< ciso
brief />
Tag Banner

All news with #dll sideloading tag

52 articles · page 2 of 3

Fake IT Support Spam Delivers Havoc C2 via DLL Sideloader

🔒 Huntress researchers uncovered a campaign where attackers posed as IT support, using email spam and follow-up phone calls to coerce victims into granting remote access and visiting a counterfeit Microsoft page hosted on AWS. The fake site harvested credentials and prompted a download that executed a legitimate binary which sideloaded a malicious DLL to launch the Havoc Demon. The intrusions showed rapid lateral movement, scheduled-task persistence, and use of legitimate RMM tools as backup persistence.
read more →

CRESCENTHARVEST Campaign Targets Iran Protest Supporters

🛡️ Acronis Threat Research Unit disclosed CRESCENTHARVEST, a campaign observed after January 9 that targets Farsi-speaking supporters of Iran's protests with a remote access trojan and information stealer. Attackers lure victims with protest-themed archives and double-extension .LNK shortcuts that run PowerShell to fetch a secondary ZIP while opening benign media. The payload sideloads DLLs via a Google-signed software_reporter_tool.exe, extracts Chrome app-bound keys, harvests browser and Telegram data, logs keystrokes, and communicates with a WinHTTP C2 at servicelog-information[.]com.
read more →

GE Vernova Enervista UR Setup Vulnerabilities Fixed

🔒 GE Vernova released updates for Enervista UR Setup to address two vulnerabilities. The installer is vulnerable to DLL hijacking (CVE-2026-1762), which could allow administrative code execution when run in directories containing untrusted DLLs. A second issue is a path traversal (CVE-2026-1763) that can overwrite files as the logged-in user. Users should update to version 8.70 or later.
read more →

Siemens SINEC NMS and UMC DLL Load Vulnerabilities

⚠️ Siemens has published fixes for two local privilege escalation vulnerabilities affecting SINEC NMS and the User Management Component (UMC). A low-privileged user could modify configuration files to force the application to load malicious DLLs, potentially enabling arbitrary code execution with elevated (including SYSTEM) privileges. The issues are tracked as CVE-2026-25655 and CVE-2026-25656 (CWE-427) with a CVSS v3.1 base score of 7.8. Administrators should apply SINEC NMS V4.0 SP2 and UMC V2.15.2.1 or later as provided by Siemens ProductCERT.
read more →

China-linked Amaranth-Dragon targets Southeast Asia in 2025

🔍 Check Point Research identified a China-linked cluster named Amaranth-Dragon that conducted narrowly focused cyber espionage across Southeast Asia throughout 2025, primarily targeting government and law enforcement entities. Attacks exploited CVE-2025-8088 in WinRAR and used DLL side-loading to deploy an Amaranth Loader and the Havoc C2, while variants like TGAmaranth RAT leveraged a hard-coded Telegram bot. The operators limited exposure by geo-restricting Cloudflare-protected C2s and exhibited tooling and operational overlaps with the APT41 ecosystem.
read more →

Amaranth Dragon exploits WinRAR flaw in espionage campaign

🔐 A new espionage actor dubbed Amaranth Dragon, linked to APT41, has exploited the CVE-2025-8088 vulnerability in WinRAR to target government and law enforcement organizations across Southeast Asia. Attackers abused Windows Alternate Data Streams and delivered ZIP archives with .LNK and .BAT stagers to drop a loader, then used DLL sideloading of a digitally signed executable for persistence via the Startup folder and Registry Run keys. The custom Amaranth Loader retrieves AES-encrypted payloads from Cloudflare-hosted C2 servers geofenced to accept traffic only from targeted regions, frequently delivering the Havoc post-exploitation framework or a new TGAmaranth RAT that uses a Telegram bot for command-and-control. Check Point published IoCs and YARA rules; organizations are advised to update WinRAR to 7.13 or later (7.20 available).
read more →

