Finding Minhook in a sideloading attack – and Sweden too

May 1, 2025, 8:27 p.m.

Description

A threat actor campaign targeting multiple regions was observed in late 2023 and early 2024. Initially focused on the Far East, it later shifted to Sweden. The attacks used DLL sideloading, with the sideloaded component employing the Minhook library to detour (inline-hook) Windows API calls. The clean loader executable was taken from the infected system itself rather than shipped as part of the sideloading package. The malicious components were signed using a compromised code-signing certificate. The final payload was Cobalt Strike. Three sideloading scenarios were identified, named after their host executables: MiracastView, PrintDialog, and SystemSettings. The Swedish sample was an installer that reused components from the earlier scenarios and was signed with an expired certificate belonging to a Korean game developer.
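A first triage check for this technique, written as an added example and not taken from the original report: a PowerShell script that looks for copies of the three host executables outside the Windows directory (the report says the clean loader was taken from the infected machine, so a copy sitting in a user-writable path is the tell) and reports the Authenticode state of every DLL beside them, including a signer certificate whose validity period has lapsed. The `.exe` file names, the scan roots, the Windows-directory test and the "non-Microsoft signer next to a Microsoft host" heuristic are all assumptions made for this example.

```powershell
# Added hunting example; not code from the original report.
# Assumptions: the sideloading hosts are MiracastView.exe, PrintDialog.exe and
# SystemSettings.exe; their legitimate copies live under $env:SystemRoot; the
# scan roots below are where a dropped copy would plausibly land.

$HostNames = @('MiracastView.exe', 'PrintDialog.exe', 'SystemSettings.exe')
$ScanRoots = @("$env:SystemDrive\Users", "$env:ProgramData", "$env:SystemDrive\Temp")
$WinDir    = $env:SystemRoot
$Now       = Get-Date

function Test-UnderWindowsDir {
    # True when the path lives beneath the Windows directory (legitimate location).
    param([string]$Path)
    return $Path.StartsWith($WinDir, [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-DllSignatureReport {
    # One record per DLL in the directory: signature status, signer, expiry,
    # and a Suspicious flag combining the checks a sideloaded DLL would trip.
    param([string]$Directory)
    foreach ($dll in Get-ChildItem -Path $Directory -Filter '*.dll' -File -ErrorAction SilentlyContinue) {
        $sig  = Get-AuthenticodeSignature -FilePath $dll.FullName
        $cert = $sig.SignerCertificate                     # $null when unsigned
        $expired = ($null -ne $cert) -and ($cert.NotAfter -lt $Now)
        # Heuristic (assumption): a DLL beside a Microsoft host executable is
        # expected to carry a Microsoft signature; anything else gets a look.
        $nonMs = ($null -ne $cert) -and ($cert.Subject -notmatch 'Microsoft')
        [PSCustomObject]@{
            Dll              = $dll.FullName
            Status           = $sig.Status                 # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer           = $(if ($cert) { $cert.Subject } else { '<unsigned>' })
            NotAfter         = $(if ($cert) { $cert.NotAfter } else { $null })
            CertExpired      = $expired
            NonMicrosoftSign = $nonMs
            Suspicious       = ($sig.Status -ne 'Valid') -or $expired -or $nonMs
        }
    }
}

# Host executables found outside the Windows directory.
$hits = Get-ChildItem -Path $ScanRoots -Recurse -Include $HostNames -File -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-UnderWindowsDir $_.FullName) }

foreach ($exe in $hits) {
    Write-Output "Host executable outside Windows directory: $($exe.FullName)"
    $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
    $exeSigner = $(if ($exeSig.SignerCertificate) { $exeSig.SignerCertificate.Subject } else { '<unsigned>' })
    Write-Output "  host signature: $($exeSig.Status) ($exeSigner)"
    Get-DllSignatureReport -Directory $exe.DirectoryName |
        Where-Object { $_.Suspicious } |
        Format-Table Dll, Status, Signer, NotAfter, CertExpired, NonMicrosoftSign -AutoSize
}
```

Run it elevated so the scan can descend into every profile. Note that a signature made with a compromised but still-valid certificate verifies as `Valid`, which is why the script does not stop at the status field and also reports the signer; an expired certificate without a trusted timestamp will typically show a non-`Valid` status as well, but the explicit `NotAfter` comparison makes the reason visible. The in-memory side of the technique, Minhook's inline patches on API entry points, is not visible to this on-disk check and needs a live-process or memory-forensics comparison of function prologues against their on-disk bytes.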

Date

  • Created: May 1, 2025, 2:50 p.m.
  • Published: May 1, 2025, 2:50 p.m.
  • Modified: May 1, 2025, 8:27 p.m.

Attack Patterns

Additional Information

  • Sweden
  • Taiwan
  • China