BaoLoader
BaoLoader is malware associated with large-scale fake productivity application campaigns and malvertising activity. It is commonly presented as legitimate software such as PDF editors and other utility applications, distributed via sponsored search results, malicious advertisements, spearphishing links and attachments, and drive-by compromise. Reporting states that BaoLoader dominated observed threat activity during the September 1 to November 30, 2025 period.
Its core behavior includes abusing node.exe to execute malicious JavaScript for reconnaissance, in-memory command execution, and backdoor access. It uses fileless, multi-stage execution chains with built-in tools such as PowerShell, and employs heavy command obfuscation. Persistence commonly includes scheduled tasks designed to appear routine. BaoLoader also routes command-and-control traffic through legitimate cloud services to blend with normal outbound traffic. Related reporting on overlapping TamperedChef/BaoLoader campaigns also describes delayed activation, second-stage payload delivery, and downstream delivery of browser hijackers, adware, remote access trojans, infostealers, and proxy tooling.
A notable operational characteristic is extensive abuse of legitimate code-signing. Multiple sources state BaoLoader operators obtain valid code-signing certificates by registering legitimate businesses or shell companies, including entities in Panama and Malaysia, rather than stealing certificates. Content also links BaoLoader-related certificate activity to a GlobalSign GCC R45 EV CodeSigning CA 2020 sub-CA shared across shell entities in Israel, Ukraine, Panama, Malaysia, Estonia, and the United States. Additional reporting notes some related operators may be moving away from signing in certain cases.
The malware has global victimization with no strong sector-specific targeting reported in the provided content, though one report notes slightly higher volumes in Israel and the United States for overlapping fake-app activity. More broadly, the top targeted sectors during the cited 2025 reporting period were professional, scientific, and technical services, manufacturing, health care, technology, and construction. BaoLoader is also discussed in connection with browser hijacker campaigns, including malware that manipulates browser behavior and settings.
High-confidence infrastructure and indicators mentioned in the content include the domains calendaromatic.com, crystalpdf.com, meetrapidocapp.com, nesefurtherebe.com, onezipapp.com, and visitrapidoc.com, as well as the GlobalSign GCC R45 EV CodeSigning CA 2020 sub-CA serial 77BD0E05B7590BB61D4761531E3F75ED.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth
1 technique
Stealth
Defense Impairment
1 technique
Defense Impairment
TamperedChef-style malware disguises itself as legitimate productivity apps ... distributed through malvertising and signed binaries with delayed activation for stealth. Common TTPs: legitimate code signing ... Operators rotate codebases and certificates frequently — some are moving away from signing entirely to evade tracking.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named loader referenced in relation to AppSuite certificate history; no technical detail is provided in the content beyond the name and association.
Signed malware/loader that uses legitimately obtained code-signing certificates to appear trustworthy, executes malicious JavaScript via node.exe for recon and in-memory command execution, provides backdoor access, and hides C2 traffic via legitimate cloud services.
Modular loader/backdoor associated with trust exploitation at scale, notably by using legitimately obtained code-signing certificates to make payloads appear trustworthy. Common behaviors described include Node.js (node.exe) execution of malicious JavaScript, fileless multi-stage execution, heavy PowerShell/JavaScript obfuscation, scheduled-task persistence, and C2 routed via legitimate cloud services. Distributed via malvertising, spearphishing attachments/links, and compromised websites.
Referenced as a campaign associated with increased volume of browser hijacker analysis; the content does not provide technical behavior details for BaoLoader itself beyond campaign association.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.