Multi-Stage Windows Malware Campaign Abusing Defendnot

🛡️ FortiGuard Labs details a multi-stage Windows malware campaign that begins with socially engineered archives and a deceptive LNK shortcut to launch a PowerShell loader. The chain uses an obfuscated VBScript to reconstruct final-stage logic in memory, then operationalizes Defendnot to disable Microsoft Defender from a signed process while applying persistent policy-based suppression. Attackers stage components across GitHub and Dropbox, deploy long-term surveillance and persistence, and deliver Amnesia RAT, Hakuna Matata–derived ransomware, and a WinLocker, resulting in widespread file encryption and credential theft.
read more →

LinkedIn Messages Used to Distribute RAT via DLL Sideload

📩 ReliaQuest researchers uncovered a LinkedIn-based phishing campaign that delivers weaponized WinRAR self-extracting archives to targets. The archive extracts four components: a legitimate open-source PDF reader, a malicious DLL used for DLL sideloading, a portable Python interpreter PE, and a decoy RAR. When the PDF reader is run the rogue DLL is sideloaded, drops the Python interpreter, creates a Windows Run registry key, and executes Base64-encoded open-source shellcode in memory to deploy a remote access trojan. The campaign leverages social media DMs and legitimate tools to evade detection and maintain persistent access.
read more →

LinkedIn phishing uses legitimate tools to deploy RAT

🔒 Researchers at ReliaQuest uncovered a LinkedIn-based phishing campaign that delivers a Remote Access Trojan by abusing legitimate software. Attackers send role-tailored messages containing a WinRAR self-extracting archive that unpacks a legitimate open-source PDF reader alongside a malicious DLL that uses DLL sideloading. The campaign leverages a real penetration-testing tool to establish persistence, enabling data exfiltration and lateral movement.
read more →

PDFSider Windows Backdoor Targeted Fortune 100 Firm

🔐 Researchers discovered a stealthy Windows backdoor named PDFSider during incident response at a Fortune 100 finance firm; the tool has been linked to Qilin ransomware operations and is now observed with multiple ransomware groups. Attackers used spearphishing with a ZIP containing a legitimately signed PDF24 Creator executable and a malicious cryptbase.dll to achieve DLL side-loading and bypass EDRs. The in-memory backdoor uses AES-256-GCM for encrypted C2, exfiltrates system data over DNS, launches commands via anonymous pipes to CMD, and employs anti-analysis checks to maintain long-term covert access.
read more →

PDFSIDER: Encrypted Backdoor Uses DLL Side-Loading Toolkit

🔒 Resecurity researchers have identified a sophisticated backdoor called PDFSIDER, delivered via DLL side-loading from a trojanized, digitally signed PDF utility. The malware embeds the Botan crypto library and uses AES-256-GCM for an encrypted C2 channel, executing commands via cmd.exe entirely in memory and returning output over anonymous pipes. It performs anti-VM and debugger checks, exfiltrates data (including over DNS/53), and is assessed as targeted tradecraft that evades many AV and EDR products.
read more →

Malicious DLL Sideloading Campaign Impersonating Vendors

🔍 This Flash Hunting Findings brief describes an active campaign (Jan 11–15, 2026) distributing ZIP archives that impersonate vendors such as Malwarebytes and use a consistent behash (4acaac53c8340a8c236c91e68244e6cb) for identification. Each archive bundles a legitimate EXE and a malicious CoreMessaging.dll which is executed via DLL sideloading and subsequently drops secondary-stage infostealers. Analysts can pivot using embedded TXT files (gitconfig.com.txt / Agreement_About.txt), unique metadata signature strings, exported function names, the supplied YARA rule, or the VirusTotal collection to map related infrastructure.
read more →

c-ares DLL Side-Loading Enables Malware Deployment

🔒 Researchers detail an active campaign abusing a DLL side-loading flaw in the open-source c-ares runtime to evade defenses and deploy commodity trojans and stealers. Attackers pair a malicious libcares-2.dll with signed copies of ahost.exe (commonly from GitKraken) placed in the same folder to hijack load order and achieve code execution. The operation distributes families including Agent Tesla, CryptBot, Formbook, Vidar, Lumma, Remcos and others using invoice- and RFQ-themed lures in multiple languages targeting finance, procurement and admin roles.
read more →

