This article was originally published on ThreatChain — decentralized threat intelligence.
A freshly surfaced sample shows how the OffLoader loader family continues to exploit the pay-per-install ecosystem, arriving with anti-VM tricks, TLS callbacks, and a detection rate that should worry every blue team.
The 4/76 Problem
When a malware sample is flagged by only 4 out of 76 antivirus engines on VirusTotal, it doesn't mean the file is probably clean. It means the adversary is winning the evasion game.
On April 4, 2026, ThreatChain's enrichment pipeline ingested a PE32 executable — 8.4 MB, originating from the United States, compiled with Borland Delphi, and wrapped in an Inno Setup installer. The file carried the family signature OffLoader, a loader-class malware that has become a reliable workhorse in the pay-per-install (PPI) distribution ecosystem. Its delivery method? Dropped by GCleaner, a well-known PPI service that has been feeding commodity malware into consumer and enterprise environments for years.
What makes this sample particularly concerning isn't just its low detection rate. It's the combination of anti-analysis techniques, the multi-stage unpacking chain, and the breadth of secondary payloads it's designed to pull — including stealers, RATs, and browser hijackers. This is a sample worth dissecting.
What Is OffLoader?
OffLoader is a Windows-based loader — a category of malware whose primary purpose is not to steal data or encrypt files itself, but to establish a beachhead on a compromised system and then download, install, and execute additional malicious payloads. Think of it as a logistics operator for the malware supply chain.
OffLoader has been observed in the wild since at least 2024 and is closely associated with the GCleaner PPI network. GCleaner (sometimes stylized as G-Cleaner) masquerades as a system optimization or "junk cleaner" utility. Users download what they think is a legitimate cleanup tool; instead, the installer silently deploys one or more loaders — OffLoader chief among them — which then reach out to command-and-control infrastructure to retrieve the actual revenue-generating payloads.
The business model is straightforward: GCleaner operators get paid per installation. Their clients — the operators of infostealers, banking trojans, RATs, and adware — pay for each fresh victim machine that successfully runs their payload. OffLoader is the bridge between the initial infection and the monetization layer.
Why It Matters Now
The PPI ecosystem has been undergoing a professionalization phase. Loaders like OffLoader, PrivateLoader, SmokeLoader, and BatLoader have evolved from crude droppers into sophisticated, multi-layered delivery platforms with robust anti-analysis capabilities. OffLoader's continued low detection rates suggest active maintenance — someone is updating its packing, obfuscation, and evasion routines to stay ahead of signature-based detection.
Attack Chain Breakdown
Based on the technical data from this sample and known OffLoader behavioral patterns, the infection chain unfolds in several stages:
Stage 1: Social Engineering & Initial Delivery
The user encounters a GCleaner download — typically through SEO-poisoned search results, malvertising, or links on forums advertising "free PC optimization tools." The downloaded file appears to be an ordinary Inno Setup installer, a widely used legitimate installer framework. This is a deliberate choice: Inno Setup installers are common enough that their presence alone doesn't raise alarms.
Stage 2: Installer Execution & Unpacking
When executed, the Inno Setup package runs a multi-layer unpacking chain. UnpacMe analysis of this sample reveals at least three distinct binaries extracted during unpacking:
| Artifact | SHA256 |
|---|---|
| Outer packed binary | 9a5616c779815a0c7724761d62ba7a370a72b246ca17dd5de372f015007f9e8c |
| Unpacked child 1 | 212127c8b772b9aa761b273bd0ffa4c845a77e794393315be8b6db5accc87712 |
| Unpacked child 2 | 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95 |
The outer binary is packed with UPX (confirmed by ANY.RUN tags), and the Delphi-compiled core leverages TLS (Thread Local Storage) callbacks — a well-documented technique where code executes before the main entry point, making debugger attachment and breakpoint-based analysis significantly harder.
Stage 3: Anti-Analysis & Environment Checks
Before proceeding with its payload delivery mission, OffLoader performs environment validation. The YARA rule TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE firing on this sample confirms the presence of anti-VM and anti-sandbox checks. Common techniques in this family include:
- Registry checks for VMware, VirtualBox, and Hyper-V artifacts
- WMI queries for hardware characteristics (CPU core count, RAM size, disk capacity) that indicate virtualized environments
- Timing checks to detect artificial execution acceleration used by sandboxes
- Process enumeration looking for analysis tools (Wireshark, Process Monitor, x64dbg, IDA Pro)
The CP_Script_Inject_Detector YARA hit suggests the sample also contains or deploys script injection capabilities, potentially targeting browser processes or using PowerShell/WScript for post-exploitation activity.
Stage 4: Payload Retrieval & Execution
Once satisfied it's running on a real victim machine, OffLoader contacts its C2 infrastructure to download secondary payloads. The ANY.RUN analysis tags on this sample are revealing — they paint a picture of the types of payloads being distributed through this particular OffLoader instance:
- sainbox — SainBox RAT, a remote access trojan
- celestialrat — CelestialRAT, another RAT family providing full remote control
- stealer — Generic infostealer payload (credential harvesting)
- chromelevator — A browser hijacker/manipulator targeting Chrome
This is consistent with the PPI model: a single loader delivering a cocktail of payloads from different "customers" of the distribution service.
Stage 5: Persistence & Lateral Utility
The shellcode YARA hit indicates that OffLoader may use shellcode injection techniques for process hollowing or injection into legitimate Windows processes, enabling it to persist under the guise of trusted executables. The SHA512_Constants detection suggests the use of cryptographic routines — likely for C2 communication encryption or payload integrity verification.
Indicator of Compromise (IOC) Table
| Indicator Type | Value | Context |
|---|---|---|
| SHA256 | 9a5616c779815a0c7724761d62ba7a370a72b246ca17dd5de372f015007f9e8c | Primary sample (packed) |
| MD5 | 1621a29fbef409ec440f333951030984 | Primary sample |
| SHA1 | 78bfba5c9618a09e0b7b66823bc58021e1549d63 | Primary sample |
| SHA256 | 212127c8b772b9aa761b273bd0ffa4c845a77e794393315be8b6db5accc87712 | Unpacked child binary |
| MD5 | b421b35ebf0e8c5c74840bae4b281663 | Unpacked child binary |
| SHA256 | 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95 | Unpacked child binary |
| MD5 | e4211d6d009757c078a9fac7ff4f03d4 | Unpacked child binary |
| File Type | PE32 executable (GUI) Intel 80386 | Win32 EXE, Delphi/Borland compiled |
| File Size | 8,473,604 bytes (~8.4 MB) | Notably large for a loader — installer overhead |
| YARA | TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE | Anti-VM behavior detected |
| YARA | pe_detect_tls_callbacks | TLS callback anti-debug technique |
| YARA | CP_Script_Inject_Detector | Script injection capability |
| Tags | dropped-by-GCleaner | Distribution vector confirmed |
| VT Detection | 4/76 | Extremely low detection rate at time of analysis |
The GCleaner Connection
GCleaner has been documented by multiple security vendors as a persistent PPI distribution platform. In 2023, researchers at Sekoia published analysis connecting GCleaner to the distribution of multiple loader families, including PrivateLoader and various infostealers. The operation has remained active by continuously rotating its delivery infrastructure and updating its loader payloads.
The dropped-by-GCleaner tag on this sample confirms the distribution chain. For defenders, this is actionable intelligence: if you observe GCleaner activity on your network, you should assume OffLoader (and its downstream payloads) will follow.
Detection Gaps and Why AV Alone Isn't Enough
The 4/76 VirusTotal detection rate is stark but not surprising. Several factors contribute:
Legitimate tooling as camouflage: The use of Inno Setup and Borland Delphi — both widely used in legitimate software — means heuristic engines must tread carefully to avoid false positives.
Active packer rotation: The UPX packing combined with custom Delphi obfuscation creates enough entropy variation to defeat static signatures.
Sandbox evasion: With anti-VM checks defeating automated analysis, many vendor sandboxes may see the sample execute benignly and classify it as clean — which is exactly what the "vxCube: clean" result reflects.
Low prevalence: Newer samples with limited distribution haven't yet generated enough telemetry for ML-based engines to flag them confidently.
Defensive Recommendations
Immediate Actions
- Hunt for the IOCs listed above across your EDR, proxy logs, and file repositories. The unpacked child hashes are particularly valuable since they survive re-packing of the outer layer.
- Block Inno Setup installers from untrusted sources at the email and web gateway level. If your organization doesn't distribute software via Inno Setup, consider alerting on or blocking its execution from user temp directories.
- Monitor for TLS callback abuse: EDR solutions that hook at the thread level should flag executables using TLS callbacks in conjunction with other suspicious behaviors (e.g., immediate network connections, process injection).
Strategic Defenses
- Application whitelisting remains the single most effective control against loader-class malware. If the executable isn't on the approved list, it doesn't run — regardless of how sophisticated its evasion is.
- DNS and network monitoring: OffLoader must call home. Monitor for newly registered domains, connections to IP ranges not associated with your business operations, and unusual HTTP/HTTPS patterns from workstation processes.
- User awareness training focused specifically on "free utility" lures. GCleaner's entire distribution model depends on users voluntarily downloading and executing the initial installer.
- Behavioral detection rules: Write or tune detection logic for the combination of (a) Inno Setup installer execution from a browser download directory, followed by (b) child process spawning, followed by (c) outbound network connections. This behavioral chain is far more durable than hash-based detection.
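One way to express the behavioral chain from the last bullet (download-directory launch, child process, early outbound connection) as correlation logic. This is an added example for this article, not a ThreatChain or vendor rule; the events are constructed in a Sysmon-like shape, and the paths, PIDs and destinations are made up.

```python
from datetime import datetime, timedelta

# Launch locations that should not be the origin of an installer + network chain.
DOWNLOAD_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")
WINDOW = timedelta(seconds=30)

# Constructed, Sysmon-shaped sample events (not telemetry from the analysed sample).
# The is-XXXXX.tmp child mirrors Inno Setup's extraction pattern; names and PIDs are invented.
EVENTS = [
    {"ts": "2026-04-04T10:00:00", "event": "process_create", "pid": 4100, "ppid": 1200,
     "image": r"C:\Users\alice\Downloads\GCleaner_Setup.exe"},
    {"ts": "2026-04-04T10:00:02", "event": "process_create", "pid": 4132, "ppid": 4100,
     "image": r"C:\Users\alice\AppData\Local\Temp\is-K3D1F.tmp\GCleaner_Setup.tmp"},
    {"ts": "2026-04-04T10:00:09", "event": "network_connect", "pid": 4132, "dest": "203.0.113.45:443"},
    # Benign-looking installer: spawns a child but only touches the network minutes later.
    {"ts": "2026-04-04T10:01:00", "event": "process_create", "pid": 5000, "ppid": 1200,
     "image": r"C:\Users\alice\Downloads\7zip-setup.exe"},
    {"ts": "2026-04-04T10:01:01", "event": "process_create", "pid": 5010, "ppid": 5000,
     "image": r"C:\Program Files\7-Zip\7z.exe"},
    {"ts": "2026-04-04T10:05:00", "event": "network_connect", "pid": 5010, "dest": "198.51.100.7:80"},
]


def detect_loader_chain(events, window=WINDOW):
    """Alert when (a) an executable launched from a download/temp directory (b) spawns a
    child and (c) the parent or child opens an outbound connection within `window`."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    alerts = []
    for root in procs.values():
        if not any(d in root["image"].lower() for d in DOWNLOAD_DIRS):
            continue                                   # (a) not a download-dir launch
        children = [p for p in procs.values() if p["ppid"] == root["pid"]]
        if not children:
            continue                                   # (b) no child process spawned
        tree = {root["pid"]} | {c["pid"] for c in children}
        t0 = datetime.fromisoformat(root["ts"])
        for e in events:
            if e["event"] != "network_connect" or e["pid"] not in tree:
                continue
            delay = datetime.fromisoformat(e["ts"]) - t0
            if timedelta(0) <= delay <= window:        # (c) early call-home
                alerts.append({"root": root["image"], "connecting_pid": e["pid"],
                               "dest": e["dest"], "delay_s": int(delay.total_seconds())})
    return alerts
```

The 7-Zip chain is deliberately included to show that the time window, not just the parent/child shape, is what separates the two installers.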
Threat Hunting Queries
If you run Delphi-compiled executable detection in your environment, cross-reference with:
- Executables over 5 MB launched from %TEMP% or %USERPROFILE%\Downloads
- Processes making outbound connections within 30 seconds of launch
- Any process with both UPX sections and TLS directory entries
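The third query, and the TLS callback behaviour described in Stage 2, can be checked statically from the PE headers alone. The following is an added example written for this article (not from ThreatChain, UnpacMe or ANY.RUN) with no third-party dependencies; `build_pe` fabricates a minimal synthetic header for testing, and the offsets follow the documented PE/COFF layout.

```python
import struct

TLS_DIR_INDEX = 9                      # IMAGE_DIRECTORY_ENTRY_TLS in the data directory
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def inspect_pe(data: bytes) -> dict:
    """Read only the PE headers and report UPX section names plus a TLS directory entry.
    A non-zero TLS directory RVA means callbacks may run before the entry point; resolving
    AddressOfCallBacks itself would additionally need RVA-to-file-offset mapping."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    ndirs_off = {0x10B: 92, 0x20B: 108}[magic]               # PE32 vs PE32+ layout
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    tls_rva = 0
    if ndirs > TLS_DIR_INDEX:                                  # directory may be truncated
        tls_rva = struct.unpack_from("<I", data, opt + ndirs_off + 4 + 8 * TLS_DIR_INDEX)[0]
    sec_table = opt + size_opt                                 # 40-byte section headers
    names = [data[sec_table + 40 * i:sec_table + 40 * i + 8].rstrip(b"\0").decode("latin-1")
             for i in range(num_sections)]
    upx = [n for n in names if n in UPX_SECTION_NAMES]
    return {"sections": names, "upx_sections": upx, "has_tls_directory": tls_rva != 0,
            "suspicious": bool(upx) and tls_rva != 0}


def build_pe(section_names, tls_rva=0, pe32plus=False) -> bytes:
    """Build a minimal synthetic PE header (constructed test data, not a real binary)."""
    magic, ndirs_off = (0x20B, 108) if pe32plus else (0x10B, 92)
    dirs = [(0, 0)] * 16
    if tls_rva:
        dirs[TLS_DIR_INDEX] = (tls_rva, 0x18)
    opt = struct.pack("<H", magic).ljust(ndirs_off, b"\0") + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + opt + sections
```

Because only headers are parsed, the check runs on the packed outer binary as-is; a renamed section table defeats the UPX name match, so treat it as a hunt query rather than a verdict.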
The Bigger Picture
OffLoader is not the flashiest malware family in circulation. It won't make front-page news. But that's precisely what makes it effective and what makes families like it dangerous at scale. The PPI ecosystem thrives on volume and stealth: thousands of infections, each one quiet enough to avoid triggering alerts, each one delivering multiple payloads that collectively generate significant criminal revenue.
The professionalization of malware distribution — where the loader, the distribution network, and the final payloads are all operated by different entities — means that stopping any single piece requires understanding the entire chain. OffLoader is one link. GCleaner is another. The RATs, stealers, and browser hijackers delivered downstream are yet more.
For defenders, the takeaway is clear: a sample that barely registers on VirusTotal is not a sample you can ignore. Detection rate is not risk score. Behavioral analysis, network monitoring, and robust endpoint controls remain the best countermeasures against threats that are specifically engineered to defeat signature-based detection.
This sample is being tracked by ThreatChain. Updated IOCs and behavioral signatures will be published as additional analysis becomes available.
Analysis based on ThreatChain enrichment data, ANY.RUN sandbox results, UnpacMe unpacking artifacts, and Spamhaus HBL intelligence. Sample first observed 2026-04-04.