Olymp Loader, a new malware-as-a-service (MaaS), has emerged and is being aggressively marketed on underground hacker forums. First advertised in June 2025 by an operator known as "OLYMPO," the tool is sold as being written entirely in assembly, a claim meant to attract buyers with the promise of high performance and resistance to reverse engineering.
Olymp Loader is offered as a single package that functions as a loader, a crypter, and a stealer. Bundling these functions lowers the technical barrier for attackers who want advanced evasion and multi-stage infection routines without building them. The malware has quickly gained notoriety for its advertised "Fully UnDetectable" (FUD) status and for low detection rates on platforms like VirusTotal. Distribution relies on social engineering: the loader is disguised as legitimate software downloads such as PuTTY, Zoom, or Node.js executables, hosted on popular platforms like GitHub. Because the lures are served from reputable hosting sites, the download traffic blends in with legitimate activity and is difficult for network security appliances to flag.
Researchers who analyzed Olymp Loader observed it frequently delivering dangerous payloads, including LummaC2 and Raccoon Stealer. They also noted rapid evolution, including a shift in early August from a botnet architecture to a more streamlined dropper model. This adaptability shows that the developer can quickly address technical problems and respond to what the cybercriminal community demands in terms of stealth and effectiveness.
Olymp Loader’s Advanced Anti-Analysis and Detection Evasion
Following a significant restructuring on August 3, 2025, Olymp Loader integrated anti-analysis mechanisms intended to raise its infection success rate. The malware now embeds encrypted payloads directly within its stub and executes them only after attempting to neutralize local security defenses. A key part of this strategy is forcibly disabling Windows Defender. The loader runs PowerShell commands that turn off real-time monitoring and add directories to Defender's scan exclusions. Note that Set-MpPreference requires local administrator rights, and that the change to real-time monitoring is blocked when Tamper Protection is enabled, so the loader depends on the victim running it elevated on a machine without that protection. One documented command is:
powershell -NoProfile -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Subsequently, the malware drops executables into the temporary directory and runs a "Defender Remover" tool. This step uses PowerRun.exe, a third-party utility for running commands with elevated privileges, to alter registry settings through files like RemoveDefender.reg, and deletes system files such as SecurityHealthSystray.exe. It also targets the WinSxS folder to remove file mappings associated with Defender. The aim of this aggressive approach is to ensure that payloads execute without interference from endpoint protection.
Further tactical shifts followed within days. By August 10, 2025, analysts identified samples that replaced the explicit disabling commands with extensive exclusion lists covering common locations such as %APPDATA% and %DESKTOP%. Adding exclusions is quieter than switching protection off, since Defender keeps running and no "protection disabled" notification is shown, although each exclusion change is still recorded in the Microsoft-Windows-Windows Defender/Operational log as event 5007. This constant evolution shows how Olymp Loader keeps adjusting to bypass standard security controls with as little noise as possible.
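Both variants described above, the real-time monitoring switch-off and the later exclusion-list approach, leave the same kind of trace: a process command line that calls Set-MpPreference or Add-MpPreference, or a registry import run from a user-writable folder. The following is an added detection example written for this page; it is not code from the Olymp Loader report or from any vendor. The events are constructed to resemble process-creation telemetry (an image path and a command line), the field names are an assumption rather than a specific EDR schema, and the rule names are made up here. It also handles two things an exact-string match misses: PowerShell accepts any unambiguous prefix of a parameter name (so -DisableRealtime is the same as -DisableRealtimeMonitoring), and a numeric 1 is accepted in place of $true.

```python
"""Flag Defender-tampering command lines in process-creation telemetry.

Added example for this page, not code from the Olymp Loader report. Event shape
(image + cmdline) and rule names are assumptions for illustration.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample events modelled on the behaviour described above; not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": PS, "cmdline": 'powershell -NoProfile -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"image": PS, "cmdline": 'powershell -c "Set-MpPreference -DisableRealtime 1 -DisableIOAV 1"'},
    {"image": PS, "cmdline": r'''powershell -nop -c "Add-MpPreference -ExclusionPath '%APPDATA%','%USERPROFILE%\Desktop','%TEMP%'"'''},
    {"image": PS, "cmdline": r'''powershell -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\BuildAgent\work'"'''},
    {"image": r"C:\Users\victim\AppData\Local\Temp\PowerRun.exe",
     "cmdline": r"PowerRun.exe reg import C:\Users\victim\AppData\Local\Temp\RemoveDefender.reg"},
    {"image": PS, "cmdline": 'powershell -Command "Get-MpPreference"'},  # read-only, benign
    {"image": r"C:\Program Files\Git\cmd\git.exe", "cmdline": "git pull"},  # unrelated
]

# Set-MpPreference switches that turn a Defender engine off (full parameter names).
DEFENDER_ENGINES = ("RealtimeMonitoring", "IOAVProtection", "BehaviorMonitoring",
                    "ScriptScanning", "BlockAtFirstSeen")
# Folders a loader can write to without elevation; used for both the .reg path and the helper image.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\desktop\\", "\\public\\")
# Exclusion values that cover far more than one program needs (heuristic, lower-cased).
BROAD_EXCLUSION_MARKERS = ("%appdata%", "%localappdata%", "%temp%", "%tmp%", "%userprofile%",
                           "%programdata%", "%public%", "%desktop%", "\\desktop", "\\downloads", "\\temp")

MP_CMDLET_RE = re.compile(r"\b(?:Set|Add)-MpPreference\b", re.IGNORECASE)
# Any -Disable<prefix> followed by $true or 1; the prefix is resolved by canonical_engine().
DISABLE_RE = re.compile(r"-Disable(\w+)[\s:]+(\$true|1)\b", re.IGNORECASE)
# Capture the exclusion value list up to the next parameter, a closing quote, or end of line.
EXCLUSION_RE = re.compile(r'-Exclusion(Path|Process|Extension)\s+(.+?)(?=\s-[A-Za-z]|"|$)', re.IGNORECASE)
REG_IMPORT_RE = re.compile(r"\breg(?:\.exe)?\s+import\s+(\S+\.reg)", re.IGNORECASE)


def canonical_engine(fragment):
    """Expand an abbreviated parameter name the way PowerShell does (unique prefix)."""
    matches = [e for e in DEFENDER_ENGINES if e.lower().startswith(fragment.lower())]
    return matches[0] if len(matches) == 1 else fragment


def is_broad_exclusion(value):
    """True for a drive root or a value that excludes a whole user/profile area."""
    v = value.lower().rstrip("\\")
    if re.fullmatch(r"[a-z]:", v):  # e.g. C:\ excludes the entire volume
        return True
    return any(marker in v for marker in BROAD_EXCLUSION_MARKERS)


def analyze_event(event):
    """Return a list of (rule, detail) findings for one process-creation event."""
    cmd, image = event["cmdline"], event["image"].lower()
    findings = []
    if MP_CMDLET_RE.search(cmd):
        for fragment, _value in DISABLE_RE.findall(cmd):
            findings.append(("defender_engine_disabled", canonical_engine(fragment)))
        for kind, raw in EXCLUSION_RE.findall(cmd):
            values = [v.strip(" '\"") for v in raw.split(",") if v.strip(" '\"")]
            rule = "broad_defender_exclusion" if any(map(is_broad_exclusion, values)) else "defender_exclusion"
            findings.append((rule, f"{kind}: {', '.join(values)}"))
    m = REG_IMPORT_RE.search(cmd)
    if m and any(tok in m.group(1).lower() for tok in USER_WRITABLE):
        findings.append(("reg_import_from_user_dir", m.group(1)))
    if PureWindowsPath(image).name == "powerrun.exe" and any(tok in image for tok in USER_WRITABLE):
        findings.append(("privilege_helper_in_user_dir", event["image"]))
    return findings


def scan(events):
    """Run every event through the rules and keep only those that produced findings."""
    results = []
    for event in events:
        findings = analyze_event(event)
        if findings:
            results.append({"cmdline": event["cmdline"], "findings": findings})
    return results


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["cmdline"])
        for rule, detail in hit["findings"]:
            print(f"  [{rule}] {detail}")
```

The exclusion rule deliberately separates a narrow exclusion (one build directory) from a broad one (%APPDATA%, the Desktop, %TEMP%), because legitimate software does add exclusions and an alert on every Add-MpPreference call would be noisy; in practice the command-line check is best paired with Defender event 5007 from the Operational log, which records the change even when the command line was not captured.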
The continued development and aggressive marketing of Olymp Loader suggest that it will remain a significant threat. Its modular design and quick turnaround on changes point to further evolution of its evasion techniques. Security teams should monitor for new variants and rely on layered, behavior-based detection rather than signatures alone: in particular, alert on Set-MpPreference and Add-MpPreference in process command lines and PowerShell script block logging, on Defender configuration-change events, and on elevation helpers launched from temporary directories. Because initial access depends on a victim running a trojanized download, user education and awareness remain an important part of mitigating this threat.