Loader / Dropper — Malware Components Used to Deliver and Execute Payloads
A Loader or Dropper is a malware component designed to install or execute additional malicious payloads on a compromised system. This SECMONS glossary entry explains how loaders and droppers function, how they differ, and why they are central to modern malware campaigns.
What Is a Loader or Dropper?
A Loader or Dropper is a type of malware whose primary purpose is to deliver, install, or execute another malicious payload.
Unlike ransomware or backdoors, loaders and droppers are often transitional components in a broader attack chain.
They frequently appear during:
- Initial access (see /glossary/initial-access/)
- Exploitation of vulnerabilities listed under /vulnerabilities/
- Phishing campaigns
- Malicious software downloads
Their objective is not the final impact — it is to enable it.
Loader vs Dropper — Key Differences
Although often used interchangeably, they are not identical.
| Term | Function |
|---|---|
| Dropper | Contains embedded malicious payload and writes it to disk |
| Loader | Retrieves payload from remote infrastructure and executes it |
| Downloader | Variant that fetches payloads from external servers |
| Stager | Lightweight initial component in multi-stage malware |
Loaders commonly connect to infrastructure described under /glossary/command-and-control/ to retrieve additional components.
Why Loaders and Droppers Matter
Modern attacks rarely rely on a single executable.
Instead, attackers deploy staged payloads:
- Initial infection vector
- Loader or dropper execution
- Secondary payload retrieval
- Persistence establishment
- Privilege escalation
- Lateral movement
- Final objective (e.g., deploying ransomware as described under /glossary/ransomware/, or data exfiltration)
This modular approach complicates detection and attribution.
How Loaders and Droppers Are Delivered
Common delivery methods include:
- Malicious email attachments
- Weaponized documents
- Drive-by downloads
- Exploit kits
- Compromised websites
- Software supply chain compromise
Attackers may also combine loaders with:
- Defense evasion techniques (see /glossary/defense-evasion/)
- Obfuscation techniques
- Encrypted payload delivery
Loader / Dropper vs Backdoor
| Concept | Role in Attack |
|---|---|
| Loader / Dropper | Delivery mechanism |
| Backdoor | Persistent access mechanism |
| Web Shell | Web-based backdoor |
| Botnet | Distributed infected infrastructure |
Loaders enable compromise. Backdoors sustain it.
Detection Challenges
Loaders and droppers are difficult to detect because:
- They may appear benign on initial execution
- Payload retrieval may occur later
- Communication may use encrypted channels
- Behavior may mimic legitimate software updates
- They may self-delete after execution
Detection often relies on behavioral analysis rather than static signatures.
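The behaviours listed above (an executable staged to disk and then run, payload retrieval from remote infrastructure before execution, self-deletion afterwards) can be correlated per process chain. The script below is an added example, not SECMONS code: it walks constructed Sysmon-style events and distinguishes dropper from loader activity using the page's own definitions; the event field names, paths and heuristics are assumptions.

```python
# Added example (not SECMONS code): correlate the staged behaviours this entry lists over
# constructed Sysmon-style events. Field names, paths and heuristics are assumptions.
from collections import defaultdict

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
EXEC_EXT = (".exe", ".dll", ".scr")

def staged_executable(path):
    """Executable written to a user-writable location (hypothetical heuristic)."""
    p = path.lower()
    return p.endswith(EXEC_EXT) and any(d in p for d in USER_WRITABLE)

def correlate(events):
    """Walk events in time order and return (kind, actor_pid, image) findings:
    dropper = writes an executable then runs it; loader = same, but the writer made an
    outbound connection first; self_delete = a process deletes its own image."""
    state = defaultdict(lambda: {"image": "", "wrote": set(), "connected": False})
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        s, kind = state[ev["pid"]], ev["type"]
        if kind == "process_create":
            s["image"] = ev["image"].lower()
            parent = state[ev["ppid"]]
            if s["image"] in parent["wrote"]:  # parent staged this file, now it executes
                tag = "loader" if parent["connected"] else "dropper"
                findings.append((tag, ev["ppid"], s["image"]))
        elif kind == "file_write" and staged_executable(ev["path"]):
            s["wrote"].add(ev["path"].lower())
        elif kind == "net_connect":
            s["connected"] = True  # retrieval from remote infrastructure
        elif kind == "file_delete" and ev["path"].lower() == s["image"]:
            findings.append(("self_delete", ev["pid"], s["image"]))
    return findings

# Constructed telemetry: a document handler drops update.exe, which phones home, stages
# svc.exe, runs it, then removes its own binary. The final PDF write is benign noise.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "process_create", "pid": 100, "ppid": 1, "image": r"C:\Program Files\Office\WINWORD.EXE"},
    {"ts": 2, "type": "file_write", "pid": 100, "path": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"ts": 3, "type": "process_create", "pid": 101, "ppid": 100, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"ts": 4, "type": "net_connect", "pid": 101, "dest": "203.0.113.5:443"},
    {"ts": 5, "type": "file_write", "pid": 101, "path": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"ts": 6, "type": "process_create", "pid": 102, "ppid": 101, "image": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"ts": 7, "type": "file_delete", "pid": 101, "path": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"ts": 8, "type": "file_write", "pid": 200, "path": r"C:\Users\alice\Downloads\report.pdf"},
]

def demo():
    return correlate(SAMPLE_EVENTS)
```

Running `demo()` yields a dropper finding for the document handler, a loader finding for update.exe (it connected out before staging svc.exe) and a self_delete finding, while the benign PDF write produces nothing.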
Defensive Considerations
Mitigating loader and dropper risk requires:
- Email filtering and sandboxing
- Endpoint detection and response (EDR)
- Application whitelisting
- Monitoring abnormal process behavior
- Restricting outbound connections
- Strong patch management under /glossary/patch-management/
- User awareness training
If a vulnerability is marked as exploited in the wild (see /glossary/exploited-in-the-wild/), attackers may rapidly weaponize it with staged loaders.
Why SECMONS Treats Loaders and Droppers as Strategic
Loaders and droppers represent the bridge between exploitation and full compromise.
Understanding staged malware architecture allows defenders to detect early phases before impact escalates.
Authoritative References
- MITRE ATT&CK — Execution & Command and Control Techniques
- CISA Malware Analysis Resources