A recent analysis conducted by the FortiGuard team has uncovered a group of malware droppers known as the “TicTacToe dropper.” These droppers have been active throughout 2023 and are responsible for delivering various final-stage payloads. This analysis reveals their sophisticated techniques and the potential risks they pose.


The TicTacToe dropper is designed to obfuscate final payloads during load and initial execution [3]. It achieves this by utilizing multiple stages of obfuscated payloads that load reflectively in memory. These droppers are commonly distributed through phishing emails as attachments packed inside iso files [2], allowing them to evade antivirus detection. At runtime [2], the droppers extract and load DLL files [2], with each layer of DLL being decoded by the previous layer [2].

FortiGuard researchers have identified a range of final-stage remote access tools (RATs) distributed by these droppers. These include Leonem, AgentTesla [1] [3], SnakeLogger [1] [3], RemLoader [1] [3], Sabsik [1] [3], LokiBot [1] [3], Taskun [1] [3], Androm [1] [3], Upatre [1] [3], and Remcos [1] [3]. The researchers have named this group of payloads the “TicTacToe dropper” due to a common Polish language string. It is important to note that these droppers are continuously evolving and are likely being sold as a service to threat actors.


The TicTacToe dropper poses a significant threat to organizations. To prevent the execution of these payloads [1], it is crucial for organizations to familiarize themselves with the operation of the dropper and implement appropriate preventive measures. By staying informed and proactive, organizations can mitigate the risks associated with the TicTacToe dropper and protect their systems and data from potential harm.


[1] https://www.infosecurity-magazine.com/news/tictactoe-dropper-malware/
[2] https://www.fortinet.com/blog/threat-research/tictactoe-dropper
[3] https://www.cybersecurity-review.com/tictactoe-dropper/