SLOW#TEMPEST Cobalt Strike Loader

Aug. 7, 2025, 11:08 a.m.

Description

An ISO image containing a malicious Cobalt Strike loader was discovered, targeting Chinese-speaking users. The infection chain involves a deceptive LNK file, which executes a legitimate Alibaba executable to sideload a malicious DLL. The loader implements anti-analysis techniques, decrypts an embedded payload, and injects a Cobalt Strike beacon. The beacon is configured to mimic Bilibili traffic and communicates with a specific C2 server. The loader also patches the entry point of the loading executable with an infinite loop. This activity shares similarities with previously reported SLOW#TEMPEST campaigns, including targeting, folder structures, and the use of DLL sideloading for Cobalt Strike beacons.

External References

https://dmpdump.github.io/posts/CobaltStrike_HK/
https://otx.alienvault.com/pulse/689481454699dbb15f211f88
Tags
cobalt strike
anti-analysis
dll-sideloading
2025-08-07
beacon
entry-point-patching
chinese-targets
cobalt-strike
iso-image

Date

  • Created: Aug. 7, 2025, 10:34 a.m.
  • Published: Aug. 7, 2025, 10:34 a.m.
  • Modified: Aug. 7, 2025, 11:08 a.m.

Indicators

  • f4bb263eb03240c1d779a00e1e39d3374c93d909d358691ca5386387d06be472
  • c28bd1a57e80861fce2597b1f5155a687bef434b0001632c8a53243718f5f287
  • a41c06ad948f3a21496e4d1f6b622ca84a365dd2087b710ed3e7f057e7a2a3f8
  • 6573136f9b804ddc637f6be3a4536ed0013da7a5592b2f3a3cd37c0c71926365
  • 5efbd54a3a51d96fbc8e65815df2f0d95af21a34b99b8dc9a38590fb6d2094f8
  • 50fbe429848e16f08a6dbf6ce6d5bbff44db1e009f560e8b8c4cde6cff0a768b
  • 28030e8cf4c9c39665a0552e82da86781b00f099e240db83f1d1a3ae0e990ab6
  • 1cb0560f614cc850422171ffe6b0b9f6b9ceaec4fe3516bc8493f253076470ab
  • m.123huodong.com.cloud.cdntip.com.s2-web.dogedns.com
Download all indicators here!

Attack Patterns

  • Cobalt Strike - S0154
  • SLOW#TEMPEST

Additional Informations

  • Finance
  • Hong Kong
  • China