Olymp Loader: A new Malware-as-a-Service written in Assembly
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
Olymp Loader is a Malware-as-a-Service offering advertised on underground forums since June 2025. Developed by a team calling itself OLYMPO, it is written in assembly language and marketed as fully undetectable. The loader executes other malware on victim systems and ships with built-in stealer modules for browsers, Telegram, and crypto wallets. Its developers push feature updates quickly, and cybercriminals have adopted it fast. The project evolved from an initial botnet concept into a loader and crypter. Distribution methods include disguising the loader as legitimate software and using other malware, such as Amadey, for initial access. Post-infection payloads are primarily credential stealers and remote access tools.
OPENCTI LABELS :
stealer,amadey,telegram,loader,evasion techniques,lummac2,malware-as-a-service,crypter,raccoon,assembly,underground forums,qasarrat,webrat,olymp loader
AI COMMENTARY :
1. A new contender has appeared on underground forums and in threat intelligence feeds under the name Olymp Loader. Announced by a group calling itself OLYMPO, this Malware-as-a-Service offering first appeared in June 2025 and has quickly drawn cybercriminals looking for an assembly-based loader. Its advertisements promise full undetectability; that is the seller's claim rather than a verified property, and defenders should read it as a warning that static signatures alone will be unreliable, not as proof that the loader cannot be detected. Its presence on underground forums signals a shift toward more modular and adaptable tooling, placing evasion techniques within reach of even novice attackers.
2. Olymp Loader began as a project conceived as a traditional botnet. Over time the developers recognized the demand for a pure loader and crypter combination and stripped out the botnet functionality in favor of a streamlined delivery tool. Being written in assembly gives the loader a small footprint, no high-level runtime or standard-library artifacts for analysts to fingerprint, and direct control over how it invokes system calls. That buys evasion against signatures built for .NET, Go or C++ compiler output, but not against behavioral detection: the loader still has to write or map a payload, start it, and talk to its operators, and those actions are visible to an EDR regardless of the source language. The low-level codebase also lets OLYMPO integrate new features quickly as they roll out updates.
3. Functionality is at the core of Olymp Loader's appeal. Once executed on a victim's machine, the loader can deploy a variety of payloads: credential stealers (Raccoon is among the families tagged in the report), remote access trojans such as Quasar RAT (tagged "qasarrat" in the report labels), and its own modules for harvesting data from browsers, Telegram Desktop, and crypto wallet software. These built-in stealer modules work alongside the loader's core capabilities, giving attackers a one-stop solution for infiltration and data exfiltration. The crypter routines wrap the delivered payloads to shield them from antivirus engines and sandbox analysis.
4. Distribution relies on social engineering and on other malware. Attackers masquerade the loader as legitimate software or updates, or use secondary malware such as Amadey (and WeBrat, also tagged in the report) to gain initial access and then drop Olymp Loader onto the compromised host. LummaC2, also among the report's labels, is itself an infostealer sold as a service; it belongs with Raccoon among the stealer families associated with this activity rather than among the tools used to orchestrate campaigns.
5. The swift adoption of Olymp Loader highlights the demand for turnkey malware among cybercriminal communities. Its assembly-based architecture and evasion techniques have earned it a reputation as an effective MaaS offering. OLYMPO continues to refine the product, and new stealer targets and obfuscation methods arrive frequently, so defenders should expect variants that no longer match earlier signatures.
6. To counter Olymp Loader and its stealer modules, organizations should implement a layered defense. Endpoint detection and response tools with behavioral analysis can catch loader activity (payload drops and execution, and processes other than the owning application reading browser credential stores, Telegram Desktop session data or wallet files), and network monitoring can flag outbound connections to known LummaC2, Quasar RAT, Raccoon or Amadey infrastructure. Regular patching, user education, and restricting where users can run executables (application control on user-writable directories) remain vital. Continuous threat hunting and consuming Indicators of Compromise from threat intelligence reports such as this one will further bolster defenses against the evolving loader.
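A behavioral check for the stealer-module activity described above, as an added example that is not part of the report or of any vendor product: it runs over a handful of constructed file-access telemetry records and flags any process, other than the owning application, that reads browser credential stores, Telegram Desktop session data or crypto-wallet files, rating a process that sweeps several of those categories in a short window higher than one that touches a single category. The telemetry field names, the artefact paths and the allow-list of legitimate accessor processes are assumptions for the example.

```python
"""
Added example (not from the report): behavioral detection over file-access
telemetry for the artefacts Olymp Loader's stealer modules go after (browser
credential stores, Telegram Desktop session data, crypto-wallet files).
The event schema, artefact paths and legitimate-accessor lists are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Artefact categories, keyed to regexes over the Windows path of the file read.
# Paths follow the usual storage locations of each application (assumed here).
SENSITIVE = {
    "browser_creds": re.compile(
        r"\\(google\\chrome|microsoft\\edge|bravesoftware\\brave-browser)"
        r"\\user data\\.*\\(login data|cookies|web data)$", re.I),
    "telegram_session": re.compile(r"\\telegram desktop\\tdata\\", re.I),
    "crypto_wallet": re.compile(
        r"\\(exodus\\exodus\.wallet|electrum\\wallets|atomic\\local storage)\\", re.I),
}

# Image names that legitimately read each category; anything else is suspect.
LEGIT_ACCESSORS = {
    "browser_creds": {"chrome.exe", "msedge.exe", "brave.exe"},
    "telegram_session": {"telegram.exe"},
    "crypto_wallet": {"exodus.exe", "electrum.exe", "atomic wallet.exe"},
}

# Constructed telemetry, one file-read event per record, in the shape a
# hypothetical EDR export might use. Only updater.exe and helper.exe are suspect.
SAMPLE_EVENTS = [
    {"ts": "2025-07-01T10:00:01", "pid": 4120,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2025-07-01T10:00:05", "pid": 5210,
     "image": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"ts": "2025-07-01T10:01:00", "pid": 6001,
     "image": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\alice\Documents\notes.txt"},
    {"ts": "2025-07-01T10:02:10", "pid": 7788,
     "image": r"C:\Windows\Temp\updater.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2025-07-01T10:02:11", "pid": 7788,
     "image": r"C:\Windows\Temp\updater.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\D877F783D5D3EF8C\maps"},
    {"ts": "2025-07-01T10:02:12", "pid": 7788,
     "image": r"C:\Windows\Temp\updater.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"ts": "2025-07-01T10:05:00", "pid": 9001,
     "image": r"C:\Users\alice\AppData\Local\Temp\helper.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Electrum\wallets\default_wallet"},
]


def classify(path):
    """Return the sensitive-artefact category a path belongs to, or None."""
    for category, pattern in SENSITIVE.items():
        if pattern.search(path):
            return category
    return None


def detect(events, window=timedelta(minutes=5)):
    """Group suspicious reads per process and return one alert per offender.

    A process reading artefacts from two or more categories inside `window`
    (browser creds plus Telegram session plus wallet files is the classic
    stealer sweep) is rated high; a single category is rated medium.
    """
    hits = defaultdict(list)
    for event in events:
        category = classify(event["path"])
        if category is None:
            continue
        image = event["image"].rsplit("\\", 1)[-1].lower()
        if image in LEGIT_ACCESSORS[category]:
            continue  # the owning application reading its own data
        ts = datetime.fromisoformat(event["ts"])
        hits[(event["pid"], image)].append((ts, category, event["path"]))

    alerts = []
    for (pid, image), reads in hits.items():
        reads.sort()
        start = reads[0][0]
        categories = sorted({c for ts, c, _ in reads if ts - start <= window})
        alerts.append({
            "pid": pid,
            "image": image,
            "categories": categories,
            "severity": "high" if len(categories) >= 2 else "medium",
            "paths": [p for _, _, p in reads],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] pid={alert['pid']} {alert['image']} "
              f"touched {', '.join(alert['categories'])}")
```

The allow-list is the part that needs tuning per estate: backup agents, sync clients and browser extensions' helper processes will read some of these paths legitimately, so start in audit mode and add observed benign readers before alerting on the medium tier. The high tier (several categories from one unsigned process in a few seconds) is rarely benign and is the signal to act on first.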