Tag: dll sideloading

44 Attack Reports | 0 Vulnerabilities

Attack reports

Operation Hanoi Thief: Vietnam APT

A spear-phishing campaign dubbed 'Operation Hanoi Thief' is targeting Vietnamese IT professionals and recruitment teams. The attack uses a malicious ZIP file containing a fake resume and an LNK file. The LNK file executes a pseudo-polyglot payload, which deploys a C++ DLL implant called LOTUSHARVES…
vietnam
spear-phishing
information-stealer
dll-sideloading
2025-11-28
it-professionals
lotusharvest
browser-credentials
recruiters
Published: November 28, 2025
Downloadable IOCs: 6

A Closer Look at Outlook Macros and More

The analysis examines NotDoor, a backdoor utilizing Outlook macros for persistence and lateral movement. It stages files in C:\ProgramData, employing DLL sideloading with OneDrive.exe. The malware creates directories, executes encoded PowerShell commands, and modifies registry entries to enable mac…
backdoor
powershell
persistence
dll sideloading
c2
notdoor
2025-11-15
registry modification
outlook macros
Published: November 15, 2025
Downloadable IOCs: 0

Watch out for SVG files booby-trapped with malware

A recent malware campaign in Latin America demonstrates cybercriminals' evolving tactics. The attacks use social engineering, sending emails that appear to be from trusted institutions with urgent warnings about legal issues. The campaign's goal is to install AsyncRAT, a remote access trojan that a…
social engineering
asyncrat
dll sideloading
latin america
svg
colombia
2025-11-09
ai-generated templates
judicial system impersonation
Published: November 9, 2025
Downloadable IOCs: 0

China-linked Actors Maintain Focus on Organizations Influencing U.S. Policy

Chinese threat actors continue to target U.S. organizations involved in policy issues. A recent intrusion into a non-profit organization active in influencing U.S. government policy on international matters occurred in April 2025. The attackers, likely Chinese-based, used various techniques to esta…
espionage
china
persistence
CVE-2021-44228
dll sideloading
apt41
CVE-2017-9805
2025-11-07
dcsync
CVE-2022-26134
CVE-2017-17562
deed rat
policy influence
domain controllers
space pirates
kelp
Published: November 7, 2025
Linked vulnerabilities : CVE-2021-44228, CVE-2022-26134, CVE-2017-9805, CVE-2017-17562
Downloadable IOCs: 7

Jewelbug: Chinese APT Group Widens Reach to Russia

A Chinese APT group named Jewelbug has expanded its operations to target organizations in South America, South Asia, Taiwan, and Russia. The group's recent intrusion into a Russian IT service provider lasted for five months in 2025, potentially aiming for a supply chain attack. Jewelbug has deploye…
dll sideloading
byovd
squidoor
2025-10-24
Published: October 24, 2025
Downloadable IOCs: 27

Threat Actors Leverage SEO Poisoning and Malicious Ads to Distribute Backdoored Microsoft Teams Installers

A new campaign is distributing the Oyster (Broomstick) backdoor through trojanized Microsoft Teams installers. Threat actors are using SEO poisoning and malvertising to trick users into downloading fake installers from spoofed websites. The malicious installers deploy a persistent backdoor that ena…
malvertising
seo poisoning
persistence
dll sideloading
microsoft teams
c2 communication
oyster
broomstick
2025-10-02
oyster backdoor
trojanized installer
Published: October 2, 2025
Downloadable IOCs: 15

Nimbus Manticore Deploys New Malware Targeting Europe

The Iranian threat actor Nimbus Manticore has expanded its operations, targeting defense, telecommunications, and aviation sectors in Western Europe. The group uses sophisticated spear-phishing techniques, impersonating HR recruiters to lure victims to fake career portals. Their toolset includes th…
obfuscation
apt
dll sideloading
telecommunications
spear-phishing
2025-09-22
Published: September 22, 2025
Downloadable IOCs: 81

