Unpacking BunnyLoader: The New Malware-as-a-Service Threat on the Block


Published on Oct 3, 2023   —   2 min read

Unpacking BunnyLoader

Meet BunnyLoader, the new kid on the malware block. Discovered by Zscaler's ThreatLabz, this hopping menace is more than just a cute name. It's a one-stop-shop for all your cyber-nefarious needs, from keylogging to stealing your hard-earned cryptocurrency. Let's hop right in and see what makes this bunny so bad, shall we?

Key Features and Rapid Development

BunnyLoader is a malware loader written in C/C++ and is sold on various forums for a price tag of $250. It's a fileless loader, meaning it executes further malware stages directly in memory, making it harder to detect. It also incorporates anti-analysis techniques and provides a web panel for its operators.

Since its initial release on September 4, 2023, BunnyLoader has been under rapid development. New versions have introduced features like browser history recovery, credit card information theft, and even VPN credential stealing. This rapid development cycle indicates that its creators are highly invested in its success.

The Command and Control Panel

The BunnyLoader Command and Control (C2) panel is the nerve center of the operation. It allows the attacker to download and execute additional malware, perform keylogging, steal credentials, and even manipulate a victim's clipboard to steal cryptocurrency. The panel also provides statistics on infections, active tasks, and logs.

Technical Analysis

Upon execution, BunnyLoader performs a series of actions to maintain persistence and evade detection. It creates a new registry value, hides its window, and even checks for virtual machines and sandbox environments. If it detects any, it throws an error message to mislead the user.

Task Execution

BunnyLoader can perform a variety of tasks, from downloading additional malware to running a keylogger and stealing credentials. It targets a wide range of web browsers and cryptocurrency wallets, and even VPN clients like ProtonVPN and OpenVPN. The stolen data is archived and sent to the C2 server.

The Clipper Module

One of the more insidious features is the clipper module, which monitors a victim's clipboard for cryptocurrency addresses. When it finds one, it replaces it with an address controlled by the attacker. This feature targets multiple cryptocurrencies, including Bitcoin, Monero, and Ethereum.

Indicators of Compromise

The C2 server associated with BunnyLoader is 37[.]139[.]129[.]145/Bunny/. Some of the BunnyLoader samples include:

  • dbf727e1effc3631ae634d95a0d88bf3
  • bbf53c2f20ac95a3bc18ea7575f2344b
  • 59ac3eacd67228850d5478fd3f18df78


BunnyLoader is a new and evolving MaaS threat. Being aware of its functionalities and taking appropriate countermeasures can go a long way in protecting your digital assets. For a deeper dive into BunnyLoader and to stay updated on the latest in cybersecurity, we invite you to check out the detailed report on Zscaler's ThreatLabz. Stay informed, stay safe!

Share on Facebook Share on Linkedin Share on Twitter Send by email

Subscribe to the newsletter

Subscribe to the newsletter for the latest news and work updates straight to your inbox, every week.