
MonikerLoader

MonikerLoader is a heavily obfuscated, .NET-based loader used by the Check Point-tracked APT cluster “Silver Dragon,” assessed as operating under the China-linked APT41 umbrella. It has been observed in campaigns targeting primarily government entities in Europe and Southeast Asia since at least mid-2024.

MonikerLoader’s primary role in the intrusion chain is to decrypt and execute a second-stage loader directly in memory (reflective/in-memory loading), which then proceeds to load the final payload. In observed cases, the final payload delivered via this chain is a Cobalt Strike beacon (described as cracked variants), with C2 configurations including DNS tunneling, HTTP (including infrastructure fronted by Cloudflare), and SMB for intra-network communications.

Delivery/execution context (as reported): MonikerLoader is dropped via a RAR archive containing a batch script/installer as part of an AppDomain hijacking chain. The archive includes components such as dfsvc.exe.config and a malicious DLL (ServiceMoniker.dll) that redirects execution when dfsvc.exe runs. Execution is triggered by deleting/recreating legitimate services (e.g., DfSvc; also similar abuse of tzsync.exe was noted). MonikerLoader has been described as using a Brainfuck-based string decryption routine, and decrypting the second-stage (e.g., ComponentModel.dll) using an ADD-XOR routine before loading it into memory. Older variants reportedly stored encrypted second-stage data in the Windows Registry under HKLM\Software\Microsoft\Windows.
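The AppDomainManager redirection described above leaves a checkable artifact on disk: the .NET runtime honours an `appDomainManagerAssembly` / `appDomainManagerType` pair in the `<runtime>` section of an application's `.exe.config`, and loads that assembly before the program's own entry point. The script below is an added example, not code from this page or from Check Point's report. It parses `*.exe.config` files for those settings, flags configs sitting beside the host binaries the page names (dfsvc.exe, tzsync.exe), and records whether a DLL matching the referenced assembly's simple name is present beside the config, which is the sideload pattern described for ServiceMoniker.dll. The sample configs, the placeholder type name and the host watchlist are constructed.

```python
"""Scan .NET *.exe.config files for AppDomainManager redirection (ATT&CK T1574.014).

Added example, not from the page or the vendor report. Sample configs and the
host-binary watchlist are constructed from names the page mentions.
"""
from __future__ import annotations

import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path

# Host binaries the page names as abused in this chain (constructed watchlist).
WATCHED_HOSTS = {"dfsvc.exe", "tzsync.exe"}

# Constructed benign config: only tunes the garbage collector, no redirection.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <gcServer enabled="true"/>
  </runtime>
</configuration>
"""

# Constructed config modelled on the dfsvc.exe.config abuse described on the page.
# Assembly name is the page's ServiceMoniker.dll; the type name is a placeholder.
REDIRECTING_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ServiceMoniker, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="PLACEHOLDER_NAMESPACE.PLACEHOLDER_TYPE"/>
  </runtime>
</configuration>
"""


@dataclass
class Finding:
    config_path: str
    host_binary: str              # "dfsvc.exe" for "dfsvc.exe.config"
    manager_assembly: str         # display name from appDomainManagerAssembly
    manager_type: str             # value from appDomainManagerType, may be empty
    sideloaded_dll_present: bool  # "<simple name>.dll" sits beside the config
    watched_host: bool            # host binary is on the constructed watchlist


def extract_appdomain_manager(xml_text: str) -> tuple[str, str] | None:
    """Return (assembly, type) when the config redirects the AppDomainManager, else None.

    Unparseable XML is reported as None: the CLR would not honour it either.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    asm = root.find("./runtime/appDomainManagerAssembly")
    typ = root.find("./runtime/appDomainManagerType")
    if asm is None or not (asm.get("value") or "").strip():
        return None
    type_name = (typ.get("value") or "").strip() if typ is not None else ""
    return (asm.get("value") or "").strip(), type_name


def assess_config(config_path: Path, xml_text: str) -> Finding | None:
    """Build a Finding for one *.exe.config, or None when it does not redirect."""
    hit = extract_appdomain_manager(xml_text)
    if hit is None:
        return None
    assembly, type_name = hit
    name = config_path.name
    host = name[: -len(".config")] if name.lower().endswith(".config") else name
    # The display name's first comma-separated field is the assembly's simple name;
    # the runtime resolves it from the application base directory, so check there.
    simple_name = assembly.split(",", 1)[0].strip()
    dll_path = config_path.parent / f"{simple_name}.dll"
    return Finding(
        config_path=str(config_path),
        host_binary=host,
        manager_assembly=assembly,
        manager_type=type_name,
        sideloaded_dll_present=dll_path.is_file(),
        watched_host=host.lower() in WATCHED_HOSTS,
    )


def scan_directory(root: Path) -> list[Finding]:
    """Walk a tree and return every *.exe.config that redirects the AppDomainManager."""
    findings: list[Finding] = []
    for path in sorted(root.rglob("*.exe.config")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        finding = assess_config(path, text)
        if finding is not None:
            findings.append(finding)
    return findings


def demo() -> list[Finding]:
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "dfsvc.exe.config").write_text(REDIRECTING_CONFIG, encoding="utf-8")
        (base / "ServiceMoniker.dll").write_bytes(b"")  # empty placeholder, not a real DLL
        (base / "other.exe.config").write_text(BENIGN_CONFIG, encoding="utf-8")
        return scan_directory(base)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.config_path}: {f.host_binary} -> {f.manager_assembly} "
              f"(dll beside config: {f.sideloaded_dll_present}, watched host: {f.watched_host})")
```

Run it against a Windows system or ProgramData tree to list every config that redirects the AppDomainManager; a redirecting config beside a Microsoft-signed host binary, with the named DLL sitting next to it, is the combination worth triaging first.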

No standalone network indicators (domains/IPs/hashes) were provided in the supplied content.


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.
APT41

MonikerLoader is a .NET-based loader... Its primary purpose is to decrypt and execute a second-stage loader directly in memory... We identified the final payload as a Cobalt Strike beacon.

via Check Point Research blog (research.checkpoint.com)
Silver Dragon

"The group leverages heavily obfuscated loaders such as MonikerLoader and BamboLoader to decrypt and inject payloads in memory..."

via Security Affairs (securityaffairs.com)
APT17

MonikerLoader is a .NET-based loader... Its primary purpose is to decrypt and execute a second-stage loader directly in memory... We identified the final payload as a Cobalt Strike beacon.

via Check Point Research blog (research.checkpoint.com)
MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1190 Exploit Public-Facing Application (evidence: 2)

"Silver Dragon gains its initial access by exploiting public-facing internet servers..." ... "deployed following the compromise of publicly exposed vulnerable servers."

T1566.001 Spearphishing Attachment (evidence: 1)

"The group gains initial access by exploiting public-facing servers and sending phishing emails with malicious attachments." ... "weaponized LNK attachments."

Execution

4 techniques
T1204.002 Malicious File (evidence: 1)

"The attack chain relies on ... weaponized LNK attachments."

T1569.002 Service Execution (evidence: 1)

“The batch script then deletes and recreates the legitimate DfSvc service to force a new execution of dfsvc.exe…” and “registers the BamboLoader to run as a Windows service…”

T1574.001 DLL (evidence: 1)

"The attack chain relies on ... malicious service DLL deployment"

T1574.014 AppDomainManager (evidence: 1)

“This chain, deployed by abusing AppDomain Hijacking (T1574.014)… dfsvc.exe.config file overwrites the AppDomain entry point, redirecting execution to MonikerLoader.”

Persistence

1 technique
T1543.003 Windows Service (evidence: 2)

"It maintains persistence by hijacking legitimate Windows services" ... "hijack legitimate Windows services for persistence"

Privilege Escalation

2 techniques
T1055 Process Injection (evidence: 1)

"...decrypt and inject payloads in memory" ... "including ... injected processes."

T1543.003 Windows Service (evidence: 2)

"It maintains persistence by hijacking legitimate Windows services" ... "hijack legitimate Windows services for persistence"

Defense Evasion

6 techniques
T1027 Obfuscated Files or Information (evidence: 2)

"The group leverages heavily obfuscated loaders such as MonikerLoader and BamboLoader to decrypt and inject payloads in memory"

T1055 Process Injection (evidence: 1)

"...decrypt and inject payloads in memory" ... "including ... injected processes."

T1140 Deobfuscate/Decode Files or Information (evidence: 2)

"...obfuscated loaders such as MonikerLoader and BamboLoader to decrypt and inject payloads in memory"

T1574.001 DLL (evidence: 1)

"The attack chain relies on ... malicious service DLL deployment"

T1574.014 AppDomainManager (evidence: 1)

“This chain, deployed by abusing AppDomain Hijacking (T1574.014)… dfsvc.exe.config file overwrites the AppDomain entry point, redirecting execution to MonikerLoader.”

T1620 Reflective Code Loading (evidence: 2)

"...MonikerLoader... responsible for decrypting and executing a second-stage directly in memory."

Collection

1 technique
T1560.001 Archive via Utility (evidence: 1)

"...delivered via compressed archives..." ... "RAR archive containing a batch script" ... "*.rar ... *.7z"
