home.social

#dllsideloading — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #dllsideloading, aggregated by home.social.

fetched live
  1. ----------------

    🎯 Threat Intelligence: Seedworm (MuddyWater) Q1 2026 Espionage Campaign
    ===================

    Iran-linked espionage group Seedworm (aka MuddyWater, Temp Zagros, Static Kitten), attributed to Iran's MOIS, conducted a broad campaign in Q1 2026. At least nine organizations across nine countries on four continents were compromised, including a major South Korean electronics manufacturer (operators persisted for a full week in February 2026), a Middle Eastern international airport, government agencies, Southeast Asian industrial manufacturers, a Latin American financial-services provider, and educational institutions. Every target held information of intelligence value to Tehran.

    🔹 Technical Details

    The campaign relied on DLL sideloading with two pairs of legitimate, signed binaries:

    1. Fortemedia fmapp.exe / fmapp.dll: Legitimate audio-driver utility abused to sideload a malicious DLL. Previously documented by Group-IB in Seedworm reporting.

    2. SentinelOne sentinelmemoryscanner.exe / sentinelagentcore.dll: Legitimate, signed endpoint component abused to sideload malicious code. Using a security-product binary defeats path and signature-based detection and confuses triage.

    Both malicious DLLs contain ChromElevator, a publicly available post-exploitation tool that steals passwords, cookies, and payment card data from Chromium-based browsers.

    In both cases, node.exe was the parent process at execution time, indicating the sideloading was orchestrated by a Node.js script rather than user execution. A Node.js script was found embedded in an XML file on targeted hosts.

    🔹 Analysis

    This campaign reflects a tactical shift. Seedworm has historically been a prolific PowerShell user, but here PowerShell was delivered and orchestrated through Node.js. The group's previous campaign used Deno. This experimentation with scripting runtimes is likely an evasion measure.

    Multiple credential theft and privilege escalation tools were deployed iteratively, suggesting operators worked through their toolkit searching for viable paths to elevated access. One credential harvester (SHA256: d587959841a763669279ad831b8f0379f6a7b037dffc19deab5d41f37f8b5ffc) calls CredUIPromptForWindowsCredentialsW, triggering the standard Windows credential prompt to harvest credentials.

    PowerShell scripts pulled from a staging server performed reconnaissance, screenshot capture, SAM hive theft, and SOCKS5 reverse-proxy tunnelling.

    🔹 Attack Chain Analysis
    • Initial Access: Not detailed in source
    • Execution: Node.js scripts embedded in XML files orchestrate payload delivery
    • Persistence: DLL sideloading via legitimate signed binaries
    • Credential Access: ChromElevator for browser data; CredUIPromptForWindowsCredentialsW harvester
    • Privilege Escalation: Iterative deployment of multiple escalation tools
    • Collection: Screenshot capture, SAM hive theft
    • C2: SOCKS5 reverse-proxy tunnelling

    🔹 Detection
    • Hunt for node.exe as parent of unexpected processes, especially those loading signed binaries from non-standard paths
    • Flag DLL sideloading patterns: fmapp.dll and sentinelagentcore.dll loaded from unusual locations
    • Monitor for CredUIPromptForWindowsCredentialsW calls from suspicious processes
    • Review SentinelOne and Fortemedia binary execution paths for anomalies

    🔹 Limitations

    Source does not specify the initial access vector. Attribution to MOIS is described as "widely believed" rather than definitively confirmed. Campaign scope may exceed the nine confirmed organizations.

