D3F@ck Loader
D3F@CK Loader is a malware loader observed as a downstream payload/customer within the TAG-124/KongTuke traffic distribution and initial-access ecosystem. Multiple reports cited in the source material associate D3F@CK Loader with infrastructure or delivery chains linked to TAG-124, KongTuke, LandUpdate808, and Chaya_002, which abuse compromised WordPress sites, injected JavaScript, fake browser update pages, and ClickFix-style social engineering to drive Windows users into executing staged PowerShell or other commands that retrieve second-stage malware. Recorded Future and related reporting explicitly list D3F@CK Loader among the malware operators or customers using this shared distribution infrastructure, alongside Rhysida, Interlock, TA866/Asylum Ambuscade, SocGholish, and TA582. Separate reporting also states that FIN7 used D3F@CK Loader together with Redline Stealer in adult-themed AI-generator lure campaigns. High-confidence details in the provided content establish D3F@CK Loader as a loader used in multi-stage intrusion chains and tied to shared malicious distribution infrastructure, but the content does not provide deeper technical specifics on its internal functionality, persistence, or standalone command-and-control protocol. No malware-specific hashes or unique D3F@CK Loader IOCs are provided in the source material.
Groups observed using it
1 distinct threat actor attributed by public researchers.
…the threat actor behind the malicious TDS also associated with SocGholish and D3F@ck Loader…
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Execution (2 techniques)
Stealth (2 techniques)
The code isn’t very obfuscated, but the author uses base64 encoding at select portions to obscure domains or URLs.
While it’s not the case here, suspicious signing histories sometimes include tightly coupled creation times and signature dates, and they are first seen in the wild within minutes or seconds of these. Further, while the various internal names associated with the binary seem to be masquerading as Microsoft Teams (e.g., MC Teams.exe, etc.), the signer is “Neural Code Technologies Inc.” and not “Microsoft Corporation,” the expected signer for the real Microsoft Teams installer.
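The signer and timing checks described in the excerpt above, as an added triage example (not code from the page or from the cited report). The expected-signer mapping, the ten-minute coupling window and all sample records and timestamps are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Product names whose signed binaries should carry a specific publisher.
# This mapping is an assumption for the example, not from the page.
EXPECTED_SIGNER = {"teams": "Microsoft Corporation"}

# Normal release pipelines leave hours or days between compile, signing and
# public appearance; flag when both gaps fall inside this window (assumed value).
TIGHT_WINDOW = timedelta(minutes=10)

def masquerade_findings(rec):
    """Return the reasons a signed binary looks like brand masquerading."""
    findings = []
    names = " ".join(rec.get(k, "") for k in
                     ("internal_name", "original_filename", "product_name")).lower()
    for brand, signer in EXPECTED_SIGNER.items():
        if brand in names and rec.get("signer") != signer:
            findings.append(f"name suggests {signer} but signer is {rec.get('signer')!r}")
    if rec.get("revoked"):
        findings.append("signing certificate has been revoked since signing")
    compiled, signed, seen = (rec.get(k) for k in ("compile_time", "sign_time", "first_seen"))
    if compiled and signed and seen:
        if (timedelta(0) <= signed - compiled <= TIGHT_WINDOW
                and timedelta(0) <= seen - signed <= TIGHT_WINDOW):
            findings.append("compile, signing and first-seen times are tightly coupled")
    return findings

def triage(records):
    """Findings per record, in input order."""
    return [masquerade_findings(r) for r in records]

# Constructed records (timestamps are made up). The first mirrors the page's
# description: Teams-named binary, non-Microsoft signer, certificate later revoked.
SAMPLES = [
    {"internal_name": "MC Teams.exe", "signer": "Neural Code Technologies Inc.",
     "revoked": True, "compile_time": datetime(2024, 1, 2, 9, 0),
     "sign_time": datetime(2024, 1, 5, 12, 0), "first_seen": datetime(2024, 1, 20, 8, 0)},
    # Hypothetical genuine installer: expected signer, days between each step.
    {"internal_name": "Teams.exe", "signer": "Microsoft Corporation", "revoked": False,
     "compile_time": datetime(2024, 2, 1, 9, 0), "sign_time": datetime(2024, 2, 3, 9, 0),
     "first_seen": datetime(2024, 2, 10, 9, 0)},
    # Hypothetical case with the right signer but compile/sign/seen minutes apart.
    {"internal_name": "Teams.exe", "signer": "Microsoft Corporation", "revoked": False,
     "compile_time": datetime(2024, 3, 1, 10, 0), "sign_time": datetime(2024, 3, 1, 10, 4),
     "first_seen": datetime(2024, 3, 1, 10, 9)},
]

if __name__ == "__main__":
    for rec, why in zip(SAMPLES, triage(SAMPLES)):
        print(rec["internal_name"], rec["signer"], "->", why or "no findings")
```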
Defense Impairment (2 techniques)
The chunk above is a bit of defense evasion code that the loader uses to exclude paths from Windows Defender scanning. In this sample, it produces a command you can see with endpoint telemetry: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
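Detection logic for the Defender-exclusion command shown above, as an added example run over constructed process-creation command lines (not code from the page or from the cited report). The first sample line is the command the excerpt reports; the other lines, the severity policy and the broad-path rule are assumptions for the example.

```python
import re

# Defender cmdlet and its real exclusion parameters; the value may be bare,
# double- or single-quoted (the page's sample nests quotes several levels).
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+"
    r"(?:\"([^\"]*)\"|'([^']*)'|(\S+))", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-WindowStyle\s+hidden", re.IGNORECASE)
RUNAS_RE = re.compile(r"-Verb\s+RunAs", re.IGNORECASE)
# Drive root or whole Users tree: scanning is effectively off for everything
# there. Treating these as high severity is a policy choice for this example.
BROAD_PATH_RE = re.compile(r"^[A-Za-z]:\\?(Users\\?)?$", re.IGNORECASE)

def extract_exclusion(cmdline):
    """Return (parameter, value) for an Add-MpPreference exclusion, else None."""
    m = EXCLUSION_RE.search(cmdline)
    if not m:
        return None
    return m.group(1), (m.group(2) or m.group(3) or m.group(4))

def defender_exclusion_findings(cmdline):
    """Return (severity, reasons) for one process command line, or None."""
    hit = extract_exclusion(cmdline)
    if hit is None:
        return None
    kind, value = hit
    reasons = [f"Defender {kind} exclusion added for {value!r}"]
    broad = kind.lower() == "exclusionpath" and bool(BROAD_PATH_RE.match(value))
    if broad:
        reasons.append("exclusion covers a drive root or the whole Users tree")
    if HIDDEN_RE.search(cmdline):
        reasons.append("child PowerShell launched with a hidden window")
    if RUNAS_RE.search(cmdline):
        reasons.append("elevation requested via -Verb RunAs")
    severity = "high" if broad or len(reasons) >= 3 else "medium"
    return severity, reasons

def scan(cmdlines):
    """List (index, severity, reasons) for every command line that matches."""
    return [(i, *f) for i, c in enumerate(cmdlines)
            if (f := defender_exclusion_findings(c)) is not None]

# Constructed process-creation command lines; the first is the command the page
# reports seeing in endpoint telemetry, the rest are made-up contrast cases.
SAMPLE_CMDLINES = [
    r'''Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"''',
    r'''powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\VendorApp'"''',
    r'''powershell.exe -Command "Get-MpPreference | Select-Object ExclusionPath"''',
    r'''C:\Windows\System32\cmd.exe /c whoami''',
]
```

An administrator adding a single application directory still produces a medium-severity hit, so the output is a triage queue rather than a verdict.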
Despite the issuers’ validation procedures, we routinely detect malware that’s signed with legitimate code-signing certificates... Fortunately, there are many ways to differentiate suspicious or malicious signed binaries from legitimate ones... As you can see in the VirusTotal entry for the malicious binary referenced throughout this blog, the signature verification section now notes that while the file is signed with a valid signature, it has since been revoked.
Command and Control (3 techniques)
It also leveraged the Java Windows app (javaw.exe) to make a network connection to a Pastebin site, which seems suspicious for a legit Microsoft Teams installer:
In the case of Telegram communication, it looks like the code tries to obtain base64 encoded content from an og:description HTML meta tag in a Telegram channel. I presume this would be similar to how some malware uses Steam profiles or other dead-drop techniques. Alongside the Telegram URL is a Pastebin URL that has already been taken down.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
A named loader operator/tool listed among KongTuke customers receiving infections.
Loader family mentioned as another malware served via the TAG-124 traffic distribution system; no additional technical details provided in the content.
Mentioned as malware associated with the KongTuke/TAG-124 ecosystem/infrastructure; no additional functional details provided in the content.
Named as malware associated with the KongTuke/TAG-124 ecosystem (per Recorded Future), indicating overlap with infrastructure used to profile/redirect victims and deliver payloads.