Numerous malware strains, including Smokeloader, Vidar, and Redline, have been executed using the PrivateLoader pay-per-install loader since last May, ZDNet reports.

Threat actors could leverage Smokeloader, which is the most prevalent malware executed by the PPI loader, to steal data and perform reconnaissance, while the Vidar spyware could be used to exfiltrate documents, passwords, and digital wallet information, according to Intel 471.

Researchers discovered the use of PrivateLoader bots for Kronos banking trojan and Dridex botnet distribution. Moreover, another loader named Discoloader was leveraged for Conti ransomware deployment.

"PPI services have been a pillar of cybercrime for decades. Just like the wider population, criminals are going to flock to software that provides them a wide array of options to easily achieve their goals… By highlighting the versatility of this malware, we hope to give defenders the chance to develop unique strategies in thwarting malware attacks empowered by PrivateLoader," said researchers.