Reddit NetSec

CVE Database V5

AlienVault OTX General

Exploit-DB RSS Feed

Reddit InfoSec News

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

The article examines a malware variant associated with the SLOW#TEMPEST campaign, focusing on advanced obfuscation techniques used by the threat actors. The malware is distributed as an ISO file containing multiple files, including two malicious ones. The loader DLL, zlibwapi.dll, decrypts and executes the embedded payload, which is appended to another DLL. The analysis reveals sophisticated anti-analysis techniques, including Control Flow Graph (CFG) obfuscation using dynamic jumps and obfuscated function calls. The researchers demonstrate methods to counter these techniques using emulation and code patching. The loader DLL also employs an anti-sandbox check, only executing its payload if the target machine has at least 6 GB of RAM. The study highlights the importance of combining advanced dynamic analysis with static analysis to effectively understand and mitigate modern malware threats.

The SLOW#TEMPEST campaign involves a sophisticated malware variant distributed as an ISO file containing multiple files, including two malicious components. Central to the infection chain is a loader DLL named zlibwapi.dll, which performs decryption and execution of an embedded payload appended to another DLL. This malware employs advanced obfuscation and anti-analysis techniques to evade detection and hinder reverse engineering efforts. Notably, it uses Control Flow Graph (CFG) obfuscation through dynamic jumps and obfuscated function calls, complicating static analysis. Additionally, the loader implements anti-sandbox measures by verifying that the target system has at least 6 GB of RAM before executing the payload, thereby avoiding execution in many virtualized or sandboxed environments. Researchers have demonstrated that overcoming these obfuscation tactics requires a combination of dynamic analysis methods such as emulation and code patching alongside traditional static analysis. The malware also leverages DLL sideloading techniques (T1553.002) to execute malicious code under the guise of legitimate DLLs, and employs process injection (T1055) and code obfuscation (T1027) to maintain stealth. While no known exploits are reported in the wild, the campaign's complexity and use of multiple evasion strategies indicate a highly targeted and persistent threat actor. The analysis underscores the importance of advanced detection capabilities and layered analysis approaches to effectively identify and mitigate such threats.

Detailed information about Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques. Get real-time updates, technical details, and mitigat

Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques - Live Threat Intelligence - Threat Radar | OffSeq.com

Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques

Earth Lamia, an APT threat actor, has been targeting organizations in Brazil, India, and Southeast Asia since 2023. The group exploits web application vulnerabilities, particularly SQL injection, to gain access to targeted systems. They have developed custom tools like PULSEPACK backdoor and BypassBoss for privilege escalation. Earth Lamia's targets have shifted over time, initially focusing on financial services, then logistics and online retail, and recently IT companies, universities, and government organizations. The group employs various techniques including DLL sideloading, use of legitimate binaries, and development of modular backdoors. Earth Lamia's activities have been linked to other reported campaigns, suggesting a complex and evolving threat landscape.

Earth Lamia is an advanced persistent threat (APT) actor active since 2023, primarily targeting organizations across Brazil, India, and Southeast Asia. The group exploits web application vulnerabilities, with a notable emphasis on SQL injection attacks, to gain initial access to targeted systems. Their arsenal includes custom-developed malware such as the PULSEPACK backdoor and BypassBoss, which facilitate persistent access and privilege escalation respectively. Earth Lamia employs sophisticated techniques including DLL sideloading, leveraging legitimate binaries to evade detection, and modular backdoor architectures that allow flexible and adaptive operations. Their targeting has evolved over time, initially focusing on financial services, then expanding to logistics and online retail sectors, and more recently shifting towards IT companies, universities, and government organizations. The group’s tactics, techniques, and procedures (TTPs) align with multiple MITRE ATT&CK techniques such as T1053.005 (Scheduled Task/Job), T1592 (Gather Victim Host Information), T1587.001 (Develop Capabilities), T1140 (Deobfuscate/Decode Files or Information), and T1190 (Exploit Public-Facing Application), among others. Despite the lack of confirmed exploits in the wild for some referenced CVEs, the presence of multiple CVEs (including CVE-2017-9805 and several 2024-2025 vulnerabilities) suggests a broad exploitation scope. The group’s linkage to other campaigns and use of tools like Cobalt Strike and Brute Ratel further indicate a complex and evolving threat landscape with significant operational capabilities. The threat actor’s Chinese nexus and multi-industry targeting underscore a strategic intent to infiltrate diverse sectors for espionage or disruption purposes.

Detailed information about Custom Arsenal Developed to Target Multiple Industries. Get real-time updates, technical details, and mitigation strategies.

Custom Arsenal Developed to Target Multiple Industries - Live Threat Intelligence - Threat Radar | OffSeq.com

Custom Arsenal Developed to Target Multiple Industries

A newly discovered APT campaign dubbed Swan Vector is targeting educational institutes and mechanical engineering industries in Taiwan and Japan. The attack uses a sophisticated multi-stage infection chain involving malicious LNK files, DLL implants (Pterois and Isurus), and Cobalt Strike payloads. The threat actor employs various evasion techniques including API hashing, direct syscalls, DLL sideloading, and self-deletion. Google Drive is abused as a command-and-control server. While attribution remains uncertain, similarities with Winnti, Lazarus, and APT10 techniques have been observed. The campaign has been active since December 2024 and is expected to continue with new implants targeting additional applications.

The Swan Vector campaign is a sophisticated Advanced Persistent Threat (APT) operation targeting educational institutions and mechanical engineering sectors primarily in Taiwan and Japan. The attack employs a multi-stage infection chain beginning with malicious LNK (Windows shortcut) files that serve as the initial infection vector. Upon execution, these LNK files trigger the loading of DLL implants named Pterois and Isurus. These implants leverage advanced evasion techniques such as API hashing, which obfuscates API calls to avoid detection by security tools; direct syscalls, which bypass user-mode hooks; DLL sideloading, where malicious DLLs are loaded by legitimate applications to evade detection; and self-deletion to remove traces post-execution. The implants facilitate the deployment of Cobalt Strike payloads, a well-known post-exploitation framework used for lateral movement, persistence, and command and control (C2). Notably, the threat actor abuses Google Drive as a C2 server, leveraging a trusted cloud service to evade network-based detection and filtering. Although attribution is uncertain, the tactics, techniques, and procedures (TTPs) share similarities with known APT groups such as Winnti, Lazarus, and APT10, indicating a high level of sophistication and potential state-sponsored backing. Active since December 2024, the campaign is expected to evolve with new implants targeting additional applications, suggesting ongoing and adaptive threat activity.

Detailed information about Targeting Taiwan & Japan with DLL Implants. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Tagged 'dll sideloading'

Filter Threats

Threats Tagged 'dll sideloading'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility