavioural detection of injection techniques, AMSI, Constrained Language Mode for PowerShell, application allow-listing, and threat intelligence on common loader families such as IcedID, Smoke Loader and Bumblebee.
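The behavioural detection of injection mentioned above, as an added example that is not part of the original entry: it correlates a process launch, a cross-process thread creation and follow-on network activity from the injected process into one alert. The event fields, sample telemetry, path and parent lists, 60-second window and three-signal threshold are all constructed assumptions, loosely modelled on Sysmon event types.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry. Field names are simplified assumptions loosely
# modelled on Sysmon event types (1 = process create, 8 = CreateRemoteThread,
# 3 = network connection); this is not a real log schema.
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2026-01-10T09:00:01", "pid": 4120, "image": r"C:\Users\amy\AppData\Local\Temp\invoice.exe", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"id": 8, "ts": "2026-01-10T09:00:04", "pid": 4120, "target_pid": 988, "target_image": r"C:\Windows\System32\svchost.exe"},
    {"id": 3, "ts": "2026-01-10T09:00:09", "pid": 988, "dest": "203.0.113.10:443"},
    {"id": 1, "ts": "2026-01-10T09:05:00", "pid": 5000, "image": r"C:\Program Files\Vendor\updater.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"id": 3, "ts": "2026-01-10T09:05:02", "pid": 5000, "dest": "198.51.100.7:443"},
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")   # assumed list
DOC_PARENTS = ("winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "powershell.exe")
WINDOW = timedelta(seconds=60)                                 # assumed window

def find_loader_chains(events):
    """Return one alert per injection that is backed by at least two other
    loader-like signals (launch context, network use by the injected process)."""
    started, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 1:                       # remember launch context per PID
            started[ev["pid"]] = ev
        elif ev["id"] == 8:                     # thread created in another process
            src = started.get(ev["pid"], {})
            signals = ["remote_thread_injection"]
            if any(p in src.get("image", "").lower() for p in USER_WRITABLE):
                signals.append("user_writable_image")
            if src.get("parent", "").lower().endswith(DOC_PARENTS):
                signals.append("document_or_script_parent")
            alerts.append({"source_pid": ev["pid"], "target_pid": ev["target_pid"],
                           "target_image": ev["target_image"], "injected_at": ts,
                           "signals": signals, "dest": None})
        elif ev["id"] == 3:                     # network use by an injected process
            for a in alerts:
                recent = timedelta(0) <= ts - a["injected_at"] <= WINDOW
                if a["target_pid"] == ev["pid"] and a["dest"] is None and recent:
                    a["signals"].append("network_from_injected_process")
                    a["dest"] = ev["dest"]
    # Injection alone is noisy (some legitimate software does it); require context.
    return [a for a in alerts if len(a["signals"]) >= 3]

if __name__ == "__main__":
    for alert in find_loader_chains(SAMPLE_EVENTS):
        print(alert["source_pid"], "->", alert["target_image"], alert["signals"], alert["dest"])
```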

Examples

  1. Bumblebee loader observed distributing Cobalt Strike and ransomware.

  2. Smoke Loader / Dofoil, a long-running pay-per-install loader family.

Frequently asked questions

What is a loader?

Malware that prepares the environment and loads further payloads — often directly into memory — for a subsequent stage of an attack. It belongs to the Malware category of cybersecurity.

How do you defend against a loader?

Defences against loaders typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Loader?

Common alternative names include: Malware loader, Stage-1 loader.
