ResiLoader Kills 140+ Security Tools Before Deploying StealC
Malwarebytes documents a new loader that abuses a legitimate driver to terminate EDR processes, then uses process hollowing to inject the StealC infostealer through fake Google and Cloudflare verification pages.
A new .NET NativeAOT loader called ResiLoader drops a legitimate driver, uses it to terminate more than 140 antivirus and EDR processes, then injects the StealC infostealer through process hollowing—all triggered by victims who thought they were completing a CAPTCHA.
Malwarebytes researcher Gabriele Orini documented the campaign, which has been running since late 2025 using fake Google reCAPTCHA screens, spoofed Cloudflare "Verify you're human" pages, bogus Google Meet audio-fix notices, and even a fake QR code generator. All roads lead to the same lure: copy this PowerShell command and paste it into your terminal.
The Infection Chain
The delivery mechanism follows the ClickFix pattern we've covered extensively: social-engineering users into executing commands they don't understand. Victims encounter what appears to be a verification prompt, complete with familiar Google or Cloudflare branding, and the "fix" is to copy a PowerShell one-liner and run it themselves, typically in the Win+R Run dialog or a terminal, where it downloads and executes the payload. Because the user launches the command, the parent process is explorer.exe or a console host, not the browser, which matters for how this chain shows up in telemetry.
In one infection chain Malwarebytes traced, the attack begins with a trojanized version of the legitimate Franz messaging application. The compromised installer downloads ResiLoader, which then orchestrates a multi-stage compromise.
How ResiLoader Disables Security
ResiLoader's first priority is blinding defenders. It drops pcdhost.sys, a signed driver from OPSWAT's AppRemover tool, legitimate software used for uninstalling security products during migrations. Because the driver runs in the kernel, it can terminate processes that user-mode code cannot, including antimalware services that Windows runs as protected processes (PPL), which even an administrator cannot kill with Task Manager or taskkill. Loading a kernel driver requires a high-integrity administrator context, so in practice this step cannot happen before the loader has elevated.
ResiLoader feeds more than 140 process names to the driver, including:
- Major antivirus engines (Windows Defender, Norton, Kaspersky, etc.)
- EDR agents (CrowdStrike, SentinelOne, Carbon Black)
- Forensic and analysis tools
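The following is an added example, not code from the Malwarebytes report, showing how a responder would inventory the kernel drivers on a suspect host and surface the ones worth a closer look. Only the name pcdhost.sys comes from the report; the seven-day window, the "non-Microsoft signer" heuristic and the other thresholds are assumptions for illustration. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the Malwarebytes report): triage kernel drivers on a host.
# pcdhost.sys is from the report; every other name and threshold is an assumption.
$knownAbused = @('pcdhost.sys')            # extend with drivers you have seen abused in BYOVD chains
$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'

function Resolve-DriverPath([string]$pathName) {
    # Win32_SystemDriver.PathName uses NT-style prefixes; turn them into a Win32 path.
    $p = $pathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = $p -replace '^System32\\', ($env:SystemRoot + '\System32\')   # relative form used by some entries
    return $p
}

$findings = foreach ($d in Get-CimInstance Win32_SystemDriver) {
    if (-not $d.PathName) { continue }
    $path = Resolve-DriverPath $d.PathName
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig   = Get-AuthenticodeSignature -FilePath $path
    $name  = [IO.Path]::GetFileName($path).ToLowerInvariant()
    $flags = @()
    if ($knownAbused -contains $name)                           { $flags += 'known-abused driver' }
    if ($sig.Status -ne 'Valid')                                { $flags += "signature $($sig.Status)" }
    # Modern third-party drivers are attestation- or WHQL-signed by Microsoft; a vendor signer stands out.
    if ($sig.SignerCertificate.Subject -notmatch 'Microsoft')   { $flags += 'non-Microsoft signer' }
    if (-not $path.StartsWith($driverDir, 'OrdinalIgnoreCase')) { $flags += 'outside System32\drivers' }
    # A driver file written in the last week is worth a look regardless of who signed it.
    $written = (Get-Item -LiteralPath $path).LastWriteTime
    if ($written -gt (Get-Date).AddDays(-7))                    { $flags += "file written $($written.ToString('u'))" }

    if ($flags) {
        [pscustomobject]@{
            Driver    = $name
            State     = $d.State
            StartMode = $d.StartMode
            Path      = $path
            Signer    = $sig.SignerCertificate.Subject
            Flags     = $flags -join '; '
        }
    }
}

# The Service Control Manager logs every new kernel-mode driver service as System event 7045;
# pair the on-disk view above with the install history for the same window.
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'kernel mode driver' } |
    Select-Object TimeCreated, Message

$findings | Sort-Object Flags | Format-Table -AutoSize -Wrap
$installs | Format-Table -Wrap
```

The signer heuristic produces noise on hosts with older cross-signed OEM drivers, so read the output as a triage list rather than a verdict. A driver that is flagged as both recently written and installed via a 7045 event outside any change window is the combination to chase first.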
Once security software is disabled, ResiLoader executes a UAC bypass through the ICMLuaUtil COM interface, achieving elevated privileges without triggering the familiar Windows consent prompt. This is the long-documented CMSTPLUA auto-elevation abuse: Windows elevates the COM object without prompting at the default UAC level, and the object's ShellExec method then launches whatever the caller asks for. It only works for users who are already local administrators, and setting UAC to "Always notify" defeats it. ResiLoader then establishes persistence via a Run registry key value named "Google Update", a name chosen to blend in with legitimate autostart entries.
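The following is an added example, not code from the Malwarebytes report, that audits the two conditions the elevation and persistence steps above rely on: whether UAC is configured to let auto-elevating COM objects run silently, and whether any Run key autostart points at an unsigned binary, a user-writable directory, or a "Google"-named entry that is not actually signed by Google. The value name "Google Update" is from the report; the list of user-writable directories and the name/signer heuristic are assumptions.

```powershell
# Added example (not from the Malwarebytes report): audit UAC level and Run key persistence.

# (1) UAC level. Auto-elevating COM objects such as CMSTPLUA/ICMLuaUtil elevate silently only when
#     the admin prompt level permits auto-elevation (ConsentPromptBehaviorAdmin 5, the default, or 0).
#     "Always notify" is ConsentPromptBehaviorAdmin=2 with PromptOnSecureDesktop=1.
$uac     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$isAdmin = [Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value -contains 'S-1-5-32-544'  # BUILTIN\Administrators
$uacState = if ($uac.EnableLUA -ne 1) { 'UAC disabled entirely' }
            elseif ($uac.ConsentPromptBehaviorAdmin -in 0, 5) { "ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin): silent auto-elevation allowed" }
            else { "ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin): every elevation prompts" }
"UAC: $uacState; current user in Administrators: $isAdmin"

# (2) Run keys. For each autostart value, resolve the executable and check signature and location.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
# Assumed list of locations a standard user can write to; a persistence target here is a red flag.
$userWritable  = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC, "$env:USERPROFILE\Downloads")
$reservedProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -in $reservedProps) { continue }
        $cmd = [string]$prop.Value
        # Executable = quoted first token, otherwise the first whitespace-delimited token.
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+', 2)[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        $flags = @()
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
            $flags += 'target missing or bare name'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
            foreach ($dir in $userWritable) {
                if ($dir -and $exe.StartsWith($dir, 'OrdinalIgnoreCase')) { $flags += 'user-writable location'; break }
            }
            # The report's disguise: an entry called "Google Update" whose binary is not signed by Google.
            if ($prop.Name -match 'Google' -and $sig.SignerCertificate.Subject -notmatch 'Google') { $flags += 'name/signer mismatch' }
        }
        [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $cmd; Flags = $flags -join '; ' }
    }
}
$entries | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize -Wrap
```

The administrators check looks at group membership in the token rather than the elevated state, because the bypass targets exactly the case of an administrator running at medium integrity. Anything in the Run key output with a non-empty Flags column deserves a look, and an entry that combines "user-writable location" with "name/signer mismatch" matches the disguise described above.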
Process Hollowing and StealC Deployment
With security tools terminated and persistence established, ResiLoader performs process hollowing on ServiceModelReg.exe, a legitimate Microsoft-signed binary that ships with the .NET Framework. The technique creates the process in a suspended state, unmaps or overwrites its image in memory with the malicious payload, points the main thread at the new entry point, then resumes execution. To monitoring tools that survived the initial purge, and to a casual look at Task Manager, the process appears to be a Microsoft-signed executable running from its normal path; the file on disk is untouched, and only the memory contents differ.
The injected payload is StealC, a capable infostealer that harvests browser credentials, cryptocurrency wallets, session cookies, and authentication tokens.
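The following is an added example, not code from the Malwarebytes report, of the check the hollowing description above implies: read the PE headers that are actually mapped at each process's image base and compare the fields a hollowed image cannot preserve (entry point, SizeOfImage, section table) against the same fields in the file the process claims to be running. The P/Invoke declarations, the 4 KiB header read and the field choice are this example's own; nothing here is taken from the loader.

```powershell
# Added example (not from the Malwarebytes report): a lightweight process-hollowing check.
# Classic hollowing writes the payload's PE at the suspended process's original image base, so the
# headers now in memory describe the payload, not the file on disk. Run elevated; protected or
# otherwise inaccessible processes are skipped rather than reported.
Add-Type -Namespace Win32 -Name Mem -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr size, out IntPtr read);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

function Get-PeFingerprint([byte[]]$b) {
    # Parse just enough of a PE header to fingerprint the image. The offsets used here are
    # identical for PE32 and PE32+.
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return $null }     # "MZ"
    $pe = [BitConverter]::ToInt32($b, 0x3C)                                             # e_lfanew
    if ($pe -le 0 -or $pe + 0x58 -gt $b.Length) { return $null }
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { return $null }             # "PE\0\0"
    $nSections = [BitConverter]::ToUInt16($b, $pe + 6)      # COFF NumberOfSections
    $optSize   = [BitConverter]::ToUInt16($b, $pe + 20)     # COFF SizeOfOptionalHeader
    $opt       = $pe + 24                                   # optional header start
    $secTable  = $opt + $optSize                            # section table follows the optional header
    $sections  = for ($i = 0; $i -lt $nSections; $i++) {
        $off = $secTable + 40 * $i
        if ($off + 40 -gt $b.Length) { break }
        $name = [Text.Encoding]::ASCII.GetString($b, $off, 8).TrimEnd([char]0)
        '{0}:{1:x}' -f $name, [BitConverter]::ToUInt32($b, $off + 8)                   # name:VirtualSize
    }
    [pscustomobject]@{
        EntryPoint  = [BitConverter]::ToUInt32($b, $opt + 16)   # AddressOfEntryPoint (RVA)
        SizeOfImage = [BitConverter]::ToUInt32($b, $opt + 56)
        Sections    = ($sections -join ',')
    }
}

$PROCESS_VM_READ = 0x0010; $PROCESS_QUERY_INFORMATION = 0x0400
$hits = foreach ($p in Get-Process) {
    try { $module = $p.MainModule } catch { continue }      # access denied (e.g. PPL) or bitness mismatch
    if (-not $module.FileName) { continue }
    $h = [Win32.Mem]::OpenProcess($PROCESS_VM_READ -bor $PROCESS_QUERY_INFORMATION, $false, $p.Id)
    if ($h -eq [IntPtr]::Zero) { continue }
    try {
        # Headers as mapped in the live process, at the base the process's own PEB reports.
        $mem  = New-Object byte[] 4096
        $read = [IntPtr]::Zero
        if (-not [Win32.Mem]::ReadProcessMemory($h, $module.BaseAddress, $mem, [IntPtr]$mem.Length, [ref]$read)) { continue }
        # Headers of the file the process claims to be.
        $disk = New-Object byte[] 4096
        $fs = [IO.File]::Open($module.FileName, 'Open', 'Read', 'ReadWrite')
        try { [void]$fs.Read($disk, 0, $disk.Length) } finally { $fs.Dispose() }

        $inMem  = Get-PeFingerprint $mem
        $onDisk = Get-PeFingerprint $disk
        if ($inMem -and $onDisk -and ($inMem.EntryPoint -ne $onDisk.EntryPoint -or
                                      $inMem.SizeOfImage -ne $onDisk.SizeOfImage -or
                                      $inMem.Sections -ne $onDisk.Sections)) {
            [pscustomobject]@{
                Pid = $p.Id; Name = $p.ProcessName; Image = $module.FileName
                MemEntry = '0x{0:x}' -f $inMem.EntryPoint;  DiskEntry = '0x{0:x}' -f $onDisk.EntryPoint
                MemSections = $inMem.Sections;              DiskSections = $onDisk.Sections
            }
        }
    } finally { [void][Win32.Mem]::CloseHandle($h) }
}
$hits | Format-Table -AutoSize -Wrap
```

This catches the textbook variant, where the payload's own headers land at the original base. It does not catch a loader that copies the original headers back over the payload, or that wipes the header page, and it cannot see into protected processes at all. The complementary signal is behavioural: a process created with CREATE_SUSPENDED, followed by a remote unmap or allocation at its image base, writes into it, and a thread-context change before resume is the sequence an EDR should alert on.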
Multiple Malware Families
StealC isn't the only payload distributed through this infrastructure. Malwarebytes identified seven distinct malware families delivered via the same fake verification campaign:
- HijackLoader
- StealC
- Remus Stealer
- Amatera Stealer
- CastleLoader
- NetSupport (RAT)
- A Rust-based stealer
The shared infrastructure includes Cloudflare R2 buckets for payload hosting, expired domains that attackers repurchased, and compromised legitimate websites used as redirect points.
Indicators of Compromise
Command & Control:
- completstep[.]com
- popularcard[.]shop
- xzz[.]proxygrid[.]cc
Payload distribution IPs:
- 151.240.151.126
- 85.239.149.16
- 93.152.224.29
File hashes (MD5):
- ResiLoader DLL: 72907d0ca3258365838626f6a8d993a6
- StealC: 0234e3188f2883a438b3f2beab7a78b2
Defensive Recommendations
- Train users on verification scams - no legitimate CAPTCHA or "verify you're human" check ever asks you to press Win+R or paste a command; Google, Cloudflare, and Microsoft do not work that way
- Constrain PowerShell for standard users - the pasted command is launched by the user (typically via the Run dialog, so the parent is explorer.exe), not by the browser, so browser-side controls never see it; AppLocker or WDAC rules and Constrained Language Mode limit what a pasted one-liner can do, script block logging (Event 4104) records it, and the Run dialog can be disabled by policy (NoRun) where users don't need it
- Monitor for suspicious driver loads - Sysmon Event ID 6 (DriverLoad) and System log Event 7045 (new kernel-mode driver service) outside of planned software installations warrant investigation; Microsoft's recommended driver block rules, enforced through WDAC or HVCI, stop known-abused drivers from loading at all
- Detect process hollowing - EDR tools should flag processes whose in-memory image (entry point, section table, code) no longer matches the file they were created from, and the behavioural sequence of a suspended create followed by remote memory writes and a thread-context change
- Restrict and monitor Run key modifications - Sysmon Event ID 13 on the HKCU and HKLM ...\CurrentVersion\Run keys, or a SACL with Event 4657, catches the write; any autostart pointing at an unsigned binary or a user-writable directory warrants investigation
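The following is an added example, not code from the Malwarebytes report, that turns three of the recommendations above into Sysmon hunts: a ClickFix-style launch (shell spawned by explorer.exe with a download cradle on the command line), a kernel driver load with a non-Microsoft or invalid signature, and a Run key write. The field names are Sysmon's; pcdhost.sys and the "Google Update" value name come from the report; the regular expressions and the seven-day window are assumptions. Event ID 13 only appears if your Sysmon configuration includes the Run keys.

```powershell
# Added example (not from the Malwarebytes report): hunt Sysmon telemetry for the ResiLoader
# chain's observable behaviours. Works against the live log; swap -LogName for -Path <file.evtx>
# to run it over an export.

function ConvertFrom-SysmonEvent {
    # Flatten one Sysmon event's <EventData> into an object with one property per field.
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $xml = [xml]$Event.ToXml()
        $d = @{ Id = $Event.Id; Time = $Event.TimeCreated }
        foreach ($field in $xml.Event.EventData.Data) { $d[$field.Name] = $field.'#text' }
        [pscustomobject]$d
    }
}

$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 6, 13; StartTime = $since } -ErrorAction SilentlyContinue |
          ConvertFrom-SysmonEvent

# Rule 1: ClickFix execution. The user launches the pasted command, so the parent is explorer.exe
# (Win+R), never the browser, and the command line carries a download cradle or encoded payload.
$cradle   = 'Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b|DownloadString|DownloadFile|Net\.WebClient|FromBase64String|-enc|EncodedCommand|\biex\b|Invoke-Expression|mshta|https?://'
$clickfix = $events | Where-Object {
    $_.Id -eq 1 -and $_.Image -match '\\(powershell|pwsh|cmd|mshta)\.exe$' -and
    $_.ParentImage -match '\\explorer\.exe$' -and $_.CommandLine -match $cradle
}

# Rule 2: kernel driver load that is not Microsoft-signed, not validly signed, or a known-abused driver.
$drivers = $events | Where-Object {
    $_.Id -eq 6 -and ($_.ImageLoaded -match '\\pcdhost\.sys$' -or
                      $_.Signature -notmatch 'Microsoft' -or $_.SignatureStatus -ne 'Valid')
}

# Rule 3: Run key value set. TargetObject is the key path plus value name, Details the command line,
# Image the process that wrote it. Mark the report's disguise and user-writable targets.
$runKey = $events | Where-Object { $_.Id -eq 13 -and $_.TargetObject -match '\\CurrentVersion\\Run(Once)?\\' } |
    ForEach-Object {
        $_ | Add-Member -NotePropertyName Suspicious -NotePropertyValue (
            ($_.TargetObject -match 'Google Update$') -or ($_.Details -match 'AppData|Temp|ProgramData|Public')) -PassThru
    }

"ClickFix-style launches: $(@($clickfix).Count)"
$clickfix | Select-Object Time, User, ParentImage, Image, CommandLine | Format-Table -Wrap
"Driver loads of interest: $(@($drivers).Count)"
$drivers  | Select-Object Time, ImageLoaded, Signature, SignatureStatus | Format-Table -Wrap
"Run key writes: $(@($runKey).Count)"
$runKey   | Select-Object Time, Suspicious, Image, TargetObject, Details | Format-Table -Wrap
```

Rule 1 is the highest-signal of the three on a workstation fleet: ordinary users almost never launch powershell.exe from the Run dialog with a URL on the command line. Where the three rules fire on the same host within minutes of each other, in that order, you are looking at the full chain described in this article.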
Abusing a legitimate, signed driver to kill security tools is commonly catalogued as bring-your-own-vulnerable-driver (BYOVD), although pcdhost.sys is not being exploited here so much as used for exactly what it was built to do. AppRemover exists so IT administrators can uninstall security products; attackers turned that capability against the products it was meant to manage. The pattern is not new, and ransomware and loader crews have shipped signed drivers for this purpose for years, but it keeps expanding because so much enterprise tooling carries kernel-level process-termination capability by design. Strictly speaking, a dropped driver is not a living-off-the-land binary (LOLBIN), a term reserved for tools already present on the host, but the defensive answer is the same: driver block rules plus monitoring of driver loads.
Related Articles
QuickLens Chrome Extension Steals Crypto via ClickFix
Malicious QuickLens browser add-on combines Google Lens functionality with ClickFix social engineering to drain cryptocurrency wallets through fake CAPTCHA prompts.
Feb 28, 2026

macOS ClickFix Gains Silent DMG Mount to Push AMOS Stealer
Unit 42 uncovers ClickFix campaign using hdiutil -nobrowse to silently mount disk images on macOS. Victims never see the DMG, just Atomic Stealer harvesting credentials.
Jun 23, 2026

Atomic Stealer Pivots to Script Editor After Apple Blocks Terminal
ClickFix attackers bypass macOS 26.4 Terminal paste scanning by using applescript:// URLs to launch Script Editor. Same payload, new delivery vector.
Apr 11, 2026

Vidar Infostealer Spreads via Hacked WordPress Sites
Malwarebytes researchers detected a Vidar infostealer campaign using fake CAPTCHA pages on compromised WordPress sites. ClickFix technique tricks users into running malicious PowerShell.
Mar 28, 2026