< ciso
brief />
Tag Banner

All news with #dll sideloading tag

52 articles

Dual‑RAT phishing targets India tax filers this season

🛡️ Researchers at Cyderes uncovered a phishing campaign impersonating the Indian Tax Department that delivers two remote access trojans via a multi-stage infection chain. Victims receive fake tax assessment emails that prompt them to download a seemingly legitimate ITR utility, which abuses signed Windows binaries to sideload malicious DLLs and perform in-memory execution and process injection. The campaign deploys a Gh0st RAT derivative and a .NET implant related to the QuasarRAT/AsyncRAT family, each communicating with separate C2 servers, providing redundant access even if one implant is blocked.
read more →

Suspected China-Nexus Campaign Targets Indian Taxpayers

🛡️ Seqrite Labs uncovered a targeted multi-stage phishing operation, dubbed Operation DragonReturn, impersonating India's Income Tax Department to deliver a remote access trojan. First observed on May 18, 2026, the campaign uses carefully crafted bilingual lures, malicious PDF attachments, and a ZIP-based DLL side-loading chain to install persistence and exfiltrate sensitive financial and credential data. The activity shows links to China-hosted infrastructure and overlaps with known tax-themed threat groups.
read more →

Mustang Panda uses cloud service for stealth C2

🛡️ A China-aligned espionage group, Mustang Panda, has run two campaigns targeting Indian government and hydropower-related networks, using new malware and abusing Zoho WorkDrive as a covert command-and-control channel. Acronis Threat Research Unit found active compromises affecting senior administrative systems, worked with CERT-In for remediation, and detailed three tools: SHARDLOADER, MINIRECON, and ZOHOMURK. The intrusions leveraged DLL sideloading via signed binaries and spear-phishing lures themed to hydropower and bilateral memoranda, with beaconing recorded from June 12–22, 2026.
read more →

Mistic backdoor linked to KongTuke access broker

🛡️ Broadcom, Symantec, and Carbon Black report a stealthy backdoor named Mistic (aka MLTBackdoor) deployed since April 2026 across insurance, education, IT, and professional services. The implant runs in memory via DLL side-loading of trusted tooling, includes a kill switch, and was dropped alongside ModeloRAT, a Python RAT tied to the KongTuke access broker. Analysts say the activity appears opportunistic and linked to ClickFix delivery chains and ransomware-related actors.
read more →

Mistic backdoor tied to initial access broker activity

🔍 Researchers have uncovered a backdoor named Mistic used in enterprise intrusions since April, linked to an initial access broker that sells footholds to ransomware gangs. The Windows DLL-sideloading malware executes in memory, reaches out to C2 servers, and can move, delete, and transfer files while also enabling credential theft. Symantec observed Mistic alongside ModeloRAT and social engineering chains using fake CAPTCHAs and malicious paste-and-run guidance.
read more →

ClickFix campaigns expand modular malware delivery

🛡️ Multiple ClickFix campaigns have been linked to three distinct loaders — BabaDeda Loader, Lorem Ipsum Loader, and Potemkin — delivering information stealers, backdoors, RATs, and other payloads against diverse sectors. The attacks rely on social-engineered ClickFix lures that trick victims into running PowerShell or command sequences, then use staged techniques such as hidden PowerShell, DLL side-loading, in-memory shellcode, and external payload storage to evade detection. Researchers from Morphisec, BlueVoyant, and Huntress attribute the campaigns to evolving, modular loader frameworks that separate delivery, storage, execution, and payload deployment for greater stealth.
read more →

Grandoreiro and BTMOB campaigns target Latin Europe

🛡️ WatchGuard and ESET report two active campaigns spreading Windows and Android banking trojans across Latin America and Europe. The Grandoreiro campaign leverages DLL side-loading, WebRTC/STUN/ICE communications, and phishing to target Portuguese banks and international financial services. ESET details BTMOB, a rapidly evolving Android RAT sold as a service with an APK builder that enables mass phishing-based distribution and remote device control.
read more →

