Security researchers have disclosed an active malware campaign that exploits a DLL side-loading vulnerability in a legitimate binary linked to the open-source c-ares library to bypass security controls and deploy a wide range of malware, threat intelligence reports show.
According to Trellix’s analysis shared with cybersecurity news outlets, attackers pair a malicious libcares-2.dll file with a signed version of ahost.exe, a component typically distributed with GitKraken’s Desktop application, to execute their code instead of the legitimate library. This DLL side-loading technique allows the malware to evade signature-based detection and execute malicious payloads under the guise of trusted software.
The campaign has been observed distributing an assortment of commodity malware, including information stealers such as CryptBot, Lumma Stealer, and Vidar Stealer, remote access trojans (RATs) like Remcos and Quasar, and other malicious tools including Agent Tesla and DCRat. The variety of payloads underscores how side-loading can serve as a versatile delivery method for threat actors.
Researchers have observed the attacks using lure files whose names mimic invoices, purchase orders, and other business-oriented PDFs (RFQ_NO_04958_LG2049 pdf.exe, sales contract po-00423-025_pdf.exe, Fatura da DHL.exe), a social engineering tactic designed to entice recipients to open the malicious executables. Once executed, the signed binary loads the rogue DLL sitting beside it, which in turn launches the corresponding malware.
Targets are reported predominantly in commercial and industrial sectors, including employees in finance, procurement, supply chain, and administration roles. The phishing lures themselves have been observed in multiple languages, including Arabic, Spanish, Portuguese, Farsi, and English, suggesting a coordinated, regionally focused campaign.
Underlying the attack is a well-understood but persistently effective technique in Windows environments known as DLL side-loading, which abuses the operating system’s DLL search order: a malicious library placed in the same directory as a trusted executable is found and loaded before the legitimate one. Security practitioners have documented side-loading as a common evasion and persistence method because it piggybacks on digitally signed software that endpoint defenses would otherwise trust.
Threat intelligence specialists warn that side-loading attacks are difficult to detect with standard signature-based tools because they rely on legitimate applications to trigger execution of malicious code. The effective countermeasure is behavior-based detection: defenders need to spot anomalies in which DLLs a process loads, from where, and under what executable name.
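As an added illustration of that behavior-based approach (example code written for this article, not Trellix's or GitKraken's), the following Python hunts through Sysmon Event ID 7 (Image loaded) records for the pattern described above: libcares-2.dll loaded from a user-writable drop directory by a host process that is not named ahost.exe or that carries a document-lookalike name. The events are constructed samples, the GitKraken install path and the drop-directory list are assumptions, and it assumes, as the article implies, that the lure executable is the renamed signed ahost.exe.

```python
"""Hunt for libcares-2.dll side-loading in Sysmon Event ID 7 (Image loaded) data.
Events below are constructed samples; install path and drop-directory list are assumptions."""
from pathlib import PureWindowsPath
import re

TARGET_DLL = "libcares-2.dll"
EXPECTED_HOST = "ahost.exe"          # signed GitKraken component the campaign repurposes
# Directories a dropped lure typically lands in (assumed list, tune per environment).
DROP_DIRS = {"downloads", "desktop", "temp", "public", "appdata"}
# Lure names mimic documents: "invoice pdf.exe", "contract_pdf.exe", etc.
DOC_LURE = re.compile(r"[ _\-.](pdf|doc|docx|xls|xlsx)\.exe$", re.IGNORECASE)

def classify_event(ev: dict) -> list:
    """Return the side-loading indicators present in one Event ID 7 record."""
    dll = PureWindowsPath(ev["ImageLoaded"])
    host = PureWindowsPath(ev["Image"])
    if dll.name.lower() != TARGET_DLL:
        return []                     # not the library this campaign abuses
    reasons = []
    if {p.lower() for p in dll.parent.parts} & DROP_DIRS:
        reasons.append("dll-loaded-from-user-writable-dir")
    if host.name.lower() != EXPECTED_HOST:
        reasons.append("host-renamed")       # signed ahost.exe running under a lure name
    if DOC_LURE.search(host.name):
        reasons.append("document-lookalike-name")
    return reasons

def hunt(events) -> dict:
    """Map each flagged process image to its indicator list (benign events omitted)."""
    return {ev["Image"]: r for ev in events if (r := classify_event(ev))}

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 7 records, trimmed to the fields used
    {"Image": r"C:\Program Files\GitKraken\resources\ahost.exe",   # assumed install path
     "ImageLoaded": r"C:\Program Files\GitKraken\resources\libcares-2.dll"},
    {"Image": r"C:\Users\alice\Downloads\RFQ_NO_04958_LG2049 pdf.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\libcares-2.dll"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\Fatura da DHL.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\libcares-2.dll"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(reasons)}")
```

The legitimate install is not flagged, while both lure executables are, for different combinations of indicators; in production the same logic would run over the Sysmon operational log rather than the inline samples.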
