IMAPLoader
IMAPLoader is a .NET-based loader malware exclusively associated with CURIUM operations since at least 2022. IMAPLoader leverages email protocols for command and control and payload delivery.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .003 | Application Layer Protocol: Mail Protocols |
IMAPLoader uses the IMAP email protocol for command and control purposes.[1] |
| Enterprise | T1543 | Create or Modify System Process |
IMAPLoader modifies Windows tasks on the victim machine to reference a retrieved PE file through a path modification.[1] |
|
| Enterprise | T1564 | .003 | Hide Artifacts: Hidden Window |
IMAPLoader hides the Windows Console window created by its execution by directly importing the |
| Enterprise | T1574 | .014 | Hijack Execution Flow: AppDomainManager |
IMAPLoader is executed via the AppDomainManager injection technique.[1] |
| Enterprise | T1105 | Ingress Tool Transfer |
IMAPLoader is a loader used to retrieve follow-on payload encoded in email messages for execution on victim systems.[1] |
|
| Enterprise | T1106 | Native API |
IMAPLoader imports native Windows APIs such as |
|
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
IMAPLoader creates scheduled tasks for persistence based on the operating system version of the victim machine.[1] |
| Enterprise | T1082 | System Information Discovery |
IMAPLoader uses WMI queries to gather information about the victim machine.[1] |
|
| Enterprise | T1047 | Windows Management Instrumentation |
IMAPLoader uses WMI queries to query system information on victim hosts.[1] |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1012 | CURIUM |
IMAPLoader was deployed by CURIUM as a post-exploitation payload from strategic website compromise.[1] |