Microsoft warns of AI‑assisted cryptojacking campaign

🛡️ Microsoft warns of an active cryptojacking campaign that leverages AI chatbot interactions to surface malicious download sites. The attacks impersonate legitimate utilities and target high-performance GPU systems, using ZIP archives with sideloaded rogue DLLs to install ScreenConnect and deliver GPU miners. The campaign establishes persistent remote access, configures Defender exclusions, and supports multiple miners while evading analysis tools.
read more →

Iranian Hackers Target Major South Korean Electronics Maker

🔒 Symantec researchers attribute a February 2026 cyber-espionage campaign to MuddyWater (Seedworm), which spent a week inside a major South Korean electronics manufacturer's network. The attackers relied on DLL sideloading of legitimate binaries — Fortemedia's fmapp.exe and SentinelOne's sentinelmemoryscanner.exe — to load malicious DLLs containing ChromElevator. They used PowerShell (now invoked via Node.js loaders) for reconnaissance, credential theft, persistence and SOCKS5 tunneling, and exfiltrated data via sendit.sh.
read more →

Fake Claude Site Distributes Beagle Backdoor to Windows

🔒 A fraudulent imitation of Anthropic's Claude hosted at claude-pro[.]com distributed a roughly 505 MB ZIP claiming to contain a "Claude-Pro Relay" tool, according to Sophos X-Ops. The MSI installer drops three items into the startup folder: a signed G DATA updater renamed NOVupdate.exe, an encrypted data file and a malicious avk.dll; when the updater runs it sideloads avk.dll, which decrypts shellcode and uses DonutLoader to load the Beagle backdoor. Sophos traced related samples to February–March 2026 and noted the campaign used Cloudflare for distribution while hosting C2 infrastructure on Alibaba Cloud.
read more →

Johnson Controls AC2000 DLL Hijacking Vulnerability

⚠️ Johnson Controls' CEM AC2000 contains a DLL hijacking vulnerability (CVE-2026-21661) affecting versions 12.0, 11.0, and 10.6 that could allow a local, non‑privileged user to escalate privileges on the host. CISA assigns a CVSS v3.1 base score of 8.7 (High). The issue is not remotely exploitable and no public exploitation has been reported. Johnson Controls has released patched updates and recommends upgrading to the specified releases.
read more →

Formbook Campaigns Use DLL Sideloading and JS Obfuscation

🔒 Two phishing campaigns are delivering Formbook infostealer to Windows devices using distinct stealth techniques. One abuses DLL sideloading via RAR attachments containing multiple DLLs and an EXE, while the other hides payloads in obfuscated JavaScript and PDF files that drop PowerShell commands and a custom loader. WatchGuard warns these methods leverage trusted processes to evade detection and urges monitoring of archive attachments, anomalous DLL loads and suspicious PowerShell activity.
read more →

CPUID Site Briefly Served STX RAT via Trojanized Tools

🛡️Kaspersky and analysts observed unknown actors briefly compromise CPUID, swapping legitimate download links for trojanized installers of CPU‑Z and HWMonitor for under 24 hours. The malicious packages contained a signed executable alongside a malicious CRYPTBASE.dll that leveraged DLL side‑loading, performed anti‑sandbox checks and fetched additional payloads. The campaign deployed STX RAT, a feature‑rich RAT with HVNC and extensive infostealer and remote‑control capabilities, impacting individuals and organizations in multiple sectors.
read more →

UAT-10362 Deploys Lua-Based LucidRook Against Taiwan NGOs

🔍 Cisco Talos attributes a previously undocumented cluster, UAT-10362, to targeted spear‑phishing against Taiwanese NGOs and suspected universities, deploying a new Lua‑based stager named LucidRook. The actor uses RAR/7‑Zip lures and a dropper called LucidPawn, relying on repeated DLL side‑loading to execute payloads. LucidRook embeds an Lua 5.4.8 interpreter and Rust libraries to fetch and run encrypted Lua bytecode, while some variants use a reconnaissance DLL, LucidKnight, to profile targets before staging further activity.
read more →

