A dropper discovered by Deep Instinct was observed distributing several different types of malware to victim systems. Once executed, the initial loader establishes a connection with its C2 server and then performs an IP check. After that, a series of executables is downloaded, via PowerShell, from either the C2 server itself or a file storage service. Most of the delivered malware is commodity malware, specifically infostealers such as Vidar, Predator the Thief and Raccoon stealer. The loader also includes a built-in cryptostealer and a custom RDP backdoor.

The cryptostealing functionality begins by searching the system for evidence of cryptocurrency-related data. If any is found, PowerShell is used to download and install a DLL stealer, which in turn installs a browser credential harvester. After harvesting wallet files and both cryptowallet and browser credentials from the system, the data is uploaded to the C2 server.

The RDP backdoor comes in the form of an NSIS installer that executes a PowerShell script. A UAC bypass is performed, and the PowerShell code used to create the RDP backdoor is then saved to a DLL file masquerading as XML, which is registered as a service.
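The final persistence step described above (a DLL with an .xml extension registered as a service) leaves a simple artifact a defender can hunt for. The script below is an added example written for this page, not code from Deep Instinct's report; it assumes Windows PowerShell 5.1 or later with local administrator rights, and flags any service whose command line or ServiceDll points at a .xml file that actually begins with the PE "MZ" header.

```powershell
# Added hunt script (not from the report). Assumes Windows PowerShell 5.1+ and admin rights.
# Enumerates services, collects any .xml paths they reference (command line or the
# ServiceDll value used by svchost-hosted services) and checks for a PE "MZ" header.

function Test-PeHeader {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 2
        $n = $fs.Read($buf, 0, 2)
        # 0x4D 0x5A == "MZ": the file is a PE image regardless of its extension
        return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    } finally { $fs.Dispose() }
}

function Find-XmlMasqueradingServiceDll {
    $findings = @()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $candidates = @()
        # svchost-hosted services load their code from HKLM\...\<svc>\Parameters\ServiceDll
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        if (Test-Path -LiteralPath $paramKey) {
            $dll = (Get-ItemProperty -LiteralPath $paramKey -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { $candidates += [Environment]::ExpandEnvironmentVariables($dll) }
        }
        # Anything with a .xml extension on the service command line is also suspicious
        if ($svc.PathName) {
            $candidates += [regex]::Matches($svc.PathName, '"?([^"]+?\.xml)"?', 'IgnoreCase') |
                ForEach-Object { $_.Groups[1].Value }
        }
        foreach ($file in ($candidates | Where-Object { $_ -match '\.xml$' })) {
            $findings += [pscustomobject]@{
                Service = $svc.Name
                File    = $file
                IsPE    = Test-PeHeader -Path $file   # $true means a DLL disguised as XML
            }
        }
    }
    return $findings
}

# Report only the hits where the ".xml" file is really a PE image
Find-XmlMasqueradingServiceDll | Where-Object IsPE | Format-Table -AutoSize
```

A hit is worth correlating with the service's creation time and any preceding PowerShell or NSIS installer execution in the event logs, since the loader stages the backdoor through both.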