A new malware called Pronsis Loader has been discovered, with similarities to D3F@ck Loader. Both use JPHP-compiled executables, but Pronsis uses NSIS for installation instead of Inno Setup. Pronsis Loader typically delivers Lumma Stealer and Latrodectus payloads. It employs defense evasion techniques like excluding user directories from Windows Defender scans. The malware establishes persistence through scheduled tasks. Infrastructure analysis revealed multiple IP addresses and open directories used to host malicious files, particularly Lumma Stealer variants. This discovery highlights the evolving nature of malware threats and the need for continued vigilance in cybersecurity practices.