#dllsideloading — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #dllsideloading, aggregated by home.social.
-
📬 GTA 6 Early Access: Fake-Webseiten locken Fans in Krypto-Falle
#Gaming #ITSicherheit #BankingTrojaner #Cybercrime #DLLSideloading #FakeWebseiten #GTA6EarlyAccess #KryptoZahlungen #Malware #Phishing #Scam #socialengineering https://sc.tarnkappe.info/8f96be -
📬 GTA 6 Early Access: Fake-Webseiten locken Fans in Krypto-Falle
#Gaming #ITSicherheit #BankingTrojaner #Cybercrime #DLLSideloading #FakeWebseiten #GTA6EarlyAccess #KryptoZahlungen #Malware #Phishing #Scam #socialengineering https://sc.tarnkappe.info/8f96be -
----------------
🎯 Threat Intelligence: Seedworm (MuddyWater) Q1 2026 Espionage Campaign
===================Iran-linked espionage group Seedworm (aka MuddyWater, Temp Zagros, Static Kitten), attributed to Iran's MOIS, conducted a broad campaign in Q1 2026. At least nine organizations across nine countries on four continents were compromised, including a major South Korean electronics manufacturer (operators persisted for a full week in February 2026), a Middle Eastern international airport, government agencies, Southeast Asian industrial manufacturers, a Latin American financial-services provider, and educational institutions. Every target held information of intelligence value to Tehran.
🔹 Technical Details
The campaign relied on DLL sideloading with two pairs of legitimate, signed binaries:
1. Fortemedia fmapp.exe / fmapp.dll: Legitimate audio-driver utility abused to sideload a malicious DLL. Previously documented by Group-IB in Seedworm reporting.
2. SentinelOne sentinelmemoryscanner.exe / sentinelagentcore.dll: Legitimate, signed endpoint component abused to sideload malicious code. Using a security-product binary defeats path and signature-based detection and confuses triage.
Both malicious DLLs contain ChromElevator, a publicly available post-exploitation tool that steals passwords, cookies, and payment card data from Chromium-based browsers.
In both cases, node.exe was the parent process at execution time, indicating the sideloading was orchestrated by a Node.js script rather than user execution. A Node.js script was found embedded in an XML file on targeted hosts.
🔹 Analysis
This campaign reflects a tactical shift. Seedworm has historically been a prolific PowerShell user, but here PowerShell was delivered and orchestrated through Node.js. The group's previous campaign used Deno. This experimentation with scripting runtimes is likely an evasion measure.
Multiple credential theft and privilege escalation tools were deployed iteratively, suggesting operators worked through their toolkit searching for viable paths to elevated access. One credential harvester (SHA256: d587959841a763669279ad831b8f0379f6a7b037dffc19deab5d41f37f8b5ffc) calls CredUIPromptForWindowsCredentialsW, triggering the standard Windows credential prompt to harvest credentials.
PowerShell scripts pulled from a staging server performed reconnaissance, screenshot capture, SAM hive theft, and SOCKS5 reverse-proxy tunnelling.
🔹 Attack Chain Analysis
• Initial Access: Not detailed in source
• Execution: Node.js scripts embedded in XML files orchestrate payload delivery
• Persistence: DLL sideloading via legitimate signed binaries
• Credential Access: ChromElevator for browser data; CredUIPromptForWindowsCredentialsW harvester
• Privilege Escalation: Iterative deployment of multiple escalation tools
• Collection: Screenshot capture, SAM hive theft
• C2: SOCKS5 reverse-proxy tunnelling🔹 Detection
• Hunt for node.exe as parent of unexpected processes, especially those loading signed binaries from non-standard paths
• Flag DLL sideloading patterns: fmapp.dll and sentinelagentcore.dll loaded from unusual locations
• Monitor for CredUIPromptForWindowsCredentialsW calls from suspicious processes
• Review SentinelOne and Fortemedia binary execution paths for anomalies🔹 Limitations
Source does not specify the initial access vector. Attribution to MOIS is described as "widely believed" rather than definitively confirmed. Campaign scope may exceed the nine confirmed organizations.
🔹 seedworm #muddywater #threatintelligence #dllsideloading #iran
🔗 Source: https://www.security.com/threat-intelligence/iran-seedworm-electronics
-
MuddyWater Exploits DLL Side-Loading in Global Espionage Push
MuddyWater hackers have launched a massive global espionage campaign, infiltrating at least nine organizations across four continents by cleverly disguising malicious code as legitimate software. They used a sneaky trick called DLL side-loading to quietly steal credentials and browser data.
