
A New Malware Loader Checks Your Graphics Card Before It Attacks

New OnionDrop loader campaign has produced over 645 malicious files since Feb, delivering LegionLoader, CGrabber, and Vidar infostealers.

Dateline: June 17, 2026

OnionDrop Loader Uses Nation State Tricks to Hide Common Malware

Most malware tries to slip past security tools. The OnionDrop loader does something more deliberate. It checks your graphics card first, and if it does not like what it sees, it simply shuts down before anything happens.

What Happened?

Security researchers at Cyderes, working through their Howler Cell threat research team, just published a breakdown of OnionDrop, a loader that has been active since February and has already produced more than 645 unique malicious files. The campaign is still running, and analysts say its evasion design rivals tools normally built by nation state hacking groups, not run-of-the-mill cybercriminals.

OnionDrop Loader, by the Numbers

  • 645+ malicious DLL samples found
  • 80 days the campaign has run
  • 3 stealer payloads delivered
  • Feb 2026: when the campaign began

The attack starts with a ZIP file. Inside sits a legitimate Adobe signed executable alongside two malicious DLL files and a 100 megabyte decoy file stuffed with random data to make the archive harder to analyze.

Once someone runs the Adobe file, it loads one of the malicious DLLs, which kicks off a four-stage unpacking process: custom encoding, compression, encryption with rotating keys, and a final step that runs the code through a Windows feature called Thread Pool callbacks instead of the usual methods security tools watch for.

Before any of that happens, the loader checks the system’s graphics hardware against a list of real GPU brands. If the machine looks like a virtual sandbox, the attack stops cold.

Once it clears those checks, OnionDrop reaches out to a command and control server at gainmsg dot com to fetch its final payload. Researchers have already linked it to three different threats: LegionLoader (also known as CurlyGate), a stealer called CGrabber, and the well-known Vidar infostealer. That flexibility suggests one group is running several data theft operations at once using the same delivery system.

Four Ways OnionDrop Avoids Getting Caught

Built like nation state tooling, sold like commodity malware

Step 1: GPU Fingerprinting

Checks the display adapter name. Anything that smells like a sandbox stops execution.

Step 2: API Hammering

Floods the system with junk API calls so analysts cannot spot real malicious activity.

Step 3: Thread Pool Abuse

Runs shellcode through Windows Thread Pool callbacks instead of methods most tools watch.

Step 4: Rotating AES Keys

Changes encryption keys across stages, making static analysis far harder to pull off.

The Impact

What makes this worth watching is not just the malware itself, but what it represents. Attackers are spending real engineering time on loaders that exist purely to get past detection, then handing off to whatever payload makes the most money that week. For businesses, that means a single infected machine can quietly leak browser passwords, saved logins, and session data before anyone notices anything wrong.

How to Avoid This

  • Security teams should watch for Adobe signed executables launching unexpected DLLs, flag any process using Thread Pool callbacks in unusual ways, and block known indicators tied to the gainmsg domain. Basic hygiene still matters too.
  • Treat unexpected ZIP files from email or downloads with suspicion, and keep endpoint tools updated so they can catch sideloading behavior even when the loader looks legitimate on the surface.
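Two of the checks above, a signed Adobe executable loading an unexpected DLL and traffic to the gainmsg domain, can be written as simple rules over endpoint telemetry. The script below is an added example, not code from Cyderes or Secure.com; the JSON-lines event format, field names, file names and signer strings are assumptions constructed for the demo, and the only indicator taken from the article is the gainmsg domain.

```python
"""Added example: toy detection pass over constructed endpoint telemetry.

Two of the defensive checks the article recommends, written as rules over
JSON-lines events (the field names are an assumption, not any vendor's
schema): a vendor-signed executable loading a DLL that is not signed by that
vendor from the same user-writable directory (classic sideloading), and DNS
traffic to the gainmsg C2 domain named in the write-up.
"""
import json
from pathlib import PureWindowsPath

# Directories an ordinary user can write to. A signed Adobe binary running from
# one of these next to an unsigned DLL is the sideloading pattern described above.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\temp\\", "\\appdata\\", "\\users\\public\\")

# The one network indicator the article gives (written "gainmsg dot com" there).
KNOWN_BAD_DOMAINS = {"gainmsg.com"}


def is_user_writable(path: str) -> bool:
    """True if the path sits under a directory a standard user can write to."""
    return any(hint in path.lower() for hint in USER_WRITABLE_HINTS)


def is_bad_domain(query: str) -> bool:
    """Match the indicator domain itself or any subdomain of it."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in KNOWN_BAD_DOMAINS)


def evaluate(event: dict):
    """Return an alert string for a suspicious event, or None."""
    if event.get("event") == "image_load":
        parent = PureWindowsPath(event["image"])
        dll = PureWindowsPath(event["loaded"])
        parent_signer = event.get("image_signer", "").lower()
        dll_signer = event.get("loaded_signer", "").lower()
        # Sideloading: the DLL comes from the same folder as the signed host
        # binary, is not signed by that vendor, and the folder is user-writable.
        if ("adobe" in parent_signer
                and parent.parent == dll.parent
                and "adobe" not in dll_signer
                and is_user_writable(str(parent))):
            return (f"possible DLL sideloading: {parent} loaded {dll.name} "
                    f"(DLL signer: {event.get('loaded_signer') or 'unsigned'})")
    elif event.get("event") == "dns_query" and is_bad_domain(event["query"]):
        return f"DNS query for known loader C2 domain {event['query']} by {event['image']}"
    return None


def scan(lines):
    """Run every rule over a sequence of JSON-lines events; return the alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if line:
            alert = evaluate(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs; names are placeholders).
# The first and fourth events should fire, the others should not.
SAMPLE_EVENTS = r"""
{"event": "image_load", "image": "C:\\Users\\alice\\Downloads\\adobe_app.exe", "image_signer": "Adobe Inc.", "loaded": "C:\\Users\\alice\\Downloads\\helper.dll", "loaded_signer": ""}
{"event": "image_load", "image": "C:\\Program Files\\Adobe\\adobe_app.exe", "image_signer": "Adobe Inc.", "loaded": "C:\\Program Files\\Adobe\\helper.dll", "loaded_signer": "Adobe Inc."}
{"event": "image_load", "image": "C:\\Users\\alice\\Downloads\\adobe_app.exe", "image_signer": "Adobe Inc.", "loaded": "C:\\Windows\\System32\\ntdll.dll", "loaded_signer": "Microsoft Windows"}
{"event": "dns_query", "image": "C:\\Users\\alice\\Downloads\\adobe_app.exe", "query": "gainmsg.com"}
{"event": "dns_query", "image": "C:\\Windows\\System32\\svchost.exe", "query": "example.com"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The sideloading rule deliberately requires all three conditions (same directory, publisher mismatch, user-writable location) so that a legitimate Adobe install loading its own DLLs from Program Files, or any process loading system DLLs from System32, stays quiet; in production the signer check should come from the telemetry source's signature verification rather than a string match.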

Loaders Like OnionDrop Are Built to Outsmart Sandboxes, Not Common Sense

Secure.com gives security teams a way to catch DLL sideloading and unusual process behavior before a loader can finish its job. A few ways it helps:

  • Flags executables that load unexpected DLLs, even when the parent file looks legitimate
  • Surfaces unusual Thread Pool or memory execution patterns that traditional tools tend to miss
  • Connects related alerts across endpoints so a single infected machine does not go unnoticed
  • Speeds up the time it takes analysts to confirm whether a loader has already reached out to its command server
  • Helps teams block known malicious infrastructure like the domains tied to active loader campaigns