
Security researchers have uncovered details about “Ragnar Loader,” a sophisticated malware toolkit utilized by prominent cybercrime and ransomware groups including Ragnar Locker (Monstrous Mantis), FIN7, FIN8, and Ruthless Mantis (formerly REvil).
According to Swiss cybersecurity firm PRODAFT, “Ragnar Loader plays a key role in maintaining access to compromised systems, enabling attackers to persist in networks for extended operations.” While linked to the Ragnar Locker group, it remains unclear whether they own the toolkit or lease it to other threat actors.
First documented by Bitdefender in 2021 under the name Sardonic, the malware has been operational since 2020. Symantec later identified an updated version being used by FIN8 to deliver BlackCat ransomware.
## Key Capabilities and Features
Ragnar Loader’s primary function is establishing persistent access within targeted environments while evading detection through:
- PowerShell-based payload execution
- Strong encryption and encoding (RC4 and Base64)
- Sophisticated process injection techniques
- Comprehensive anti-analysis mechanisms
- Backdoor operations via DLL plugins and shellcode
- File exfiltration capabilities
- Network lateral movement through PowerShell pivoting
The malware is distributed to affiliates as an archive package containing multiple components that enable reverse shell access, privilege escalation, and remote desktop control. It establishes communication with threat actors through a command-and-control panel.
A notable component is a Linux executable (named “bc”) designed to facilitate remote connections, allowing attackers to execute commands directly on compromised systems.
PRODAFT concludes that these features “exemplify the increasing complexity and adaptability of modern ransomware ecosystems,” highlighting how the toolkit continues to evolve with new capabilities that make it increasingly modular and difficult to detect.