Simply distributing malware is not a viable strategy anymore for criminal actors. To combat the ever increasing defense mechanisms, malicious loaders are used. These loaders are meant to conceal the final payload from the prying eyes of anti-virus and anti-malware scanners. Even though these loaders are used over and over, they are often overlooked.

For this exact reason, as well as the fact that the CyaX-Sharp loader (also known as ReZer0) has interesting capabilities, this research focuses on a loader. Whilst being able to load any type of Windows executable, CyaX-Sharp is most often used to drop stealers. This talk provides insight into the loader’s inner workings, the flaw in its payload decryption routine, and an automatic payload and configuration extraction program. After the more technical segment, information will be given about the found samples, and the observed trends within the data.