New APT-Q-27 sample spotted

June 17, 2026, 9:20 a.m.

Description

A new campaign has been identified that uses a valid digital signature from a Chinese technology company; the signing certificate has not been revoked. The attack chain employs a dropper that retrieves an extension-based module list from command and control infrastructure. The malicious payloads use DLL side-loading through a legitimate Tencent-signed executable to achieve code execution. The infrastructure includes Google Cloud Storage and a dedicated domain for command and control operations. Multiple components have been identified, including an EXE dropper, a DLL loader, a DAT payload, and the legitimate Tencent executable used for side-loading.

Date

  • Created: June 17, 2026, 8:46 a.m.
  • Published: June 17, 2026, 8:46 a.m.
  • Modified: June 17, 2026, 9:20 a.m.

Indicators

  • http://api.keensie.com:5198/

Attack Patterns

Additional Information

  • api.keensie.com