#Muddywater #DllSideloading #GlobalEspionage #Apt #EmergingThreats
-
Seedworm APT is abusing legitimately signed binaries for DLL sideloading — turning the system's own trust mechanisms against itself. There's something almost poetic about using a signed, "trusted" binary as a trojan horse. It's a good reminder: trust hierarchies need to be verified, not assumed. 🧩 #infosec #APT #DLLSideloading
https://gbhackers.com/seedworm-apt-abuses-signed-binaries/ -
Iranian Hackers Target Electronics Maker in Global Espionage Push
Iran-linked hackers, known as MuddyWater, infiltrated a major South Korean electronics manufacturer's network for a week in February 2026, as part of a massive global cyber-espionage campaign targeting nine high-profile organizations across multiple sectors and countries.
#Muddywater #Seedworm #CyberEspionage #DllSideloading #Chromelevator
-
TCLBanker Malware Spreads Rapidly via WhatsApp, Outlook
Beware of a rapidly spreading malware, TCLBanker, that's infecting 59 major banking, fintech, and cryptocurrency platforms through sneaky WhatsApp and Outlook attacks. This sneaky trojan uses a fake Logitech AI Prompt Builder installer to wreak havoc on your digital security.
#TclbankerMalware #Whatsapp #Outlook #LogitechAiPromptBuilder #DllSideloading
-
Malicious Site Exploits AI Interest to Deploy Beagle Backdoor
Beware of a fake website masquerading as Anthropic's Claude interface, tricking users into downloading a 505 MB ZIP archive that unleashes a new, previously undocumented Windows backdoor called Beagle. This malicious campaign uses a convincing imitation of the legitimate site to spread the infection.
#BeagleBackdoor #AiMalware #WindowsMalware #Malvertising #DllSideloading
-
Kong RAT: la nuova campagna di SEO poisoning con dropper NativeAOT .NET 10 che prende di mira gli sviluppatori cinesi
eSentire TRU ha documentato Kong RAT, un impianto modulare distribuito via installer contraffatti di FinalShell, Xshell, QuickQ e Clash. La catena a sei stadi sfrutta un dropper NativeAOT in .NET 10 — non analizzabile con i tool CLR classici — DLL sideloading su rc.exe, PEB masquerading come explorer.exe e shellcode eseguito via callback EnumWindows. Un salto di qualita rispetto alle campagne Gh0st/kkRAT. -
Kong RAT: la nuova campagna di SEO poisoning con dropper NativeAOT .NET 10 che prende di mira gli sviluppatori cinesi
eSentire TRU ha documentato Kong RAT, un impianto modulare distribuito via installer contraffatti di FinalShell, Xshell, QuickQ e Clash. La catena a sei stadi sfrutta un dropper NativeAOT in .NET 10 — non analizzabile con i tool CLR classici — DLL sideloading su rc.exe, PEB masquerading come explorer.exe e shellcode eseguito via callback EnumWindows. Un salto di qualita rispetto alle campagne Gh0st/kkRAT. -
Niebezpieczny atak socjotechniczny wykorzystujący znane oprogramowanie CPUID
Ostatnie miesiące przyzwyczaiły nas do ataków na łańcuch dostaw, które zwykle polegają na dodaniu złośliwej zależności do powszechnie używanego oprogramowania. Zmiany te, mogą już na etapie instalacji pakietu spowodować przejęcie systemu, na którym zostały uruchomione. Tym razem niezidentyfikowani sprawcy nie zdołali (nie musieli?) atakować zależności oprogramowania diagnostycznego CPUID (chodzi o...
#WBiegu #Cpuz #Dllsideloading #Hardwaremonitor #Repackingattack #Supplychain
https://sekurak.pl/niebezpieczny-atak-socjotechniczny-wykorzystujacy-znane-oprogramowanie-cpuid/
-
Niebezpieczny atak socjotechniczny wykorzystujący znane oprogramowanie CPUID
Ostatnie miesiące przyzwyczaiły nas do ataków na łańcuch dostaw, które zwykle polegają na dodaniu złośliwej zależności do powszechnie używanego oprogramowania. Zmiany te, mogą już na etapie instalacji pakietu spowodować przejęcie systemu, na którym zostały uruchomione. Tym razem niezidentyfikowani sprawcy nie zdołali (nie musieli?) atakować zależności oprogramowania diagnostycznego CPUID (chodzi o...
#WBiegu #Cpuz #Dllsideloading #Hardwaremonitor #Repackingattack #Supplychain
https://sekurak.pl/niebezpieczny-atak-socjotechniczny-wykorzystujacy-znane-oprogramowanie-cpuid/
-
Nowa kampania phishingowa – prywatne wiadomości w LinkedIn mogą prowadzić do instalacji RAT
Badacze bezpieczeństwa z ReliaQuest wykryli nową kampanię phishingową, w której atakujący wykorzystują platformę LinkedIn do dostarczenia złośliwego oprogramowania. Nie byłoby w tym nic nadzwyczajnego, gdyby nie fakt, że cyberprzestępcy wybrali za cel kadrę zarządzającą oraz administratorów IT, którzy z próbami oszustwa spotykają się na co dzień. TLDR: Co więcej, wykorzystany...
