A new malware framework, NetDooka, has been spreading using the PrivateLoader Pay-Per-Install (PPI) malware distribution service. The malware allows attackers full access to a compromised device.

About NetDooka

NetDooka, a previously undocumented malware framework, is a loader, a dropper, and a protection driver that comes with a powerful RAT component using a custom network communication protocol.
  • NetDooka’s first samples were observed by researchers from TrendMicro, who warned that even though it is still in an early development stage, it is already a very capable tool.
  • The RAT component receives commands through TCP and has various functions such as file actions, logging keystrokes, DDoS attacks, executing shell commands, or remote desktop operations.

The infection chain

  • First, a loader is decrypted and executed, which checks Windows Registry for antivirus tools that will be disabled.
  • Next, a malicious set of drivers is installed, which acts as kernel-mode protection for the RAT component. These drivers prevent the termination of its processes as well as deletion of the payload.
  • Eventually, the framework communicates with the C2 server for obtaining the final payload, which is NetDooka RAT. In some instances, PrivateLoader directly drops the RAT.

PrivateLoader PPI service 

PrivateLoader PPI service was spotted last year and examined by Intel471 in February this year. 
  • It is a malware distribution platform that uses SEO poisoning and files uploaded to torrent sites.
  • It has been observed spreading different types of malware, such as Smokeloader, Raccoon Stealer, Redline, Vidar, Trickbot, Mars stealer, Remcos, Danabot, and other malware strains.


Although it is in an early development stage, NetDooka is a potentially dangerous threat. Additionally, the fact that it’s spread with the use of the PrivateLoader malware distribution service reflects its effectiveness, and developers regard the malware as ready to use in large-scale deployment.
Cyware Publisher