Dissecting SSLoad Malware: A Comprehensive Technical Analysis
ID: 56efe462-e61b-524d-86a0-d6256e1616ce
STIX ID: report--56efe462-e61b-524d-86a0-d6256e1616ce
Feed Name: Intezer Blog
SSLoad is a modular, evolving malware family observed in campaigns since April 2024. It is delivered by a patched-DLL loader (PhantomLoader), uses self-modifying code, and ships a Rust-based downloader that retrieves additional payloads, including Cobalt Strike. Observed delivery vectors include phishing emails with decoy documents and MSI installers. The malware decodes its embedded strings with custom XOR/RC4 routines, resolves Windows API functions at runtime by walking the PEB rather than importing them, uses Telegram as a dead-drop for C2 discovery, and communicates with a C2 server at 85.239.53.219. The report publishes multiple SHA256 file IOCs.
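As an added example (not code from the Intezer report, and not SSLoad's own decoder), the following Python shows the kind of XOR/RC4 string decoder an analyst writes to recover obfuscated strings from a sample once the key and layering have been identified. The key bytes, the XOR-then-RC4 layering order, and the encoded sample blob are assumptions constructed for this illustration; SSLoad's actual keys and layering are not given on this page. The RC4 core is checked against the published "Key"/"Plaintext" test vector so the routine itself can be trusted before it is pointed at real data.

```python
"""Reference decoder for XOR/RC4-obfuscated strings (added example).

Assumptions (hypothetical, not from the SSLoad report):
  - plaintext -> repeating-key XOR -> RC4 is the obfuscation order,
    so decoding applies RC4 first and then XOR;
  - the key material below is invented for the demonstration.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key-scheduling (KSA) followed by the keystream
    generator (PRGA). RC4 is symmetric, so the same call encrypts
    and decrypts."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the second obfuscation layer in this example."""
    if not key:
        raise ValueError("XOR key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_string(s: str, rc4_key: bytes, xor_key: bytes) -> bytes:
    """Builds an obfuscated blob the way the assumed packer would
    (used here only to construct sample input)."""
    return rc4(rc4_key, xor_bytes(s.encode("utf-8"), xor_key))


def decode_string(blob: bytes, rc4_key: bytes, xor_key: bytes) -> str:
    """Reverses encode_string: RC4 first, then XOR, then UTF-8 decode."""
    return xor_bytes(rc4(rc4_key, blob), xor_key).decode("utf-8")


def rc4_known_vector_ok() -> bool:
    """Sanity check against the widely published RC4 test vector
    (key "Key", plaintext "Plaintext" -> BBF316E8D940AF0AD3)."""
    return rc4(b"Key", b"Plaintext") == bytes.fromhex("BBF316E8D940AF0AD3")


# Constructed sample data: invented keys and a blob produced by
# encode_string, standing in for a string table carved from a sample.
SAMPLE_RC4_KEY = b"example-rc4-key"        # hypothetical
SAMPLE_XOR_KEY = bytes([0x5A, 0xA3])       # hypothetical
SAMPLE_BLOBS = [
    encode_string(s, SAMPLE_RC4_KEY, SAMPLE_XOR_KEY)
    for s in ("kernel32.dll", "VirtualAlloc", "api.telegram.org")
]


def decode_all(blobs, rc4_key: bytes = SAMPLE_RC4_KEY,
               xor_key: bytes = SAMPLE_XOR_KEY) -> list:
    """Decodes a list of obfuscated blobs, returning the recovered strings."""
    return [decode_string(b, rc4_key, xor_key) for b in blobs]


if __name__ == "__main__":
    assert rc4_known_vector_ok(), "RC4 core failed its test vector"
    for s in decode_all(SAMPLE_BLOBS):
        print(s)
```

When adapting this to a real sample, replace the constructed keys and blobs with the key bytes and string-table offsets recovered from the binary, and keep the test-vector check: a silently wrong RC4 implementation produces plausible-looking garbage rather than an obvious failure.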
