TetraLoader Malware

TetraLoader is a sophisticated loader-type malware written in the Rust programming language. It has been actively deployed in targeted cyber-espionage campaigns since January 2025, primarily against U.S. local government networks. The malware is designed to deliver secondary payloads such as Cobalt Strike and VShell, facilitating long-term unauthorized access and data exfiltration.

Threat Overview

TetraLoader operates by decrypting an embedded payload and injecting it into legitimate system processes, such as Windows Notepad. This technique allows it to evade detection and establish a foothold within the compromised system. The malware is built using MaLoader, a publicly available malware-building framework written in Simplified Chinese, which has been accessible since December 2024.

The initial infection vector involves exploiting a critical zero-day vulnerability (CVE-2025-0994) in Trimble’s Cityworks infrastructure and operation management platform. After gaining access, attackers deploy web shells like AntSword and Chopper to maintain persistence and facilitate further malicious activities.

TetraLoader Malware Summary

Threat Type	Trojan, Loader
Detection Names	Avast (Win64:MalwareX-gen [Misc]), Combo Cleaner (Trojan.GenericKD.75847433), ESET-NOD32 (A Variant Of Win64/PSW.Agent_AGen.AF), Kaspersky (Trojan.Win32.CobaltStrike.iht), Microsoft (Trojan:Win64/CobaltStrike!rfn)
Payload	Cobalt Strike, VShell
Symptoms of Infection	Typically silent; no clear symptoms
Damage	Stolen passwords and banking information, identity theft, addition to botnet
Distribution Methods	Exploitation of CVE-2025-0994, infected email attachments, malicious online advertisements, social engineering, software ‘cracks’
Danger Level	High
Removal Tool	SpyHunter

In-Depth Analysis

How Did I Get Infected?

TetraLoader infections are primarily initiated through the exploitation of a critical vulnerability (CVE-2025-0994) in the Cityworks platform. Attackers gain initial access by deploying web shells and then introduce TetraLoader into the system. Other distribution methods include infected email attachments, malicious online advertisements, social engineering tactics, and the use of software ‘cracks’.

What Does It Do?

Once executed, TetraLoader decrypts its embedded payload and injects it into legitimate system processes to avoid detection. It then facilitates the download and execution of additional malicious components, such as Cobalt Strike and VShell, which are used for reconnaissance, data exfiltration, and maintaining persistent access to the compromised network.

Should You Be Worried?

Yes. TetraLoader is a high-risk threat that can lead to severe privacy issues, financial losses, and identity theft. Its ability to operate silently and deliver potent secondary payloads makes it a significant danger to any compromised system. Immediate action is required to detect and remove this malware to prevent further damage.

Manual Trojan Malware Removal Guide

Step 1: Boot into Safe Mode

1. Restart your computer.
2. Before Windows starts, press the F8 key (or Shift + F8 on some systems).
3. Select Safe Mode with Networking from the Advanced Boot Options menu.
4. Press Enter to boot.

This prevents the Trojan from running and makes it easier to remove.

---

Step 2: Identify and Stop Malicious Processes

1. Press Ctrl + Shift + Esc to open Task Manager.
2. Go to the Processes tab (or Details in Windows 10/11).
3. Look for suspicious processes using high CPU or memory, or with unfamiliar names.
4. Right-click on the suspicious process and select Open File Location.
5. If the file is in a temporary or system folder and looks unfamiliar, it is likely malicious.
6. Right-click the process and choose End Task.
7. Delete the associated file in File Explorer.

---

Step 3: Remove Trojan-Related Files and Folders

1. Press Win + R, type %temp%, and press Enter.
2. Delete all files in the Temp folder.
3. Also check these directories for unfamiliar or recently created files:
   • C:\Users\YourUser\AppData\Local\Temp
   • C:\Windows\Temp
   • C:\Program Files (x86)
   • C:\ProgramData
   • C:\Users\YourUser\AppData\Roaming
4. Delete suspicious files or folders.

---

Step 4: Clean Trojan Malware from Registry

1. Press Win + R, type regedit, and press Enter.
2. Navigate to the following paths:
   • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3. Look for entries launching files from suspicious locations.
4. Right-click and delete any entries you don’t recognize.

Warning: Editing the registry can harm your system if done improperly. Proceed with caution.

---

Step 5: Reset Browser Settings

Google Chrome

1. Go to Settings > Reset Settings.
2. Click Restore settings to their original defaults and confirm.

Mozilla Firefox

1. Go to Help > More Troubleshooting Information.
2. Click Refresh Firefox.

Microsoft Edge

1. Go to Settings > Reset settings.
2. Click Restore settings to their default values.

---

Step 6: Run a Full Windows Defender Scan

1. Open Windows Security via Settings > Update & Security.
2. Click Virus & threat protection.
3. Choose Scan options, select Full scan, and click Scan now.

---

Step 7: Update Windows and Installed Software

1. Press Win + I, go to Update & Security > Windows Update.
2. Click Check for updates and install all available updates.

---

Automatic Trojan Removal Using SpyHunter

If manually removing the Trojan seems difficult or time-consuming, using SpyHunter is the recommended method. SpyHunter is an advanced anti-malware tool that detects and eliminates Trojan infections effectively.

Step 1: Download SpyHunter

Use the following official link to download SpyHunter: Download SpyHunter

For full instructions on how to install, follow this page: Official SpyHunter Download Instructions

---

Step 2: Install SpyHunter

1. Locate the SpyHunter-Installer.exe file in your Downloads folder.
2. Double-click the installer to begin setup.
3. Follow the on-screen prompts to complete the installation.

---

Step 3: Scan Your System

1. Open SpyHunter.
2. Click Start Scan Now.
3. Let the program detect all threats, including Trojan components.

---

Step 4: Remove Detected Malware

1. After the scan, click Fix Threats.
2. SpyHunter will automatically quarantine and remove all identified malicious components.

---

Step 5: Restart Your Computer

Restart your system to ensure all changes take effect and the threat is completely removed.

---

Tips to Prevent Future Trojan Infections

• Avoid downloading pirated software or opening unknown email attachments.
• Only visit trusted websites and avoid clicking on suspicious ads or pop-ups.
• Use a real-time antivirus solution like SpyHunter for ongoing protection.
• Keep your operating system, browsers, and software up to date.

Conclusion

TetraLoader represents a formidable threat in the cybersecurity landscape, combining stealthy operation with the delivery of powerful malicious tools. Its exploitation of critical vulnerabilities and use of sophisticated techniques underscore the importance of maintaining up-to-date security measures and exercising caution with unsolicited emails and downloads. Utilizing reputable security tools like SpyHunter can aid in the detection and removal of such threats, safeguarding your systems against potential breaches.