APT / THREAT GROUP

RomulusLoader

Aliases: 2
Last seen: Jun 21, 2026

Intelligence Profile

According to Proofpoint, RomulusLoader is a C-based loader whose purpose is to download and execute further payloads from a C2. It includes a custom PE loader, dynamic API resolution, and RC4 encryption for its embedded payloads, and it uses sideloading with legitimate components to blend into the environment. It operates in multiple stages, spawning worker routines that run inside other processes to maintain persistence and handle C2 communications. As a first-stage loader, it drops follow-on payloads, including remote-management software, which gives the operator broader remote access to the host.
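The profile above notes that RomulusLoader keeps its embedded payloads RC4-encrypted. As an added example (this is not RomulusLoader code, nor Proofpoint's), the Python below shows the triage step an analyst performs once the RC4 key has been recovered from the loader's decryption routine: locate the encrypted PE inside the container and decrypt it. It exploits the fact that RC4 keystream depends only on the key, so an encrypted PE always begins with "MZ" XOR the first two keystream bytes. The key `DEMO_KEY`, the filler bytes and the minimal PE stub are constructed for the demo; the page does not describe how the real loader derives its key.

```python
"""Triage helper: locate and decrypt an RC4-encrypted PE embedded in a loader.

Added example; not RomulusLoader code. The key, sample bytes and offsets are
constructed for illustration (a real sample needs the key recovered from the
loader's decryption routine).
"""
import struct


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def looks_like_pe(blob: bytes) -> bool:
    """Minimal PE sanity check: MZ magic, e_lfanew in range, 'PE\\0\\0' there."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_rc4_pe(container: bytes, key: bytes) -> list[int]:
    """Return offsets where RC4-decrypting with `key` yields a valid PE header.

    RC4 keystream depends only on the key, not on where the ciphertext sits in
    the container, so an encrypted PE always starts with 'MZ' XOR keystream[0:2].
    Search for that 2-byte signature, then confirm by decrypting the header.
    """
    ks = rc4_keystream(key, 2)
    sig = bytes([0x4D ^ ks[0], 0x5A ^ ks[1]])  # 'M', 'Z' under the keystream
    hits = []
    pos = container.find(sig)
    while pos != -1:
        # Decrypt only enough to validate the header; a real carve would
        # decrypt to the end of the PE (SizeOfImage / last section end).
        probe = rc4(key, container[pos:pos + 0x400])
        if looks_like_pe(probe):
            hits.append(pos)
        pos = container.find(sig, pos + 1)
    return hits


def build_fake_pe() -> bytes:
    """Constructed, header-only PE-shaped blob for the demo (not a real binary)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> NT headers at 0x80
    nt = b"PE\0\0" + b"\0" * 0x7C
    return bytes(dos) + b"\0" * (0x80 - len(dos)) + nt


# Hypothetical key and constructed container: 64 filler bytes, the RC4-encrypted
# stub, then 64 more filler bytes. A real key comes from reversing the loader.
DEMO_KEY = b"example-key"
DEMO_CONTAINER = b"\x90" * 64 + rc4(DEMO_KEY, build_fake_pe()) + b"\x90" * 64


if __name__ == "__main__":
    for off in carve_rc4_pe(DEMO_CONTAINER, DEMO_KEY):
        print(f"RC4-encrypted PE found at offset 0x{off:x}")
```

The signature search avoids decrypting from every offset: with the key known, one `find` over the container plus a header check per hit is enough, which scales to large droppers. If the loader stored a length or CRC before the blob, a practitioner would extend `carve_rc4_pe` to read that prefix instead of the fixed 0x400-byte probe.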

Threat Analysis

RomulusLoader is malware, not a threat actor: Malpedia tracks it as win.romulus_loader, and the profile above describes it as a first-stage loader. Available reporting does not attribute it to a named operator, a national origin, or a specific motivation; the actors deploying it are undetermined.


Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

RomulusLoader, win.romulus_loader

External Intelligence

Malpedia: win.romulus_loader


Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.