
New Malware-as-a-Service Olymp Loader Promises Defender-Bypass With Automatic Certificate Signing

The cybersecurity community is currently observing a surge in interest around Olymp Loader, a recently unveiled Malware-as-a-Service (MaaS) platform written entirely in Assembly. Its author, operating under the alias OLYMPO, touts the service as Fully UnDetectable (FUD), claiming that its advanced design can bypass modern antivirus engines and evade machine-learning–based heuristics.

As reported on HackForums and other underground venues, OLYMPO has implemented features such as deep XOR encryption for payload modules, UAC-Flood privilege escalation, and automatic Windows Defender exclusions. On August 5, 2025, OLYMPO announced pricing tiers ranging from a basic stub at USD 50 to a fully customized injection service at USD 200, with all packages including a “Defender-way” bypass, a Defender-removal module, and automatic certificate signing to lend samples a veneer of legitimacy.

By early August, this workflow was augmented with a Defender Remover module, publicly available on GitHub, which executes PowerRun[.]exe and a RemoveSecHealthApp[.]ps1 script to terminate Defender services before adding exhaustive exclusion paths (APPDATA, LOCALAPPDATA, Desktop, StartMenu, and more) via Add-MpPreference. The loader’s shellcode component leverages the LoadPE method for code‐cave–based injection into legitimate processes, supporting 32‐bit, 64‐bit, .NET, and Java payloads. Unique shellcode initialization routines further obfuscate the loader’s purpose, while a custom certificate signing feature signs both the stub and modules, complicating detection by reputation‐based systems.
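The exclusion behaviour described above leaves a trail that defenders can audit. The following PowerShell is an added example, not code from the article or from any tooling it names: it lists Defender exclusions that cover user-writable roots (the APPDATA, LOCALAPPDATA, Desktop and Start Menu locations the text mentions, plus TEMP and Public as assumed additions) and pulls recent Defender configuration-change events (event ID 5007) that reference exclusions. It assumes the Defender PowerShell module is present and is run in an elevated session.

```powershell
# Added example (not from the article): audit Defender exclusions that
# match the kind of paths the Defender Remover module is said to add.
# Assumes Get-MpPreference is available and the session is elevated.

# Roots that should rarely be excluded wholesale; TEMP and Public are
# assumed additions beyond the locations named in the article.
$suspiciousRoots = @(
    $env:APPDATA,
    $env:LOCALAPPDATA,
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('StartMenu'),
    $env:TEMP,
    'C:\Users\Public'
) | Where-Object { $_ }

function Get-SuspiciousDefenderExclusions {
    $prefs    = Get-MpPreference
    $findings = @()
    foreach ($path in @($prefs.ExclusionPath)) {
        if (-not $path) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($path).TrimEnd('\')
        foreach ($root in $suspiciousRoots) {
            if ($expanded -like "$($root.TrimEnd('\'))*") {
                $findings += [pscustomobject]@{ Type = 'Path'; Value = $path; Reason = "under $root" }
                break
            }
        }
    }
    # Extension and process exclusions are worth surfacing as well.
    foreach ($ext in @($prefs.ExclusionExtension)) {
        if ($ext) { $findings += [pscustomobject]@{ Type = 'Extension'; Value = $ext; Reason = 'extension exclusion' } }
    }
    foreach ($proc in @($prefs.ExclusionProcess)) {
        if ($proc) { $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Reason = 'process exclusion' } }
    }
    return $findings
}

# Defender records configuration changes as event 5007 in its Operational
# log; exclusion changes mention the Exclusions registry path in the message.
function Get-RecentDefenderExclusionChanges([int]$Hours = 24) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match 'Exclusions' } |
      Select-Object TimeCreated, Message
}

Get-SuspiciousDefenderExclusions | Format-Table -AutoSize
Get-RecentDefenderExclusionChanges | Format-Table -Wrap
```

Any hit under a user-writable root, or a 5007 event that was not produced by a known change window, is worth correlating with process creation telemetry for the PowerShell or PowerRun execution that made it.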

To read the complete article, see: Cyber Security News.

This post is licensed under CC BY 4.0 by the author.