Subscribe to the Non-Human & AI Identity Journal
Threats, Abuse & Incident Response

Loader

← Back to Glossary
By NHI Mgmt Group Updated July 14, 2026 Domain: Threats, Abuse & Incident Response

A loader is malware whose main job is to retrieve, decrypt, inject, or launch a second-stage payload. In these campaigns, loaders are not the final objective. They are the mechanism that turns an initial click into remote access, persistence, or data theft.

Expanded Definition

A loader is malware designed to establish the next stage of an intrusion rather than deliver the final impact itself. It typically retrieves a payload from an attacker-controlled location, decrypts or unpacks it in memory, and then injects or launches it so the compromise can continue with reduced visibility.

In NHI and agentic environments, loaders matter because the same delivery pattern can be used to target service accounts, CI/CD agents, API keys, and other secrets that unlock downstream systems. The term is sometimes used loosely across incident reports, and definitions vary across vendors, but the operational meaning is consistent: the loader is the handoff mechanism between initial access and active execution. That makes it closely related to staging, shellcode loading, and process injection, but not identical to persistence or exfiltration. For broader governance context, the NIST Cybersecurity Framework 2.0 frames this as an outcome problem across detection and response, while NHIMG’s Ultimate Guide to NHIs shows how exposed non-human credentials can become the entry point for multi-stage compromise.

The most common misapplication is treating a loader as the final malware payload, which occurs when teams stop analysis after the first executable and miss the secondary stage.

Examples and Use Cases

Implementing loader detection rigorously often introduces more telemetry and tuning overhead, requiring organisations to weigh faster containment against the cost of deeper endpoint and identity visibility.

  • A phishing campaign delivers a small executable that decrypts a remote payload and starts a beacon process under a compromised service account.
  • A malicious script inside a build pipeline uses an exposed API key to download stage two malware from object storage.
  • An attacker abuses a CI runner token to inject shellcode into a legitimate process, reducing obvious on-disk artifacts.
  • A loader is dropped after initial access to harvest credentials in memory before moving laterally through NHI-enabled applications.
  • Security teams correlate process injection alerts with secret exposure findings from the Ultimate Guide to NHIs and stage-two network traffic patterns described in NIST Cybersecurity Framework 2.0.

In practice, loaders are a bridge between intrusion and action, so analysts look for the retrieval, unpacking, and launch sequence rather than only the first binary that appears on disk.

Why It Matters in NHI Security

Loaders are especially dangerous in NHI security because they help attackers turn a single stolen secret into a scalable compromise. Once a service account token, OAuth credential, or API key is used to execute a loader, the attacker can pivot into tooling that automates discovery, persistence, and exfiltration. NHIMG reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which makes loader activity a high-signal indicator of downstream identity abuse rather than a standalone malware event.

That matters for governance because loaders often bypass defenses that only inspect attachments or known file hashes. If a loader is launched from a CI/CD runner, container, or ephemeral agent, the real failure is usually poor secret handling, weak segmentation, or insufficient monitoring around machine identities. The NHI risk picture in the Ultimate Guide to NHIs shows why this becomes an operational issue quickly: 97% of NHIs carry excessive privileges, creating the conditions for loaders to move from initial execution into broader access.

Organisations typically encounter the full impact only after a second-stage payload starts using legitimate credentials, at which point loader analysis becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-06Loader abuse often begins with exposed NHI secrets and leads to second-stage execution.
NIST CSF 2.0DE.CMLoader activity is a detectable event that supports continuous monitoring.
NIST Zero Trust (SP 800-207)Loaders exploit trusted execution paths that Zero Trust is meant to constrain.
OWASP Agentic AI Top 10AI-05Agentic systems can be coerced into downloading or launching staged malware.
NIST AI RMFLoader chains increase AI system risk when autonomous components fetch code.

Assess downstream execution risk for any model or agent allowed to retrieve artifacts.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org