In October and November 2023 [1] [3] [4] [5] [6] [7], the cybersecurity firm ESET observed a significant increase in activity from the Win/TrojanDownloader.Rugmi malware loader. ESET attributes this surge in detections to the availability of ready-made malware solutions [3], which have made it easier for less technically skilled threat actors to distribute a variety of information stealers.


The Rugmi loader consists of three components: a downloader that retrieves an encrypted payload [1] [4] [5], a loader that executes a payload embedded in its own internal resources [1] [4] [5], and another loader that runs a payload stored as an external file on disk [1] [4] [5]. The loader has gained popularity largely because of the wide range of capabilities offered by Lumma Stealer, one of the information stealers it distributes. Other information stealers distributed by the Rugmi loader include Vidar, RecordBreaker [1] [2] [3] [4] [5] [6] [7], and Rescoms [1] [2] [3] [4] [5] [6] [7]. Daily detections of the Rugmi loader rose sharply, from single digits to hundreds [4] [6] [7].


The rise in Rugmi detections illustrates how readily available malware solutions shape the distribution of information stealers: by lowering the barrier to entry for less technically skilled threat actors, they drive an increase in malicious activity. To mitigate the risks posed by such loaders, organizations and individuals should maintain robust security controls and keep current with the latest threat intelligence. The surge in detections is also a reminder that cyber threats keep evolving and that effective countermeasures require continuous effort.