New Malware Variant Surfaces for BunnyLoader Featuring Modular Attack Functionalities

The team of researchers recently studying cybersecurity has found an upgraded version of BunnyLoader. It’s a kind of malware loader, and stealer that can avoid detection by modularizing its different functionalities.

In a study released last week, Palo Alto Networks Unit 42 stated that "BunnyLoader is dynamically developing malware with the capability to steal information, credentials, and cryptocurrency, as well as deliver additional malware to its victims."

On February 11, 2024, Player (or Player_Bunny), the program's developer, revealed the updated version, BunnyLoader 3.0, which included revised modules for data theft, a smaller payload, and improved keylogging capabilities.

Zscaler ThreatLabz initially reported on BunnyLoader in September 2023, characterizing it as malware-as-a-service (MaaS) intended to obtain passwords and enable cryptocurrency theft. When it first came out, a $250 monthly subscription was available.

Since then, the malware has undergone numerous modifications designed to circumvent antivirus software and enhance its data collection capabilities; by the end of the same month, BunnyLoader 2.0 has been made available.

In addition to adding additional denial-of-service (DoS) capabilities to launch HTTP flood assaults against a target URL, BunnyLoader 3 takes one step further by dividing its stealer, clipper, keylogger, and DoS modules into separate programs.

"Operators of BunnyLoader can choose to deploy these modules or use BunnyLoader's built-in commands to load their choice of malware," revealed Unit 42.

BunnyLoader-delivering infection chains have also grown increasingly complex, using an unreported dropper to loader PureCrypter, which splits into two distinct branches.

The second assault sequence releases BunnyLoader to spread another stealer virus known as Meduza, while one branch starts the PureLogs loader to finally deploy the PureLogs stealer.


"In the ever-changing landscape of MaaS, BunnyLoader continues to evolve, demonstrating the need for threat actors to frequently retool to evade detection," Unit 42 researchers said.

The development coincides with the ongoing deployment of the malware known as SmokeLoader (also known as Dofoil or Sharik) to target the Ukrainian government and financial institutions by a group of alleged Russian cybercriminals known as UAC-006. Since 2011, it has been known to be active.

According to a thorough analysis released by the State Cyber Protection Center (SCPC) of Ukraine, between May and November 2023, up to 23 phishing attack waves containing SmokeLoader were detected.

"Primarily a loader with added information-stealing capabilities, SmokeLoader has been linked to Russian cybercrime operations and is readily available on Russian cybercrime forums," Unit 42 said.

Two new information stealer programs, dubbed Nikki Stealer and GlorySprout, have been added to BunnyLoader and SmokeLoader. GlorySprout is a C++ program that can be downloaded for $300 to gain lifetime access. The stealer is a Taurus Stealer clone, claims “RussianPanda”.

"A notable difference is that GlorySprout, unlike Taurus Stealer, does not download additional DLL dependencies from C2 servers," the researcher said. "Additionally, GlorySprout lacks the Anti-VM feature that is present in Taurus Stealer."

The results also come after a new WhiteSnake Stealer variant has been found, which makes it possible to steal important, sensitive data from affected systems. "This new version has removed the string decryption code and made the code easy to understand," SonicWall stated.