    🔹 seedworm #muddywater #threatintelligence #dllsideloading #iran

    🔗 Source: security.com/threat-intelligen

  2. MuddyWater Exploits DLL Side-Loading in Global Espionage Push

    MuddyWater hackers have launched a massive global espionage campaign, infiltrating at least nine organizations across four continents by cleverly disguising malicious code as legitimate software. They used a sneaky trick called DLL side-loading to quietly steal credentials and browser data.

    osintsights.com/muddywater-exp

    #Muddywater #DllSideloading #GlobalEspionage #Apt #EmergingThreats

  3. Seedworm APT is abusing legitimately signed binaries for DLL sideloading — turning the system's own trust mechanisms against itself. There's something almost poetic about using a signed, "trusted" binary as a trojan horse. It's a good reminder: trust hierarchies need to be verified, not assumed. 🧩 #infosec #APT #DLLSideloading
    gbhackers.com/seedworm-apt-abu

  4. Iranian Hackers Target Electronics Maker in Global Espionage Push

    Iran-linked hackers, known as MuddyWater, infiltrated a major South Korean electronics manufacturer's network for a week in February 2026, as part of a massive global cyber-espionage campaign targeting nine high-profile organizations across multiple sectors and countries.

    osintsights.com/iranian-hacker

    #Muddywater #Seedworm #CyberEspionage #DllSideloading #Chromelevator

  5. TCLBanker Malware Spreads Rapidly via WhatsApp, Outlook

    Beware of a rapidly spreading malware, TCLBanker, that's infecting 59 major banking, fintech, and cryptocurrency platforms through sneaky WhatsApp and Outlook attacks. This sneaky trojan uses a fake Logitech AI Prompt Builder installer to wreak havoc on your digital security.

    osintsights.com/tclbanker-malw

    #TclbankerMalware #Whatsapp #Outlook #LogitechAiPromptBuilder #DllSideloading

  6. Malicious Site Exploits AI Interest to Deploy Beagle Backdoor

    Beware of a fake website masquerading as Anthropic's Claude interface, tricking users into downloading a 505 MB ZIP archive that unleashes a new, previously undocumented Windows backdoor called Beagle. This malicious campaign uses a convincing imitation of the legitimate site to spread the infection.

    osintsights.com/malicious-site

    #BeagleBackdoor #AiMalware #WindowsMalware #Malvertising #DllSideloading

  7. Kong RAT: la nuova campagna di SEO poisoning con dropper NativeAOT .NET 10 che prende di mira gli sviluppatori cinesi

    eSentire TRU ha documentato Kong RAT, un impianto modulare distribuito via installer contraffatti di FinalShell, Xshell, QuickQ e Clash. La catena a sei stadi sfrutta un dropper NativeAOT in .NET 10 — non analizzabile con i tool CLR classici — DLL sideloading su rc.exe, PEB masquerading come explorer.exe e shellcode eseguito via callback EnumWindows. Un salto di qualita rispetto alle campagne Gh0st/kkRAT.

    insicurezzadigitale.com/kong-r

  8. Kong RAT: la nuova campagna di SEO poisoning con dropper NativeAOT .NET 10 che prende di mira gli sviluppatori cinesi

    eSentire TRU ha documentato Kong RAT, un impianto modulare distribuito via installer contraffatti di FinalShell, Xshell, QuickQ e Clash. La catena a sei stadi sfrutta un dropper NativeAOT in .NET 10 — non analizzabile con i tool CLR classici — DLL sideloading su rc.exe, PEB masquerading come explorer.exe e shellcode eseguito via callback EnumWindows. Un salto di qualita rispetto alle campagne Gh0st/kkRAT.

    insicurezzadigitale.com/kong-r

  9. Niebezpieczny atak socjotechniczny wykorzystujący znane oprogramowanie CPUID

    Ostatnie miesiące przyzwyczaiły nas do ataków na łańcuch dostaw, które zwykle polegają na dodaniu złośliwej zależności do powszechnie używanego oprogramowania. Zmiany te, mogą już na etapie instalacji pakietu spowodować przejęcie systemu, na którym zostały uruchomione. Tym razem niezidentyfikowani sprawcy nie zdołali (nie musieli?) atakować zależności oprogramowania diagnostycznego CPUID (chodzi o...

