Security Articles

NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service

released on 2022-05-06 @ 10:22:55 AM
Trend Micro recently encountered a fairly sophisticated malware framework that we named NetDooka after the names of some of its components. The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that implements its own network communication protocol. During our analysis, Trend Micro discovered that NetDooka was being spread via the PrivateLoader malware which, once installed, starts the whole infection chain.