Another PowerShell downloader, named sLoad, is making the rounds. It comes with strong reconnaissance capabilities and a preference for geofencing, both of which point to growing sophistication in targeting. First seen in May 2018, sLoad typically delivers the Ramnit banking trojan (which has itself been observed dropping Gootkit, DarkVNC, Ursnif, and PsiXBot). What stands out is the lengths it goes to in learning about a target before delivering its payload. According to a Proofpoint analysis, the malware collects information about the infected system, including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. It also takes screenshots of the target machine. This loader has been tied to the threat actor TA554, of whom the analysts said: “TA554 frequently uses package delivery or order notification lures; the emails contain URLs linking to zipped LNK files or zipped documents.” The attackers use geofencing, restricting access to content based on the victim’s location as determined from the source IP address. This applies to the download of the dropper, the PowerShell download of sLoad, sLoad’s communications with its command-and-control (C2) server, and the retrieval of tasks or commands. sLoad then checks browser history to see whether the victim has visited targeted institutions: using hardcoded keywords and hostnames, it records any matches and sends them to the C2.
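As an added defender-side illustration (not from Proofpoint or the original post), the following Python sketch scores PowerShell script-block log events against the reconnaissance behaviours described above (process enumeration, Outlook and Citrix checks, screenshots, browser-history reads, plus an outbound send). The indicator patterns, field names, threshold and sample events are all assumptions constructed for this example, not sLoad's actual code.

```python
import re

# Heuristic indicators for the reconnaissance steps described above.
# These regexes are assumptions for illustration, not sLoad's real commands.
RECON_INDICATORS = {
    "process_enum":    re.compile(r"Get-Process|tasklist|Win32_Process", re.I),
    "outlook_check":   re.compile(r"outlook", re.I),
    "citrix_check":    re.compile(r"citrix|\.ica\b", re.I),
    "screenshot":      re.compile(r"CopyFromScreen|Graphics\.FromImage", re.I),
    "browser_history": re.compile(r"places\.sqlite|\\History\b|WebCache", re.I),
    "net_send":        re.compile(r"Invoke-WebRequest|Net\.WebClient|UploadString|Start-BitsTransfer", re.I),
}


def score_script_block(text):
    """Return the set of indicator names matched by one script block."""
    return {name for name, pat in RECON_INDICATORS.items() if pat.search(text)}


def flag_recon_loader(events, threshold=3):
    """Group script-block events by host and flag hosts whose combined blocks
    hit at least `threshold` distinct indicators. Single hits (e.g. a lone
    Get-Process) are normal admin activity and are deliberately not flagged."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(score_script_block(ev["script"]))
    return {h: sorted(hits) for h, hits in per_host.items() if len(hits) >= threshold}


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "script": "Get-Process | Select Name"},
    {"host": "WS01", "script": "Test-Path 'C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE'"},
    {"host": "WS01", "script": "Get-ChildItem $env:APPDATA -Recurse -Filter *.ica"},
    {"host": "WS01", "script": "$g.CopyFromScreen(0,0,0,0,$b.Size); (New-Object Net.WebClient).UploadString($u,$d)"},
    {"host": "WS02", "script": "Get-Process | Where-Object CPU -gt 50"},
    {"host": "WS02", "script": "Invoke-WebRequest https://updates.example.internal/patch.msi -OutFile p.msi"},
]

if __name__ == "__main__":
    for host, hits in flag_recon_loader(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(hits)}")
```

Correlating several weak indicators per host, rather than alerting on any one of them, is what keeps this from firing on routine administration while still surfacing the profiling sequence the article describes.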