Suspected APT-C-00 Delivers Havoc Trojan

A recent analysis of a suspicious trojan loader reveals similarities to the APT-C-00 (Ocean Lotus) group, a government-backed hacker organization targeting East Asian companies and government agencies. The sample, a DLL file with excellent evasion capabilities, uses hash algorithms to dynamically o…
apt
persistence
trojan
dll sideloading
process hollowing
east asia
2025-09-22
havoc rat
Published: September 22, 2025
Downloadable IOCs: 0

August 2025 Infostealer Trend Report

This analysis examines Infostealer trends in August 2025, focusing on distribution volume, methods, and disguises. AhnLab's automated systems collect and analyze malware, providing real-time IOC services. Infostealers, often disguised as cracks, are distributed through SEO poisoning. Notable varian…
lummac2
rhadamanthys
infostealer
seo poisoning
dll-sideloading
acrstealer
slack
2025-09-16
domain masquerading
Published: September 16, 2025
Downloadable IOCs: 0

EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company

A Chinese APT group compromised a Philippine military company using a new, fileless malware framework called EggStreme. This sophisticated multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading. The core compone…
backdoor
apt
espionage
dll sideloading
keylogger
military
stowaway
fileless malware
2025-09-10
philippines
eggstremefuel
eggstremereflectiveloader
eggstreme
eggstremewizard
eggstremeloader
eggstremekeylogger
eggstremeagent
Published: September 10, 2025
Downloadable IOCs: 12

From SharePoint Vulnerability Exploit to Enterprise Ransomware

The Warlock ransomware group exploited unpatched Microsoft SharePoint servers to gain initial access and deploy ransomware across enterprise environments. The attack chain involved exploiting vulnerabilities, privilege escalation through Group Policy modification, credential theft using Mimikatz, l…
ransomware
lockbit
vulnerability
credential theft
dll sideloading
lateral movement
data exfiltration
CVE-2023-27532
lockbit 3.0
sharepoint
warlock
2025-08-20
Published: August 20, 2025
Downloadable IOCs: 0

SOC files: an APT41 attack on government IT services in Africa

Kaspersky's MDR team detected a targeted attack by APT41 against government IT services in Africa. The attackers used Impacket tools, Cobalt Strike, and custom agents for lateral movement and data collection. They leveraged DLL sideloading techniques and publicly available tools like Mimikatz and R…
cobalt strike
government
dll sideloading
africa
credential harvesting
lateral movement
mimikatz
data exfiltration
web shell
sharepoint
targeted attack
2025-07-21
checkout
pillager
2025-08-20
Published: August 20, 2025
Downloadable IOCs: 0

Noodlophile Stealer Evolves: Targeted Copyright Phishing Hits Enterprises with Social Media Footprints

The Noodlophile Stealer, first detailed in our previous analysis (New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms), has evolved into a highly targeted threat exploiting enterprises with significant Facebook footprints.
python
persistence
dll sideloading
telegram
morphisec
facebook
noodlophile
2025-08-19
select
ai video
web data
new noodlophile
spear
Published: August 19, 2025
Downloadable IOCs: 28

Supply Chain Risk in Python: Termcolor and Colorama Explained

A suspicious Python package named termncolor was discovered, which imports a malicious dependency called colorinal. This multi-stage malware operation leverages DLL sideloading to decrypt payloads, establish persistence, and conduct command-and-control communication, ultimately leading to remote co…
supply-chain
python
persistence
pypi
dll-sideloading
2025-08-16
c2-communication
zulip
termncolor
colorinal
Published: August 16, 2025
Downloadable IOCs: 0

New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises

A new ransomware family called Charon has been identified, targeting the Middle East's public sector and aviation industry. The attack employs sophisticated APT-style techniques, including DLL sideloading, process injection, and anti-EDR capabilities. Charon uses a multistage payload extraction tec…
apt
ransomware
evasion
encryption
dll sideloading
aviation
middle east
network propagation
2025-08-12
charon
Published: August 12, 2025
Downloadable IOCs: 0

