The so-called WikiLoader malware requests information from the Wikipedia site, possibly to verify its connection to the open internet.

New WikiLoader malware targets Italian organizations

Researchers have discovered a new malware strain aimed at Italian organizations through several phishing campaigns.

WikiLoader is “a sophisticated downloader” whose primary goal is to install another malicious payload on victims’ devices, including malware called Ursnif, according to researchers at Proofpoint.

WikiLoader was first identified in December 2022. Since then, researchers at the cybersecurity company say they identified at least eight campaigns distributing the malware.

The downloader was distributed by at least two hacking groups, labeled TA544 and TA551 by researchers. These are financially motivated threat actors that have previously targeted victims in Europe and Japan with Ursnif, Proofpoint says.

According to researchers, WikiLoader was likely developed as malware that can be rented out selectively by cybercriminals.

In the campaign analyzed by Proofpoint, hackers directed their efforts against Italian organizations.

In February, for example, the attackers sent emails with malicious Microsoft Excel attachments posing as an Italian courier service. Opening these files installed WikiLoader, which then downloaded Ursnif onto the victim's computer.

The most recent WikiLoader attack was observed in July 2023, according to Proofpoint.

Proofpoint researchers have identified at least three different versions of the malware, suggesting that it is under active development. The downloader’s authors also are improving its detection evasion techniques, making it challenging to analyze.

The malware is called WikiLoader because when it is active on a system, it sends a request to Wikipedia to check if the content of the response includes the string "The Free." The activity is likely a signal or identifier used by the malware to quietly verify its connection to the public internet, the researchers say.

Currently, Proofpoint has only seen WikiLoader deliver Ursnif as a second-stage payload. However, given its development, it could potentially be used by threat actors to deliver other types of malware payloads.

“This malware is in rapid development, and the threat actors are attempting to make the loader more complicated, and the payload more difficult to retrieve,” the researchers said.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.