Saturday, June 14, 2025

ModiLoader Malware Targets Windows Users in New Phishing Attacks

by Charline

A new malware threat known as ModiLoader, also called DBatLoader, is targeting Windows users through phishing campaigns. Security experts warn that this malware is designed to steal login credentials and other sensitive data.

The malware was recently discovered in a series of phishing attacks. It uses a multi-step infection process and eventually installs SnakeKeylogger, a dangerous information-stealing tool built with .NET.

How the Attack Works

Victims are tricked into opening email attachments that appear to come from Turkish banks. These emails, written in Turkish, claim to contain financial transaction records. When users open the attached RAR files, a hidden BAT file runs and installs the malware.

The malware is placed in the system’s temporary folder as an executable file. It uses Base64 encoding to hide its true nature, helping it avoid detection by antivirus software.

Complex Infection Method

Researchers from ASEC identified the campaign in mid-May 2025. They found that the malware uses multiple BAT scripts with names like 5696.cmd, 8641.cmd, and neo.cmd. These scripts help the malware stay active on the system and hide from security tools.

Once installed, ModiLoader launches SnakeKeylogger. This final payload collects system information, keystrokes, clipboard content, and stored login details.

Data Theft and Communication

The stolen information is sent to attackers using various methods, including email, FTP, SMTP, and Telegram. In this campaign, the malware used a Telegram bot token to send data to a remote command-and-control server. This method makes it harder for security systems to detect and block the communication.

Experts warn that the malware can steal newly typed data after infection, including fresh passwords. This makes the threat persistent, even after it’s detected.

Advanced Evasion Techniques

ModiLoader uses advanced tricks to hide from security tools. It copies the legitimate cmd.exe and renames the copy alpha.pif. It also creates look-alike folders such as C:\Windows \SysWOW64, where a trailing space in the directory name makes the path resemble the real system folder and confuses security software.

Another technique involves DLL side-loading. The malware creates a fake program named svchost.pif and places it with a malicious netutils.dll. When run, this combination appears legitimate but performs harmful actions in the background.

The malware also disables system protections. It runs PowerShell, renamed as xkn.pif, to add its hidden folders to Windows Defender's exclusion list, so the antivirus no longer scans those folders.
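As an added example (not code from the article or from ASEC's report), the Python below turns the evasion indicators described above into checks run over constructed Sysmon-style process-creation events. The field names (Image, OriginalFileName, CommandLine) follow Sysmon's schema, the sample paths are made up for the test, and the Defender check assumes the exclusion is added with the standard Add-MpPreference cmdlet, which the article does not name.

```python
import re
from ntpath import basename

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\5696.cmd"'},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\alpha.pif", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'alpha.pif /c "C:\Users\victim\AppData\Local\Temp\neo.cmd"'},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\xkn.pif", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"xkn.pif -Command Add-MpPreference -ExclusionPath 'C:\Users\victim\AppData\Local\Temp'"},
    {"Image": r"C:\Windows \SysWOW64\svchost.pif", "OriginalFileName": "",
     "CommandLine": r"C:\Windows \SysWOW64\svchost.pif"},
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)

def check_event(ev):
    """Return the names of the indicators this event triggers (empty list if none)."""
    hits = []
    image = ev.get("Image", "")
    low = image.lower()
    name = basename(low)
    original = ev.get("OriginalFileName", "").lower()
    # 1. .pif is a legacy DOS shortcut extension; a PE running under it is a renaming trick.
    if name.endswith(".pif"):
        hits.append("pif_executable")
    # 2. A directory component ending in whitespace, e.g. "C:\Windows \SysWOW64".
    if re.search(r"[^\\]\s+\\", image):
        hits.append("whitespace_in_path")
    # 3. PE version info says cmd.exe / powershell.exe but the file carries another name.
    if original in ("cmd.exe", "powershell.exe") and name != original:
        hits.append("renamed_system_binary")
    # 4. A svchost-named binary outside the real system directories (side-loading host).
    if name.startswith("svchost.") and not low.startswith(SYSTEM_DIRS):
        hits.append("svchost_outside_system_dir")
    # 5. A Defender exclusion being added from the command line.
    if DEFENDER_EXCLUSION.search(ev.get("CommandLine", "")):
        hits.append("defender_exclusion_added")
    return hits

def scan_events(events):
    """Return (image basename, hits) for every event that triggers at least one indicator."""
    findings = []
    for ev in events:
        hits = check_event(ev)
        if hits:
            findings.append((basename(ev["Image"]), hits))
    return findings
```

Running scan_events(SAMPLE_EVENTS) flags alpha.pif, xkn.pif and svchost.pif while leaving the genuine cmd.exe and svchost.exe launches alone; the legitimate-looking parent (cmd.exe running 5696.cmd) is not caught by these rules and would need a separate check on script launches from the temporary folder.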

Security Recommendations

Experts recommend that users be cautious with email attachments, especially from unknown sources. Organizations should use advanced security tools that can detect suspicious behavior, not just known malware files.

© 2024 Copyright  proxyserverpro.com