-
Nowa kampania phishingowa – prywatne wiadomości w LinkedIn mogą prowadzić do instalacji RAT
Badacze bezpieczeństwa z ReliaQuest wykryli nową kampanię phishingową, w której atakujący wykorzystują platformę LinkedIn do dostarczenia złośliwego oprogramowania. Nie byłoby w tym nic nadzwyczajnego, gdyby nie fakt, że cyberprzestępcy wybrali za cel kadrę zarządzającą oraz administratorów IT, którzy z próbami oszustwa spotykają się na co dzień. TLDR: Co więcej, wykorzystany...
-
📬 APT31: Hackergruppe nutzt Cloud zur Verschleierung
#Cyberangriffe #ITSicherheit #APT31 #DLLSideLoading #JudgementPanda #RANEPA #TA412 #YandexCloud #Zirconium https://sc.tarnkappe.info/04fc8c -
📬 APT31: Hackergruppe nutzt Cloud zur Verschleierung
#Cyberangriffe #ITSicherheit #APT31 #DLLSideLoading #JudgementPanda #RANEPA #TA412 #YandexCloud #Zirconium https://sc.tarnkappe.info/04fc8c -
Phishing emails that look legit and hidden DLLs are paving the way for a new breed of cyber threats. How did attackers upgrade from a simple infostealer to a full-blown RAT? Dive into the evolution of PureRAT to find out.
https://thedefendopsdiaries.com/dissecting-the-purerat-attack-chain-from-infostealer-to-full-rat/
#purerat
#cyberattack
#dllsideloading
#remotetrojan
#defenseevasion -
Phishing emails that look legit and hidden DLLs are paving the way for a new breed of cyber threats. How did attackers upgrade from a simple infostealer to a full-blown RAT? Dive into the evolution of PureRAT to find out.
https://thedefendopsdiaries.com/dissecting-the-purerat-attack-chain-from-infostealer-to-full-rat/
#purerat
#cyberattack
#dllsideloading
#remotetrojan
#defenseevasion -
Cobalt Strike Beacon delivered via GitHub and social media – Source: securelist.com https://ciso2ciso.com/cobalt-strike-beacon-delivered-via-github-and-social-media-source-securelist-com/ #rssfeedpostgeneratorecho #MalwareDescriptions #MalwareTechnologies #CyberSecurityNews #Targetedattacks #cyberespionage #DLLsideloading #Socialnetworks #Windowsmalware #securelistcom #CobaltStrike #DLLhijacking #shellcode #research #Malware #GitHub #Trojan
-
Cobalt Strike Beacon delivered via GitHub and social media – Source: securelist.com https://ciso2ciso.com/cobalt-strike-beacon-delivered-via-github-and-social-media-source-securelist-com/ #rssfeedpostgeneratorecho #MalwareDescriptions #MalwareTechnologies #CyberSecurityNews #Targetedattacks #cyberespionage #DLLsideloading #Socialnetworks #Windowsmalware #securelistcom #CobaltStrike #DLLhijacking #shellcode #research #Malware #GitHub #Trojan
-
GOLD BLADE Remote DLL Sideloading Attack Deploys RedLoader – Source: news.sophos.com https://ciso2ciso.com/gold-blade-remote-dll-sideloading-attack-deploys-redloader-source-news-sophos-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #DLLsideloading #ThreatResearch #nakedsecurity #nakedsecurity #Cybercrime #SophosXOps #GOLDBLADE #RedLoader #FEATURED #featured #WebDAV #webdav #LNK #lnk
-
GOLD BLADE Remote DLL Sideloading Attack Deploys RedLoader – Source: news.sophos.com https://ciso2ciso.com/gold-blade-remote-dll-sideloading-attack-deploys-redloader-source-news-sophos-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #DLLsideloading #ThreatResearch #nakedsecurity #nakedsecurity #Cybercrime #SophosXOps #GOLDBLADE #RedLoader #FEATURED #featured #WebDAV #webdav #LNK #lnk
-
The SOC files: Rumble in the jungle or APT41’s new target in Africa – Source: securelist.com https://ciso2ciso.com/the-soc-files-rumble-in-the-jungle-or-apt41s-new-target-in-africa-source-securelist-com/ #rssfeedpostgeneratorecho #APT(Targetedattacks) #CyberSecurityNews #Targetedattacks #DLLsideloading #securelistcom #CobaltStrike #DLLhijacking #TIandIRposts #Incidents #APT #SOC
-
The SOC files: Rumble in the jungle or APT41’s new target in Africa – Source: securelist.com https://ciso2ciso.com/the-soc-files-rumble-in-the-jungle-or-apt41s-new-target-in-africa-source-securelist-com/ #rssfeedpostgeneratorecho #APT(Targetedattacks) #CyberSecurityNews #Targetedattacks #DLLsideloading #securelistcom #CobaltStrike #DLLhijacking #TIandIRposts #Incidents #APT #SOC
-
