Tag: dll side-loading

19 Attack Reports | 0 Vulnerabilities

Attack reports

Operation Artemis: Analysis of HWP-Based DLL Side Loading Attacks

The 'Artemis' campaign, conducted by APT37, utilizes malicious HWP documents with embedded OLE objects to initiate attacks. The threat actor impersonates legitimate entities to gain trust before delivering the payload. The attack chain combines HWP execution with DLL side-loading techniques to evad…
rokrat
south korea
steganography
dll side-loading
spear-phishing
ole
hwp
cloud infrastructure
2025-12-22
Published: December 22, 2025
Downloadable IOCs: 0

Evasive SideWinder APT Campaign Detected

A sophisticated espionage campaign targeting Indian entities has been identified, masquerading as the Income Tax Department of India. The activity is associated with the SideWinder APT group, which has evolved its toolkit to evade detection by mimicking Chinese enterprise software. The campaign use…
apt
phishing
india
dll side-loading
geofencing
cloud storage
2025-12-20
income tax department
mpgear.dll
mysetup.exe
url shorteners
Published: December 20, 2025
Downloadable IOCs: 5

ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading

A ValleyRAT campaign is targeting job seekers through email, disguising itself as a Foxit PDF reader and using DLL side-loading for initial system access. The campaign exploits job seekers' eagerness by using recruitment-related lures in archive files. The attack employs sophisticated techniques, i…
social engineering
data theft
valleyrat
dll side-loading
remote access trojan
job seekers
2025-12-03
foxit pdf reader
Published: December 3, 2025
Downloadable IOCs: 25

Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT

This report details two interconnected malware campaigns targeting Chinese-speaking users in 2025, using large-scale brand impersonation to deliver Gh0st RAT variants. The first campaign, active from February to March, mimicked three brands across over 2,000 domains. The second campaign, starting i…
gh0st rat
dll side-loading
brand impersonation
chinese-speaking targets
multi-stage infection
cloud infrastructure
2025-11-15
domain generation
Published: November 15, 2025
Downloadable IOCs: 0

UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities

Chinese-affiliated threat actor UNC6384 is conducting a cyber espionage campaign targeting European diplomatic entities, particularly in Hungary and Belgium. The group exploits the ZDI-CAN-25373 Windows vulnerability to deliver PlugX malware through spearphishing emails with malicious LNK files. Th…
spearphishing
plugx
dll side-loading
canonstager
2025-10-31
diplomatic targeting
zdi-can-25373
Published: October 31, 2025
Downloadable IOCs: 26

Analyzing NotDoor: Inside APT28's Expanding Arsenal

LAB52 has identified a new backdoor called NotDoor, attributed to APT28, a Russian intelligence-linked threat group. NotDoor is a VBA macro for Outlook that monitors incoming emails for specific trigger words, enabling data exfiltration, file uploads, and command execution on victim computers. The …
backdoor
obfuscation
exfiltration
persistence
nato
dll side-loading
outlook
vba macro
2025-09-03
notdoor
Published: September 3, 2025
Downloadable IOCs: 2

Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode

The Arctic Wolf Labs team has uncovered a new cyber-espionage campaign by the Dropping Elephant APT group targeting Turkish defense contractors. The attack leverages a five-stage execution chain delivered via malicious LNK files disguised as conference invitations. It uses legitimate binaries like …
apt
powershell
shellcode
dll side-loading
cyber-espionage
turkey
defense industry
2025-07-23
vlc player
dropping elephant rat
Published: July 23, 2025
Linked vulnerabilities : CVE-2025-5777 (CVSS 9.3), CVE-2025-20337 (CVSS 10.0), CVE-2025-53770 (CVSS 9.8)
Downloadable IOCs: 10

DeedRAT Backdoor Enhanced with Advanced Capabilities

Chinese threat actors have launched a new phishing campaign using DeedRAT, a modular backdoor. The campaign exploits a DLL side-loading vulnerability in VIPRE Antivirus Premium's MambaSafeModeUI.exe. DeedRAT now includes a new NetAgent module, expanding its capabilities. The malware uses TCP for C2…
backdoor
obfuscation
phishing
persistence
dll side-loading
2025-07-21
antivirus exploitation
deedrat
netagent
Published: July 21, 2025
Downloadable IOCs: 4

NailaoLocker Ransomware's 'Cheese'

NailaoLocker, a new ransomware variant targeting Windows systems, uses AES-256-CBC encryption and uniquely incorporates SM2 cryptography with hard-coded keys. It employs DLL side-loading for execution and uses I/O Completion Ports for multi-threaded file processing. The ransomware includes both enc…
ransomware
windows
dll side-loading
nailaolocker
2025-07-21
aes-256-cbc
sm2 cryptography
multi-threaded
Published: July 21, 2025
Downloadable IOCs: 3

Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques

In late 2024, a new variant of the SLOW#TEMPEST malware campaign was discovered, employing sophisticated obfuscation techniques. The malware is distributed as an ISO file containing multiple files, including a malicious loader DLL and a payload embedded in another DLL. The loader uses DLL side-load…
obfuscation
anti-analysis
emulation
dll sideloading
dll side-loading
anti-sandbox
2025-07-11
dynamic jumps
obfuscated function calls
slow#tempest
cfg obfuscation
2025-07-16
cfg
Published: July 16, 2025
Downloadable IOCs: 0

Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks

Pakistan-linked SideCopy APT has expanded its targeting to include Indian railways, oil & gas, and external affairs ministries. The group has shifted from HTA files to MSI packages for staging, employing advanced techniques like DLL side-loading and reflective loading. They are leveraging customize…
apt
rat
phishing
dll side-loading
multi-platform
msi
spark rat
2025-04-08
xeno rat
curlback rat
Published: April 8, 2025
Downloadable IOCs: 28

The Espionage Toolkit: A Closer Look at its Advanced Techniques

Earth Alux, a China-linked APT group, is actively conducting cyberespionage attacks against key sectors in the APAC and Latin American regions. The group exploits vulnerable services in exposed servers to gain initial access and deploys web shells like GODZILLA. Their primary backdoor, VARGEIT, is …
apt
cyberespionage
godzilla
dll side-loading
latin america
2025-03-31
apac
vargeit
railsetter
masqloader
rsbinject
railload
cobeacon
Published: March 31, 2025
Downloadable IOCs: 0

Legacy Driver Exploitation Through Bypassing Certificate Verification

A new security threat using the Legacy Driver Exploitation technique has been identified, focusing on remote system control via Gh0stRAT malware. The attack distributes malware through phishing and messaging apps, utilizing DLL side-loading for additional payloads. A modified TrueSight.sys driver b…
gh0strat
dll side-loading
avkiller
2025-03-18
padding manipulation
legacy driver exploitation
CVE-2013-3900
certificate verification
driver vulnerability
truesight.sys
Published: March 18, 2025
Downloadable IOCs: 3

Python Bot Delivered Through DLL Side-Loading

A sophisticated malware campaign employs DLL side-loading to deliver a Python bot. The attack begins with a ZIP archive containing a legitimate PDF reader executable and a hidden malicious DLL. When executed, the malicious DLL is loaded instead of the intended Microsoft one, altering the PDF reader…
persistence
dll side-loading
evasion techniques
bitbucket
2025-03-18
code obfuscation
pdf reader
python bot
Published: March 18, 2025
Downloadable IOCs: 0

Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques

ValleyRAT, a sophisticated multi-stage malware attributed to Silver Fox APT, has updated its tactics, techniques, and procedures. The malware targets key roles in finance, accounting, and sales departments using phishing emails, malicious websites, and instant messaging platforms. The infection cha…
phishing
persistence
valleyrat
keylogger
dll side-loading
c2 communication
anti-vm
2025-02-05
ghostrat
silver fox apt
Published: February 5, 2025
Downloadable IOCs: 12

Iranian Dream Job campaign

An Iranian campaign targeting the aerospace industry has been uncovered, distributing SnailResin malware through a 'dream job' scheme. Attributed to TA455, a subgroup of Charming Kitten, the campaign uses social engineering tactics on LinkedIn, impersonating recruiters to lure victims. The attack e…
evasion
iran
aerospace
dll side-loading
2024-11-12
linkedin
slugresin
dream job
charming kitten
snailresin
apt35
Published: November 12, 2024
Downloadable IOCs: 26

WINELOADER Analysis

APT29, also known as Cozy Bear, has targeted European diplomats using a sophisticated multi-stage attack chain involving a new modular backdoor called WINELOADER. The attack begins with a fake PDF invitation to a wine-tasting event, which leads to the download of a malicious HTA file. This file the…
backdoor
wineloader
evasion
modular
diplomats
dll side-loading
apt29
cozy bear
2024-11-07
dll hollowing
Published: November 7, 2024
Downloadable IOCs: 0

New Trend in MSI File Abuse: New Use of MST Files to Deliver Tromas

The New OceanLotus group has reactivated after a year, employing a novel tactic of MSI file misuse. This APT campaign, targeting a domestic governmental enterprise, marks the first observed use of the MSI TRANSFORMS technique by an APT group. The attack utilizes a legitimate Microsoft installation …
shellcode
dll side-loading
spear-phishing
2024-11-06
rust trojan
governmental targets
tromas
mst files
apt-q-31
msi abuse
Published: November 6, 2024
Downloadable IOCs: 0

Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders

A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
backdoor
apt
cobalt strike
persistence
steganography
vietnam
2024-09-03
dll side-loading
com hijacking
human rights
Published: September 3, 2024
Downloadable IOCs: 46
Click here to see more Attack Reports