SLOW#TEMPEST Cobalt Strike Loader

An ISO image containing a malicious Cobalt Strike loader was discovered, targeting Chinese-speaking users. The infection chain involves a deceptive LNK file, which executes a legitimate Alibaba executable to sideload a malicious DLL. The loader implements anti-analysis techniques, decrypts an embed…
cobalt strike
anti-analysis
dll-sideloading
2025-08-07
beacon
entry-point-patching
chinese-targets
cobalt-strike
iso-image
Published: August 7, 2025
Downloadable IOCs: 9

Unmasking LockBit: A Deep Dive into DLL Sideloading and Masquerading Tactics

This analysis explores the sophisticated tactics employed by LockBit ransomware attackers, focusing on DLL sideloading and masquerading techniques. These methods allow attackers to evade detection and maximize impact. DLL sideloading involves tricking legitimate applications into loading malicious …
ransomware
evasion
lockbit
persistence
encryption
dll sideloading
2025-08-01
masquerading
Published: August 1, 2025
Downloadable IOCs: 11

GOLD BLADE remote DLL sideloading attack deploys RedLoader

A new infection chain for GOLD BLADE's RedLoader malware has been identified, combining previously separate techniques. The attack begins with a malicious PDF link, leading to a ZIP archive containing a LNK file masquerading as a PDF. This file executes conhost.exe, which uses WebDAV to contact a C…
dll sideloading
webdav
redloader
2025-07-31
Published: July 31, 2025
Downloadable IOCs: 5

Illusory Wishes: China-nexus APT Targets the Tibetan Community

Two cyberattack campaigns, Operation GhostChat and Operation PhantomPrayers, targeted the Tibetan community in June 2025, coinciding with the Dalai Lama's 90th birthday. These attacks involved strategic web compromises, DLL sideloading, and multi-stage infection chains to deploy Ghost RAT and Phant…
social engineering
dll sideloading
phantomnet
multi-stage attack
2025-07-23
ghost rat
web compromise
tibetan community
Published: July 23, 2025
Downloadable IOCs: 26

Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques

In late 2024, a new variant of the SLOW#TEMPEST malware campaign was discovered, employing sophisticated obfuscation techniques. The malware is distributed as an ISO file containing multiple files, including a malicious loader DLL and a payload embedded in another DLL. The loader uses DLL side-load…
obfuscation
anti-analysis
emulation
dll sideloading
dll side-loading
anti-sandbox
2025-07-11
dynamic jumps
obfuscated function calls
slow#tempest
cfg obfuscation
2025-07-16
cfg
Published: July 16, 2025
Downloadable IOCs: 0

June 2025 Infostealer Trend Report

This analysis provides insights into Infostealer malware trends observed in June 2025. The data, collected through various automated systems, reveals changes in distribution methods and malware types. While LummaC2 has been dominant, June saw increased activity from Rhadamanthys, ACRStealer, Vidar,…
lummac2
rhadamanthys
infostealer
seo poisoning
vidar
stealc
dll-sideloading
2025-07-16
acrstealer
anti-analysis techniques
Published: July 16, 2025
Downloadable IOCs: 0

UNG0002 (Unknown Group 0002): Espionage Campaigns Uncovered

UNG0002, an espionage-focused threat group, has been conducting campaigns across Asian jurisdictions including China, Hong Kong, and Pakistan. The group employs sophisticated multi-stage attacks using LNK files, VBScript, and custom RAT implants. Their operations span two major campaigns: Operation…
social engineering
dll sideloading
clickfix
custom malware
2025-07-16
rat implants
blister dll implant
inet rat
multi-stage attacks
shadow rat
Published: July 16, 2025
Downloadable IOCs: 16

Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication

A cluster of suspicious activity, tracked as CL-STA-1020, has been targeting governmental entities in Southeast Asia since late 2024. The threat actors have developed a new Windows backdoor called HazyBeacon, which uses AWS Lambda URLs for command and control communication. This technique leverages…
dropbox
dll sideloading
google drive
2025-07-14
governmental entities
hazybeacon
Published: July 14, 2025
Downloadable IOCs: 7

