Security researchers have started seeing attack campaigns that use a relatively new malware-as-a-service (MaaS) tool called AresLoader. The malicious program appears to be developed and used by several members of a pro-Russia hacktivist group and is typically distributed inside decoy installers for legitimate software.
Security researchers from threat intelligence firm Intel 471 first spotted AresLoader in November when it was advertised by a user with the monikers AiD Lock and DarkBLUP on Telegram and two well-known underground forums. AiD Lock is not a newcomer to malware development and was previously associated with the AiD Locker ransomware-as-a-service (RaaS) program as well as with a group called PHANTOM DEV or DeadXInject Hack.