MALWARE FAMILY

RiseLoader

Internal ID: win.riseloader
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

RiseLoader is a new malware loader family first observed in October 2024. It uses a custom TCP-based binary network protocol that is similar to, but distinct from, the one used by the PrivateLoader and RisePro malware families. RiseLoader often drops other malware families, such as Vidar, Lumma Stealer, and XMRig, as secondary payloads. It collects information about installed applications and browser extensions, likely to identify cryptocurrency-related software on the victim machine.

Key technical characteristics of RiseLoader include:

Anti-analysis Techniques: Samples are often packed with VMProtect and obfuscate strings related to malware analysis and debugging tools.

Behavioural Analysis: Creates a mutex with a hardcoded prefix and a randomly generated suffix. Communicates with a C2 server over TCP using a custom protocol whose message types cover tasks such as transferring system information, receiving payloads, and confirming execution. Downloads and executes payloads from URLs supplied by the C2 server. Creates registry keys as infection markers.

Network Communication: Uses a custom TCP-based protocol with message types such as SEND_VICTIM_INFO, SYS_INFO, PAYLOADS, and KEEPALIVE. Message data is XOR-encoded using keys exchanged via a SET_XORKEYS message. The protocol includes a three-way handshake and mechanisms for re-establishing dropped connections.

Similarities to RisePro/PrivateLoader: Shares similar network communication protocols and message structures with RisePro and PrivateLoader, suggesting a potential link between their developers, though RiseLoader's protocol appears simplified. It currently lacks the information-stealing features of RisePro/PrivateLoader but may still be under development.

Threat Analysis

RiseLoader is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

Quick Facts

Type: Malware Family
Aliases: 1

Also Known As

win.riseloader

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.