
Hackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malware

Severity: Medium
Tags: Malware, rce
Published: Wed Jan 14 2026 (01/14/2026, 14:18:00 UTC)
Source: The Hacker News

Description

Security experts have disclosed details of an active malware campaign that's exploiting a DLL side-loading vulnerability in a legitimate binary associated with the open-source c-ares library to bypass security controls and deliver a wide range of commodity trojans and stealers. "Attackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate ahost.exe (

AI-Powered Analysis

AI analysis last updated: 01/14/2026, 14:33:16 UTC

Technical Analysis

This campaign abuses DLL side-loading against ahost.exe, a small DNS lookup utility that ships with the open-source c-ares library and, in the build being abused, is Authenticode-signed by GitKraken. ahost.exe imports libcares-2.dll by name, and the Windows loader resolves an imported DLL that is not on the KnownDLLs list from the application's own directory before it searches System32. Attackers therefore only need to drop a malicious libcares-2.dll next to a copy of the signed ahost.exe: the trusted, signed process loads and runs the attacker's code, and controls that trust a binary on its signature or publisher reputation alone are bypassed. No flaw in c-ares itself is involved and there is nothing to patch; any signed version of ahost.exe works.

The campaign distributes commodity malware: Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat and XWorm, giving the operators credential theft, remote access and data exfiltration. Targets are primarily employees in finance, procurement, supply chain and administration at commercial and industrial organizations, including oil and gas and import/export businesses. Lures are written in Arabic, Spanish, Portuguese, Farsi and English and use invoice and request-for-quote (RFQ) themed filenames to get the victim to run the payload.

Later stages rely on living-off-the-land techniques, abusing PowerShell and Windows Script Host, and payloads are hosted on legitimate cloud platforms such as Cloudflare, Netlify and Vercel, whose reputations help the downloads pass through web filtering. The combination of a signed host binary, a multi-stage infection chain and social engineering that trades on users' familiarity with legitimate software and authentication flows makes the campaign effective despite its commodity payloads. No CVSS score applies, since this is a technique rather than a product vulnerability; the medium severity rating reflects the campaign's ability to evade signature-based defenses and deploy malware capable of persistent access and data theft.

Potential Impact

For European organizations in the targeted sectors (oil and gas, import/export, finance, procurement and supply chain management) the risk is a routine-looking phishing email that ends in a stealer or RAT running inside a signed process. Because the host binary is legitimately signed, controls that rely on signatures or publisher reputation are unlikely to stop the initial execution, which raises the odds of both an initial foothold and persistence. A successful infection leads to credential theft, unauthorized remote access, data exfiltration and potential disruption of business operations, and hosting payloads on mainstream cloud platforms weakens perimeter filtering further. The Spanish- and Portuguese-language lures are directly relevant to Iberian organizations; the Arabic and Farsi lures indicate wider regional targeting that European firms trading in those markets may also encounter, consistent with the import/export focus. Beyond direct financial loss and exposure of sensitive commercial information, exfiltration of personal data carries regulatory exposure under GDPR and other European data protection laws, as well as reputational damage.

Mitigation Recommendations

Detection and response: deploy EDR that records image loads and process trees rather than relying on signature-based antivirus. Hunt for ahost.exe loading libcares-2.dll from a user-writable path (Downloads, Temp, AppData, ProgramData) or loading a libcares-2.dll whose Authenticode signature is missing or invalid, and for ahost.exe spawning powershell.exe, wscript.exe or cscript.exe; a DNS lookup utility has no reason to start a script host. Sysmon Event ID 7 (ImageLoad) exposes the Signed and SignatureStatus fields needed for this at the cost of event volume, so scope the rule to ahost.exe or to DLLs loaded from user-writable directories.

Prevention: on hosts that do not use GitKraken, block ahost.exe outright by publisher or hash; elsewhere, use AppLocker or WDAC DLL rules so that only DLLs from the application's installed location, or signed by the expected publisher, can load. Publisher rules for the EXE alone do not help here, because the EXE is genuinely signed. Disable Windows Script Host where it is not needed (the Enabled value under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings), enable PowerShell script block logging and restrict PowerShell with Constrained Language Mode; execution policy is not a security boundary and should not be treated as one.

Phishing and identity: tune email filtering for invoice and RFQ-themed attachments, in particular archives that contain an EXE together with a DLL, train finance and procurement staff on these lures, and enforce phishing-resistant multi-factor authentication so stolen credentials are less useful.

Network: blocking Cloudflare, Netlify or Vercel wholesale is rarely feasible, since they carry large amounts of legitimate traffic; instead alert on executable or archive downloads from newly seen subdomains on these platforms and on ahost.exe making outbound connections other than DNS. Segment networks and enforce least privilege to limit lateral movement, add DLL side-loading detection and remediation steps to incident response playbooks, and consume threat intelligence feeds for new indicators tied to this campaign.
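The following is an added example written for this brief, not code from the article, GitKraken or the c-ares project. It turns the loader behaviour described in the Technical Analysis and the hunting advice above into rules over Sysmon-style telemetry: the exact ahost.exe / libcares-2.dll pairing with an untrusted DLL, a generic signed-host-plus-untrusted-DLL-in-a-user-writable-directory heuristic that generalizes beyond c-ares, and ahost.exe spawning a script host. Field names follow Sysmon Event ID 7 (ImageLoad) and Event ID 1 (ProcessCreate) as exported to JSON by a SIEM; every sample event is constructed and the paths are placeholders, not observed indicators.

```python
"""Triage Sysmon-style telemetry for the ahost.exe / libcares-2.dll side-loading layout.

Added example, not code from the article, GitKraken or the c-ares project. Field
names follow Sysmon Event ID 7 (ImageLoad: Image, ImageLoaded, Signed,
SignatureStatus) and Event ID 1 (ProcessCreate: Image, ParentImage) as a SIEM
exports them to JSON. All sample events below are constructed placeholders.
"""
import ntpath

TARGET_EXE = "ahost.exe"
TARGET_DLL = "libcares-2.dll"
# Script hosts and shells the brief says the campaign chains after the side-load.
LOLBINS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Path fragments an ordinary user can write to. A signed EXE dropped here with a
# DLL beside it is the classic side-loading layout; Program Files is deliberately
# excluded so a normal installation does not trip the generic rule.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\public\\")


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def _user_writable(path):
    return any(frag in path.lower() for frag in USER_WRITABLE)


def _dll_trusted(ev):
    # Sysmon serialises Signed as the string "true"/"false"; SignatureStatus is
    # "Valid" only when the Authenticode chain of the loaded module verifies.
    return (str(ev.get("Signed", "")).lower() == "true"
            and ev.get("SignatureStatus") == "Valid")


def triage_event(ev):
    """Return a list of (rule, reason) findings for one Sysmon event dict."""
    findings = []
    eid = ev.get("EventID")
    if eid == 7:
        proc, dll = ev["Image"], ev["ImageLoaded"]
        same_dir = _dir(proc) == _dir(dll)
        if _base(proc) == TARGET_EXE and _base(dll) == TARGET_DLL:
            # Rule 1: the exact pairing from the campaign. The loader resolves an
            # imported, non-KnownDLL module from the EXE's own directory before
            # System32, so an untrusted libcares-2.dll beside ahost.exe is the attack.
            if not _dll_trusted(ev):
                findings.append(("ahost_untrusted_libcares",
                                 f"{proc} loaded untrusted {dll}"))
        elif same_dir and not _dll_trusted(ev) and _user_writable(proc):
            # Rule 2: generic side-loading heuristic, independent of c-ares.
            findings.append(("sideload_user_writable_dir",
                             f"{proc} loaded untrusted {_base(dll)} from its own directory"))
    elif eid == 1:
        parent, child = ev.get("ParentImage", ""), ev["Image"]
        if _base(parent) == TARGET_EXE and _base(child) in LOLBINS:
            # Rule 3: a DNS lookup utility has no business spawning a script host.
            findings.append(("ahost_spawns_lolbin", f"{parent} -> {child}"))
    return findings


def triage(events):
    """Run triage_event over a batch and return one dict per finding."""
    return [{"index": i, "rule": rule, "reason": reason}
            for i, ev in enumerate(events)
            for rule, reason in triage_event(ev)]


# Constructed sample events (placeholders, not indicators from the campaign).
SAMPLE_EVENTS = [
    {"EventID": 7,  # 0: expected layout, signed DLL beside the EXE under Program Files
     "Image": r"C:\Program Files\ExampleTool\ahost.exe",
     "ImageLoaded": r"C:\Program Files\ExampleTool\libcares-2.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7,  # 1: the campaign layout, invoice-themed folder in Downloads
     "Image": r"C:\Users\bob\Downloads\Invoice_4471\ahost.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\Invoice_4471\libcares-2.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7,  # 2: same technique with a different signed host, generic rule
     "Image": r"C:\Users\bob\AppData\Local\Temp\RFQ_2026\viewer.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\RFQ_2026\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 1,  # 3: second stage launched through a script host
     "ParentImage": r"C:\Users\bob\Downloads\Invoice_4471\ahost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1,  # 4: benign launch of the tool itself
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\ExampleTool\ahost.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Rule 1 also fires when the DLL carries a signature that does not verify (Signed "true" but SignatureStatus other than "Valid"), which is how a tampered or re-signed module shows up. Sysmon only emits Event ID 7 when ImageLoad logging is enabled in its configuration, and that channel is high-volume, so in production scope the include filter to ahost.exe, or to modules loaded from the user-writable fragments above, rather than logging every DLL load.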


Technical Details

Article Source: https://thehackernews.com/2026/01/hackers-exploit-c-ares-dll-side-loading.html (fetched 2026-01-14T14:33:00Z, 1461 words)

Threat ID: 6967a91cd0ff220b9503dcfe

Added to database: 1/14/2026, 2:33:00 PM

Last enriched: 1/14/2026, 2:33:16 PM

Last updated: 1/14/2026, 5:40:17 PM