Chinese APT TA416 Resurges, Targeting European Governments

🐼 Proofpoint researchers reported a renewed wave of cyber espionage by Chinese state-backed group TA416 against EU and NATO diplomatic missions from mid‑2025 into early 2026, later extending into the Middle East. The actor repeatedly changed its initial infection chains—abusing Cloudflare Turnstile challenge pages, leveraging Microsoft Entra ID redirects and using malicious C# project files—while persistently delivering a custom PlugX backdoor via DLL sideloading triads. Campaigns used freemail accounts, compromised diplomatic mailboxes and cloud storage (Azure Blob, Google Drive, SharePoint) to host malicious archives. Proofpoint links TA416 to the broader Mustang Panda cluster and documents use of re-registered domains, VPS providers and Cloudflare CDN to evade detection.
read more →

Rust-based VENON banking malware targets 33 banks in Brazil

🛡️ Brazilian cybersecurity firm ZenoX disclosed a Rust-based banking trojan named VENON that targets Windows users and 33 financial and digital-asset platforms. The threat chain uses DLL side-loading and a PowerShell-delivered ZIP to drop a malicious DLL that performs nine evasion techniques (anti-sandbox checks, indirect syscalls, ETW and AMSI bypasses) before executing payloads. VENON fetches configuration from Google Cloud Storage, installs a scheduled task, and connects to a WebSocket C2 while employing banking overlays, active window monitoring, and an Itaú-specific LNK hijack implemented via embedded VBS; it also supports a remote uninstall to restore altered shortcuts. ZenoX noted the Rust code reflects knowledge of Latin American trojans and appears to have been rewritten or expanded with the aid of generative AI.
read more →

Storm-2561 SEO poisoning distributes fake VPN clients

🔒 Microsoft Threat Intelligence attributes a mid‑January 2026 credential theft campaign to the cybercriminal group Storm‑2561, which used SEO poisoning to surface malicious ZIP files masquerading as legitimate enterprise VPN installers. The ZIPs contained an MSI that side‑loaded signed trojan DLLs (dwmapi.dll and inspector.dll) which harvested VPN credentials and exfiltrated configuration data to attacker infrastructure. The binaries were signed with a certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd. (now revoked), and the installers mimicked a Pulse Secure client to trick users; GitHub hosts were used but have been removed.
read more →

ThreatsDay: OAuth Consent Abuse, EDR Bypass & More

🔒 Multiple vendors and researchers this week disclosed a broad set of active threats spanning cloud environments, endpoints, and messaging platforms. OAuth consent abuse campaigns impersonated trusted apps to harvest tokens and access mail and files without passwords, while the BlackSanta campaign used resume-themed ISOs to chain DLL side‑loading and disable AV/EDR via vulnerable drivers. Other notable items include microcontroller debug bypasses, ZIP header evasion that defeats some AV/EDR tools, an AI-agent compromise of an internal platform, and targeted phishing against Signal and WhatsApp users.
read more →

Resumes with Malicious ISO Attachments Target HR Teams

📄 Researchers at Aryaka report a campaign distributing malicious resumés with ISO attachments to HR teams. When mounted, an included .lnk executes obfuscated PowerShell that extracts payloads from steganographic images and sideloads a DLL via a signed app. The malware includes a module called BlackSanta and leverages a BYOVD technique to disable EDR. Organizations should restrict resume formats and harden HR processes.
read more →

UAT-9244 Targets South American Telecommunication Providers

🚨 Cisco Talos discloses UAT-9244, a China‑nexus APT active since 2024 that has targeted South American telecommunications providers and deployed three implants: TernDoor, PeerTime, and BruteEntry. The actor compromises Windows and multi‑architecture Linux/embedded devices using DLL side‑loading, BitTorrent-based P2P C2, and large-scale brute‑forcing via converted edge devices. Talos provides IOCs, detection signatures, and mitigations to help defenders identify and disrupt this campaign.
read more →