Applications of Snake Keylogger in Geopolitics: Abuse of Trusted Java Utilities in Cybercriminal Activities

A new phishing campaign using Snake Keylogger, a Russian-origin stealer, has been discovered targeting various victims including corporations, governments, and individuals. The campaign uses spear-phishing emails offering petroleum products, with malicious attachments exploiting the legitimate jsad…
credential theft
dll sideloading
java
keylogger
geopolitical
maas
snake keylogger
spear-phishing
2025-07-06
petroleum
Published: July 6, 2025
Downloadable IOCs: 0

May 2025 Infostealer Trend Report

This analysis examines the distribution trends of Infostealer malware in May 2025. It highlights the use of SEO poisoning to distribute malware disguised as cracks and keygens. LummaC2, Vidar, StealC, Rhadamanthys, and Amadey were the main Infostealers observed. Distribution methods included posts …
lummac2
rhadamanthys
infostealer
seo poisoning
amadey
bat script
vidar
stealc
dll-sideloading
2025-06-18
keygens
wormhole
unicode passwords
cracks
Published: June 18, 2025
Downloadable IOCs: 3

Operation DRAGONCLONE: Chinese Telecom Targeted by Malware

A sophisticated campaign targeting China Mobile Tietong Co., Ltd., a subsidiary of China Mobile, has been uncovered. The attack employs VELETRIX, a new loader, and VShell, a known adversary simulation tool. The infection chain begins with a malicious ZIP file containing executable and DLL files. VE…
cobalt strike
CVE-2024-1709
dll sideloading
supershell
china-nexus
vshell
CVE-2025-31324
unc5174
2025-06-06
2025-06-07
veletrix
earth lamia
asset lighthouse system
ipfuscation
callback-execution
dll-sideloading
Published: June 7, 2025
Downloadable IOCs: 0

Operation DRAGONCLONE: Chinese Telecom Targeted by Malware

A sophisticated campaign targeting China Mobile Tietong Co., Ltd., a subsidiary of China Mobile, has been uncovered. The attack employs VELETRIX, a new loader, and VShell, a known adversary simulation tool. The infection chain begins with a malicious ZIP file containing executable and DLL files. VE…
cobalt strike
CVE-2024-1709
dll sideloading
supershell
china-nexus
vshell
CVE-2025-31324
unc5174
2025-06-06
2025-06-07
veletrix
earth lamia
asset lighthouse system
ipfuscation
callback-execution
dll-sideloading
Published: June 7, 2025
Downloadable IOCs: 0

Custom Arsenal Developed to Target Multiple Industries

Earth Lamia, an APT threat actor, has been targeting organizations in Brazil, India, and Southeast Asia since 2023. The group exploits web application vulnerabilities, particularly SQL injection, to gain access to targeted systems. They have developed custom tools like PULSEPACK backdoor and Bypass…
backdoor
apt
sql injection
cobalt strike
dll sideloading
vulnerability exploitation
brute ratel
multi-industry targeting
CVE-2024-9047
CVE-2024-51378
CVE-2024-51567
china-nexus
CVE-2024-56145
vshell
CVE-2025-31324
2025-05-27
CVE-2021-22205
CVE-2024-27199
CVE-2024-27198
CVE-2017-9805
pulsepack
bypassboss
custom tools
Published: May 27, 2025
Linked vulnerabilities : CVE-2024-9047 (CVSS 9.8), CVE-2024-51378 (CVSS 10.0), CVE-2024-51567 (CVSS 10.0), CVE-2024-56145, CVE-2025-31324 (CVSS 10.0), CVE-2017-9805, CVE-2024-27199, CVE-2024-27198, CVE-2021-22205
Downloadable IOCs: 185

