Tag

Cherryloader

All articles tagged with #cherryloader

"CherryLoader Malware: Mimicking CherryTree for Privilege Escalation"
cybersecurity, 2 years ago

A new Go-based malware loader called CherryLoader has been discovered masquerading as the legitimate CherryTree note-taking application. It delivers privilege escalation tools such as PrintSpoofer and JuicyPotatoNG onto compromised hosts for follow-on exploitation. Its modular design lets threat actors swap exploits without recompiling the loader, and it uses encryption and anti-analysis techniques to evade detection. The loader is distributed as a RAR archive and relies on fileless techniques for execution, ultimately establishing persistence on the host and disabling Microsoft Defender.