Skip to main content

Home DBatLoader


Also known as: nModiLoader, NatsoLoader

Category: Malware

Type: loader, dropper

Platform: Windows

Damage potential: Stolen financial information, camera hijacking, taking unauthorized screenshots, adding the victim’s device to a botnet, web injection, keylogging, opening backdoors for other malware (like ransomware)


DBatLoader (also known as ModiLoader and NatsoLoader) is a Delphi-based loader that often hosts its payloads on legitimate platforms (such as cloud services or WordPress sites with authorized SSL certificates) to evade detection. DBatLoader payloads include WarzoneRAT, Formbook, and Remcos RAT.

Possible symptoms

DBatLoader relies on stealth to deliver its payload — in fact, one of the hallmarks of DBatLoader is its ability to bypass User Account Control (UAC) notifications while performing privilege escalation on the victim’s device. As a result, victims typically notice the payload infection (such as Warzone RAT) first, which tips them off about the presence of DBatLoader.

Possible indicators of a DBatLoader infection include:

  • Your device frequently freezes or stutters.
  • You realize you’ve been redirected to a fake website after clicking a legitimate link.
  • Other malware appears on your device without a known cause.
  • Your device’s fan seems to be constantly on, even when the device is idle.
  • Your device downloads data from remote servers without any prompting (DBatLoader is downloading second stage installation files or its payload malware).

Sources of infection

DBatLoader is usually distributed through fake attachments in phishing emails. The attachment may contain a misleading link to download DBatLoader or be an installation file in disguise. Once it has taken root in the victim’s system, DBatLoader will attempt to download its payload malware from compromised legitimate websites (i.e., websites with intact SSL certificates) to evade detection.

Your device may also get infected with DBatLoader from:

  • Infected files shared through messaging platforms.
  • Infected files downloaded from cloud storage or online repositories.
  • Other viruses that drop DBatLoader as part of their operations.
  • Drive-by downloading (malicious scripts on compromised websites that force your device to automatically download malware when the page loads).
  • Peer-to-peer (P2P) sharing of infected files.
  • Infected external devices, such as hard drives or USB sticks.


To protect yourself against DBatLoader, it is a good idea to set UAC to “Always notify” — that way, DBatLoader will not be able to perform privilege escalation in the background. You should also start practicing good cyber hygiene to avoid phishing attacks, which are the most common vector for DBatLoader infections. Learn to recognize spam emails, avoid opening suspicious attachments, and scan any file you download for malware before running it.

Other protective measures include:

  • Use email scanning tools to identify and automatically block messages with suspicious attachments.
  • Use multi-factor authentication to protect your accounts in the event that someone steals your password using Gootkit.
  • Avoid potentially dangerous websites like dark web pages or torrent repositories. In certain situations, these websites may attempt to download malware (including DBatLoader) to your device by exploiting vulnerabilities.
  • Use NordVPN’s Threat Protection to scan programs and files for malware while they’re being downloaded. Threat Protection will also alert you if you’re about to enter a known infected website to prevent drive-by download attacks.


DBatLoader is very difficult to remove manually — it will modify autorun registry keys and create copies of itself in mock trusted directories to achieve a high degree of persistence. The best way to eliminate DBatLoader from your system is to use reliable antivirus software.