APT / THREAT GROUP

DPAPILoader

Aliases: 2
Last seen: Jun 11, 2026

Intelligence Profile

According to Fox-IT, DPAPILoader is a loader implemented as a DLL. It reads an encrypted payload from disk, decrypts it with DPAPI, and loads the result into memory; it persists by registering as a service that starts at boot and looks legitimate. The payload is bound to the victim environment and obfuscated: DPAPI encryption ties decryption to the victim user's DPAPI master keys, and a fixed XOR is applied on top, so the on-disk blob cannot be decrypted on an analyst's machine and gives static analysis nothing to work with. The loader then hands off to a second-stage loader, RemotePELoader, as part of a multi-stage chain designed to minimize on-disk artifacts and maximize stealth. For responders this means the payload is recoverable only in the victim's context: run the decryption on the infected host under the same user account, or offline with that user's DPAPI master key, not in a sandbox.
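The unwrap chain described above, as an added triage helper that is not Fox-IT's or the malware's own code: it recognises a DPAPI blob by its fixed header, calls CryptUnprotectData in the current user's context (Windows only, via ctypes), strips a repeating XOR, and refuses anything that does not come out as a PE image. The page does not give the XOR key or say which layer is outermost, so `ASSUMED_XOR_KEY` and the DPAPI-then-XOR order are assumptions, and the sample PE stub is constructed for the offline demonstration.

```python
"""Triage helper for a DPAPI-bound, XOR-obfuscated loader payload.

Added example for this page; not Fox-IT's or the malware's own code.
Assumptions not stated on the page: DPAPI is the outer layer and the fixed
XOR the inner one, and the key value in ASSUMED_XOR_KEY is hypothetical.
"""
import ctypes
import struct
import sys

# Every DPAPI blob starts with version 1 followed by the DPAPI provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}, both stored little-endian.
DPAPI_BLOB_MAGIC = bytes.fromhex("01000000" "d08c9ddf0115d1118c7a00c04fc297eb")

# Hypothetical single-byte key; the real key is not given on this page.
ASSUMED_XOR_KEY = b"\x5a"


def looks_like_dpapi_blob(data: bytes) -> bool:
    """Cheap on-disk check: does this file carry the DPAPI blob header?"""
    return data.startswith(DPAPI_BLOB_MAGIC)


class _DATA_BLOB(ctypes.Structure):
    _fields_ = [("cbData", ctypes.c_uint32),
                ("pbData", ctypes.POINTER(ctypes.c_char))]


def dpapi_unprotect(blob: bytes) -> bytes:
    """CryptUnprotectData in the calling user's context (Windows only).

    Must run on the infected host as the account that created the blob;
    anywhere else DPAPI has no matching master key and the call fails.
    """
    if sys.platform != "win32":
        raise RuntimeError("DPAPI decryption needs the victim's Windows user context")
    crypt32 = ctypes.windll.crypt32
    kernel32 = ctypes.windll.kernel32
    buf = ctypes.create_string_buffer(blob, len(blob))
    inp = _DATA_BLOB(len(blob), ctypes.cast(buf, ctypes.POINTER(ctypes.c_char)))
    out = _DATA_BLOB()
    ok = crypt32.CryptUnprotectData(ctypes.byref(inp), None, None, None, None, 0,
                                    ctypes.byref(out))
    if not ok:
        raise ctypes.WinError()
    try:
        return ctypes.string_at(out.pbData, out.cbData)
    finally:
        kernel32.LocalFree(out.pbData)


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Strip the fixed XOR layer (XOR is its own inverse, so this also encodes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Validate the result: 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_payload(blob: bytes, xor_key: bytes = ASSUMED_XOR_KEY,
                    unprotect=dpapi_unprotect) -> bytes:
    """Reverse the loader's unwrap chain: DPAPI, then fixed XOR, then PE check."""
    plain = xor_decode(unprotect(blob), xor_key)
    if not looks_like_pe(plain):
        raise ValueError("decoded data is not a PE image: wrong key, wrong user "
                         "context, or a different layer order than assumed")
    return plain


def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped stub, used for the offline demonstration only."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew: NT headers follow the DOS header
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    sample = build_sample_pe()
    # Offline demo: only the XOR layer is applied, and DPAPI is replaced by an
    # identity function because a real blob unwraps only on the victim host.
    wrapped = xor_decode(sample, ASSUMED_XOR_KEY)
    recovered = recover_payload(wrapped, ASSUMED_XOR_KEY, unprotect=lambda b: b)
    print("offline PE round-trip:", recovered == sample)
    if len(sys.argv) > 1:   # path to the real on-disk blob, run on the infected host
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        print("DPAPI blob header present:", looks_like_dpapi_blob(blob))
        with open(sys.argv[1] + ".bin", "wb") as f:
            f.write(recover_payload(blob))
```

Run it with no arguments to see the offline round-trip; run it with the blob's path on the infected host, as the affected user, to write the decoded second stage next to the blob. The PE check is the important guard: a DPAPI call that succeeds under the wrong account, or a wrong XOR key, still returns bytes, and without the `MZ`/`PE` validation an analyst can waste hours on a "decrypted" file that is noise.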

Threat Analysis

DPAPILoader is a malware family (a loader DLL), not a threat actor, despite the APT / Threat Group categorisation used on this page. No attribution to a named group, national origin, or operator motivation is recorded here; the only sourced description is the Fox-IT profile above.

Intelligence Reports Mentioning DPAPILoader

External References

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

DPAPILoader, win.dpapi_loader

External Intelligence

Malpedia: win.dpapi_loader

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
DPAPILoader — APT / Threat Group | Threat Intelligence | CTIWATCH.COM