Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Kardon Loader Allows Anyone to Build a Distribution Network

The author of a newly discovered malware downloader allows interested parties to set up a botshop and build a malware distribution network, Netscout Arbor reveals.

The author of a newly discovered malware downloader allows interested parties to set up a botshop and build a malware distribution network, Netscout Arbor reveals.

Dubbed Kardon Loader, the downloader started being advertised on underground forums as a paid beta product on April 21, 2018. The actor behind it, using the online handler Yattaze, asks $50 for the malicious program and offers it as a standalone build, with charges for each additional rebuild. He/she also allows customers to set up a botshop and sell access to their own operation.

Downloader malware and botshops are typically used by malware authors and distributors to build networks and create botnets that are then leveraged for the distribution of information stealers, ransomware, banking Trojans, and other threats. These networks are often offered as a service on underground markets.

The newly observed Kardon Loader appears to be a rebrand of the ZeroCool botnet, which was developed by the same actor (who had an account on the forum since April 2017 and received multiple vouches for this product).

The actor, Netscout Arbor reveals, is using a professional looking advertisement for the loader, with its own logo, and provides a disclaimer claiming that the software should not be used maliciously. The developer also published a YouTube video detailing the downloader’s admin panel functionality.

Kardon Loader, the actor claims, has bot functionality, can download/execute/update/uninstall tasks, has debug and analysis protection, supports TOR and Domain Generation Algorithm (DGA), includes usermode rootkit functionality, and RC4 encryption (not yet implemented).

“ASERT found many of these features absent in the samples reviewed. All samples analyzed used hard-coded command and control (C&C) URLs instead of DGA. There was also no evidence of TOR or user mode rootkit functionality in the binaries,” the security firm reveals.

For anti-analysis, the malware downloader attempts to get the module handle for a variety of DLLs associated with antivirus, analysis, and virtualization tools, and exits its process if any of the targeted handles are returned.

Kardon Loader can also enumerate the CPUID Vendor ID value and compare it against values associated with virtual machines (such as Microsoft HV, VMware, and VBox). Should any of them be detected, the malware also exits.

The threat uses a HTTP-based C&C infrastructure and base64 encoded URL parameters. When executed, the malware sends HTTP POSTs to the C&C server, with information such as an identification number, operating system, user privilege, initial payload, computer name, user name, and processor architecture.

Depending on the server response, the malware can download and execute additional payloads, visit a website, upgrade current payloads, or uninstall itself.

The administration panel has a simple design, with a dashboard where bot distribution and install statistics are displayed. A “bot store” feature allows the bot admin to generate access keys for customers, providing them with the ability to execute tasks based on the predefined parameters.

“Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, eg. banking Trojans/credential theft etc. […] Although only in public beta stage this malware features bot store functionality allowing purchasers to open up their own botshop with this platform,” Netscout Arbor concludes.

Related: Microsoft Detects Massive Dofoil Attack

Related: Trojan Downloader Masquerades as Defunct Flash Player for Android

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.