Targeting Taiwan & Japan with DLL Implants

A newly discovered APT campaign dubbed Swan Vector is targeting educational institutes and mechanical engineering industries in Taiwan and Japan. The attack uses a sophisticated multi-stage infection chain involving malicious LNK files, DLL implants (Pterois and Isurus), and Cobalt Strike payloads.…
apt
cobalt strike
dll sideloading
taiwan
multi-stage attack
japan
2025-05-12
google drive
isurus
pterois
dll implants
Published: May 12, 2025
Downloadable IOCs: 16

Nitrogen Dropping Cobalt Strike – A Combination of 'Chemical Elements'

The Nitrogen ransomware group has expanded its operations from North America to Africa and Europe since September 2024. They utilize malvertising tactics, disguising malicious payloads as legitimate software like WinSCP. The group employs DLL sideloading for initial access, followed by Cobalt Strik…
ransomware
malvertising
cobalt strike
dll sideloading
lateral movement
nitrogen
2025-05-02
nitrogenloader
Published: May 2, 2025
Downloadable IOCs: 2

Finding Minhook in a sideloading attack – and Sweden too

A threat actor campaign targeting multiple locations was observed in late 2023 and early 2024. Initially focused on the Far East, it later shifted to Sweden. The attacks used DLL sideloading techniques, employing the Minhook library to detour Windows API calls. The clean loader was obtained from in…
cobalt strike
dll sideloading
api hooking
2025-05-01
minhook
digital signature
Published: May 1, 2025
Downloadable IOCs: 0

Gamaredon campaign abuses LNK files to distribute Remcos backdoor

A campaign targeting users in Ukraine with malicious LNK files has been observed since November 2024. The files, using Russian words related to troop movements as lures, run a PowerShell downloader contacting geo-fenced servers in Russia and Germany. The second stage payload uses DLL side loading t…
phishing
powershell
ukraine
remcos
dll sideloading
lnk files
2025-03-28
gthost
hyperhosting
Published: March 28, 2025
Downloadable IOCs: 0

Stealers and backdoors are spreading under the guise of a DeepSeek client

Cybercriminals are exploiting the popularity of DeepSeek, a powerful reasoning large language model, by creating fake websites that mimic the official DeepSeek chatbot site and distribute malicious code disguised as a client. Three main schemes were identified: a Python stealer targeting user data …
backdoor
social engineering
typosquatting
powershell
stealer
dll sideloading
farfli
deepseek
2025-03-06
Published: March 6, 2025
Downloadable IOCs: 9

Operation SalmonSlalom

A sophisticated cyberattack targeting industrial organizations in the Asia-Pacific region has been uncovered. The attackers utilized legitimate Chinese cloud services and a multi-stage payload delivery framework to evade detection. The campaign, named SalmonSlalom, employed techniques such as nativ…
dll sideloading
gh0st rat
moudoor
mydoor
2025-02-26
fatalrat
zegost
simayrat
Published: February 26, 2025
Downloadable IOCs: 160

Stately Taurus Activity in Southeast Asia Links to Bookworm Malware

Unit 42 researchers have discovered connections between Stately Taurus, a threat actor targeting ASEAN countries, and the Bookworm malware family. Analysis of infrastructure and code overlaps revealed links between recent Stately Taurus attacks and Bookworm samples dating back to 2015. The group ha…
dll sideloading
toneshell
pubload
modular malware
southeast asia
2025-02-20
asean
infrastructure overlap
bookworm
Published: February 20, 2025
Downloadable IOCs: 0

Python-Based NodeStealer Version Targets Facebook Ads Manager

The latest variant of NodeStealer has evolved from JavaScript to Python, expanding its data theft capabilities. Trend Micro's MXDR team uncovered this advanced version in a campaign targeting a Malaysian educational institution, linked to a Vietnamese threat group. The malware now targets Facebook …
python
infostealer
dll sideloading
data exfiltration
telegram
spear-phishing
2024-12-19
nodestealer
facebook ads manager
Published: December 19, 2024
Downloadable IOCs: 5

