Ecipekac Loader discovered in A41APT campaign

A41APT is a long-running campaign, with activity observed from March 2019 to December 2020. Most of the malware families found were fileless and had not been seen before. One particular malware family in this campaign is called Ecipekac (aka DESLoader, SigLoader and HEAVYHAND). It is a very complex multi-layer loader module used to deliver payloads such as SodaMaster (aka DelfsCake, dfls and DARKTOWN), P8RAT (aka GreetCake and HEAVYPOT) and FYAnti (aka DILLJUICE stage2), which in turn loads QuasarRAT.

We observed a multi-layer x64 loader used specifically for this organization; after finding the unique string in the second layer of the loader, we named it Ecipekac.

(Figure: a41apt ecipekac)

Ecipekac: Layer I loader

The Layer I loader abuses policytool.exe (a legitimate application usually packaged in the IBM Development Package for Eclipse) to load a malicious DLL named “jli.dll” from the current directory via DLL side-loading. The “jli.dll” file serves as the first layer of the Ecipekac loader. The DLL has many export functions, but all of them refer to the same main loading function.
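The side-loading pattern above (a legitimate host executable pulling a DLL from its own directory) is something a defender can hunt for in image-load telemetry. The following is an added example, not code from the original report or from Kaspersky: it runs a small rule over constructed Sysmon Event ID 7 (ImageLoad) records flattened to `key=value` fields. The policytool.exe/jli.dll pair comes from the page; every path, the `SIDELOAD_PAIRS` table beyond that pair, and the "unsigned DLL loaded from the executable's own directory" heuristic are assumptions for illustration.

```python
import ntpath

# Host executable -> DLL names known to be side-loaded through it.
# The policytool.exe/jli.dll pair is from the page; extend with your own inventory.
SIDELOAD_PAIRS = {"policytool.exe": {"jli.dll"}}

# Constructed Sysmon Event ID 7 records (Image, ImageLoaded, Signed fields only).
# All paths are made up for this example.
SAMPLE_LOG = "\n".join([
    r"Image=C:\Users\user\Downloads\tools\policytool.exe|ImageLoaded=C:\Users\user\Downloads\tools\jli.dll|Signed=false",
    r"Image=C:\Program Files\IBM\Java\bin\policytool.exe|ImageLoaded=C:\Program Files\IBM\Java\bin\jli.dll|Signed=true",
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\ntdll.dll|Signed=true",
    r"Image=C:\Temp\someapp.exe|ImageLoaded=C:\Temp\version.dll|Signed=false",
])


def parse_line(line):
    """Turn 'k=v|k=v' into a dict; values may contain backslashes but never '|'."""
    return dict(field.split("=", 1) for field in line.strip().split("|") if "=" in field)


def classify(ev):
    """Return 'alert', 'review' or None for one image-load event."""
    exe_path, dll_path = ev.get("Image", ""), ev.get("ImageLoaded", "")
    exe = ntpath.basename(exe_path).lower()
    dll = ntpath.basename(dll_path).lower()
    same_dir = ntpath.dirname(exe_path).lower() == ntpath.dirname(dll_path).lower()
    unsigned = ev.get("Signed", "").lower() != "true"
    # Known side-loading pair with an unsigned DLL: high-confidence hit.
    if dll in SIDELOAD_PAIRS.get(exe, ()) and unsigned:
        return "alert"
    # Generic heuristic (assumption): an unsigned DLL loaded from the host's own
    # directory is worth a look, even when the pair is not in the table.
    if same_dir and unsigned and dll.endswith(".dll"):
        return "review"
    return None


def scan(log_text):
    """Return [(line_number, severity), ...] for every record that fires."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        severity = classify(parse_line(line))
        if severity:
            findings.append((n, severity))
    return findings


if __name__ == "__main__":
    for n, sev in scan(SAMPLE_LOG):
        print(f"line {n}: {sev}")
```

The signed copy of jli.dll in the vendor directory (line 2) does not fire, which is the point: the host process and the DLL name are identical in the benign and malicious cases, so the distinguishing signals are the signature status and, in a real deployment, a hash allowlist of the vendor's genuine jli.dll.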

Ecipekac: Layer II loader shellcode

The Layer II loader is a simple shellcode that carries the next-stage DLL as embedded data whose parts are stored out of order. First, the shellcode checks for the magic string “ecipekac” in this data. Then it copies each part of the embedded data into allocated memory in the correct order, reconstructing the original DLL code, and loads it.

Ecipekac: Layer III loader DLL

The third layer loads the next layer in a similar way to the first layer: it reads encrypted data appended to the end of “pcasvc.dll”, a DLL signed with a digital certificate, as was the case with “vac.dll”.
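Data appended past the end of a digitally signed DLL is something a defender can measure directly: bytes that lie after the last section and are not the Authenticode certificate table have no legitimate reason to be there. The following is an added example, not code from the original report or from Kaspersky. It parses just enough of the PE header to locate the end of section data and the certificate table, reports any unaccounted trailing bytes, and builds a constructed PE32+ stand-in (`build_sample_pe`) to exercise the check; the real pcasvc.dll layout is not described on the page and is not assumed here.

```python
import struct
import sys


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def pe_layout(data):
    """Parse only what is needed: where section data ends in the file and
    where the Authenticode certificate table (if any) lives."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe = _u32(data, 0x3C)                        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = _u16(data, pe + 6)                    # NumberOfSections
    opt_size = _u16(data, pe + 20)               # SizeOfOptionalHeader
    opt = pe + 24
    # Data directories start at offset 96 (PE32) or 112 (PE32+) of the optional
    # header; entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY, whose "VirtualAddress"
    # field is a raw file offset rather than an RVA.
    dirs = opt + (112 if _u16(data, opt) == 0x20B else 96)
    cert_off, cert_len = _u32(data, dirs + 32), _u32(data, dirs + 36)
    sec_tab = opt + opt_size
    end_of_sections = sec_tab + nsec * 40
    for i in range(nsec):
        hdr = sec_tab + i * 40                   # SizeOfRawData @16, PointerToRawData @20
        end_of_sections = max(end_of_sections, _u32(data, hdr + 20) + _u32(data, hdr + 16))
    return {"end_of_sections": end_of_sections, "cert_off": cert_off,
            "cert_len": cert_len, "file_size": len(data)}


def audit_trailing_bytes(data):
    """Count overlay bytes (after the last section) and how many of them are not
    the certificate table. Unaccounted bytes mean something was appended."""
    lay = pe_layout(data)
    start, size = lay["end_of_sections"], lay["file_size"]
    overlay_len = size - start
    unaccounted = overlay_len
    if lay["cert_len"]:
        lo = max(lay["cert_off"], start)
        hi = min(lay["cert_off"] + lay["cert_len"], size)
        unaccounted -= max(0, hi - lo)           # the certificate table legitimately sits in the overlay
    return {"overlay_len": overlay_len, "unaccounted": unaccounted,
            "suspicious": unaccounted > 0}


def build_sample_pe(appended, cert_len=64):
    """Constructed, non-executable PE32+ image: one 512-byte section at file
    offset 512, an optional certificate-table stand-in right after it, then
    `appended` bytes glued on the end. Not a real signed DLL."""
    sec_ptr, sec_size = 512, 512
    cert_off = sec_ptr + sec_size if cert_len else 0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)             # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 4 * 8, cert_off, cert_len)     # security directory
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 + bytes(dirs)   # 240-byte PE32+ optional header
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000,
                       sec_size, sec_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + opt + sect
    img = hdr.ljust(sec_ptr, b"\0") + b"\xC3" * sec_size
    img += b"\0" * cert_len                                      # stand-in for a WIN_CERTIFICATE blob
    return img + appended


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(audit_trailing_bytes(fh.read()))
    else:
        print(audit_trailing_bytes(build_sample_pe(b"\x11" * 96)))
```

Run with a file path to audit a real DLL, or with no arguments to see the constructed sample (96 unaccounted bytes after a 64-byte certificate table). A signature that still verifies does not clear the file: this check complements signature validation rather than replacing it.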

Ecipekac: Layer IV loader shellcode

In our research, we found three different types of shellcode used as the fourth layer of Ecipekac.

The first type behaves the same as the Ecipekac Layer II shellcode; the only difference is the embedded PE, which in this case is the final Ecipekac payload: “P8RAT” or the “FYAnti loader”.

The second type of shellcode is completely different from the other loader types.

The third type is a Cobalt Strike stager.

Ecipekac’s payloads

As mentioned earlier, in addition to the Cobalt Strike stager, we observed three final payloads injected by the Ecipekac loader over the course of its long-term operation.

  • P8RAT
  • SodaMaster
  • FYAnti loader for QuasarRAT


One of Ecipekac’s payloads is a new fileless malware that we call P8RAT (aka GreetCake). P8RAT uses a unique data structure to store its C2 communication configuration. Across all collected P8RAT samples we found a total of 10 backdoor commands. The main purpose of P8RAT is to download and execute payloads (PE files and shellcode) from its C2 server.


Another payload of the Ecipekac loader, which we call SodaMaster (aka DelfsCake), is also a new fileless malware. In our research we found more than 10 SodaMaster samples. The module’s code is almost identical across all collected samples: the offsets and hexadecimal patterns of all functions match exactly. The only differences are in the configuration data, which includes the hard-coded C2, the encoded RSA key, and other data used to calculate the mutex value.

FYAnti loader for QuasarRAT

The last observed payload type deployed by Ecipekac is a loader module called the FYAnti loader. In the fourth layer of the Ecipekac loader, the DLL is loaded into memory and an export named “F ** kY ** Anti” is called. Because of this unique string, we named this loader “FYAnti”. The execution flow of FYAnti has two additional layers before reaching the final stage, QuasarRAT (also known as xRAT).


(Figure: FYAnti execution flow. Labels: Ecipekac loader, Ecipekac shellcode, Encrypted QuasarRAT)