SLOW#TEMPEST Cobalt Strike Loader
An ISO image containing a malicious Cobalt Strike loader was discovered, targeting Chinese-speaking users. The infection chain involves a deceptive LNK file, which executes a legitimate Alibaba executable to sideload a malicious DLL. The loader implements anti-analysis techniques, decrypts an embedded payload, and injects a Cobalt Strike beacon. The beacon is configured to mimic Bilibili traffic and communicates with a specific C2 server. The loader also patches the entry point of the loading executable with an infinite loop. This activity shares similarities with previously reported SLOW#TEMPEST campaigns, including targeting, folder structures, and the use of DLL sideloading for Cobalt Strike beacons.
AI Analysis
Technical Summary
The SLOW#TEMPEST Cobalt Strike loader is delivered in an ISO image and targets primarily Chinese-speaking users. The chain begins with a deceptive LNK (Windows shortcut) that launches a legitimate Alibaba executable shipped in the same image. That executable resolves one of its dependencies from its own directory and so loads the attacker's DLL instead (DLL side-loading). No vulnerability is exploited: the technique abuses the Windows DLL search order and the trust placed in a known, signed binary so that the malicious code runs inside a process that looks legitimate to file-based controls. The DLL implements anti-analysis checks, decrypts an embedded payload in memory and injects a Cobalt Strike beacon, the post-exploitation implant used for command and control (C2) and lateral movement. The beacon's network profile mimics Bilibili, a popular Chinese video platform, so that its C2 traffic blends into what looks like normal browsing for the targeted users; the actual destination is the domain listed under Indicators of Compromise. The loader also overwrites the entry point of the host executable with an infinite loop: the legitimate program logic never runs, the process neither exits nor displays anything, and the injected beacon stays alive inside a process that carries a valid vendor signature. The campaign shares targeting, folder structure and the side-loading tradecraft of earlier SLOW#TEMPEST activity. ATT&CK mapping as reported: T1204.002 (user execution: malicious file), T1218.011 (system binary proxy execution: rundll32), T1553.002 (subvert trust controls: code signing; the side-loading itself is catalogued as T1574.002, hijack execution flow: DLL side-loading), T1497.001 and T1497.003 (virtualization/sandbox evasion: system checks and time-based evasion), T1140 (deobfuscate/decode files or information), T1055 (process injection) and T1573.001 (encrypted channel: symmetric cryptography). Indicators of compromise are the file hashes and the C2 domain listed below.
No software vulnerability is involved, so there is nothing to patch; the chain relies on a user opening the shortcut and on DLL search order. The loader was found in the wild, and its anti-analysis and masquerading features make it a significant threat to the environments it targets.
Potential Impact
For European organizations the direct risk is lower because the lure targets Chinese-speaking users, but every technique in the chain (ISO and LNK delivery, DLL side-loading of a legitimate signed binary, in-memory decryption and injection, traffic masquerading) is reusable against any target, and subsidiaries, partners or employees with business ties to China are plausible entry points. A successful infection yields a Cobalt Strike beacon with the usual consequences: unauthorized access, lateral movement, data exfiltration and a durable foothold. Because the executing binary is a genuine Alibaba program, file-based signature detection and reputation checks on the process image do not help; detection has to come from context (where the binary runs from, what it loads, what it talks to). The Bilibili mimicry defeats allow-listing of "known good" web destinations if the check looks only at the URI or Host header rather than the actual destination. The entry-point patch affects only the hijacked host process, not the system, so it is not a denial-of-service risk; it is a detection opportunity, since a signed vendor process that never does its normal work (and, depending on how the loop is written, may spin one core) while holding an outbound C2 connection is anomalous. The anti-analysis checks slow down sandbox triage and forensic analysis. The medium severity rating reflects narrow current targeting, not limited capability; if the actor widens its targeting, the impact on technology, manufacturing, finance or geopolitically exposed European organizations would be high.
Mitigation Recommendations
1. Control the delivery vector. Block or quarantine ISO and IMG attachments at the mail gateway, keep Windows current so that Mark-of-the-Web is propagated to files inside mounted ISO images, and alert when explorer.exe launches an executable from a newly mounted drive letter via a shortcut.
2. Use application control (WDAC or AppLocker) with combined path and publisher rules so that a signed vendor binary is allowed only from its installation directory; a legitimate Alibaba executable copied into a mounted ISO or a Downloads folder is then blocked even though its signature is valid.
3. Audit DLL loads (Sysmon Event ID 7 or the EDR equivalent) and alert when a signed executable running outside Program Files or Windows loads an unsigned DLL from its own directory; pair this with EDR coverage for process injection and process hollowing.
4. In network monitoring, compare the claimed site (URI pattern, Host header) with the actual destination (DNS name or TLS SNI); Bilibili-style requests sent to a domain not under bilibili.com are the signature of this profile. Segment networks to limit lateral movement from a single beacon.
5. Use behavioural detection for the anti-analysis checks and for the entry-point patch: a process whose in-memory entry point differs from its on-disk image, or whose main thread never leaves the entry point, is not running its legitimate code.
6. Ingest the hashes and the C2 domain below into EDR, proxy and DNS blocklists, and retro-hunt historical DNS and proxy logs for the domain.
7. Train users on shortcuts and disk images delivered by email or download: an LNK posing as a document is the lure in this campaign.
8. Enforce least privilege and multi-factor authentication so that a beacon running as a standard user cannot trivially move laterally.
9. Make sure the incident response plan covers memory forensics, since the payload exists only in memory and the on-disk host binary is legitimate.
10. Consider deception (honey credentials, decoy hosts) to surface post-exploitation activity early in the attack chain.
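As an added example (not code from the page or from the original report), the following Python script turns items 3, 4 and 6 into hunting logic and runs it over constructed Sysmon-style image-load events and proxy records. The event fields are a simplified form of Sysmon Event ID 7 plus an assumed ImageSigned field that an enrichment step would add; the host binary name vendor_app.exe, all file paths and the benign records are constructed placeholders, since the page does not name the Alibaba executable. The hashes and C2 domain are copied from the indicators below. The Host-header rule assumes that the Bilibili mimicry includes the HTTP Host header and that plain HTTP or a TLS-inspecting proxy makes that header visible.

```python
"""Hunting rules for the SLOW#TEMPEST side-loading chain, run over constructed events.

Added example, not code from the page or from the original report. Event fields are a
simplified form of Sysmon Event ID 7 (Image, ImageLoaded, Signed, Hashes) plus an
ImageSigned field that an enrichment step would add. vendor_app.exe, every path and
the benign records are constructed placeholders; the indicators are copied from the page.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicators copied from the page.
C2_DOMAIN = "m.123huodong.com.cloud.cdntip.com.s2-web.dogedns.com"
SHA256_IOCS = {
    "1cb0560f614cc850422171ffe6b0b9f6b9ceaec4fe3516bc8493f253076470ab",
    "28030e8cf4c9c39665a0552e82da86781b00f099e240db83f1d1a3ae0e990ab6",
    "50fbe429848e16f08a6dbf6ce6d5bbff44db1e009f560e8b8c4cde6cff0a768b",
    "5efbd54a3a51d96fbc8e65815df2f0d95af21a34b99b8dc9a38590fb6d2094f8",
    "6573136f9b804ddc637f6be3a4536ed0013da7a5592b2f3a3cd37c0c71926365",
    "a41c06ad948f3a21496e4d1f6b622ca84a365dd2087b710ed3e7f057e7a2a3f8",
    "c28bd1a57e80861fce2597b1f5155a687bef434b0001632c8a53243718f5f287",
    "f4bb263eb03240c1d779a00e1e39d3374c93d909d358691ca5386387d06be472",
}

# A signed vendor binary is expected under these roots; the same binary running from a
# mounted ISO drive letter, Downloads or %TEMP% is the side-loading setup.
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows")


@dataclass
class Alert:
    rule: str
    detail: str


def _under_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def _registrable(host: str) -> str:
    """Crude registrable-domain extraction (last two labels). Production rules should
    use the Public Suffix List so that names such as example.co.uk are not mishandled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_image_load(ev: dict) -> Alert | None:
    """Signed host EXE outside a trusted root loads an unsigned DLL from its own
    directory, or the loaded module matches a known hash."""
    if ev["Hashes"].get("SHA256", "").lower() in SHA256_IOCS:
        return Alert("ioc_hash", f"{ev['ImageLoaded']} matches a SHA-256 indicator")
    exe, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
    if (ev["ImageSigned"] and not ev["Signed"]
            and exe.parent == dll.parent
            and not _under_trusted_root(ev["Image"])):
        return Alert("sideload", f"signed {exe.name} loaded unsigned {dll.name} from {exe.parent}")
    return None


def check_http(ev: dict) -> Alert | None:
    """Proxy record: the Host header claims one site while the DNS/SNI name is another.
    Needs plain HTTP or a TLS-inspecting proxy; without one, only the domain IOC fires."""
    if ev["dest"].lower() == C2_DOMAIN:
        return Alert("ioc_domain", f"connection to {C2_DOMAIN}")
    if _registrable(ev["host_header"]) != _registrable(ev["dest"]):
        return Alert("host_mismatch", f"Host {ev['host_header']} sent to {ev['dest']}")
    return None


def hunt(image_loads: list[dict], http_records: list[dict]) -> list[Alert]:
    alerts = [a for ev in image_loads if (a := check_image_load(ev))]
    alerts += [a for ev in http_records if (a := check_http(ev))]
    return alerts


# Constructed sample telemetry (not real campaign data).
SAMPLE_IMAGE_LOADS = [
    # Signed vendor EXE run from a mounted ISO drive loads an unsigned DLL beside it.
    {"Image": r"E:\Docs\vendor_app.exe", "ImageSigned": True,
     "ImageLoaded": r"E:\Docs\vendor_dep.dll", "Signed": False,
     "Hashes": {"SHA256": "deadbeef" * 8}},
    # Benign: the same EXE in Program Files loading a signed system DLL.
    {"Image": r"C:\Program Files\Vendor\vendor_app.exe", "ImageSigned": True,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True,
     "Hashes": {"SHA256": "00" * 32}},
    # Loaded module whose hash matches a page indicator, wherever it runs from.
    {"Image": r"C:\Users\u\Downloads\vendor_app.exe", "ImageSigned": True,
     "ImageLoaded": r"C:\Users\u\Downloads\x.dll", "Signed": False,
     "Hashes": {"SHA256": "1cb0560f614cc850422171ffe6b0b9f6b9ceaec4fe3516bc8493f253076470ab"}},
]
SAMPLE_HTTP = [
    {"host_header": "api.bilibili.com", "dest": C2_DOMAIN},           # mimicry to the page's C2
    {"host_header": "www.bilibili.com", "dest": "www.bilibili.com"},  # benign: claim and destination agree
    {"host_header": "api.bilibili.com", "dest": "cdn.example.net"},   # Host header and destination disagree
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_IMAGE_LOADS, SAMPLE_HTTP):
        print(f"[{alert.rule}] {alert.detail}")
```

The side-loading rule deliberately keys on context rather than on the vendor binary's name or hash: the same signed executable is benign in its installation directory and suspicious on a mounted ISO, which is why item 2 (path plus publisher rules) and item 3 (same-directory unsigned loads) reinforce each other.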
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain
Indicators of Compromise
- hash (MD5): 99e99750335c38ca614b390cd4cde0c8
- hash (MD5): af1e45058dca830b095da6dd8c15b116
- hash (SHA-1): f3239582a1a0caf0ab72b13826b250babffbf72e
- hash (SHA-256): 1cb0560f614cc850422171ffe6b0b9f6b9ceaec4fe3516bc8493f253076470ab
- hash (SHA-256): 28030e8cf4c9c39665a0552e82da86781b00f099e240db83f1d1a3ae0e990ab6
- hash (SHA-256): 50fbe429848e16f08a6dbf6ce6d5bbff44db1e009f560e8b8c4cde6cff0a768b
- hash (SHA-256): 5efbd54a3a51d96fbc8e65815df2f0d95af21a34b99b8dc9a38590fb6d2094f8
- hash (SHA-256): 6573136f9b804ddc637f6be3a4536ed0013da7a5592b2f3a3cd37c0c71926365
- hash (SHA-256): a41c06ad948f3a21496e4d1f6b622ca84a365dd2087b710ed3e7f057e7a2a3f8
- hash (SHA-256): c28bd1a57e80861fce2597b1f5155a687bef434b0001632c8a53243718f5f287
- hash (SHA-256): f4bb263eb03240c1d779a00e1e39d3374c93d909d358691ca5386387d06be472
- domain (C2): m.123huodong.com.cloud.cdntip.com.s2-web.dogedns.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://dmpdump.github.io/posts/CobaltStrike_HK/
- Adversary: SLOW#TEMPEST
- Pulse ID: 689481454699dbb15f211f88
- Threat Score: none provided
Threat ID: 68948452ad5a09ad00f926e2
Added to database: 8/7/2025, 10:47:46 AM
Last enriched: 8/7/2025, 11:02:51 AM
Last updated: 8/15/2025, 12:54:25 AM
Related Threats
- 'Blue Locker' Analysis: Ransomware Targeting Oil & Gas Sector in Pakistan (Medium)
- Kawabunga, Dude, You've Been Ransomed! (Medium)
- ERMAC V3.0 Banking Trojan: Full Source Code Leak and Infrastructure Analysis (Medium)
- Threat Bulletin: Fire in the Woods – A New Variant of FireWood (Medium)
- This 'SAP Ariba Quote' Isn't What It Seems—It's Ransomware (Medium)