Analyzing FLUX#CONSOLE: Using Tax-Themed Lures, Threat Actors Exploit Windows Management Console to Deliver Backdoor Payloads

The FLUX#CONSOLE campaign involves a sophisticated tax-themed phishing attack that exploits Microsoft Management Console (MSC) files to deliver a stealthy backdoor payload. Threat actors use tax-related lures to trick users into executing malicious code. The attack leverages MSC files, which are no…
javascript
dll sideloading
lnk files
2024-12-18
dismcore.dll
xmlhttp
Published: December 18, 2024
Downloadable IOCs: 5

Threat Actor Targets Manufacturing Industry With Malware

A sophisticated cyberattack campaign targeting the manufacturing industry has been identified, utilizing a deceptive LNK file disguised as a PDF document. The attack leverages multiple Living-off-the-Land Binaries and Google Accelerated Mobile Pages to evade detection. The threat actor employs vari…
powershell
lumma stealer
dll sideloading
lnk file
process injection
manufacturing
code injection
2024-12-05
amadey bot
amp url
Published: December 5, 2024
Downloadable IOCs: 0

RobotDropper Automates the Delivery of Multiple Infostealers

A phishing campaign is distributing Trojanized MSI files that use DLL sideloading to execute LegionLoader, a malicious program that delivers multiple infostealers. The campaign is widespread, with over 400 unique malicious MSI files identified since June 2024. Victims are targeted globally through …
phishing
infostealer
dll sideloading
2024-11-26
legionloader
robotdropper
Published: November 26, 2024
Downloadable IOCs: 5

HijackLoader evolution: abusing genuine signing certificates

A report by HarfangLab EDR and MITRE ATT&CK on the threat posed by the Lumma Stealer malware, published on 11 October, 2024, outlines the tactics used to deploy the malware.
loader
powershell
lumma stealer
infection chain
dll sideloading
hijackloader
installer
path
samples
lumma
2024-10-15
zip archive
sha256
fake captcha
harfanglab edr
hider
gate
Published: October 15, 2024
Downloadable IOCs: 69

Toneshell Backdoor Used to Target Attendees of the IISS Defence Summit

A cyber espionage campaign using the ToneShell backdoor, associated with Mustang Panda, has been detected targeting attendees of the 2024 IISS Defence Summit in Prague. The attack utilizes a malicious PIF file masquerading as summit documents, which drops SFFWallpaperCore.exe and libemb.dll. The ma…
phishing
dll sideloading
gh0st rat
2024-09-05
toneshell
pif file
Published: September 5, 2024
Downloadable IOCs: 4

Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant

A variant of WikiLoader loader for rent, also known as WailingCrab, is being delivered via SEO poisoning and spoofing of GlobalProtect VPN software. The campaign primarily affects U.S. higher education and transportation sectors. The infection chain involves multiple stages, including DLL sideloadi…
globalprotect
seo poisoning
dll sideloading
2024-09-02
wikiloader
wailingcrab
loader-for-rent
Published: September 2, 2024
Downloadable IOCs: 46

EastWind campaign: new CloudSorcerer attacks on government organizations in Russia

Kaspersky detected an ongoing targeted cyberattack campaign, dubbed EastWind, targeting Russian government organizations and IT companies. The attackers employed phishing emails with malicious shortcuts to deliver malware that communicated via Dropbox. They utilized tools associated with APT31 and …
rat
phishing
spyware
dll sideloading
cloudsorcerer
2024-08-14
plugy
grewapacha
Published: August 14, 2024
Downloadable IOCs: 5

GoTo Meeting loads RAT via Shellcode Loader

A malicious campaign has been discovered that exploits the legitimate GoTo Meeting online conferencing software to deploy the Remcos remote access trojan (RAT). The attack chain involves utilizing lures like porn downloads, software setup files, and tax forms with Russian and English file names. It…
rat
remcos
2024-05-08
dll sideloading
shellcode
rust
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 17
Click here to see more Attack Reports