Donut
Donut is an open-source shellcode generation and in-memory loader framework for Windows payloads. The content describes it as position-independent code that can generate shellcode to load and execute .NET assemblies, PE files, EXEs, DLLs, VBScript, JScript, and other script-based payloads directly from memory, including outputs that execute via PowerShell, JavaScript/JScript, and Ruby. It is used to enable fileless execution, RWX memory allocation, reflective loading, and in-memory .NET assembly execution, and includes a DonutTest subproject for injecting shellcode into target processes.
The framework is explicitly described as patching AMSI, Windows Lockdown Policy (WLDP), and exit-related Native API functions to evade security tooling and avoid process termination. It can also erase in-memory file references to payloads after reflective loading and execution. Multiple reports in the content note Donut shellcode using Chaskey in CTR mode and bootstrapping the CLR by loading mscoree.dll, calling CLRCreateInstance, starting CLR version 4.0.30319, and invoking ExecuteInDefaultAppDomain.
The content shows Donut being used as a loader component across multiple intrusion chains rather than as the final payload itself. Reported examples include: delivery of PureLogs in a ClickFix campaign using malicious PowerShell, fileless execution, and in-memory .NET loading; use in SERPENTINE#CLOUD as the bridge between Python shellcode and .NET RAT payloads such as PureLogs, AsyncRAT, VenomRAT, Violet RAT, DcRat, XWorm, and PureHVNC; deployment by Sophos-tracked Operation Crimson Palace, where Cluster Charlie used Donut shellcode loaders to inject Havoc or Xiebro-related payloads into Windows processes; use in a fake Claude AI campaign where DLL sideloading led to Donut shellcode that loaded the Beagle backdoor; and use in the TencShell intrusion chain, where a disguised .woff resource contained Donut shellcode that reflectively loaded the final implant.
Observed execution and injection contexts in the content include in-memory loading inside RegAsm.exe, explorer.exe Early Bird APC injection, backgroundtaskhost.exe injection, and sideloading chains involving identity_helper.exe and msedge_elf.dll. The content also notes staged-delivery configurations in which Donut incorporates HTTP request/response handling to retrieve additional payloads.
High-confidence associated indicators in the content are campaign-specific rather than intrinsic to Donut itself. Examples directly tied to Donut-enabled chains include canndelta.com and related URLs/IPs in the PureLogs ClickFix campaign; gsenergyspeedtest.com, 141.136.44.219, 64.176.37.107, and 45.77.46.245 in Operation Crimson Palace; license.claude-pro.com and 8.217.190.58 in the Beagle campaign; and gin-tne-fahcesmukw.cn-hangzhou.fcapp.run with IPs 45.64.52.242, 192.238.134.166, and 45.115.38.27 in the TencShell intrusion.
Groups observed using it
7 distinct threat actors attributed by public researchers.
Donut is an open-source position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files, and dotNET assemblies. In this attack, Donut is used to decrypt and execute the Atlantida stealer inside RegAsm.exe process memory.
This decrypted payload is Donut (aka DonutLoader, aka donut_injector) shellcode – an open-source, in-memory loader.
The decrypted shellcode is a Donut loader -- a framework for generating position-independent shellcode from PE files, .NET assemblies, and other executable formats.
We decrypted these and found new malware, including DaveShell and Donut loader, which are two open-source loaders being observed for the first time in Tropic Trooper activity.
"...execute payloads based on Donut and the Covenant post-exploitation framework."
The script launches bb.exe, a "Donut Loader." ... CrazyHunter.sys is an encrypted shellcode made with the donut framework, and the bb.exe file is a loader.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (7 techniques)
APT19 downloaded and launched code within a SCT file; APT32 used COM scriptlets to download Cobalt Strike beacons; APT37 used Ruby scripts to execute payloads; ArcaneDoor included the adversary executing command line interface (CLI) commands.
This research analyzes a ClickFix campaign leveraging the spoofed licensing-themed website canndelta.com to deliver the PureLogs stealer through malicious PowerShell commands.
Inside that file was Donut shellcode, an open-source tool capable of loading Windows payloads directly in memory
AppleSeed has the ability to use JavaScript to execute PowerShell. APT32 has used JavaScript for drive-by downloads and C2 communications. Astaroth uses JavaScript to perform its core functionalities.
execute-assembly_windows.go Run .NET assemblies from memory... 0x2C DLL_LOAD Load DLL payload
Privilege Escalation (1 technique)
Stealth (10 techniques)
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
The dropper then retrieved what appeared to be a standard web font file with a .woff extension, the kind websites routinely use to load custom typefaces. Inside that file was Donut shellcode
The next stage involved retrieving Donut shellcode through a masqueraded .woff resource... By placing malicious content behind a font-looking path or extension, the attacker makes the payload request appear like a routine static web asset.
The attack uses Donut shellcode, fileless execution, RWX memory allocation, and in-memory .NET assembly loading to evade detection.
The sideloaded DLL decrypts the encrypted payload in NOVupdate.exe.dat by reversing it and XORing it with the key... The malware then executes the decrypted shellcode
Atlantida abuses RegAsm.exe to proxy malicious code execution.
They also used anti-analysis methods, which suggests a “codebase continuity rather than a short-lived ‘smash-and-grab’ campaign.”
Bazar has manually loaded ntdll from disk in order to identify and remove API hooks set by security products. Donut can patch AMSI, WLDP, as well as exit-related Native API functions... Turla has used an AMSI bypass, which patches the in-memory amsi.dll.
After patching, Donut loads mscoree.dll, calls CLRCreateInstance to start the .NET CLR (v4.0.30319), and invokes ExecuteInDefaultAppDomain with the target class and method names stored in the instance.
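The CLR bootstrap described in the summary and in the Stealth excerpt above (an RWX allocation, then mscoree.dll and the v4.0.30319 clr.dll loaded into a process that normally never hosts managed code) is a telemetry pattern a defender can correlate. The detection below is an added example, not Mallory's or any vendor's code; its event schema (loosely Sysmon-like, with a constructed mem_alloc event) and the managed-host allow-list are assumptions.

```python
"""Flag processes that bootstrap the .NET CLR the way Donut shellcode does:
an RWX allocation followed by mscoree.dll / clr.dll loading inside a process
that is not a normal managed host. Event schema and allow-list are constructed."""
from collections import defaultdict

# Hypothetical allow-list of processes expected to host the CLR.
MANAGED_HOSTS = {"powershell.exe", "regasm.exe", "msbuild.exe", "devenv.exe"}
CLR_IMAGES = {"mscoree.dll", "clr.dll", "clrjit.dll"}

# Constructed sample telemetry: a benign PowerShell session, an explorer.exe
# that gets an RWX region and then loads the CLR, and an unrelated module load.
EVENTS = [
    {"pid": 4100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "type": "image_load", "module": "C:\\Windows\\System32\\mscoree.dll"},
    {"pid": 2200, "image": "C:\\Windows\\explorer.exe",
     "type": "mem_alloc", "protect": "PAGE_EXECUTE_READWRITE", "size": 0x20000},
    {"pid": 2200, "image": "C:\\Windows\\explorer.exe",
     "type": "image_load", "module": "C:\\Windows\\System32\\mscoree.dll"},
    {"pid": 2200, "image": "C:\\Windows\\explorer.exe",
     "type": "image_load", "module": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll"},
    {"pid": 3300, "image": "C:\\Windows\\System32\\backgroundTaskHost.exe",
     "type": "image_load", "module": "C:\\Windows\\System32\\kernel32.dll"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_clr_injection(events):
    """Return {pid: {"image", "rwx_before_clr", "clr_modules"}} for each suspect.
    Events are assumed to be in chronological order."""
    rwx_seen = defaultdict(bool)
    hits = {}
    for ev in events:
        pid, image = ev["pid"], basename(ev["image"])
        if ev["type"] == "mem_alloc" and ev.get("protect") == "PAGE_EXECUTE_READWRITE":
            rwx_seen[pid] = True          # remember RWX allocation per process
        elif ev["type"] == "image_load":
            mod = basename(ev["module"])
            if mod in CLR_IMAGES and image not in MANAGED_HOSTS:
                h = hits.setdefault(pid, {"image": image, "rwx_before_clr": rwx_seen[pid],
                                          "clr_modules": []})
                h["clr_modules"].append(mod)
    return hits

if __name__ == "__main__":
    for pid, h in find_clr_injection(EVENTS).items():
        print(f"pid {pid} {h['image']}: CLR {h['clr_modules']} rwx_before={h['rwx_before_clr']}")
```

RegAsm.exe legitimately hosts the CLR, so the RegAsm case reported on this page needs a different signal, such as the launching parent process.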
Credential Access (2 techniques)
This is a purpose-built Chromium browser credential stealer... The third stage queries each profile’s Login Data SQLite database... decrypts each password value with the recovered AES key, and writes results to per-browser CSV files.
The stealer embeds a complete SQLite database engine... targets browser user data directories... queries each profile’s Login Data database... decrypts each password value with the recovered AES key.
Discovery (2 techniques)
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Command and Control (3 techniques)
The system profile is sent as a JSON payload via HTTP POST to /api/daemon... Command output is captured and POST-ed back to /api/result, completing the C2 loop.
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
Indicators of Compromise (IOC) list: Domain: https://canndelta.com; http://158.94.208.104/x7GkP2mQ9zL4/my_new_l.bin; http://158.94.208.104/x7GkP2mQ9zL4/my_s.bin
Other (2 techniques)
IOCs tracked for this family
56 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
65 sources tracked across advisories, community write-ups, and news.
Donut is used in this campaign as shellcode to enable fileless execution and in-memory .NET assembly loading, helping evade detection during delivery of the PureLogs stealer.
Donut is an open-source in-memory shellcode loader used in the attack chain to load Windows payloads reflectively into memory without writing them to disk, enabling stealthy execution of TencShell.
An open-source shellcode generation framework used here as an in-memory execution bridge between the staged payload and the final TencShell implant. It generates position-independent shellcode to load Windows payloads directly from memory.
An in-memory loader used in the infection chain to execute the final payload. The campaign reused the same XOR key across different Donut samples throughout the year.