A Pay-Per-Install (PPI) malware service, PrivateLoader, has been gaining popularity in delivering a variety of malware. Usually, the malware operators pay such service owners to get their payloads installed on the targets.

PrivateLoader service users

According to Intel 471 researchers, PrivateLoader, written in C++, has been used to deliver SmokeLoader, RedLine Stealer, Vidar, Raccoon, and GCleaner since May 2021. 
  • The accessibility and low costs of malware services such as PrivateLoader allow malware operators to use these services for fast and bulk geo-targeted infections.
  • Other common payload families pushed by PrivateLoader include DanaBot, CryptBot, BitRAT, Remcos, LockBit, NanoCore, TrickBot, Kronos, NjRAT, Agent Tesla, and Formbook.
  • Additionally, it has been used to spread the Dridex botnet, Kronos banking trojan, and Discoloader - a loader malware used for spreading Conti ransomware.

Beyond cost savings, these services provide several additional capabilities.

Capabilities and offerings

PrivateLoader is controlled using a set of C2 servers and an administrator panel developed with AdminLTE 3.
  • The administrative panel of the PPI service has various functions, such as adding new users, configuring a link for payload, modifying geolocation based on the campaign, and encrypting load files.
  • The service obtains URLs for the malicious payloads deployed on the infected host.
  • The distribution relies on a network of bait websites compromised to appear at the top in search results via SEO poisoning tactics targeting users seeking pirated software.


The large variety of malware delivered by PrivateLoader is concerning. Low-cost, readily available PPI services encourage more cybercriminals to take advantage of them, which poses a great challenge for the cybersecurity community. Awareness of such services is therefore important for developing countermeasures.

Cyware Publisher