Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY :

Pronsis Loader is a newly identified malware loader that shares a lineage with D3F@ck Loader: both are shipped as JPHP-compiled executables, but Pronsis wraps its installer in NSIS where D3F@ck Loader uses Inno Setup. Observed Pronsis Loader campaigns delivered Lumma Stealer and Latrodectus as follow-on payloads. For defense evasion the loader adds Windows Defender scan exclusions for user directories, and it establishes persistence through scheduled tasks. Infrastructure analysis tied the loader to multiple IP addresses and open directories hosting malicious files, most of them Lumma Stealer variants. The divergence from D3F@ck Loader illustrates how quickly loader tooling is being reworked, and why detection should key on the behaviours (Defender exclusions, scheduled-task persistence) rather than on a single packer or installer.
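The two host-level behaviours named in the summary, Defender exclusions on user directories and scheduled-task persistence, are both cheap to hunt for on a single endpoint. The PowerShell below is an added example written for this page, not tooling from the report or from the OpenCTI instance; it uses only the built-in Defender and ScheduledTasks cmdlets plus the Defender operational event log. The directory patterns it treats as suspicious (user profiles and ProgramData) and the seven-day look-back are assumptions about where a user-land loader would stage itself, not indicators taken from the report.

```powershell
# Added example (not from the report): hunt for Defender exclusions and
# scheduled tasks that point at user-writable directories. Run in an elevated
# PowerShell session on Windows 10/11 or Server 2016+ (needs the Defender and
# ScheduledTasks modules). Patterns below are assumptions, not report IOCs.

# Assumed "user-writable" roots: any profile under \Users plus ProgramData.
$suspiciousRoots = @(
    "$env:SystemDrive\Users*",
    "$env:ProgramData*"
)

function Test-SuspiciousPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Exclusions and task actions often contain %APPDATA% etc., so expand
    # environment variables and strip surrounding quotes before matching.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($pattern in $suspiciousRoots) {
        if ($expanded -like $pattern) { return $true }
    }
    return $false
}

$findings = @()

# 1. Defender path exclusions that cover a user-writable location. A loader
#    that excludes its own drop folder from scanning shows up here.
foreach ($ex in (Get-MpPreference).ExclusionPath) {
    if (Test-SuspiciousPath $ex) {
        $findings += [pscustomobject]@{
            Finding = 'DefenderExclusion'
            Detail  = $ex
            Author  = ''
        }
    }
}

# 2. Scheduled tasks whose action executes a binary or script from those
#    locations. Actions of type MSFT_TaskExecAction expose Execute/Arguments.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.PSObject.Properties['Execute'] -and
            (Test-SuspiciousPath $action.Execute)) {
            $findings += [pscustomobject]@{
                Finding = 'ScheduledTask'
                Detail  = "$($task.TaskPath)$($task.TaskName) -> " +
                          "$($action.Execute) $($action.Arguments)"
                Author  = $task.Author
            }
        }
    }
}

# 3. Defender configuration-change events (ID 5007) from the last 7 days.
#    These record an exclusion being added even if it was later removed,
#    so they survive an attacker cleaning up Get-MpPreference output.
$configChanges = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' }

foreach ($evt in $configChanges) {
    $findings += [pscustomobject]@{
        Finding = 'DefenderConfigChange'
        Detail  = "$($evt.TimeCreated): $(($evt.Message -split "`n")[0])"
        Author  = ''
    }
}

$findings | Format-Table -AutoSize -Wrap
```

The event-log check is the one worth keeping even if the first two come back clean: `Get-MpPreference` only reflects the current state, whereas event 5007 records each change to the Defender configuration, so an exclusion added during staging and removed after payload delivery still leaves a trace. Any hit on a task or exclusion under a user profile should be compared against the user's own software before being treated as a Pronsis Loader artefact, since some legitimate installers do the same thing.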

OPENCTI LABELS :

lumma stealer,latrodectus,d3f@ck loader,pronsis loader,jphp

