Zscaler ThreatLabz [1] [2] [7], a group of cybersecurity experts, has recently discovered a new threat known as BunnyLoader. This malware-as-a-service (MaaS) loader is actively being developed and poses a challenge for experts due to its fileless execution.


BunnyLoader is a fileless loader malware that is being sold on multiple hacking forums for $250. It offers a range of functionalities, including keylogging [2], clipboard monitoring for cryptocurrency theft [2] [7], and remote command execution capabilities [2] [7]. Since its release in September 2023 [2] [7], BunnyLoader has undergone several iterations [2] [7], with updates addressing bugs and introducing new features [2] [7]. The malware’s core functions are controlled through a command-and-control (C2) panel [7], which oversees tasks such as downloading additional malware [2] [7], keylogging [2] [3] [7], credential theft [2] [7], and remote command execution [2] [3] [7]. To ensure persistence, BunnyLoader makes changes to the Windows Registry and performs sandbox and virtual machine checks before activating its malicious behavior [4]. It also possesses anti-analysis techniques and interacts with C2 servers to evade detection. One notable feature is a clipper module that replaces cryptocurrency addresses in the victim’s clipboard [7]. BunnyLoader targets cryptocurrency wallets and messaging applications [5], and can have severe implications [5], including privacy breaches [5], financial losses [5], compromised security [5], and legal ramifications [5]. Users of BunnyLoader have access to statistics and can manage active tasks [5]. Zscaler’s security researchers are committed to monitoring these attacks and protecting customers from BunnyLoader’s evolving tactics and new features [7]. They have published a detailed report on BunnyLoader to provide further information and guidance.


BunnyLoader is a continuously evolving C/C++-based loader that integrates anti-sandbox and antivirus evasion techniques [6]. Its fileless loading capability makes it difficult for antivirus solutions to detect and remove [6]. Managed through a command-and-control (C2) panel [6] [7], BunnyLoader allows buyers to monitor active tasks [6], infection statistics [5] [6], and control compromised machines [6]. Its advanced capabilities and ability to evade detection pose a significant risk [6], emphasizing the need for organizations to adopt robust cybersecurity measures [6]. Zscaler’s ThreatLabz team will continue to monitor BunnyLoader to protect their customers [2].


[1] https://www.cybersecurity-review.com/news-september-2023/bunnyloader-the-newest-malware-as-a-service/
[2] https://summamoney.com/investing/the-daily/bunnyloader-malware-targets-browsers-and-cryptocurrency/
[3] https://cybersecuritynews.com/bunnyloader-malware-as-a-service/
[4] https://thehackernews.com/2023/10/bunnyloader-new-malware-as-service.html
[5] https://www.pcrisk.com/removal-guides/27955-bunnyloader-malware
[6] https://cybermaterial.com/evolving-threat-of-bunnyloader/
[7] https://www.claytoncountyregister.com/news2/bunnyloader-malware-targets-browsers-and-cryptocurrency/525412/