Black Cat SEO Poisoning Campaign Distributes Backdoor

🚨A cybercrime gang known as Black Cat has been linked to an SEO poisoning campaign that tricks users with fake download pages for popular programs such as Google Chrome and Notepad++. Visitors are redirected to a GitHub‑mimicking host where a ZIP delivers an installer that creates a desktop shortcut which side‑loads a malicious DLL and deploys a backdoor. The backdoor contacts a hard‑coded C2 and can steal browser data, log keystrokes and capture clipboard contents. Users should avoid clicking unknown search results and download software only from official sources.
read more →

Varex AJAT Panoramic Dental Imaging DLL Hijack Vulnerability

⚠️ CISA warns of a DLL hijacking (Uncontrolled Search Path Element, CWE-427) in AJAT Panoramic Dental Imaging Software from Varex Imaging (CVE-2024-22774). Versions prior to 6.6.1.490 may allow a local, low-complexity exploit that lets a standard user escalate to NT AUTHORITY\SYSTEM. Varex has released a patch; administrators should run AJAT_DENTAL_IMAGING_9.4.55.9888.exe on affected workstations and contact the vendor for assistance.
read more →

WIRTE Uses AshenLoader Sideloading to Deploy AshTag

🔒 WIRTE (tracked as Ashen Lepus by Palo Alto Networks) has been observed using benign binaries to sideload a malicious DLL named AshenLoader, which drops additional components to deploy the AshTag .NET backdoor. The intrusion chain begins with a decoy PDF and a RAR archive from file-sharing services, leading to in-memory execution of a stager to minimize forensic traces. Targets are primarily government and diplomatic entities in the Middle East, with recent expansion to Oman and Morocco. Operators have been observed staging diplomacy-related documents and exfiltrating them using Rclone.
read more →

IAB Abuses EDR and Windows Utilities for Stealthy Malware

🔐Storm-0249, an initial access broker, is abusing endpoint detection and response (EDR) components and trusted Windows utilities to execute malware stealthily. In one analyzed incident the actor used social engineering to run curl commands that installed a malicious MSI which drops a DLL placed beside the legitimate SentinelAgentWorker.exe, then performs DLL sideloading to run attacker code inside the signed EDR process. Additional payloads are piped into memory via PowerShell from a spoofed domain, avoiding disk-based detection. Researchers recommend behavior-based detection for trusted processes loading unsigned DLLs and stricter controls on curl, PowerShell, and living-off-the-land binaries.
read more →

Storm-0249 Shifts to Fileless Execution and DLL Sideloader

🚨 ReliaQuest warns that Storm-0249 appears to be evolving from an initial access broker into an active operator, adopting domain spoofing, DLL side-loading and fileless PowerShell execution to facilitate ransomware intrusions. The actor used a Microsoft-mimicking URL and the Windows Run dialog to fetch and execute a PowerShell script that installed a trojanized SentinelOne DLL via a malicious MSI. This technique leverages living-off-the-land utilities and signed processes to maintain persistence and evade detection.
read more →

Google Details BadAudio Malware Used by China APT24

🔐 Google Threat Intelligence Group (GTIG) disclosed a previously undocumented loader, BadAudio, used by China-linked APT24 in a multi-year espionage campaign that employed spearphishing, watering-hole infections, and supply-chain compromises. The loader is heavily obfuscated, leverages DLL search-order hijacking and control-flow flattening, and exfiltrates encrypted system data to hard-coded C2 servers. In at least one observed case it delivered an Cobalt Strike Beacon, and many samples remained undetected by most antivirus engines.
read more →

Siemens DLL Hijacking in Software Center and Solid Edge

⚠ Siemens disclosed a DLL hijacking vulnerability (CVE-2025-40827) affecting Siemens Software Center and Solid Edge SE2025. The issue is an uncontrolled search path element (CWE-427) that could permit arbitrary code execution if a crafted DLL is placed on a system. Siemens has published fixes (Software Center v3.5+, Solid Edge V225.0 Update 10+) and recommends network isolation, access controls, and following its industrial security guidance to reduce risk.
read more →