CherryLoader Malware Allows Serious Privilege Execution

Published: 23/11/2024   Category: security


A sporty, modular downloader allows hackers to cherry-pick their exploits — in this case, two powerful tools for gaining admin access in a Windows system.



It's the pits for admins: Researchers have discovered a threat actor achieving admin-level access on targeted systems by deploying a new, sophisticated downloader and a couple of privilege escalation tools from the potato family.
CherryLoader is a multistage, modular loader written in Golang, which with its name and logo attempts to masquerade as the legitimate Cherrytree note-taking software.
In two recent intrusions observed by analysts at Arctic Wolf, an attacker working from an IP in the Netherlands used CherryLoader to drop two notable off-the-shelf tools for gaining admin access. Finally, at the end of the attack chain, the adversary deployed a bash script in order to take Windows security tools out of the picture.
However, CherryLoader's niftiest feature is its ability to seamlessly swap payloads without having to recompile any code.
"The ability to swap payloads in this case is an artifact of the modular design of the malware," Arctic Wolf's senior manager of security research Kirk Soluk explains. "Generally speaking, malware, whether it be a downloader, botnet, RAT, etc., has become more modular and less monolithic over time, so here we have an author using a more modern language [Go] and following a common design pattern."
As mentioned, the attacker behind the two recent intrusions used CherryLoader's modular flexibility to deploy two publicly available privilege escalation tools: PrintSpoofer and JuicyPotatoNG.
The latter is a recent iteration on a long line of potato-themed privilege escalation tools (the original Juicy Potato, BadPotato), as evidenced in its uninspiring sales pitch: "another Windows local privilege escalation [tool] from service account to system."
The former is a popular tool, with 323 forks since its release more than three years ago. It, too, according to its author, follows from the potato lineage of Windows privilege escalators. It separates itself by taking advantage of the so-called Printer Bug, a means of manipulating an Active Directory (AD) Domain Controller to connect back to a system configured with unconstrained delegation. Unconstrained delegation is a highly permissive AD configuration that opens the door to impersonation within the system.
The hackers behind CherryLoader used these tools to gain high-level access in targeted systems, at which point they dropped user.bat, a batch file script which performs a series of persistence and anti-analysis functions. Among other things, it creates an admin account on the system, whitelists and excludes executable files in Windows Defender and Microsoft Defender, respectively, disables Microsoft Defender AntiSpyware, and amends firewall rules to enable remote connections.
Arctic Wolf declined to comment on the outcome of either intrusion in this campaign.
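The behaviours attributed to user.bat above (new admin account, Defender exclusions, AntiSpyware disabled, firewall rules changed) each leave a Windows event behind, and seeing several of them together on one host is a stronger signal than any one alone. The following detection sketch is an added example, not code from the article or from Arctic Wolf; the event records are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry): (event_id, host, message).
# 4720/4732 are Security log account events, 5007 is the Defender operational
# log "configuration changed" event, 4946/4947 are firewall rule add/modify.
SAMPLE_EVENTS = [
    (4720, "ws01", "A user account was created. Account Name: svc_helpdesk"),
    (4732, "ws01", "A member was added to a security-enabled local group. "
                   "Group Name: Administrators  Member Name: svc_helpdesk"),
    (5007, "ws01", "Windows Defender configuration has changed. New value: "
                   "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                   "C:\\Users\\Public\\update.exe = 0x0"),
    (5007, "ws01", "Windows Defender configuration has changed. New value: "
                   "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\"
                   "DisableAntiSpyware = 0x1"),
    (4946, "ws01", "A change has been made to Windows Firewall exception list. "
                   "A rule was added. Rule Name: Remote Admin  Profile: All"),
    (4720, "ws02", "A user account was created. Account Name: newhire"),
]

def classify(event_id, message):
    """Map one event to the user.bat-style behaviour it evidences, or None."""
    if event_id == 4720:
        return "local_account_created"
    if event_id == 4732 and "Administrators" in message:
        return "added_to_administrators"
    if event_id == 5007:
        if "DisableAntiSpyware = 0x1" in message:
            return "defender_antispyware_disabled"
        if re.search(r"\\Exclusions\\(Paths|Processes|Extensions)\\", message):
            return "defender_exclusion_added"
    if event_id in (4946, 4947):
        return "firewall_rule_changed"
    return None

def behaviours_by_host(events):
    """Collect the distinct behaviours observed on each host."""
    seen = defaultdict(set)
    for event_id, host, message in events:
        tag = classify(event_id, message)
        if tag:
            seen[host].add(tag)
    return {host: sorted(tags) for host, tags in seen.items()}

def suspicious_hosts(events, min_behaviours=3):
    """Flag hosts with several behaviours at once; one alone is routine admin work."""
    grouped = behaviours_by_host(events)
    return sorted(h for h, tags in grouped.items() if len(tags) >= min_behaviours)

if __name__ == "__main__":
    print(behaviours_by_host(SAMPLE_EVENTS))
    print("flagged:", suspicious_hosts(SAMPLE_EVENTS))
```

In a real deployment the events would also need a time window, since the script runs these changes in quick succession, whereas legitimate changes are usually spread out.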