Rumble in the jungle: APT41’s new target in Africa – Source: securelist.com https://ciso2ciso.com/rumble-in-the-jungle-apt41s-new-target-in-africa-source-securelist-com/ #rssfeedpostgeneratorecho #APT(Targetedattacks) #CyberSecurityNews #Targetedattacks #DLLsideloading #securelistcom #CobaltStrike #DLLhijacking #TIandIRposts #Incidents #APT #SOC
-
Rumble in the jungle: APT41’s new target in Africa – Source: securelist.com https://ciso2ciso.com/rumble-in-the-jungle-apt41s-new-target-in-africa-source-securelist-com/ #rssfeedpostgeneratorecho #APT(Targetedattacks) #CyberSecurityNews #Targetedattacks #DLLsideloading #securelistcom #CobaltStrike #DLLhijacking #TIandIRposts #Incidents #APT #SOC
-
Finding Minhook in a sideloading attack – and Sweden too – Source: news.sophos.com https://ciso2ciso.com/finding-minhook-in-a-sideloading-attack-and-sweden-too-source-news-sophos-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #DLLsideloading #ThreatResearch #nakedsecurity #nakedsecurity #cobaltstrike #minhook
-
Finding Minhook in a sideloading attack – and Sweden too – Source: news.sophos.com https://ciso2ciso.com/finding-minhook-in-a-sideloading-attack-and-sweden-too-source-news-sophos-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #DLLsideloading #ThreatResearch #nakedsecurity #nakedsecurity #cobaltstrike #minhook
-
New Cyber Threat Exposed: Advanced Techniques Used to Target German Systems https://thecyberexpress.com/sliver-impact-and-dll-sideloading/ #TheCyberExpressNews #TheCyberExpress #DLLSideloading #FirewallDaily #Sliverimplant #DarkWebNews #DLLProxying #CyberNews #silver #CRIL
-
New Cyber Threat Exposed: Advanced Techniques Used to Target German Systems https://thecyberexpress.com/sliver-impact-and-dll-sideloading/ #TheCyberExpressNews #TheCyberExpress #DLLSideloading #FirewallDaily #Sliverimplant #DarkWebNews #DLLProxying #CyberNews #silver #CRIL
-
Happy Monday everyone!
Looking for ACTIONABLE information on #DLLSideLoading? Look no further than this complete article from the Securonix Threat Research team. They provide a clear overview of the technique, provide the answer to the question "Why should I be worried?", give examples of real-world malware that used it, and some great detection and hunt opportunities. This is well worth the read and I hope you enjoy! Happy Hunting!
Securonix Threat Research Knowledge Sharing Series: Detecting DLL Sideloading Techniques Found In Recent Real-world Malware Attack Chains
https://www.securonix.com/blog/detecting-dll-sideloading-techniques-in-malware-attack-chains/#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
-
Happy Monday everyone!
Looking for ACTIONABLE information on #DLLSideLoading? Look no further than this complete article from the Securonix Threat Research team. They provide a clear overview of the technique, provide the answer to the question "Why should I be worried?", give examples of real-world malware that used it, and some great detection and hunt opportunities. This is well worth the read and I hope you enjoy! Happy Hunting!
Securonix Threat Research Knowledge Sharing Series: Detecting DLL Sideloading Techniques Found In Recent Real-world Malware Attack Chains
https://www.securonix.com/blog/detecting-dll-sideloading-techniques-in-malware-attack-chains/#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
-
It looks like someone found a way to DLL side load with sqlwriter.exe using the exported set_se_translator function :D
https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
-
It looks like someone found a way to DLL side load with sqlwriter.exe using the exported set_se_translator function :D
https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
-
📬 WerFault.exe: Hacker missbrauchen Windows-Fehlermeldungstool
#Malware #DLLSideloading #PupyRAT #RemoteAccessTrojaner #WerFaultexe #windows10 #Windows11 #WindowsFehlerbericht https://tarnkappe.info/artikel/malware/werfault-exe-hacker-missbrauchen-windows-fehlermeldungstool-262560.html -
📬 WerFault.exe: Hacker missbrauchen Windows-Fehlermeldungstool
#Malware #DLLSideloading #PupyRAT #RemoteAccessTrojaner #WerFaultexe #windows10 #Windows11 #WindowsFehlerbericht https://tarnkappe.info/artikel/malware/werfault-exe-hacker-missbrauchen-windows-fehlermeldungstool-262560.html