Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareRansomwareUsed by 1 actor

Brushaloader

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
TA544

BrushaLoader is one of a growing group of downloaders frequently employed by threat actors to profile infected PCs and then load more robust payloads on devices of interest.

via proofpoint threat insight blogproofpoint.com
MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001Spearphishing AttachmentEvidence2

To compromise their victims, the attackers behind the Poland-targeted campaign use emails posing as invoices from various companies.

Execution

3 techniques
T1059.001PowerShellEvidence2

The campaign makes use of a combination of PowerShell and VBS scripts widely known as Brushaloader.

T1059.005Visual BasicEvidence2

The campaign makes use of a combination of PowerShell and VBS scripts widely known as Brushaloader.

T1059.007JavaScriptEvidence1

We derived the name for this VisualBasic/JavaScript/PowerShell loader...

Discovery

1 technique
T1082System Information DiscoveryEvidence1

Immediately after executing, BrushaLoader receives a PowerShell script called "PowerEnum". PowerEnum performs extensive fingerprinting on infected devices and sends the data back to the C&C.

Command and Control

3 techniques
T1071Application Layer ProtocolEvidence1

Figure 2: HTTP portion of BrushaLoader delivery and post-infection activity...

T1095Non-Application Layer ProtocolEvidence1

This communication occurs over a raw TCP "parallel" channel to BrushaLoader.

T1105Ingress Tool TransferEvidence1

PowerEnum is also used to send tasks, which were originally stored on Dropbox, and more recently were hosted on Google Drive... The Google Drive link is the payload sent via raw TCP after PowerEnum fingerprinting.

INDICATORS OF COMPROMISE

IOCs tracked for this family

10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
4 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
6 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
domain●●●●●●●●●●●●View more in app7 years ago
domain●●●●●●●●●●●●View more in app7 years ago
hash.sha256●●●●●●●●●●●●View more in app7 years ago
ip.v4●●●●●●●●●●●●View more in app7 years ago
ip.v4●●●●●●●●●●●●View more in app7 years ago
hash.sha256●●●●●●●●●●●●View more in app7 years ago
ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching10

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping8

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.