In June 2025, a new Malware-as-a-Service (MaaS) threat called Olymp Loader surfaced, offering cybercriminals a fully modular, assembly-built loader and crypter platform for rapid exploitation. Marketed as Fully Undetectable (FUD), Olymp Loader comes bundled with built-in browser, Telegram, and cryptocurrency wallet stealers, and provides fast feature updates via Telegram. Distributed through developer-oriented channels and poisoned GitHub binaries, the malware frequently acts as a second-stage loader for commodity RATs such as LummaC2, WebRAT, and Amadey.
Olymp Loader’s Defender tampering, modular shellcode, and obfuscation capabilities make it highly adaptable, enabling even unskilled attackers to orchestrate full-scale data theft and system compromise with minimal effort. Its evolution from a botnet concept into a customizable exploitation kit highlights the growing industrialization of cybercrime tools targeting Windows systems worldwide.
Olymp Loader was first promoted in underground forums and Telegram channels by a developer named OLYMPO. Initially built as a botnet framework, it quickly evolved into a loader and crypter kit emphasizing a compact assembly core, modular design, and rapid development cycle.
By August 2025, its operators introduced tiered pricing:
$50 “Classic Stub” – basic loader with Defender bypass and certificate signing
$100 “Custom Shellcode” – personalized payload execution
$200 “Unique Stub” – exclusive loader with unique injection targets
Olymp Loader employs deep XOR obfuscation, LoadPE/code cave injection, automated persistence, and UAC flooding for privilege escalation. The platform supports signed binaries and claims resilience against heuristic and machine-learning detection.
Attackers have abused GitHub-hosted developer binaries to deliver Olymp Loader, which is often used alongside Amadey and LummaC2, suggesting a pay-per-install ecosystem. It integrates a Python/Nuitka toolchain, custom API modules, and functionality for registry data harvesting, multi-monitor screenshots, and data exfiltration.
A major 2025 update replaced centralized botnet control with embedded encrypted payloads, executed after disabling Defender protection. These payloads now bundle browser stealers, Telegram data collectors, and crypto-wallet harvesters, expanding Olymp Loader’s use across financially motivated campaigns.
Harden Endpoints: Block execution from commonly abused directories such as Downloads, AppData, Temp, and Pictures. Enforce least privilege to prevent unauthorized installations.
Behavioral Hunting: Detect repeated use of cmd.exe with timeout, suspicious file replication to AppData/Startup, or PowerShell scripts that persist post-reboot.
Email and Web Security: Deploy advanced filtering, URL rewriting, and sandboxing to block malicious installers and phishing campaigns.
Protect Crypto and Messaging Apps: Enforce strict controls on systems with crypto wallets, developer tools, or Telegram clients. Enable MFA and encrypted key storage.
Certificate Monitoring: Maintain an updated inventory of trusted code-signing certificates and alert on unrecognized or suspicious ones.
Advanced Endpoint Defense: Use NGAV and EDR tools with behavioral and ML-based detection to identify obfuscated or signed malicious binaries.
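The hunting and hardening recommendations above can be turned into concrete detection logic. The following script is an added example, not code from the report or from any vendor product: it runs a handful of rules over constructed, Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) events and flags cmd.exe sleeping with timeout, drops into the Startup folder, PowerShell writing Run keys, execution from the commonly abused user-writable directories, and binaries whose signer is not in the organisation's code-signing inventory. The event fields, host names, paths, and the signer_thumbprint enrichment (assumed to come from an EDR, since Sysmon process events carry no signature) are all assumptions made for the example.

```python
"""Behavioral hunting rules for the Olymp Loader tradecraft described in the
report. All events below are constructed for the example; the signer_thumbprint
field is assumed to be added by an EDR/enrichment pipeline (hypothetical)."""
import re
from collections import Counter
from dataclasses import dataclass

# Directories the report recommends blocking execution from (matched case-insensitively).
ABUSED_DIRS = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\pictures\\")
# Per-user Startup folder suffix; a file landing here runs at next logon.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Hypothetical inventory of trusted code-signing certificate thumbprints.
TRUSTED_SIGNER_THUMBPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

@dataclass
class Event:
    host: str
    event_id: int              # 1 = process create, 11 = file create (Sysmon numbering)
    image: str = ""
    command_line: str = ""
    target_filename: str = ""
    signer_thumbprint: str = ""  # assumed EDR enrichment, empty when unknown/unsigned

def rule_cmd_timeout(ev: Event) -> bool:
    """cmd.exe invoking timeout (e.g. `timeout /t 5 & copy ...`), typical of staged copy/launch chains."""
    return (ev.event_id == 1 and ev.image.lower().endswith("\\cmd.exe")
            and re.search(r"\btimeout(\.exe)?\s+(/t\s+)?\d+", ev.command_line, re.I) is not None)

def rule_startup_drop(ev: Event) -> bool:
    """Any file created inside the user's Startup folder."""
    return ev.event_id == 11 and STARTUP_DIR in ev.target_filename.lower()

def rule_powershell_persistence(ev: Event) -> bool:
    """PowerShell touching Run keys or scheduled tasks, i.e. persistence that survives reboot."""
    if ev.event_id != 1 or not ev.image.lower().endswith("\\powershell.exe"):
        return False
    cl = ev.command_line.lower()
    return "currentversion\\run" in cl or "register-scheduledtask" in cl or "schtasks" in cl

def rule_exec_from_abused_dir(ev: Event) -> bool:
    """Process image located in Downloads, AppData, Temp or Pictures."""
    return ev.event_id == 1 and any(d in ev.image.lower() for d in ABUSED_DIRS)

def rule_untrusted_signer(ev: Event) -> bool:
    """Signed binary whose certificate thumbprint is not in the trusted inventory."""
    return (ev.event_id == 1 and ev.signer_thumbprint != ""
            and ev.signer_thumbprint.upper() not in TRUSTED_SIGNER_THUMBPRINTS)

RULES = {
    "cmd_timeout": rule_cmd_timeout,
    "startup_drop": rule_startup_drop,
    "powershell_persistence": rule_powershell_persistence,
    "exec_from_abused_dir": rule_exec_from_abused_dir,
    "untrusted_signer": rule_untrusted_signer,
}

def hunt(events):
    """Return (rule_name, host, artifact) for every rule hit."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                findings.append((name, ev.host, ev.image or ev.target_filename))
    return findings

def hosts_with_repeated_cmd_timeout(events, threshold: int = 2):
    """Hosts where the cmd.exe+timeout pattern recurs, which is what the report asks hunters to look for."""
    counts = Counter(ev.host for ev in events if rule_cmd_timeout(ev))
    return sorted(h for h, n in counts.items() if n >= threshold)

# Constructed sample telemetry: ws-01 shows the loader-like chain, ws-02 is benign activity.
SAMPLE_EVENTS = [
    Event("ws-01", 1, r"C:\Windows\System32\cmd.exe",
          r'cmd.exe /c timeout /t 5 & copy "C:\Users\alice\Downloads\putty.exe" "C:\Users\alice\AppData\Roaming\svc.exe"'),
    Event("ws-01", 1, r"C:\Windows\System32\cmd.exe",
          r'cmd.exe /c timeout 10 & start "" "C:\Users\alice\AppData\Roaming\svc.exe"'),
    Event("ws-01", 11, target_filename=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"),
    Event("ws-01", 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'powershell.exe -NoProfile -WindowStyle Hidden -Command "Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name svc -Value C:\Users\alice\AppData\Roaming\svc.exe"'),
    Event("ws-01", 1, r"C:\Users\alice\AppData\Local\Temp\build.exe", r"build.exe",
          signer_thumbprint="DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"),  # constructed, not in inventory
    Event("ws-02", 1, r"C:\Windows\System32\svchost.exe", r"svchost.exe -k netsvcs",
          signer_thumbprint="0123456789ABCDEF0123456789ABCDEF01234567"),
    Event("ws-02", 1, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir C:\Projects"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
    print("repeated cmd+timeout on:", hosts_with_repeated_cmd_timeout(SAMPLE_EVENTS))
```

The rules are deliberately narrow and independent so each can be tuned or suppressed on its own; in production the constructed events would be replaced by parsed Sysmon or EDR records, and the "repeated" check would be run per host over a time window rather than over a static list.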
SHA256 Hashes
7bc217f0ee12266d42812af436f494caf599c0705242457a581f64d4eb508904
d36da9c3e5e78aa87bcdcd7fc8d3499d85a60b9dd107bf775d759940fc2f2489
d167a0c6fdba1175b67f10daf4be218b4d8adf2f81280ba5d1510228a4321bca
446c7b9ff49c7c0b8ae02b720054e4f09ef60475c92a5d7f2e2b2bdb4ca5de23
ff1e159c4c6fcb97c9cb1885796fa4557e1afb92c82ada00f24ae994bffd63e4
9464a2a1fb53b3a8c783ee4b55bba69cbb74a841f0d06f0cef86a93d607be5ae
59b143fd884f8450cf5161954ebf38dbd9c951ecdb13de5e1f6aea01a9f92201
URLs
hxxp[:]//fastdownloads[.]live/dl/putty[.]exe
hxxp[:]//jjf[.]life/OpenSSL/build[.]exe
hxxps[:]//jjf[.]life/OpenSSL/ZoomClientSetup[.]exe
hxxps[:]//classic-offensive[.]com/Installer[.]zip
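Indicator lists like the one above are published defanged, so they have to be validated and refanged before they can be loaded into a blocklist or SIEM watchlist. The parser below is an added example, not part of the report: it takes the report's own hashes and URLs as embedded sample input (plus one deliberately malformed hash, constructed to show the validation path), keeps only well-formed SHA256 values, restores hxxp[:]// and [.] to a real URL, and extracts the hostnames for DNS or proxy blocking.

```python
"""Parse a defanged IoC block (SHA256 hashes and hxxp URLs) into a usable form.
Sample input is taken from the report's indicator list, plus one constructed
malformed hash to exercise validation."""
import re
from urllib.parse import urlsplit

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
DEFANGED_URL_RE = re.compile(r"^hxxps?\[:\]//", re.I)

def refang(indicator: str) -> str:
    """Undo the common hxxp / [:] / [.] defanging so the value can be used in a blocklist."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s.replace("[:]", ":").replace("[.]", ".")

def parse_ioc_block(text: str) -> dict:
    """Sort each non-empty line into sha256 / urls / domains; anything else goes to 'unparsed'."""
    result = {"sha256": [], "urls": [], "domains": [], "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SHA256_RE.match(line):
            result["sha256"].append(line.lower())   # normalise case for exact matching
            continue
        if DEFANGED_URL_RE.match(line):
            url = refang(line)
            result["urls"].append(url)
            host = urlsplit(url).hostname
            if host and host not in result["domains"]:
                result["domains"].append(host)
            continue
        result["unparsed"].append(line)              # headers, truncated hashes, etc.
    return result

# Sample input: values from the report, plus a 63-character hash constructed to be invalid.
SAMPLE_IOC_BLOCK = """
SHA256 Hashes
7bc217f0ee12266d42812af436f494caf599c0705242457a581f64d4eb508904
d36da9c3e5e78aa87bcdcd7fc8d3499d85a60b9dd107bf775d759940fc2f2489
d167a0c6fdba1175b67f10daf4be218b4d8adf2f81280ba5d1510228a4321bc
hxxp[:]//fastdownloads[.]live/dl/putty[.]exe
hxxp[:]//jjf[.]life/OpenSSL/build[.]exe
hxxps[:]//jjf[.]life/OpenSSL/ZoomClientSetup[.]exe
hxxps[:]//classic-offensive[.]com/Installer[.]zip
"""

if __name__ == "__main__":
    parsed = parse_ioc_block(SAMPLE_IOC_BLOCK)
    for key, values in parsed.items():
        print(key, values)
```

Lines that fail validation are kept in the unparsed bucket rather than silently dropped, so a truncated hash copied from a report is noticed instead of becoming a watchlist entry that can never match.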
TA0001 Initial Access – T1204, T1204.002 (User Execution, Malicious File)
TA0002 Execution – T1059, T1059.003, T1059.001 (Command and Scripting Interpreter: Windows Command Shell, PowerShell)
TA0003 Persistence – T1547, T1547.001 (Registry Run Keys / Startup Folder)
TA0004 Privilege Escalation – T1548, T1548.002 (UAC Bypass)
TA0005 Defense Evasion – T1036, T1036.005, T1027, T1553, T1553.002, T1562, T1562.001 (Masquerading, Obfuscation, Code Signing, Disable Tools)
TA0006 Credential Access – T1555, T1555.003, T1552, T1552.001 (Credential Theft)
TA0007 Discovery – T1016 (System Network Configuration Discovery)
TA0009 Collection – T1113, T1005 (Screen Capture, Data from Local System)
TA0010 Exfiltration – T1567, T1041 (Exfiltration via Web or C2)
TA0011 Command and Control – T1071, T1071.001 (Web Protocols)