Analysis of PrivateLoader and the associated Pay-Per-Install service 🧶

SEKOIA observed that PrivateLoader is one of the most widely used loaders in 2022. It is used by a Pay-Per-Install (PPI) service to deploy multiple malicious payloads on infected hosts. We tracked PrivateLoader's network infrastructure for several months and recently conducted an in-depth analysis of the malware. Moreover, our investigations on Dark Web forums allowed us to associate PrivateLoader with a Pay-Per-Install malware service. We published the results of our analysis in the [FLINT 2022-048 report](https://app.sekoia.io/intelligence/objects/report--4724d179-4eb7-417d-be47-1c6092a85c21).

SEKOIA analysts also took the occasion to present the Pay-Per-Install malware service, its key role in the distribution of threats, and the underground economy around it. SEKOIA analysts will continue to monitor PrivateLoader and the malware it distributes in order to produce actionable intelligence for our customers, including indicators of compromise for multiple malware families.

![changelog_flint_048.png](BASE/products/901462981/changelog/12716/inline-2194075e8d226778987e00172207cc2c.jpg)

Related resources:

* [FLINT 2022-048 - PrivateLoader: the loader of the prevalent ruzki PPI service](https://app.sekoia.io/intelligence/objects/report--4724d179-4eb7-417d-be47-1c6092a85c21)
* [PrivateLoader malware page](https://app.sekoia.io/intelligence/objects/malware--f7f5b70a-9d64-430c-b845-ababa0646035)
* [ruzki threat actor page](https://app.sekoia.io/intelligence/objects/threat-actor--82e6a06d-1611-4af3-8c70-ed25eeae5e5a)