This chapter starts off by analysing first-stage malware loaders that take the form of malicious macro-embedded documents & documents that exploit a vulnerability within Equation Editor, before reverse engineering the IcedID and ZLoader second-stage loaders - enough to be able to develop a configuration extractor and a basic protocol emulator.