
Inside OffLoader: A GCleaner-Dropped Payload Slipping Past 95% of AV Engines

April 04, 2026 · ThreatChain Research · 8 min read

A freshly surfaced sample shows how the OffLoader loader family continues to exploit the pay-per-install ecosystem, arriving with anti-VM tricks, TLS callbacks, and a detection rate that should worry every blue team.


The 4/76 Problem

When a malware sample is flagged by only 4 out of 76 antivirus engines on VirusTotal, it doesn't mean the file is probably clean. It means the adversary is winning the evasion game.

On April 4, 2026, ThreatChain's enrichment pipeline ingested a PE32 executable — 8.4 MB, originating from the United States, compiled with Borland Delphi, and wrapped in an Inno Setup installer. The file carried the family signature OffLoader, a loader-class malware that has become a reliable workhorse in the pay-per-install (PPI) distribution ecosystem. Its delivery method? Dropped by GCleaner, a well-known PPI service that has been feeding commodity malware into consumer and enterprise environments for years.

What makes this sample particularly concerning isn't just its low detection rate. It's the combination of anti-analysis techniques, the multi-stage unpacking chain, and the breadth of secondary payloads it's designed to pull — including stealers, RATs, and browser hijackers. This is a sample worth dissecting.


What Is OffLoader?

OffLoader is a Windows-based loader — a category of malware whose primary purpose is not to steal data or encrypt files itself, but to establish a beachhead on a compromised system and then download, install, and execute additional malicious payloads. Think of it as a logistics operator for the malware supply chain.

OffLoader has been observed in the wild since at least 2024 and is closely associated with the GCleaner PPI network. GCleaner (sometimes stylized as G-Cleaner) masquerades as a system optimization or "junk cleaner" utility. Users download what they think is a legitimate cleanup tool; instead, the installer silently deploys one or more loaders — OffLoader chief among them — which then reach out to command-and-control infrastructure to retrieve the actual revenue-generating payloads.

The business model is straightforward: GCleaner operators get paid per installation. Their clients — the operators of infostealers, banking trojans, RATs, and adware — pay for each fresh victim machine that successfully runs their payload. OffLoader is the bridge between the initial infection and the monetization layer.

Why It Matters Now

The PPI ecosystem has been undergoing a professionalization phase. Loaders like OffLoader, PrivateLoader, SmokeLoader, and BatLoader have evolved from crude droppers into sophisticated, multi-layered delivery platforms with robust anti-analysis capabilities. OffLoader's continued low detection rates suggest active maintenance — someone is updating its packing, obfuscation, and evasion routines to stay ahead of signature-based detection.


Attack Chain Breakdown

Based on the technical data from this sample and known OffLoader behavioral patterns, the infection chain unfolds in several stages:

Stage 1: Social Engineering & Initial Delivery

The user encounters a GCleaner download — typically through SEO-poisoned search results, malvertising, or links on forums advertising "free PC optimization tools." The downloaded file is a genuine Inno Setup package; Inno Setup is a widely used, legitimate installer framework. This is a deliberate choice: Inno Setup installers are common enough that their presence alone doesn't raise alarms.

Stage 2: Installer Execution & Unpacking

When executed, the Inno Setup package runs a multi-layer unpacking chain. UnpacMe analysis of this sample reveals at least three distinct binaries extracted during unpacking:

| Artifact            | SHA256                                                           |
|---------------------|------------------------------------------------------------------|
| Outer packed binary | 9a5616c779815a0c7724761d62ba7a370a72b246ca17dd5de372f015007f9e8c |
| Unpacked child 1    | 212127c8b772b9aa761b273bd0ffa4c845a77e794393315be8b6db5accc87712 |
| Unpacked child 2    | 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95 |

The outer binary is packed with UPX (confirmed by ANY.RUN tags), and the Delphi-compiled core leverages TLS (Thread Local Storage) callbacks — a well-documented technique where code executes before the main entry point, making debugger attachment and breakpoint-based analysis significantly harder.

Stage 3: Anti-Analysis & Environment Checks

Before proceeding with its payload delivery mission, OffLoader performs environment validation. The YARA rule TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE firing on this sample confirms the presence of anti-VM and anti-sandbox checks. Common techniques in this family include:

The CP_Script_Inject_Detector YARA hit suggests the sample also contains or deploys script injection capabilities, potentially targeting browser processes or using PowerShell/WScript for post-exploitation activity.

Stage 4: Payload Retrieval & Execution

Once satisfied it's running on a real victim machine, OffLoader contacts its C2 infrastructure to download secondary payloads. The ANY.RUN analysis tags on this sample are revealing — they paint a picture of the types of payloads being distributed through this particular OffLoader instance:

This is consistent with the PPI model: a single loader delivering a cocktail of payloads from different "customers" of the distribution service.

Stage 5: Persistence & Lateral Utility

The shellcode YARA hit indicates that OffLoader may use shellcode injection techniques for process hollowing or injection into legitimate Windows processes, enabling it to persist under the guise of trusted executables. The SHA512_Constants detection suggests the use of cryptographic routines — likely for C2 communication encryption or payload integrity verification.


Indicator of Compromise (IOC) Table

| Indicator Type | Value                                                            | Context                                           |
|----------------|------------------------------------------------------------------|---------------------------------------------------|
| SHA256         | 9a5616c779815a0c7724761d62ba7a370a72b246ca17dd5de372f015007f9e8c | Primary sample (packed)                           |
| MD5            | 1621a29fbef409ec440f333951030984                                 | Primary sample                                    |
| SHA1           | 78bfba5c9618a09e0b7b66823bc58021e1549d63                         | Primary sample                                    |
| SHA256         | 212127c8b772b9aa761b273bd0ffa4c845a77e794393315be8b6db5accc87712 | Unpacked child binary                             |
| MD5            | b421b35ebf0e8c5c74840bae4b281663                                 | Unpacked child binary                             |
| SHA256         | 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95 | Unpacked child binary                             |
| MD5            | e4211d6d009757c078a9fac7ff4f03d4                                 | Unpacked child binary                             |
| File Type      | PE32 executable (GUI) Intel 80386 Win32 EXE                      | Delphi/Borland compiled                           |
| File Size      | 8,473,604 bytes (~8.4 MB)                                        | Notably large for a loader — installer overhead   |
| YARA           | TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE                       | Anti-VM behavior detected                         |
| YARA           | pe_detect_tls_callbacks                                          | TLS callback anti-debug technique                 |
| YARA           | CP_Script_Inject_Detector                                        | Script injection capability                       |
| Tags           | dropped-by-GCleaner                                              | Distribution vector confirmed                     |
| VT Detection   | 4/76                                                             | Extremely low detection rate at time of analysis  |

The GCleaner Connection

GCleaner has been documented by multiple security vendors as a persistent PPI distribution platform. In 2023, researchers at Sekoia published analysis connecting GCleaner to the distribution of multiple loader families, including PrivateLoader and various infostealers. The operation has remained active by continuously rotating its delivery infrastructure and updating its loader payloads.

The dropped-by-GCleaner tag on this sample confirms the distribution chain. For defenders, this is actionable intelligence: if you observe GCleaner activity on your network, you should assume OffLoader (and its downstream payloads) will follow.


Detection Gaps and Why AV Alone Isn't Enough

The 4/76 VirusTotal detection rate is stark but not surprising. Several factors contribute:

  1. Legitimate tooling as camouflage: The use of Inno Setup and Borland Delphi — both widely used in legitimate software — means heuristic engines must tread carefully to avoid false positives.

  2. Active packer rotation: The UPX packing combined with custom Delphi obfuscation creates enough entropy variation to defeat static signatures.

  3. Sandbox evasion: With anti-VM checks defeating automated analysis, many vendor sandboxes may see the sample execute benignly and classify it as clean — which is exactly what the vxCube: clean2 result reflects.

  4. Low prevalence: Newer samples with limited distribution haven't yet generated enough telemetry for ML-based engines to flag them confidently.


Defensive Recommendations

Immediate Actions

Strategic Defenses

Threat Hunting Queries

If you run Delphi-compiled executable detection in your environment, cross-reference with:

- Executables over 5 MB launched from %TEMP% or %USERPROFILE%\Downloads
- Processes making outbound connections within 30 seconds of launch
- Any process with both UPX sections and TLS directory entries
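The third hunting criterion above (UPX section names together with a TLS data directory, the TLS-callback technique described under Stage 2) and the size threshold can both be checked statically, without running the file. The script below is an added example written for this article, not ThreatChain tooling: it parses just enough of the PE header with the Python standard library to read the TLS data directory and the section names, flags the UPX-plus-TLS combination and the 5 MB threshold, and compares the file's SHA-256 against the hashes from the IOC table. The `build_minimal_pe` helper and the `inspect_pe`, `triage`, and `sha256_hex` function names are this example's own; the helper constructs synthetic, header-only PE32 images so the script runs offline, and the TLS RVA and size it writes are made-up values.

```python
import hashlib
import struct

# SHA-256 values from the IOC table in this article (packed sample and two unpacked children).
KNOWN_SHA256 = {
    "9a5616c779815a0c7724761d62ba7a370a72b246ca17dd5de372f015007f9e8c",
    "212127c8b772b9aa761b273bd0ffa4c845a77e794393315be8b6db5accc87712",
    "388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95",
}
TLS_DIRECTORY_INDEX = 9  # IMAGE_DIRECTORY_ENTRY_TLS


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_pe(data: bytes) -> dict:
    """Parse the DOS/NT headers and section table; just enough for the hunting criteria."""
    info = {"is_pe": False, "sections": [], "upx_sections": [],
            "has_tls_directory": False, "size": len(data)}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return info
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + opt_size > len(data):
        return info
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        ndirs_off, dirs_off = 108, 112
    else:
        return info
    info["is_pe"] = True
    # Data directory 9 is TLS; a non-zero entry means the image carries TLS data or callbacks.
    if ndirs_off + 4 <= opt_size:
        ndirs = struct.unpack_from("<I", data, opt_off + ndirs_off)[0]
        entry_off = dirs_off + TLS_DIRECTORY_INDEX * 8
        if ndirs > TLS_DIRECTORY_INDEX and entry_off + 8 <= opt_size:
            rva, size = struct.unpack_from("<II", data, opt_off + entry_off)
            info["has_tls_directory"] = rva != 0 and size != 0
    # Section table follows the optional header: 40 bytes per IMAGE_SECTION_HEADER, 8-byte name first.
    sec_off = opt_off + opt_size
    for i in range(nsec):
        off = sec_off + i * 40
        if off + 40 > len(data):
            break
        info["sections"].append(data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"))
    info["upx_sections"] = [n for n in info["sections"] if n.upper().startswith("UPX")]
    return info


def triage(data: bytes, size_threshold: int = 5 * 1024 * 1024, known_sha256=KNOWN_SHA256) -> list:
    """Return the hunting flags that apply to one file image."""
    flags = []
    if sha256_hex(data) in known_sha256:
        flags.append("ioc_hash_match")
    info = inspect_pe(data)
    if not info["is_pe"]:
        return flags
    if info["size"] > size_threshold:
        flags.append("oversized")
    if info["upx_sections"] and info["has_tls_directory"]:
        flags.append("upx_and_tls")      # the combination the hunting query asks for
    elif info["has_tls_directory"]:
        flags.append("tls_directory")    # weaker signal on its own; many legitimate binaries have TLS
    return flags


def build_minimal_pe(section_names, with_tls: bool) -> bytes:
    """Constructed header-only PE32 image for testing; not a real or runnable executable."""
    ndirs = 16
    opt_size = 96 + 8 * ndirs                                  # standard 224-byte PE32 optional header
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)       # e_lfanew -> 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * 90 + struct.pack("<I", ndirs)
    dirs = b""
    for i in range(ndirs):
        # Made-up TLS RVA/size; only their non-zero-ness matters to inspect_pe.
        tls_here = with_tls and i == TLS_DIRECTORY_INDEX
        dirs += struct.pack("<II", 0x3000, 0x18) if tls_here else struct.pack("<II", 0, 0)
    sections = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + file_hdr + opt + dirs + sections


if __name__ == "__main__":
    for label, img in (("upx+tls", build_minimal_pe(["UPX0", "UPX1", ".rsrc"], True)),
                       ("plain", build_minimal_pe([".text", ".data", ".rsrc"], False))):
        print(label, triage(img, size_threshold=100))
```

To sweep a directory, read each file's bytes and pass them to `triage` with the default threshold; an empty list means none of the criteria fired. The UPX check keys on section names, so a repacked sample with renamed sections will not hit it, which is one more reason the article pairs this static check with the launch-path and early-outbound-connection criteria.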


The Bigger Picture

OffLoader is not the flashiest malware family in circulation. It won't make front-page news. But that's precisely what makes it effective and what makes families like it dangerous at scale. The PPI ecosystem thrives on volume and stealth: thousands of infections, each one quiet enough to avoid triggering alerts, each one delivering multiple payloads that collectively generate significant criminal revenue.

The professionalization of malware distribution — where the loader, the distribution network, and the final payloads are all operated by different entities — means that stopping any single piece requires understanding the entire chain. OffLoader is one link. GCleaner is another. The RATs, stealers, and browser hijackers delivered downstream are yet more.

For defenders, the takeaway is clear: a sample that barely registers on VirusTotal is not a sample you can ignore. Detection rate is not risk score. Behavioral analysis, network monitoring, and robust endpoint controls remain the best countermeasures against threats that are specifically engineered to defeat signature-based detection.

This sample is being tracked by ThreatChain. Updated IOCs and behavioral signatures will be published as additional analysis becomes available.


Analysis based on ThreatChain enrichment data, ANY.RUN sandbox results, UnpacMe unpacking artifacts, and Spamhaus HBL intelligence. Sample first observed 2026-04-04.

Related resources:

- ANY.RUN analysis
- UnpacMe unpacking results
- Spamhaus Hash Block List

Sample Available for Researchers

This sample is available as a password-protected ZIP (password: infected) for security researchers.

