Mallory

Olymp Loader

Olymp Loader is a Malware-as-a-Service / Loader-as-a-Service offering first observed in June 2025 and advertised on underground forums and Telegram by the operator using the alias "OLYMPO." It was initially presented as an "Olymp Botnet" with a web panel, then pivoted in August 2025 to a loader-focused service and later added crypter functionality. The malware is marketed as fully written in assembly language and as "FUD," with emphasis on evading machine-learning and heuristic detection.

Advertised and observed capabilities include loading 32-bit, 64-bit, .NET, Java, and native payloads; persistence via auto-run behavior and Startup-folder shortcuts; privilege escalation via an aggressive UAC-flood technique; Windows Defender exclusion and, in some variants, Defender disablement/removal; XOR-encrypted modules and payloads; code signing; and LoadPE/code-cave style injection into legitimate programs. Early versions also included built-in stealer modules targeting browsers, Telegram, and cryptocurrency wallets. Reported wallet targets include Exodus, Electrum, Atomic, Guarda, Wasabi, Monero, BitcoinCore, and ZelCore. The browser stealer was reported as based on BrowserSnatch, and Telegram/stealer components used embedded proxy URLs for exfiltration, including reporting tied to IP 144.172.97.30 and binaries containing a PROXY marker.

Observed delivery and infection vectors include GitHub Releases assets, notably under PurpleOrchid65/Testing, and binaries masquerading as legitimate software such as Node.js, PuTTY, OpenSSL, Zoom, and the Classic Offensive Counter-Strike mod. Reported lure URLs include fastdownloads[.]live/dl/putty.exe, jjf[.]life/OpenSSL/build.exe, jjf[.]life/OpenSSL/ZoomClientSetup.exe, and classic-offensive[.]com/Installer.zip. Outpost24 also observed Olymp Loader executed with Amadey as the parent process, indicating use as a second-stage payload in some infections.
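As an added example (not Mallory's or any source vendor's code), the following hunt runs over constructed telemetry lines for the delivery infrastructure listed above and for the Defender-exclusion and Startup-shortcut behaviours named in the capabilities paragraph. The one-JSON-object-per-line log format, and the assumption that the exclusion is realised via PowerShell Add-MpPreference or the Windows Defender Exclusions registry key, are mine; the loader's exact implementation is not public.

```python
"""Hunt for Olymp Loader-style behaviours in constructed telemetry lines.
Added example, not Mallory's or any vendor's code. Assumes a simplified
one-JSON-object-per-line format with type/cmdline/target/url/dst_ip fields."""
import json
import re
from urllib.parse import urlsplit

# Lure domains and proxy IP from the page, with defanging brackets removed.
LURE_DOMAINS = {"fastdownloads.live", "jjf.life", "classic-offensive.com"}
PROXY_IP = "144.172.97.30"
# Assumed realisations of the page's "Defender exclusion" and "Startup-folder
# shortcut" behaviours (Add-MpPreference / Exclusions registry key; .lnk drop).
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\s+-Exclusion|\\Windows Defender\\Exclusions\\", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)

def classify(event: dict) -> list[str]:
    """Return the page-described behaviours a single event matches."""
    hits = []
    host = urlsplit(event.get("url", "")).hostname or ""
    if host in LURE_DOMAINS or event.get("dst_ip") == PROXY_IP:
        hits.append("lure-or-proxy-infra")
    text = event.get("cmdline", "") + " " + event.get("target", "")
    if DEFENDER_EXCLUSION.search(text):
        hits.append("defender-exclusion")
    if event.get("type") == "file_create" and STARTUP_LNK.search(event.get("target", "")):
        hits.append("startup-shortcut-persistence")
    return hits

def hunt(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> matched behaviours; malformed lines are skipped."""
    results = {}
    for i, line in enumerate(lines):
        try:
            hits = classify(json.loads(line))
        except json.JSONDecodeError:
            continue
        if hits:
            results[i] = hits
    return results

# Constructed sample telemetry; the benign last line must produce no hit.
SAMPLE = [
    r'{"type":"network","dst_ip":"203.0.113.9","url":"http://fastdownloads.live/dl/putty.exe"}',
    r'{"type":"process","cmdline":"powershell -c Add-MpPreference -ExclusionPath C:\\Users\\u\\AppData"}',
    r'{"type":"file_create","target":"C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"}',
    r'{"type":"network","dst_ip":"144.172.97.30","url":"http://example.invalid/p"}',
    r'{"type":"network","dst_ip":"203.0.113.10","url":"https://example.com/updates/putty.exe"}',
]
```

Running `hunt(SAMPLE)` flags the first four lines with one behaviour each and leaves the benign download untouched; a real deployment would read Sysmon or EDR events in place of the constructed list.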

Post-infection payloads observed in the wild were predominantly commodity stealers and RATs, especially LummaC2, WebRAT/SalatStealer, QasarRAT, and Raccoon. One report cited sample proportions of LummaC2 at 46%, WebRAT/SalatStealer at 31%, QasarRAT at 15%, and Raccoon at 8%.

Olymp Loader is associated with cybercrime commercialization rather than a specific state actor. It has been promoted across forums including Hackforums, BHF, Lolz Guru, XSS, DarkForums, Niflheim, and Cardforum[.]cc, with Telegram accounts/channels including @OlympService_Support and previously @OlympLoader and @OlympLoader_Support. The project is notable for rapid iteration, modular design, and lowering the barrier for low- and mid-tier cybercriminals to deliver stealers and RATs.


Recent activity

5 sources tracked across advisories, community write-ups, and news.

Outpost24 blog (News), Jan 6, 2026
KrakenLabs Research Highlights 2025: The Shifts That Redefined the Threat Landscape

Loader and crypter malware offered as a commercial service, designed to evade detection and facilitate the delivery of other malicious payloads.

Picus Security blog (News), Nov 25, 2025
Olymp Loader: Emerging Malware-as-a-Service Threat in 2025

Olymp Loader is a Malware-as-a-Service (MaaS) platform that acts as a loader for other malware, a crypter with anti-analysis and anti-detection features, and includes stealer modules for browsers, Telegram, and cryptocurrency wallets. It is marketed as being written entirely in assembly for evasion and is advertised as Fully UnDetectable (FUD). It has evolved from a botnet to a dropper/loader with embedded, encrypted payloads and is used to deliver credential stealers and RATs.

SC World (News), Sep 30, 2025
New malware-as-a-service Olymp Loader shows rapid evolution

Malware-as-a-service loader written in assembly that delivers additional payloads and can include built-in stealer modules (Telegram, browser, and crypto wallet stealing). Uses multiple evasion techniques (e.g., code-cave injection, XOR encryption, Defender exclusions, code signing) and is often disguised as legitimate software.

The Hacker News (News), Sep 29, 2025
⚡ Weekly Recap: Cisco 0-Day, Record DDoS, LockBit 5.0, BMC Bugs, ShadowV2 Botnet & More

Olymp Loader is a malware-as-a-service loader written in assembly, distributed via GitHub and trojanized software, capable of delivering stealers and RATs. It is part of a bundled crimeware suite including a botnet and crypter.
