Activity of the Taurus Loader Continues to Increase, Delivers Other Malware

The cybercrime gang behind the Taurus Stealer is involved in the development and use of other, lesser-known malware families. One of these is the Taurus Loader. It has been around for over a year, and it continues to be actively updated and distributed. As the name suggests, this Trojan Loader is designed to deploy additional malware onto the systems it compromises. The criminals are working with a wide range of payloads, and they constantly evolve the techniques they use to approach victims. Currently, a major part of Taurus Loader's distribution occurs via fake downloads and cracked software. Users typically reach the malicious, fake cracks and activators via torrents, specialized piracy websites, or even Google search results.

Taurus Loader Spread Through Pirated Software and Games

What is interesting about the fake files is that they work just like regular installers – users might be left under the impression that nothing out of the ordinary has happened. Just a few clicks of the 'Next' button and they will install not only cracked software but also a Trojan Loader in the background. Once the Taurus Loader is deployed, it will run a set of AutoIT scripts, which perform an important task – checking whether the malware is being run in a controlled environment. Taurus Loader will not run if it detects a virtual machine, specific malware analysis tools, or certain antivirus applications.

A large portion of active Taurus Loader infections ended up deploying the Taurus Stealer, but it is possible that the criminals are experimenting with other payloads as well. We advise users to strengthen their protection against malware by using an up-to-date antivirus software suite. In addition, they should stay away from suspicious sites and pages known to host pirated software or games.

July 26, 2021