
SLOW#TEMPEST Cobalt Strike Loader

Medium
Published: Thu Aug 07 2025 (08/07/2025, 10:34:45 UTC)
Source: AlienVault OTX General

Description

An ISO image containing a malicious Cobalt Strike loader was discovered, targeting Chinese-speaking users. The infection chain involves a deceptive LNK file, which executes a legitimate Alibaba executable to sideload a malicious DLL. The loader implements anti-analysis techniques, decrypts an embedded payload, and injects a Cobalt Strike beacon. The beacon is configured to mimic Bilibili traffic and communicates with a specific C2 server. The loader also patches the entry point of the loading executable with an infinite loop. This activity shares similarities with previously reported SLOW#TEMPEST campaigns, including targeting, folder structures, and the use of DLL sideloading for Cobalt Strike beacons.

AI-Powered Analysis

AI analysis last updated: 08/07/2025, 11:02:51 UTC

Technical Analysis

The SLOW#TEMPEST Cobalt Strike Loader is a sophisticated malware threat delivered via an ISO image and aimed primarily at Chinese-speaking users. The infection chain begins with a deceptive LNK (Windows shortcut) file that, when opened, runs a legitimate Alibaba executable. That executable is then abused to sideload a malicious DLL, a technique that relies on the trust placed in signed or well-known binaries to load malicious code without raising immediate suspicion. The loader employs multiple anti-analysis techniques to hinder detection and reverse engineering, decrypts an embedded payload in memory, and injects a Cobalt Strike beacon, a widely used post-exploitation tool that provides command and control (C2) communications and supports lateral movement within compromised networks.

Notably, the beacon is configured to mimic the traffic of Bilibili, a popular Chinese video streaming platform, most likely so that its C2 traffic blends in with normal browsing and evades network-based detection. The loader also patches the entry point of the loading executable with an infinite loop, which keeps the legitimate process alive but idle rather than letting it exit or crash, avoiding the suspicion either would raise. This campaign shares characteristics with previous SLOW#TEMPEST activity, including its targeting profile, folder structures, and the use of DLL sideloading to deploy Cobalt Strike beacons.

The malware maps to multiple MITRE ATT&CK techniques, such as T1218.011 (signed binary proxy execution), T1204.002 (user execution via LNK files), T1573.001 (encrypted channel), T1497.001 and T1497.003 (anti-debugging and anti-analysis), T1553.002 (DLL side-loading), T1140 (deobfuscate/decode files or information), and T1055 (process injection), among others, indicating a highly evasive and persistent threat actor. Indicators of compromise include multiple file hashes and a suspicious domain used for C2 communications. While no known exploits in the wild have been reported, the complexity and stealth of this loader make it a significant threat to targeted environments.

Potential Impact

For European organizations, the direct targeting of Chinese-speaking users suggests a lower immediate risk; however, the techniques employed by this loader—such as DLL sideloading, process injection, and traffic masquerading—are broadly applicable and could be adapted to target European entities, especially those with business ties to China or Chinese-speaking employees. If deployed in Europe, this malware could lead to unauthorized access, data exfiltration, lateral movement, and persistent footholds within networks. The use of legitimate Alibaba executables for sideloading could bypass traditional signature-based detection, increasing the risk of successful compromise. The mimicry of Bilibili traffic could evade network monitoring tools, complicating incident detection and response. The infinite loop patching could cause denial of service or system instability. European organizations involved in technology, manufacturing, finance, or those with geopolitical relevance may be at increased risk if threat actors expand targeting. Additionally, the presence of anti-analysis techniques complicates forensic investigations and remediation efforts. The medium severity rating reflects the current targeted nature and lack of widespread exploitation but does not diminish the potential impact if adapted or expanded.

Mitigation Recommendations

1. Implement strict controls and monitoring around the execution of LNK files, especially those received via email or external sources, including disabling or restricting the use of LNK files where possible.
2. Employ application whitelisting and restrict execution of unauthorized or unexpected binaries, particularly focusing on Alibaba executables or other known sideloading targets.
3. Monitor for DLL sideloading activities by auditing DLL loads of critical executables and using endpoint detection and response (EDR) solutions capable of detecting anomalous DLL injection or process hollowing.
4. Analyze network traffic for anomalies, including unusual patterns mimicking Bilibili or other streaming services, and implement network segmentation to limit lateral movement.
5. Use behavioral detection tools that can identify anti-analysis techniques and infinite loop patches in executables.
6. Maintain up-to-date threat intelligence feeds to detect indicators of compromise such as the provided hashes and suspicious domains.
7. Conduct regular user awareness training focused on spear-phishing and social engineering tactics involving deceptive shortcuts or ISO images.
8. Employ multi-factor authentication and least privilege principles to limit the impact of potential beacon communications and lateral movement.
9. Establish robust incident response plans that include forensic capabilities to analyze sophisticated loaders and evasive malware.
10. Consider deploying deception technologies to detect and trap such advanced loaders early in the attack chain.
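Recommendation 3 above asks for auditing of DLL loads. The following is an added example, not part of the original report or of any vendor tooling, showing one way to triage Sysmon Event ID 7 (ImageLoaded) records for the sideloading pattern described in the analysis. The heuristic (a DLL loaded from the executable's own directory, outside the Windows system directories, with no valid Authenticode signature) and the sample records are assumptions constructed for illustration; the field names follow Sysmon's Event ID 7 schema.

```python
"""Heuristic triage of Sysmon Event ID 7 (ImageLoaded) records for DLL sideloading.

Added example; the rule below is an assumption for illustration, not the
report's own detection logic. Field names follow Sysmon's Event ID 7 schema.
"""
from pathlib import PureWindowsPath

# Directories where DLL loads are expected; loads from here are not flagged.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def is_sideload_candidate(ev: dict) -> bool:
    """True when a DLL is loaded from the EXE's own non-system directory
    without a valid signature (the sideloading heuristic)."""
    image = PureWindowsPath(ev["Image"])
    loaded = PureWindowsPath(ev["ImageLoaded"])
    if loaded.suffix.lower() != ".dll":
        return False
    dll_dir = str(loaded.parent).lower()
    if dll_dir.startswith(SYSTEM_DIRS):
        return False  # system DLLs are expected loads
    if dll_dir != str(image.parent).lower():
        return False  # not loaded from the EXE's own directory
    signed = ev.get("Signed", "false").lower() == "true"
    valid = ev.get("SignatureStatus", "") == "Valid"
    return not (signed and valid)


def triage(events: list[dict]) -> list[str]:
    """Return 'Image -> ImageLoaded' strings for every flagged record."""
    return [f'{e["Image"]} -> {e["ImageLoaded"]}' for e in events if is_sideload_candidate(e)]


# Constructed sample records (not real telemetry): a vendor EXE run from a
# user directory loading an unsigned DLL beside it, versus two benign loads.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\Downloads\pkg\vendor_app.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\pkg\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\u\Downloads\pkg\vendor_app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\vendor_app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendor_core.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("sideload candidate:", hit)
```

In practice the flagged records should be joined with Event ID 1 (process creation) to weight hits where the loading executable is itself signed by a known vendor, which is the case the report describes.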


Technical Details

Author: AlienVault
TLP: white
References: https://dmpdump.github.io/posts/CobaltStrike_HK/
Adversary: SLOW#TEMPEST
Pulse ID: 689481454699dbb15f211f88

Indicators of Compromise

Hash


Domain

m.123huodong.com.cloud.cdntip.com.s2-web.dogedns.com

Threat ID: 68948452ad5a09ad00f926e2

Added to database: 8/7/2025, 10:47:46 AM

Last enriched: 8/7/2025, 11:02:51 AM

Last updated: 8/15/2025, 2:11:33 PM
