NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service

Trend Micro researchers recently encountered a fairly sophisticated malware framework that they named NetDooka after the names of some of its components. The framework is distributed via a pay-per-install (PPI) service and consists of multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that implements its own network communication protocol. During the analysis, Trend Micro discovered that NetDooka was being spread via the PrivateLoader malware, which, once installed, starts the whole infection chain.

As previously described by Intel471, the PrivateLoader malware is a downloader responsible for downloading and installing multiple malware families onto the infected system as part of the PPI service. Because of the way the PPI service works, the exact payloads that get installed may differ depending on the malware version. Some of the known malware families reportedly distributed via PPI services include SmokeLoader, RedLine, and Anubis.

Source: Trend Micro