Beware: JinxLoader Malware Named After Video Game Character

A recently identified malware loader named JinxLoader, written in the Go programming language, is being used by threat actors to deliver follow-on payloads such as Formbook and its successor XLoader. Cybersecurity researchers disclosed the loader and emphasized that the campaigns rely on multi-step attack sequences initiated through phishing.

Researchers highlighted that the malware, paying homage to the League of Legends character Jinx, prominently features the character on its advertising poster and command-and-control login panel. Its primary purpose is to load and deploy additional malware.

JinxLoader Distributed on Dark Web Forums

JinxLoader was initially advertised on hackforums[.]net on April 30, 2023, with pricing options of $60 per month, $120 per year, or a lifetime fee of $200.

The attack campaigns typically commence with phishing emails impersonating the Abu Dhabi National Oil Company (ADNOC). These emails urge recipients to open password-protected RAR archive attachments. Upon opening, the JinxLoader executable is dropped, acting as a gateway for the subsequent deployment of Formbook or XLoader.

This development coincides with the discovery of an increase in infections involving a new loader malware family called Rugmi, designed to spread various information stealers. Additionally, there is a surge in campaigns distributing DarkGate and PikaBot. The threat actor known as TA544 (aka Narwal Spider) is leveraging new variants of loader malware called IDAT Loader to deploy Remcos RAT or SystemBC malware.

Highlighting the thriving market for stealer malware, researchers have identified a new family called Vortex Stealer. This malware is capable of exfiltrating browser data, Discord tokens, Telegram sessions, system information, and files that are less than 2 MB in size.

January 3, 2024