Stealthy TinyLoader Malware Exploits Windows Network Shares

Threat Overview

A stealthy new malware loader dubbed TinyLoader has begun proliferating across Windows environments, exploiting network shares and deceptive shortcut files to compromise systems worldwide. First detected in late August 2025, TinyLoader installs multiple secondary payloads—most notably RedLine Stealer and DCRat—transforming infected machines into fully weaponized platforms for credential theft, remote access, and cryptocurrency hijacking.

Analysts have observed rapid escalation in the loader’s deployment, with infections traced to corporate file shares, removable media, and social engineering tactics that entice unsuspecting users to execute malicious binaries. While malware loaders are not a novel threat, TinyLoader distinguishes itself through a combination of aggressive lateral movement and sophisticated persistence mechanisms.

Initial access is frequently achieved via network shares: the loader scans for open SMB resources, replicates itself as an innocuous “Update.exe” file, and updates directory timestamps to avoid detection. Once executed, it immediately reaches out to predefined command-and-control (C2) servers to download additional modules.

Key Details

  • Threat Report Published by: CyberHunter_NL on 2025-09-03T12:29:16.565Z
  • Initial Detection: Late August 2025
  • Main Payloads: RedLine Stealer, DCRat

Command and Control Infrastructure

Hunt.io researchers identified early C2 infrastructure hosted at IP addresses 176.46.152.47 and 176.46.152.46 in Riga, Latvia, with further nodes in the UK and Netherlands, all operated under a single hosting provider to streamline deployment.

Infection Mechanism: Network Share Propagation and Fake Shortcuts

TinyLoader’s primary infection vector combines network file sharing with social engineering via fake Windows shortcuts. Once it holds administrative privileges, the loader writes a registry value that hijacks the .txt file association, replacing the default handler command with one that launches its own binary:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="\"%SystemRoot%\\System32\\cmd.exe\" /c start \"\" \"C:\\Windows\\System32\\Update.exe\" \"%1\""

This modification ensures that any attempt to open a text file silently launches TinyLoader first, before displaying the legitimate document. Concurrently, the malware scans writable network shares, copying both “Update.exe” and malicious shortcut files named “Documents Backup.lnk.” When these shortcuts are double-clicked, they execute TinyLoader while masquerading as a user-friendly backup utility.
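The file-association hijack above is straightforward to check for in a registry export. The following script is an added example (not code from the article or from Hunt.io): it parses the text of a `reg export` of HKEY_CLASSES_ROOT (decode the UTF-16 export to a string first), reads the default command of each monitored ProgID, and reports any binary the command launches that is not the expected handler. The expected-handler table assumes a stock Windows install where Notepad owns `txtfile`; the two embedded exports are constructed samples, one clean and one carrying the command shown above.

```python
"""Check an exported .reg file for hijacked file-association handlers.

Added example: parses `reg export` text and flags monitored ProgID command
keys whose default value launches anything other than the expected handler.
"""
import re

# Assumption: stock Windows, where .txt is handled by Notepad. Extend per site.
EXPECTED_HANDLERS = {
    r"HKEY_CLASSES_ROOT\txtfile\shell\open\command": {"notepad.exe"},
}

# Basenames of anything in a command line that looks like a launchable binary or script.
LAUNCHED_RE = re.compile(r'([^\\/"\s]+\.(?:exe|bat|cmd|vbs|js|ps1))\b', re.IGNORECASE)

# One "name"="data" line of a .reg file; handles \" and \\ escapes inside the quotes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def unescape_reg_string(s):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes a plain quote."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the quoted REG_SZ values in a
    .reg export. '@' is the key's default value. Other value types (dword:,
    hex:) are ignored, which is enough for shell\\open\\command keys."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape_reg_string(m.group(1)[1:-1])
            keys[current][name] = unescape_reg_string(m.group(2)[1:-1])
    return keys


def find_hijacks(reg_text):
    """Return [(key, command, unexpected_binaries)] for monitored keys whose
    default command launches something outside the expected handler set."""
    exported = parse_reg_export(reg_text)
    findings = []
    for key, expected in EXPECTED_HANDLERS.items():
        command = exported.get(key, {}).get("@")
        if command is None:
            continue
        launched = {b.lower() for b in LAUNCHED_RE.findall(command)}
        unexpected = sorted(launched - expected)
        if unexpected:
            findings.append((key, command, unexpected))
    return findings


# Constructed samples: the stock handler and the hijack described in the article.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="\"%SystemRoot%\\System32\\cmd.exe\" /c start \"\" \"C:\\Windows\\System32\\Update.exe\" \"%1\""
'''

if __name__ == "__main__":
    for key, command, unexpected in find_hijacks(HIJACKED_EXPORT):
        print(f"{key}\n  command:    {command}\n  unexpected: {', '.join(unexpected)}")
```

Because the check keys on which binaries a handler launches rather than on a fixed malicious string, it also catches variants that rename `Update.exe` or route through a different interpreter; the cost is that legitimately customised editors have to be added to `EXPECTED_HANDLERS` before rollout.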

Propagation via Removable Media

The loader also targets removable media: every USB insertion triggers replication of TinyLoader under enticing names like “Photo.jpg.exe.” An accompanying autorun.inf file guarantees execution on the next host, perpetuating the infection cycle. Together, these techniques create a resilient propagation mechanism that spans both local and enterprise networks, making TinyLoader exceptionally difficult to eradicate once established.
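The share and removable-media artefacts described in the two passages above (an executable dropped at the share root, double-extension names like “Photo.jpg.exe”, and an autorun.inf that names a launch command) can be swept for with a small filesystem scan. This is an added example rather than the article’s tooling; the executable-at-root rule is a policy assumption, and the sample share it builds in a temporary directory is constructed, with empty placeholder files standing in for binaries. One caveat worth carrying into any playbook: AutoRun for USB drives has been disabled by default since Windows 7 (and was backported to older releases via KB971029), so an autorun.inf on a key is best treated as an indicator to collect and alert on rather than as a guaranteed execution path.

```python
"""Scan a share or removable-drive root for the propagation artefacts the
article describes. Added example, not the article's or any vendor's code."""
import os
import re
import tempfile

# Policy assumption: no executables belong at the root of a file share.
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1"}
# "Photo.jpg.exe"-style names: a document-looking extension followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(?:jpe?g|png|gif|pdf|docx?|xlsx?|txt)\.(?:exe|scr|com|bat|cmd)$", re.I)


def autorun_launches(path):
    """Return the commands an autorun.inf names: open=, shellexecute= and
    shell\\<verb>\\command= lines, in any section."""
    launches = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if "=" not in line or line.startswith(";"):
                continue
            key, value = line.split("=", 1)
            key = key.strip().lower()
            if key in {"open", "shellexecute"} or key.endswith("\\command"):
                launches.append(value.strip())
    return launches


def scan_root(root):
    """Walk `root` and return sorted (kind, full_path, detail) findings."""
    root = os.path.abspath(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            low = name.lower()
            if low == "autorun.inf":
                for cmd in autorun_launches(full):
                    findings.append(("autorun-launch", full, cmd))
            elif DOUBLE_EXT.search(name):
                findings.append(("double-extension", full, name))
            elif dirpath == root and os.path.splitext(low)[1] in EXEC_EXT:
                findings.append(("root-executable", full, name))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample share: two clean documents plus the three artefacts
    named in the article. The .exe entries are empty placeholder files."""
    os.makedirs(os.path.join(base, "Reports"))
    samples = {
        "Reports/Q3.txt": "quarterly notes\n",
        "readme.txt": "share policy\n",
        "Update.exe": "",
        "Photo.jpg.exe": "",
        "autorun.inf": "[autorun]\nopen=Photo.jpg.exe\nicon=Photo.jpg.exe\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(base, rel), "w") as fh:
            fh.write(content)
    return base


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings
    with paths reduced to basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_root(build_sample_tree(tmp))
    return [(kind, os.path.basename(path), detail) for kind, path, detail in findings]


if __name__ == "__main__":
    for kind, name, detail in demo():
        print(f"{kind:18} {name:16} {detail}")
```

Run against a mounted share or a mounted USB volume, `scan_root` is cheap enough to schedule; the `root-executable` rule is the one most likely to need tuning, since some shares legitimately host installers at their top level.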

Detection and Mitigation

Defenders are urged to monitor registry changes affecting file associations, deploy policies restricting executable creation on network shares, and inspect shortcut files for unusual targets. By combining signature-based detection of the “Login – TinyLoader” panel with behavioral monitoring of autorun activity, security teams can mitigate the rapid spread of this emerging threat.

Recommendations

  • Monitor registry changes affecting file associations
  • Deploy policies restricting executable creation on network shares
  • Inspect shortcut files for unusual targets
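Inspecting shortcut files for unusual targets means reading the .lnk binary format (MS-SHLLINK) rather than trusting the name shown in Explorer. The following parser is an added example, not code from the article: it validates the shell link header, skips the item-ID list, reads the local or UNC target out of the LinkInfo block, decodes the string fields (name, relative path, working directory, arguments, icon), and flags any shortcut whose target is an executable outside a program baseline. `KNOWN_PROGRAMS` is an assumed site baseline, and `build_lnk` constructs minimal shortcuts purely so the parser can be exercised offline; the two sample shortcuts it builds are constructed, with the suspect one pointing at the `Update.exe` path named in the article.

```python
"""Read the target and arguments out of a Windows shortcut (.lnk, MS-SHLLINK)
and flag shortcuts that launch an executable outside a program baseline.
Added example; reads LinkInfo and StringData and skips the IDList."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1")
KNOWN_PROGRAMS = {"winword.exe", "excel.exe", "notepad.exe"}  # assumption: site baseline


def _cstr(buf, off):
    """NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252", "replace")


def parse_lnk(data):
    """Return {'target': path or None} plus any name/relative_path/working_dir/args/icon."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:                       # LinkTargetIDList: 2-byte size, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINKINFO:                     # offsets below are relative to LinkInfo start
        size, _hdr, li_flags, _vol, base_off, cnrl_off, suffix_off = struct.unpack_from("<7I", data, pos)
        suffix = _cstr(data, pos + suffix_off)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath
            target = _cstr(data, pos + base_off) + suffix
        elif li_flags & 0x2:                     # CommonNetworkRelativeLinkAndPathSuffix (UNC)
            net_name_off = struct.unpack_from("<I", data, pos + cnrl_off + 8)[0]
            target = _cstr(data, pos + cnrl_off + net_name_off) + "\\" + suffix
        pos += size
    info = {"target": target}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                      (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "args"), (HAS_ICON, "icon")):
        if flags & flag:                         # StringData: 2-byte char count, no terminator
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                info[key] = data[pos:pos + 2 * n].decode("utf-16-le")
                pos += 2 * n
            else:
                info[key] = data[pos:pos + n].decode("cp1252", "replace")
                pos += n
    return info


def triage(data):
    """Parse a shortcut and return (info, reasons); non-empty reasons mean review it."""
    info = parse_lnk(data)
    reasons = []
    target = (info["target"] or "").lower()
    if target.endswith(EXEC_EXT) and target.rsplit("\\", 1)[-1] not in KNOWN_PROGRAMS:
        reasons.append("target is an executable outside the program baseline")
    return info, reasons


def build_lnk(target, args=""):
    """Constructed minimal shortcut (LinkInfo with a local path, optional
    arguments, no IDList), used only to exercise the parser above."""
    volume = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # VolumeID with an empty label
    base = target.encode("cp1252") + b"\x00"
    base_off = 0x1C + len(volume)
    suffix_off = base_off + len(base)
    link_info = (struct.pack("<7I", suffix_off + 1, 0x1C, 0x1, 0x1C, base_off, 0, suffix_off)
                 + volume + base + b"\x00")
    flags = HAS_LINKINFO | IS_UNICODE | (HAS_ARGS if args else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le") if args else b""
    return header + link_info + string_data


# Constructed samples: a document shortcut, and one shaped like the "Documents Backup.lnk"
# described in the article, pointing at the loader's Update.exe path.
BENIGN = build_lnk(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r'"D:\Reports\Q3.docx"')
SUSPECT = build_lnk(r"C:\Windows\System32\Update.exe")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        info, reasons = triage(blob)
        print(label, info["target"], info.get("args", ""), reasons or "ok")
```

For shortcuts found on a share, call `triage(open(path, "rb").read())`; shortcuts that carry only an item-ID list and no LinkInfo come back with `target` set to `None`, which is itself worth surfacing, since a loader can hide its target there.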

Copyright © 2025 ESSGroup