MalwareUsed by 1 actor

DoiLoader

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

TA2727

For TA2727, payloads are tailored... Windows typically receives DoiLoader and LummaStealer...

via silentpush blogsilentpush.com

MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1566.002Spearphishing LinkEvidence1

TacticInitial Access

Messages contained URLs leading to a website instructing the recipient to sign a form and click “submit”. Then, the user would be redirected to a ClickFix landing page.

Execution

1 technique

T1204User ExecutionEvidence1

TacticExecution

"Victims are prompted to download and run a fake application..." and "instructions ... urges targets to run an executable file (\"setup.exe\")"

Stealth

1 technique

T1036MasqueradingEvidence1

TacticStealth

"threat actors are exploiting the situation to distribute Remcos RAT ... under the guise of providing a hotfix" and "phishing email impersonating CrowdStrike recruitment"

Collection

1 technique

T1560Archive Collected DataEvidence1

TacticCollection

If the target completed the ClickFix steps as instructed, a command was initiated to download a tar archive and run CastleLoader.

Command and Control

1 technique

T1105Ingress Tool TransferEvidence2

TacticCommand and Control

This macro downloaded a .bin file containing shellcode and executed it

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

silentpush blogNews

Aug 6, 2025

Unmasking SocGholish: Silent Push Untangles the Malware Web behind the “Pioneer of Fake Updates” and Its Operator, TA569

Windows loader referenced as a payload delivered in TA2727 campaigns associated with Keitaro TDS traffic flows discussed alongside SocGholish delivery chains.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping5

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.