New TinyLoader Malware Attacking Windows Users Via Network Shares and Fake Shortcut Files

Cybersecurity: TinyLoader Malware Update
A newly identified malware loader, TinyLoader, is affecting Windows systems by exploiting network shares and deceptive shortcut files.
Technical Details
First detected in late August 2025, TinyLoader installs multiple secondary payloads, including RedLine Stealer and DCRat, to facilitate credential theft, remote access, and cryptocurrency theft.
The loader has been observed spreading through corporate file shares, removable media, and social engineering tactics that trick users into executing malicious files.
Operational Characteristics
TinyLoader is notable for its aggressive lateral movement and sophisticated persistence mechanisms. It often gains initial access via open SMB resources, copying itself there under the innocuous-looking name “Update.exe” and updating directory timestamps to avoid detection.
Upon execution, the loader connects to predefined command-and-control (C2) servers to download additional modules. Early C2 infrastructure was identified at IP addresses in Riga, Latvia, and further nodes in the UK and Netherlands.
Like modern malware-as-a-service platforms, TinyLoader gives threat actors an intuitive web portal for campaign management. The loader retrieves payloads from six hard-coded URLs and saves them to the Windows temporary directory, where they are executed without user interaction.
Infection Mechanism
TinyLoader leverages network file sharing and fake Windows shortcuts for propagation. Upon obtaining administrative privileges, it modifies the Windows registry to hijack .txt file associations, ensuring any attempt to open a text file launches TinyLoader before displaying the document.
It also copies itself and malicious shortcut files to writable network shares, masquerading as a backup utility. The loader targets removable media, using enticing names like “Photo.jpg.exe” and an autorun.inf file to ensure execution on new hosts.
Defense Recommendations
Security teams should monitor registry changes affecting file associations, restrict executable creation on network shares, and inspect shortcut files for unusual targets. Combining signature-based detection of the “Login – TinyLoader” panel with behavioral monitoring of autorun activity can help mitigate the spread of this threat.
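A triage sketch for the share and removable-media recommendations above, added here as an example and not taken from the original report: it walks a mounted share or drive and flags double-extension executables such as “Photo.jpg.exe”, copies named “Update.exe”, and autorun.inf files together with the commands they would launch. The extension lists and the function names are assumptions chosen for illustration.

```python
import os
from pathlib import PureWindowsPath

# Assumed lists for illustration; tune them to your environment.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".xlsx", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
AUTORUN_KEYS = ("open", "shellexecute")  # autorun.inf keys that launch a program


def classify(path):
    """Return reasons a file name matches the artifacts the article describes."""
    p = PureWindowsPath(path)  # accepts both / and \ separators, including UNC paths
    name = p.name.lower()
    suffixes = [s.lower() for s in p.suffixes]
    reasons = []
    if len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DECOY_EXTS:
        reasons.append("double-extension executable")
    if name == "update.exe":  # name alone is a weak signal; review in context
        reasons.append("Update.exe copy")
    if name == "autorun.inf":
        reasons.append("autorun.inf")
    return reasons


def autorun_targets(text):
    """Extract the commands an autorun.inf would launch (open= / shellexecute=)."""
    targets = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in AUTORUN_KEYS and value.strip():
            targets.append(value.strip())
    return targets


def scan(root):
    """Walk a mounted share or removable drive and return {path: [reasons]}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = classify(fname)
            if fname.lower() == "autorun.inf":
                with open(full, "r", errors="replace") as fh:
                    reasons += [f"launches {t}" for t in autorun_targets(fh.read())]
            if reasons:
                findings[full] = reasons
    return findings
```

Call `scan()` with the root of a mounted share or removable drive; each finding is a lead for review rather than a verdict, since legitimate software also ships files named Update.exe.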