RomulusLoader
Intelligence Profile
According to Proofpoint, RomulusLoader is a C-based loader whose purpose is to download and execute further payloads from a C2. It includes a custom PE loader, dynamic API resolution, and RC4 encryption for embedded payloads, and it sideloads legitimate components to blend into the environment. It operates in a multi-stage fashion, spawning workers that run in other processes to maintain persistence and facilitate C2 communications. As a first-stage loader, it is used to drop follow-on payloads, including remote-management software, enabling broader remote access capabilities for the operator.
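One piece of the description that an analyst meets directly during triage is the RC4-encrypted embedded payload: once a candidate key has been pulled from the sample (from strings, a decompiled key-setup routine, or a debugger), the next step is to decrypt the blob and confirm that the result really is a PE before treating it as the next stage. The following script is an added example, not Proofpoint's tooling or any code recovered from RomulusLoader itself: the key, the candidate key list, and the "payload" are all constructed here for illustration, and the PE check is deliberately minimal (MZ magic plus an `e_lfanew` that lands on the `PE\0\0` signature).

```python
import struct
from typing import Iterable, Optional, Tuple


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Minimal plausibility check used to tell a correct decryption from garbage:
    'MZ' magic at offset 0 and e_lfanew (offset 0x3C) pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_embedded_payload(blob: bytes,
                             candidate_keys: Iterable[bytes]) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Try each candidate key; return (key, plaintext) for the first one that
    yields a PE-shaped buffer, or (None, None) if none does."""
    for key in candidate_keys:
        plain = rc4_crypt(key, blob)
        if looks_like_pe(plain):
            return key, plain
    return None, None


# --- constructed test data (not from the page or any real sample) -----------
def build_fake_pe_stub() -> bytes:
    """A 0x80-byte stand-in for an embedded PE: MZ header, e_lfanew = 0x40,
    then the PE signature and zero padding. Not loadable, just PE-shaped."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40 bytes of DOS header
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> 0x40
    stub += b"PE\0\0" + b"\x00" * 60
    return bytes(stub)


FAKE_PAYLOAD = build_fake_pe_stub()
SAMPLE_KEY = b"constructed-example-key"         # hypothetical, not a real IoC
ENCRYPTED_BLOB = rc4_crypt(SAMPLE_KEY, FAKE_PAYLOAD)
CANDIDATE_KEYS = [b"wrong-guess-1", b"wrong-guess-2", SAMPLE_KEY]

if __name__ == "__main__":
    key, plain = recover_embedded_payload(ENCRYPTED_BLOB, CANDIDATE_KEYS)
    print("recovered key:", key)
    print("payload is PE-shaped:", plain is not None and looks_like_pe(plain))
```

The `looks_like_pe` gate is what makes key trial practical: RC4 has no integrity check, so a wrong key silently produces noise, and the only way to know a decryption worked is to validate the output against the format the loader is expected to carry. A real triage script would extend that check (section table sanity, a plausible `SizeOfImage`) and then hand the recovered buffer to a sandbox or static analysis rather than executing it.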
Threat Analysis
RomulusLoader is a piece of malware (a first-stage loader), not a threat actor in itself. The operators behind it are of undetermined national origin, and their primary motivation and activity patterns are unknown; their sophistication has not been characterized beyond what the loader's own tradecraft (custom PE loading, dynamic API resolution, RC4-protected payloads, sideloading, and multi-process workers) implies.