IMAPLoader is a .NET-based loader malware exclusively associated with CURIUM operations since at least 2022. IMAPLoader leverages email protocols for command and control and payload delivery.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | IMAPLoader uses WMI queries to query system information on victim hosts.[1] |
| Enterprise | T1543 | Create or Modify System Process | IMAPLoader modifies Windows tasks on the victim machine to reference a retrieved PE file through a path modification.[1] |
| Enterprise | T1574.014 | Hijack Execution Flow: AppDomainManager | IMAPLoader is executed via the AppDomainManager injection technique.[1] |
| Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | IMAPLoader uses the IMAP email protocol for command and control purposes.[1] |
| Enterprise | T1106 | Native API | IMAPLoader imports native Windows APIs such as |
| Enterprise | T1082 | System Information Discovery | IMAPLoader uses WMI queries to gather information about the victim machine.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | IMAPLoader is a loader used to retrieve follow-on payloads encoded in email messages for execution on victim systems.[1] |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | IMAPLoader hides the Windows Console window created by its execution by directly importing the |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | IMAPLoader creates scheduled tasks for persistence based on the operating system version of the victim machine.[1] |
| ID | Name | References |
|---|---|---|
| G1012 | CURIUM | IMAPLoader was deployed by CURIUM as a post-exploitation payload from strategic website compromise.[1] |