< ciso brief />

All news with #dll sideloading tag

44 articles

Iranian Hackers Target Major South Korean Electronics Maker

🔒 Symantec researchers attribute a February 2026 cyber-espionage campaign to MuddyWater (Seedworm), which spent a week inside a major South Korean electronics manufacturer's network. The attackers relied on DLL sideloading of legitimate binaries — Fortemedia's fmapp.exe and SentinelOne's sentinelmemoryscanner.exe — to load malicious DLLs containing ChromElevator. They used PowerShell (now invoked via Node.js loaders) for reconnaissance, credential theft, persistence and SOCKS5 tunneling, and exfiltrated data via sendit.sh.

Fake Claude Site Distributes Beagle Backdoor to Windows

🔒 A fraudulent imitation of Anthropic's Claude hosted at claude-pro[.]com distributed a roughly 505 MB ZIP claiming to contain a "Claude-Pro Relay" tool, according to Sophos X-Ops. The MSI installer drops three items into the startup folder: a signed G DATA updater renamed NOVupdate.exe, an encrypted data file and a malicious avk.dll; when the updater runs it sideloads avk.dll, which decrypts shellcode and uses DonutLoader to load the Beagle backdoor. Sophos traced related samples to February–March 2026 and noted the campaign used Cloudflare for distribution while hosting C2 infrastructure on Alibaba Cloud.

Johnson Controls AC2000 DLL Hijacking Vulnerability

⚠️ Johnson Controls' CEM AC2000 contains a DLL hijacking vulnerability (CVE-2026-21661) affecting versions 12.0, 11.0, and 10.6 that could allow a local, non‑privileged user to escalate privileges on the host. CISA assigns a CVSS v3.1 base score of 8.7 (High). The issue is not remotely exploitable and no public exploitation has been reported. Johnson Controls has released patched updates and recommends upgrading to the specified releases.

Formbook Campaigns Use DLL Sideloading and JS Obfuscation

🔒 Two phishing campaigns are delivering Formbook infostealer to Windows devices using distinct stealth techniques. One abuses DLL sideloading via RAR attachments containing multiple DLLs and an EXE, while the other hides payloads in obfuscated JavaScript and PDF files that drop PowerShell commands and a custom loader. WatchGuard warns these methods leverage trusted processes to evade detection and urges monitoring of archive attachments, anomalous DLL loads and suspicious PowerShell activity.

CPUID Site Briefly Served STX RAT via Trojanized Tools

🛡️ Kaspersky and other analysts observed unknown actors briefly compromise CPUID, swapping the legitimate download links for trojanized CPU‑Z and HWMonitor installers for under 24 hours. The malicious packages paired a signed executable with a malicious CRYPTBASE.dll that was DLL side‑loaded, performed anti‑sandbox checks and fetched additional payloads. The campaign deployed STX RAT, a feature‑rich RAT with HVNC and extensive infostealer and remote‑control capabilities, affecting individuals and organizations across multiple sectors.

UAT-10362 Deploys Lua-Based LucidRook Against Taiwan NGOs

🔍 Cisco Talos attributes a previously undocumented cluster, UAT-10362, to targeted spear‑phishing against Taiwanese NGOs and suspected universities, deploying a new Lua‑based stager named LucidRook. The actor uses RAR/7‑Zip lures and a dropper called LucidPawn, relying on repeated DLL side‑loading to execute payloads. LucidRook embeds a Lua 5.4.8 interpreter and Rust libraries to fetch and run encrypted Lua bytecode, while some variants use a reconnaissance DLL, LucidKnight, to profile targets before staging further activity.

Chinese APT TA416 Resurges, Targeting European Governments

🐼 Proofpoint researchers reported a renewed wave of cyber espionage by Chinese state-backed group TA416 against EU and NATO diplomatic missions from mid‑2025 into early 2026, later extending into the Middle East. The actor repeatedly changed its initial infection chains—abusing Cloudflare Turnstile challenge pages, leveraging Microsoft Entra ID redirects and using malicious C# project files—while persistently delivering a custom PlugX backdoor via DLL sideloading triads. Campaigns used freemail accounts, compromised diplomatic mailboxes and cloud storage (Azure Blob, Google Drive, SharePoint) to host malicious archives. Proofpoint links TA416 to the broader Mustang Panda cluster and documents use of re-registered domains, VPS providers and Cloudflare CDN to evade detection.

Rust-based VENON banking malware targets 33 banks in Brazil

🛡️ Brazilian cybersecurity firm ZenoX disclosed a Rust-based banking trojan named VENON that targets Windows users and 33 financial and digital-asset platforms. The threat chain uses DLL side-loading and a PowerShell-delivered ZIP to drop a malicious DLL that performs nine evasion techniques (anti-sandbox checks, indirect syscalls, ETW and AMSI bypasses) before executing payloads. VENON fetches configuration from Google Cloud Storage, installs a scheduled task, and connects to a WebSocket C2 while employing banking overlays, active window monitoring, and an Itaú-specific LNK hijack implemented via embedded VBS; it also supports a remote uninstall to restore altered shortcuts. ZenoX noted the Rust code reflects knowledge of Latin American trojans and appears to have been rewritten or expanded with the aid of generative AI.

Storm-2561 SEO poisoning distributes fake VPN clients

🔒 Microsoft Threat Intelligence attributes a mid‑January 2026 credential theft campaign to the cybercriminal group Storm‑2561, which used SEO poisoning to surface malicious ZIP files masquerading as legitimate enterprise VPN installers. The ZIPs contained an MSI that side‑loaded signed trojan DLLs (dwmapi.dll and inspector.dll), which harvested VPN credentials and exfiltrated configuration data to attacker infrastructure. The binaries were signed with a certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd. (since revoked), and the installers mimicked a Pulse Secure client to trick users; payloads were hosted on GitHub but have since been taken down.
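The WatchGuard item above asks defenders to watch for anomalous DLL loads, and the CPUID entry (CRYPTBASE.dll beside a signed cpuz.exe), the fake Claude entry (avk.dll beside a signed G DATA updater in the Startup folder) and the Storm-2561 entry (a signed dwmapi.dll dropped by an MSI) show the two shapes that anomaly usually takes. The following Python is an added example, not code from WatchGuard, Kaspersky, Sophos, Microsoft or any other vendor on this page: it runs two heuristics over Sysmon-style Event ID 7 image-load records. Assumptions: field names follow Sysmon's Image, ImageLoaded, Signed and SignatureStatus; ProcessSigned is an assumed extra field joined in from the matching process-creation event; the system-DLL name list is illustrative rather than exhaustive; and every record in SAMPLE_LOG is constructed, with made-up paths.

```python
"""Heuristic detector for DLL side-loading over Sysmon-style image-load events.

Added example for this page; not code from any vendor named above. Field
names mirror Sysmon Event ID 7 (Image, ImageLoaded, Signed, SignatureStatus);
ProcessSigned is an assumed field joined in from the process-creation event.
"""
import json
import ntpath
from dataclasses import dataclass

# DLL names that a well-behaved process loads only from the Windows system
# directories. cryptbase.dll and dwmapi.dll are the names abused in the
# CPUID and Storm-2561 campaigns; the rest are common side-loading targets.
# Assumption: a short illustrative list, not an exhaustive one.
SYSTEM_DLL_NAMES = {
    "cryptbase.dll", "dwmapi.dll", "version.dll", "wtsapi32.dll",
    "userenv.dll", "dbghelp.dll", "msimg32.dll", "profapi.dll",
}

SYSTEM_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\",
)

# Path fragments that mark locations a standard user can write to.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\",
)


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    dll: str


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def _user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def analyze_event(ev: dict) -> list:
    """Return the Findings for one image-load event."""
    findings = []
    proc, dll = ev["Image"], ev["ImageLoaded"]
    dll_name = ntpath.basename(dll).lower()
    same_dir = ntpath.dirname(dll.lower()) == ntpath.dirname(proc.lower())

    # Rule 1: a well-known system DLL name loaded from outside the system
    # directories. Deliberately ignores the DLL's own signature, because the
    # Storm-2561 dwmapi.dll carried a valid (later revoked) signature.
    if dll_name in SYSTEM_DLL_NAMES and not _in_system_dir(dll):
        findings.append(Finding("system_dll_outside_system_dir", proc, dll))

    # Rule 2: a signed process loads an unsigned or invalidly signed DLL from
    # its own directory, and that directory is user-writable. This is the
    # signed-updater-plus-avk.dll and cpuz.exe-plus-CRYPTBASE.dll pattern.
    dll_unsigned = (ev.get("Signed", "false").lower() != "true"
                    or ev.get("SignatureStatus", "").lower() != "valid")
    if (ev.get("ProcessSigned", "false").lower() == "true"
            and dll_unsigned and same_dir and _user_writable(proc)):
        findings.append(Finding("signed_proc_unsigned_sidecar_dll", proc, dll))
    return findings


def analyze_log(jsonl: str) -> list:
    """Run analyze_event over a JSON-lines export of image-load events."""
    return [f for line in jsonl.splitlines() if line.strip()
            for f in analyze_event(json.loads(line))]


# Constructed sample events (not real telemetry); every path is made up.
SAMPLE_LOG = r"""
{"Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\dwmapi.dll", "Signed": "true", "SignatureStatus": "Valid", "ProcessSigned": "true"}
{"Image": "C:\\Users\\alice\\Downloads\\cpu-z\\cpuz.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\cpu-z\\CRYPTBASE.dll", "Signed": "false", "SignatureStatus": "Unavailable", "ProcessSigned": "true"}
{"Image": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\NOVupdate.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\avk.dll", "Signed": "false", "SignatureStatus": "Unavailable", "ProcessSigned": "true"}
{"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\VpnSetup\\connect.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\VpnSetup\\dwmapi.dll", "Signed": "true", "SignatureStatus": "Valid", "ProcessSigned": "true"}
{"Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable", "ProcessSigned": "true"}
"""

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f.rule}: {f.process} -> {f.dll}")
```

On the constructed sample, the explorer.exe and Program Files records stay quiet, the CPU-Z record trips both rules, the Startup-folder record trips only rule 2, and the signed dwmapi.dll in Temp trips only rule 1. That last case is the reason rule 1 ignores the DLL's signature: a valid Authenticode signature on the DLL says nothing about whether a system DLL name belongs in a user's Temp directory. Rule 2 will fire on portable applications run from Downloads, so in production it is better scoped to signed processes with well-known publishers and paired with the process's prevalence in the estate.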

ThreatsDay: OAuth Consent Abuse, EDR Bypass & More

🔒 Multiple vendors and researchers this week disclosed a broad set of active threats spanning cloud environments, endpoints, and messaging platforms. OAuth consent abuse campaigns impersonated trusted apps to harvest tokens and access mail and files without passwords, while the BlackSanta campaign used resume-themed ISOs to chain DLL side‑loading and disable AV/EDR via vulnerable drivers. Other notable items include microcontroller debug bypasses, ZIP header evasion that defeats some AV/EDR tools, an AI-agent compromise of an internal platform, and targeted phishing against Signal and WhatsApp users.

Resumes with Malicious ISO Attachments Target HR Teams

📄 Researchers at Aryaka report a campaign distributing malicious resumés with ISO attachments to HR teams. When mounted, an included .lnk executes obfuscated PowerShell that extracts payloads from steganographic images and sideloads a DLL via a signed app. The malware includes a module called BlackSanta and leverages a BYOVD technique to disable EDR. Organizations should restrict resume formats and harden HR processes.

UAT-9244 Targets South American Telecommunication Providers

🚨 Cisco Talos discloses UAT-9244, a China‑nexus APT active since 2024 that has targeted South American telecommunications providers and deployed three implants: TernDoor, PeerTime, and BruteEntry. The actor compromises Windows and multi‑architecture Linux/embedded devices using DLL side‑loading, BitTorrent-based P2P C2, and large-scale brute‑forcing via converted edge devices. Talos provides IOCs, detection signatures, and mitigations to help defenders identify and disrupt this campaign.

Fake IT Support Spam Delivers Havoc C2 via DLL Sideloader

🔒 Huntress researchers uncovered a campaign where attackers posed as IT support, using email spam and follow-up phone calls to coerce victims into granting remote access and visiting a counterfeit Microsoft page hosted on AWS. The fake site harvested credentials and prompted a download that executed a legitimate binary which sideloaded a malicious DLL to launch the Havoc Demon. The intrusions showed rapid lateral movement, scheduled-task persistence, and use of legitimate RMM tools as backup persistence.

CRESCENTHARVEST Campaign Targets Iran Protest Supporters

🛡️ Acronis Threat Research Unit disclosed CRESCENTHARVEST, a campaign observed after January 9 that targets Farsi-speaking supporters of Iran's protests with a remote access trojan and information stealer. Attackers lure victims with protest-themed archives and double-extension .LNK shortcuts that run PowerShell to fetch a secondary ZIP while opening benign media. The payload sideloads DLLs via a Google-signed software_reporter_tool.exe, extracts Chrome app-bound keys, harvests browser and Telegram data, logs keystrokes, and communicates with a WinHTTP C2 at servicelog-information[.]com.

GE Vernova Enervista UR Setup Vulnerabilities Fixed

🔒 GE Vernova released updates for Enervista UR Setup to address two vulnerabilities. The installer is vulnerable to DLL hijacking (CVE-2026-1762), which could allow administrative code execution when run in directories containing untrusted DLLs. A second issue is a path traversal (CVE-2026-1763) that can overwrite files as the logged-in user. Users should update to version 8.70 or later.

Siemens SINEC NMS and UMC DLL Load Vulnerabilities

⚠️ Siemens has published fixes for two local privilege escalation vulnerabilities affecting SINEC NMS and the User Management Component (UMC). A low-privileged user could modify configuration files to force the application to load malicious DLLs, potentially enabling arbitrary code execution with elevated (including SYSTEM) privileges. The issues are tracked as CVE-2026-25655 and CVE-2026-25656 (CWE-427) with a CVSS v3.1 base score of 7.8. Administrators should apply SINEC NMS V4.0 SP2 and UMC V2.15.2.1 or later as provided by Siemens ProductCERT.

China-linked Amaranth-Dragon targets Southeast Asia in 2025

🔍 Check Point Research identified a China-linked cluster named Amaranth-Dragon that conducted narrowly focused cyber espionage across Southeast Asia throughout 2025, primarily targeting government and law enforcement entities. Attacks exploited CVE-2025-8088 in WinRAR and used DLL side-loading to deploy an Amaranth Loader and the Havoc C2, while variants like TGAmaranth RAT leveraged a hard-coded Telegram bot. The operators limited exposure by geo-restricting Cloudflare-protected C2s and exhibited tooling and operational overlaps with the APT41 ecosystem.

Amaranth Dragon exploits WinRAR flaw in espionage campaign

🔐 A new espionage actor dubbed Amaranth Dragon, linked to APT41, has exploited the CVE-2025-8088 vulnerability in WinRAR to target government and law enforcement organizations across Southeast Asia. Attackers abused Windows Alternate Data Streams and delivered ZIP archives with .LNK and .BAT stagers to drop a loader, then executed it by DLL sideloading through a digitally signed executable, persisting via the Startup folder and Registry Run keys. The custom Amaranth Loader retrieves AES-encrypted payloads from Cloudflare-hosted C2 servers geofenced to accept traffic only from targeted regions, frequently delivering the Havoc post-exploitation framework or a new TGAmaranth RAT that uses a Telegram bot for command-and-control. Check Point published IoCs and YARA rules; organizations are advised to update WinRAR to 7.13 or later (7.20 is available).

Multi-Stage Windows Malware Campaign Abusing Defendnot

🛡️ FortiGuard Labs details a multi-stage Windows malware campaign that begins with socially engineered archives and a deceptive LNK shortcut to launch a PowerShell loader. The chain uses an obfuscated VBScript to reconstruct final-stage logic in memory, then operationalizes Defendnot to disable Microsoft Defender from a signed process while applying persistent policy-based suppression. Attackers stage components across GitHub and Dropbox, deploy long-term surveillance and persistence, and deliver Amnesia RAT, Hakuna Matata–derived ransomware, and a WinLocker, resulting in widespread file encryption and credential theft.

LinkedIn Messages Used to Distribute RAT via DLL Sideload

📩 ReliaQuest researchers uncovered a LinkedIn-based phishing campaign that delivers weaponized WinRAR self-extracting archives to targets. The archive extracts four components: a legitimate open-source PDF reader, a malicious DLL used for DLL sideloading, a portable Python interpreter PE, and a decoy RAR. When the PDF reader is run the rogue DLL is sideloaded, drops the Python interpreter, creates a Windows Run registry key, and executes Base64-encoded open-source shellcode in memory to deploy a remote access trojan. The campaign leverages social media DMs and legitimate tools to evade detection and maintain persistent access.