MalwareUsed by 1 actor

BlueLoader

BlueLoader is malware described in the provided reporting as a botnet offering within the broader "Pure*" malware ecosystem associated with the seller/developer name "PureCoder." In the cited Cyble CRIL reporting on a December 14, 2022 spam campaign delivering the PureLogs information stealer and attributed to the threat actor "Alibaba2044," BlueLoader is not the primary payload in that campaign but is referenced as another tool advertised by the same seller. According to the developers, BlueLoader can manage a large number of bots, automatically restart for persistence, launch DDoS attacks, and kill competing bots. A separate mention context also lists BlueLoader alongside PureMiner and PureClipper in late-2025 RAT pivot research. The provided content does not supply a specific infection chain, platform scope, victimology, or indicators of compromise uniquely tied to BlueLoader itself beyond these advertised capabilities and ecosystem associations.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

PureCoder

According to the developers, the BlueLoader botnet can manage a sizable quantity of bots, start up again automatically, launch DDoS attacks, and also possess a bot-eliminating capability.

via cyble comcyble.com

MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Execution

1 technique

T1059.006PythonEvidence1

TacticExecution

TTP MITRE Technique Description Python-Based Infostealer Payload T1059.006 – Command and Scripting Interpreter: Python Core PXA Stealer signature across all known campaigns

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

cyble blogNews

Mar 30, 2026

Professional Networks Under Attack By Infostealer

A loader malware payload added in some campaigns by the same threat actor.

cyble comNews

Dec 27, 2022

Pure Coder Sells Malware On Dark Web Forums

A botnet/loader advertised for managing bots, persistence/restart, DDoS capability, and competing-bot removal.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.