Ragnar Loader
Ragnar Loader is a malware loader that reporting describes as a command-and-control framework/loader used to provide persistent access and support ransomware operations. It has been mentioned alongside Brute Ratel C4, and reporting states that FIN7, FIN8, and other threat actors use Ragnar Loader for persistence and ransomware-related activity. The provided content does not include further high-confidence technical details on its infection vector, platform-specific behavior, or indicators of compromise.
Groups observed using it
4 distinct threat actors attributed by public researchers.
FIN7, FIN8, and Others Use Ragnar Loader for Persistent Access and Ransomware Operations
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Malware toolkit used for persistent access and to support long-term operations; used by multiple cybercrime/ransomware groups and associated with ransomware operations.
Loader/tooling referenced as part of the actor’s C2/post-compromise stack.