{"id":6615,"date":"2025-09-03T10:03:27","date_gmt":"2025-09-03T10:03:27","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/09\/03\/new-tinyloader-malware-attacking-windows-users-via-network-shares-and-fake-shortcuts-files\/"},"modified":"2025-09-03T10:03:27","modified_gmt":"2025-09-03T10:03:27","slug":"new-tinyloader-malware-attacking-windows-users-via-network-shares-and-fake-shortcuts-files","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/09\/03\/new-tinyloader-malware-attacking-windows-users-via-network-shares-and-fake-shortcuts-files\/","title":{"rendered":"New TinyLoader Malware Attacking Windows Users Via Network Shares and Fake Shortcuts Files"},"content":{"rendered":"

New TinyLoader Malware Attacking Windows Users Via Network Shares and Fake Shortcuts Files
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A stealthy new malware loader dubbed TinyLoader has begun proliferating across Windows environments, exploiting network shares and deceptive shortcut files to compromise systems worldwide.<\/p>\n

First detected in late August 2025, TinyLoader installs multiple secondary payloads\u2014most notably RedLine Stealer and DCRat\u2014transforming infected machines into fully weaponized platforms for credential theft, remote access, and cryptocurrency hijacking.<\/p>\n

Analysts have observed rapid escalation in the loader\u2019s deployment, with infections traced to corporate file shares, removable media, and social engineering tactics that entice unsuspecting users to execute malicious binaries.<\/p>\n

While malware loaders are not a novel threat, TinyLoader distinguishes itself through a combination of aggressive lateral movement and sophisticated persistence mechanisms.<\/p>\n

Initial access is frequently achieved via network shares: the loader scans for open SMB resources, replicates itself as an innocuous \u201cUpdate.exe\u201d file, and updates directory timestamps to avoid detection.<\/p>\n

Once executed, it immediately reaches out to predefined command-and-control (C2) servers to download additional modules.<\/p>\n

Hunt.io researchers identified early C2 infrastructure hosted at IP addresses 176.46.152.47 and 176.46.152.46 in Riga, Latvia, with further nodes in the UK and Netherlands, all operated under a single hosting provider to streamline deployment.<\/p>\n

Hunt.io analysts noted that TinyLoader\u2019s interface mirrors modern malware-as-a-service panels, offering threat actors an intuitive web portal for campaign management.<\/p>\n

Examination of the loader\u2019s payload retrieval sequence revealed six hard-coded URLs pointing to malicious binaries\u2014bot.exe and zx.exe among them\u2014which are saved to the Windows temporary directory and executed without user interaction.<\/p>\n

This modular approach allows attackers to rotate payloads and pivot to new tools such as cryptocurrency clipper modules or remote access trojans with minimal redevelopment effort.<\/p>\n

Following the outbreak of infections, security teams scrambled to uncover detection signatures.<\/p>\n

\n
\"\"
TinyLoader command-and-control login panel (Source \u2013 Hunt.io)<\/figcaption><\/figure>\n<\/div>\n

TinyLoader\u2019s login panel carries a consistent HTML title tag:-<\/p>\n

<title>Login - TinyLoader<\/title><\/code><\/pre>\n
This string became a critical indicator for web crawler searches, enabling defenders to enumerate additional C2 panels and preemptively block them.<\/p>\n
\n
\"\"
Hunt.io scan results (Source \u2013 Hunt.io)<\/figcaption><\/figure>\n<\/div>\n
The Hunt.io scan results for suspicious IP address 176.46.152.47 illustrates the initial discovery that triggered further infrastructure mapping.<\/p>\n
Infection Mechanism: Network Share Propagation and Fake Shortcuts<\/strong><\/h2>\n
TinyLoader\u2019s primary infection vector leverages both network file sharing and social engineering via fake Windows shortcuts.<\/p>\n
Upon gaining administrative privileges<\/a>, the loader injects itself into the Windows registry to hijack .txt file associations:-<\/p>\n
Windows Registry Editor Version 5.00\n[HKEY_CLASSES_ROOTtxtfileshellopencommand]\n@=\"\"%SystemRoot%\\System32\\cmd[.]exe\" \/c start \"\" \"C:\\Windows\\System32\\Update.exe\" \"%1\"\"<\/code><\/pre>\n
This modification ensures that any attempt to open a text file silently launches TinyLoader first, before displaying the legitimate document.<\/p>\n
Concurrently, the malware<\/a> scans writable network shares, copying both \u201cUpdate.exe\u201d and malicious shortcut files named \u201cDocuments Backup.lnk.\u201d<\/p>\n
When these shortcuts are double-clicked, they execute TinyLoader while masquerading as a user-friendly backup utility. <\/p>\n
\n
\"\"
Fake desktop shortcut used for social engineering (Source \u2013 Hunt.io)<\/figcaption><\/figure>\n<\/div>\n
While the above mentioned fake desktop shortcut used for social engineering<\/a>, exemplifies this tactic.<\/p>\n
The loader also targets removable media: every USB insertion triggers replication of TinyLoader under enticing names like \u201cPhoto.jpg.exe.\u201d<\/p>\n
An accompanying autorun.inf file guarantees execution on the next host, perpetuating the infection cycle.<\/p>\n
Together, these techniques create a resilient propagation mechanism that spans both local and enterprise networks, making TinyLoader exceptionally difficult to eradicate once established.<\/p>\n
Defenders are urged to monitor registry changes affecting file associations, deploy policies restricting executable creation on network shares, and inspect shortcut files for unusual targets.<\/p>\n
By combining signature-based detection of the \u201cLogin \u2013 TinyLoader\u201d panel with behavioral monitoring<\/a> of autorun activity, security teams can mitigate the rapid spread of this emerging threat.<\/p>\n
Boost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n
The post New TinyLoader Malware Attacking Windows Users Via Network Shares and Fake Shortcuts Files<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
 \t

\n 
<\/BR>
\n    Tushar Subhra Dutta
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n 
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"
New TinyLoader Malware Attacking Windows Users Via Network Shares and Fake Shortcuts Files A stealthy new malware loader dubbed TinyLoader has begun proliferating across Windows environments, exploiting network shares and deceptive shortcut files to compromise systems worldwide. First detected in late August 2025, TinyLoader installs multiple secondary payloads\u2014most notably RedLine Stealer and DCRat\u2014transforming infected machines […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-6615","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6615"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=6615"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6615\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=6615"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=6615"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=6615"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}