Olymp Loader: Modular Malware Built for Rapid Exploitation

Amber | Attack Report

Summary

In June 2025, a new Malware-as-a-Service (MaaS) threat called Olymp Loader surfaced, offering cybercriminals a fully modular, assembly-built loader and crypter platform for rapid exploitation. Marketed as Fully Undetectable (FUD), Olymp Loader comes bundled with built-in browser, Telegram, and cryptocurrency wallet stealers, and provides fast feature updates via Telegram. Distributed through developer-oriented channels and poisoned GitHub binaries, the malware frequently acts as a second-stage loader for commodity RATs such as LummaC2, WebRAT, and Amadey.

Olymp Loader’s Microsoft Defender tampering, modular shellcode, and obfuscation capabilities make it highly adaptable, enabling even unskilled attackers to orchestrate full-scale data theft and system compromise with minimal effort. Its evolution from a botnet concept into a customizable exploitation kit highlights the growing industrialization of cybercrime tools targeting Windows systems worldwide.

Attack Details

Olymp Loader was first promoted in underground forums and Telegram channels by a developer named OLYMPO. Initially built as a botnet framework, it quickly evolved into a loader and crypter kit emphasizing a compact assembly core, modular design, and rapid development cycle.

By August 2025, its operators introduced tiered pricing:

  • $50 “Classic Stub” – basic loader with Defender bypass and certificate signing

  • $100 “Custom Shellcode” – personalized payload execution

  • $200 “Unique Stub” – exclusive loader with unique injection targets

Olymp Loader employs deep XOR obfuscation, LoadPE/code cave injection, automated persistence, and UAC flooding for privilege escalation. The platform supports signed binaries and claims resilience against heuristic and machine-learning detection.

Attackers have abused GitHub-hosted developer binaries to deliver Olymp Loader, which is often used alongside Amadey and LummaC2, suggesting a pay-per-install ecosystem. It integrates a Python/Nuitka toolchain, custom API modules, and functionality for registry data harvesting, multi-monitor screenshots, and data exfiltration.

A major 2025 update replaced centralized botnet control with embedded encrypted payloads, executed after disabling Defender protection. These payloads now bundle browser stealers, Telegram data collectors, and crypto-wallet harvesters, expanding Olymp Loader’s use across financially motivated campaigns.

Recommendations

  • Harden Endpoints: Block execution from commonly abused directories such as Downloads, AppData, Temp, and Pictures. Enforce least privilege to prevent unauthorized installations.

  • Behavioral Hunting: Detect repeated use of cmd.exe with timeout, suspicious file replication to AppData/Startup, or PowerShell scripts that persist post-reboot.

  • Email and Web Security: Deploy advanced filtering, URL rewriting, and sandboxing to block malicious installers and phishing campaigns.

  • Protect Crypto and Messaging Apps: Enforce strict controls on systems with crypto wallets, developer tools, or Telegram clients. Enable MFA and encrypted key storage.

  • Certificate Monitoring: Maintain an updated inventory of trusted code-signing certificates and alert on unrecognized or suspicious ones.

  • Advanced Endpoint Defense: Use NGAV and EDR tools with behavioral and ML-based detection to identify obfuscated or signed malicious binaries.
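An added hunting example for the behavioral-hunting recommendation above; it is not from the advisory or from Hive Pro. It assumes Sysmon-style process-create (EventID 1) and file-create (EventID 11) records exported as dictionaries, and the sample events are constructed for illustration.

```python
"""Flag two behaviours named in the advisory: repeated cmd.exe 'timeout' spawns
from one parent, and executable/shortcut drops into the per-user Startup folder."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not from a real incident): EventID 1 = process create,
# EventID 11 = file create, in Sysmon-like field names.
EVENTS = [
    {"EventID": 1, "UtcTime": "2025-10-01 09:00:01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\bob\Downloads\putty.exe", "CommandLine": "cmd.exe /c timeout /t 5"},
    {"EventID": 1, "UtcTime": "2025-10-01 09:00:07", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\bob\Downloads\putty.exe", "CommandLine": "cmd.exe /c timeout /t 5"},
    {"EventID": 1, "UtcTime": "2025-10-01 09:00:14", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\bob\Downloads\putty.exe", "CommandLine": "cmd.exe /c timeout /t 5"},
    # A single interactive 'timeout' is normal admin behaviour and must not fire.
    {"EventID": 1, "UtcTime": "2025-10-01 09:30:00", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c timeout /t 2 & dir"},
    {"EventID": 11, "UtcTime": "2025-10-01 09:00:15", "Image": r"C:\Users\bob\AppData\Roaming\svc.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
    {"EventID": 11, "UtcTime": "2025-10-01 09:01:00", "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "TargetFilename": r"C:\Users\bob\Documents\notes.docx"},
]

TIMEOUT_RE = re.compile(r"\btimeout(\.exe)?\b", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
PERSIST_EXT = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def hunt_cmd_timeout_loops(events, threshold=3, window_s=60):
    """Parents that spawned cmd.exe running 'timeout' at least `threshold` times
    inside any `window_s`-second span (a delay/retry loop, not a one-off)."""
    spawns = defaultdict(list)
    for e in events:
        if (e["EventID"] == 1 and e["Image"].lower().endswith("\\cmd.exe")
                and TIMEOUT_RE.search(e["CommandLine"])):
            spawns[e["ParentImage"]].append(_ts(e["UtcTime"]))
    hits = []
    for parent, times in spawns.items():
        times.sort()
        # Sliding window: does the (threshold-1)-th later spawn land within window_s?
        if any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - threshold + 1)):
            hits.append(parent)
    return hits

def hunt_startup_drops(events):
    """(writing process, path) for executable or shortcut files created in the user Startup folder."""
    return [(e["Image"], e["TargetFilename"]) for e in events
            if e["EventID"] == 11 and STARTUP_RE.search(e["TargetFilename"])
            and e["TargetFilename"].lower().endswith(PERSIST_EXT)]
```

Tune `threshold` and `window_s` to the environment's baseline; the one-off `explorer.exe` spawn in the sample shows why a count alone is too noisy.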

Indicators of Compromise (IoCs)

MITRE ATT&CK TTPs

  • TA0001 Initial Access – T1204, T1204.002 (User Execution, Malicious File)

  • TA0002 Execution – T1059, T1059.001, T1059.003 (Command and Scripting Interpreter: PowerShell, Windows Command Shell)

  • TA0003 Persistence – T1547, T1547.001 (Registry Run Keys / Startup Folder)

  • TA0004 Privilege Escalation – T1548, T1548.002 (UAC Bypass)

  • TA0005 Defense Evasion – T1036, T1036.005, T1027, T1553, T1553.002, T1562, T1562.001 (Masquerading, Obfuscation, Code Signing, Disable Tools)

  • TA0006 Credential Access – T1555, T1555.003, T1552, T1552.001 (Credentials from Password Stores: Web Browsers; Unsecured Credentials: Credentials in Files)

  • TA0007 Discovery – T1016 (System Network Configuration Discovery)

  • TA0009 Collection – T1113, T1005 (Screen Capture, Data from Local System)

  • TA0010 Exfiltration – T1567, T1041 (Exfiltration Over Web Service, Exfiltration Over C2 Channel)

  • TA0011 Command and Control – T1071, T1071.001 (Web Protocols)