    #WBiegu #Cpuz #Dllsideloading #Hardwaremonitor #Repackingattack #Supplychain

    sekurak.pl/niebezpieczny-atak-

  10. Niebezpieczny atak socjotechniczny wykorzystujący znane oprogramowanie CPUID

    Ostatnie miesiące przyzwyczaiły nas do ataków na łańcuch dostaw, które zwykle polegają na dodaniu złośliwej zależności do powszechnie używanego oprogramowania. Zmiany te, mogą już na etapie instalacji pakietu spowodować przejęcie systemu, na którym zostały uruchomione. Tym razem niezidentyfikowani sprawcy nie zdołali (nie musieli?) atakować zależności oprogramowania diagnostycznego CPUID (chodzi o...

    #WBiegu #Cpuz #Dllsideloading #Hardwaremonitor #Repackingattack #Supplychain

    sekurak.pl/niebezpieczny-atak-

  11. Nowa kampania phishingowa – prywatne wiadomości w LinkedIn mogą prowadzić do instalacji RAT

    Badacze bezpieczeństwa z ReliaQuest wykryli nową kampanię phishingową, w której atakujący wykorzystują platformę LinkedIn do dostarczenia złośliwego oprogramowania. Nie byłoby w tym nic nadzwyczajnego, gdyby nie fakt, że cyberprzestępcy wybrali za cel kadrę zarządzającą oraz administratorów IT, którzy z próbami oszustwa spotykają się na co dzień.  TLDR: Co więcej, wykorzystany...

    #WBiegu #DllSideLoading #Linkedin #Phishing #Python #RAT

    sekurak.pl/nowa-kampania-phish

  12. Nowa kampania phishingowa – prywatne wiadomości w LinkedIn mogą prowadzić do instalacji RAT

    Badacze bezpieczeństwa z ReliaQuest wykryli nową kampanię phishingową, w której atakujący wykorzystują platformę LinkedIn do dostarczenia złośliwego oprogramowania. Nie byłoby w tym nic nadzwyczajnego, gdyby nie fakt, że cyberprzestępcy wybrali za cel kadrę zarządzającą oraz administratorów IT, którzy z próbami oszustwa spotykają się na co dzień.  TLDR: Co więcej, wykorzystany...

    #WBiegu #DllSideLoading #Linkedin #Phishing #Python #RAT

    sekurak.pl/nowa-kampania-phish

  13. Phishing emails that look legit and hidden DLLs are paving the way for a new breed of cyber threats. How did attackers upgrade from a simple infostealer to a full-blown RAT? Dive into the evolution of PureRAT to find out.

    thedefendopsdiaries.com/dissec

    #purerat
    #cyberattack
    #dllsideloading
    #remotetrojan
    #defenseevasion

  14. Phishing emails that look legit and hidden DLLs are paving the way for a new breed of cyber threats. How did attackers upgrade from a simple infostealer to a full-blown RAT? Dive into the evolution of PureRAT to find out.

    thedefendopsdiaries.com/dissec

    #purerat
    #cyberattack
    #dllsideloading
    #remotetrojan
    #defenseevasion

  15. Happy Monday everyone!

    Looking for ACTIONABLE information on #DLLSideLoading? Look no further than this complete article from the Securonix Threat Research team. They provide a clear overview of the technique, provide the answer to the question "Why should I be worried?", give examples of real-world malware that used it, and some great detection and hunt opportunities. This is well worth the read and I hope you enjoy! Happy Hunting!

    Securonix Threat Research Knowledge Sharing Series: Detecting DLL Sideloading Techniques Found In Recent Real-world Malware Attack Chains
    securonix.com/blog/detecting-d

    #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  16. Happy Monday everyone!

    Looking for ACTIONABLE information on #DLLSideLoading? Look no further than this complete article from the Securonix Threat Research team. They provide a clear overview of the technique, provide the answer to the question "Why should I be worried?", give examples of real-world malware that used it, and some great detection and hunt opportunities. This is well worth the read and I hope you enjoy! Happy Hunting!

    Securonix Threat Research Knowledge Sharing Series: Detecting DLL Sideloading Techniques Found In Recent Real-world Malware Attack Chains
    securonix.com/blog/detecting-d

    #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday