The SLOW#TEMPEST Cobalt Strike Loader is a sophisticated malware threat delivered via an ISO image targeting primarily Chinese-speaking users. The infection chain begins with a deceptive LNK (Windows shortcut) file that, when executed, runs a legitimate Alibaba executable. This legitimate executable is then exploited to sideload a malicious DLL, a technique that abuses the trust in signed or known binaries to load malicious code without raising immediate suspicion. The loader employs multiple anti-analysis techniques to evade detection and reverse engineering efforts. It decrypts an embedded payload in memory and injects a Cobalt Strike beacon, a well-known post-exploitation tool used by threat actors for command and control (C2) communications and lateral movement within compromised networks. Notably, the beacon is configured to mimic traffic patterns of Bilibili, a popular Chinese video streaming platform, likely to blend in with normal network traffic and evade network-based detection. Additionally, the loader patches the entry point of the loading executable with an infinite loop, effectively stalling the legitimate process to avoid raising suspicion or crashing. This campaign shares characteristics with previous SLOW#TEMPEST activities, including targeting profiles, folder structures, and the use of DLL sideloading to deploy Cobalt Strike beacons. The malware leverages multiple MITRE ATT&CK techniques such as T1218.011 (signed binary proxy execution), T1204.002 (user execution via LNK files), T1573.001 (encrypted channel), T1497.001 and T1497.003 (anti-debugging and anti-analysis), T1553.002 (DLL side-loading), T1140 (deobfuscate/decode files or information), T1055 (process injection), and others, indicating a highly evasive and persistent threat actor. Indicators of compromise include multiple file hashes and a suspicious domain used for C2 communications. While no known exploits in the wild have been reported, the complexity and stealth of this loader make it a significant threat to targeted environments.

For European organizations, the direct targeting of Chinese-speaking users suggests a lower immediate risk; however, the techniques employed by this loader—such as DLL sideloading, process injection, and traffic masquerading—are broadly applicable and could be adapted to target European entities, especially those with business ties to China or Chinese-speaking employees. If deployed in Europe, this malware could lead to unauthorized access, data exfiltration, lateral movement, and persistent footholds within networks. The use of legitimate Alibaba executables for sideloading could bypass traditional signature-based detection, increasing the risk of successful compromise. The mimicry of Bilibili traffic could evade network monitoring tools, complicating incident detection and response. The infinite loop patching could cause denial of service or system instability. European organizations involved in technology, manufacturing, finance, or those with geopolitical relevance may be at increased risk if threat actors expand targeting. Additionally, the presence of anti-analysis techniques complicates forensic investigations and remediation efforts. The medium severity rating reflects the current targeted nature and lack of widespread exploitation but does not diminish the potential impact if adapted or expanded.

1. Implement strict controls and monitoring around the execution of LNK files, especially those received via email or external sources, including disabling or restricting the use of LNK files where possible. 2. Employ application whitelisting and restrict execution of unauthorized or unexpected binaries, particularly focusing on Alibaba executables or other known sideloading targets. 3. Monitor for DLL sideloading activities by auditing DLL loads of critical executables and using endpoint detection and response (EDR) solutions capable of detecting anomalous DLL injection or process hollowing. 4. Analyze network traffic for anomalies, including unusual patterns mimicking Bilibili or other streaming services, and implement network segmentation to limit lateral movement. 5. Use behavioral detection tools that can identify anti-analysis techniques and infinite loop patches in executables. 6. Maintain up-to-date threat intelligence feeds to detect indicators of compromise such as the provided hashes and suspicious domains. 7. Conduct regular user awareness training focused on spear-phishing and social engineering tactics involving deceptive shortcuts or ISO images. 8. Employ multi-factor authentication and least privilege principles to limit the impact of potential beacon communications and lateral movement. 9. Establish robust incident response plans that include forensic capabilities to analyze sophisticated loaders and evasive malware. 10. Consider deploying deception technologies to detect and trap such advanced loaders early in the attack chain.