The Pay-Per-Install (PPI) malware service, PrivateLoader, has been acquiring popularity in delivering a motley of malware. Usually, malware operators pay such service owners to get their payloads installed on their targets.

PrivateLoader service users

According to Intel 471 researchers, PrivateLoader, written in C++, has been used to deliver SmokeLoader, RedLine Stealer, Vidar, Raccoon, and GCleaner since May 2021. The accessibility and low cost of malware services such as PrivateLoader allow malware operators to use these services for fast and bulk geo-targeted infections. Other payload families pushed by PrivateLoader include DanaBot, CryptBot, BitRAT, Remcos, LockBit, NanoCore, TrickBot, Kronos, NjRAT Agent Tesla, and Formbook. It was also used to spread the Dridex botnet, Kronos banking trojan, and Discoloader, which are the loader malware used for spreading Conti ransomware.

Capabilities and offerings

In addition to cost-saving, these services provide several additional capabilities. It is controlled using a set of C2 servers and an administrator panel developed with AdminLTE 3. The administrative option of the PPI service has diverse functions, such as adding new users, configuring a link for payload, modifying geolocation based on the campaign, and encrypting load files. The service obtains URLs for malicious payloads deployed on the infected host. The distribution relies on a network of bait websites compromised to appear at the top in search results via SEO poisoning tactics targeting users seeking pirated software.


The large variety of malware delivered by PrivateLoader is concerning. The low cost, readily available services inspire more cybercriminals to take advantage of such PPI services, which poses a big challenge for the cybersecurity community. Thus, having awareness regarding such services is needed to develop countermeasures.