YouieLoader
YouieLoader is malware associated with the North Korean threat actor Moonstone Sleet. Based on the provided content, it functions as an intermediate loader used alongside SplitLoader and is capable of capturing browser information from victim systems. The content also attributes system owner/user discovery functionality to YouieLoader and states that Moonstone Sleet used loader malware such as YouieLoader to create malicious Windows services for execution. In the broader intrusion context described, Moonstone Sleet delivered malware through phishing and trojanized software, staged payloads on adversary-controlled VPS infrastructure, retrieved additional payloads over web protocols, and used persistence and execution mechanisms including Registry Run keys, scheduled tasks, and service creation. The high-confidence details specific to YouieLoader in the content are that it is a Moonstone Sleet-deployed loader malware family, that it captures browser information from victim systems, that it performs user/system owner discovery, and that it is used in service-based execution chains.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Moonstone Sleet deployed malware such as YouieLoader capable of capturing victim system browser information.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
Moonstone Sleet used intermediate loader malware such as YouieLoader and SplitLoader that create malicious services.
Discovery
2 techniques
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Loader malware capable of capturing browser information from victim systems.
Intermediate loader malware that creates malicious Windows services for execution/persistence.
Loader-type malware capable of capturing victim system browser information.
Loader capable of capturing victim system browser information.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.