Cybercriminals have been launching malvertising attacks to facilitate the distribution of virtualized .NET loaders, dubbed "MalVirt," that deploy the Formbook and newer XLoader information-stealing malware strains, both of which have keylogging, credential theft, and additional malware staging capabilities, reports The Register. SentinelOne SentinelLabs researchers discovered that virtualization through .NET applications' KoiVM virtualizing protector enables obfuscation of the MalVirt loaders. "The distribution of this malware through the MalVirt loaders is characterized by an unusual amount of applied anti-analysis and anti-detection techniques," researchers said. Leveraging MalVirt loaders has gained traction among threat actors following Microsoft's decision to block macros by default in Office documents in an effort to curtail attacks. While info-stealers have been utilized for usual cybercrime objectives, some attackers have leveraged such malware for political intrusions, as evidenced by Russian phishing attacks against Ukraine. "In the case of an intricate loader, this could suggest an attempt to co-opt cybercriminal distribution methods to load more targeted second-stage malware onto specific victims after initial validation," researchers added.