Threats Tagged 'dll sideloading'

OnyxC2 emerged in early 2026 as a malware-as-a-service stealer sold on cybercrime networks for $250 monthly. The platform includes a web panel, payload builder, and tiered pricing structure with refund guarantees. Written in C++ with assembly for direct syscalls, it targets approximately 210 applications across nine categories: 45 browsers, 109 extensions including 2FA tools, 5 password managers, 17 cryptocurrency wallets, 11 FTP clients, 5 email clients, and VPN/messaging applications. The stealer achieves 99% detection evasion through mutated builds and delivers via DLL sideloading using signed binaries. Higher tiers unlock remote access capabilities including HVNC, LSASS dumping, reverse SOCKS5 proxy, keylogging, and reverse shell. Distribution occurs through fake installers delivered as password-protected archives, with C2 communication over Cloudflare-fronted HTTPS to akmuniverstall.top.

A sophisticated cyber-espionage campaign attributed to China-linked actors targets officials and citizens in Czech Republic and Taiwan through spearphishing attacks. The operation deploys malicious ZIP archives containing dual infection paths that ultimately deliver AZUREVEIL, an Adaptix C2 agent. The campaign uniquely leverages Microsoft Azure Blob Storage as a dead-drop command-and-control channel, bypassing traditional C2 infrastructure. A multi-stage infection chain employs RUSTCLOAK, a Rust-based loader implementing triple-layer encryption using modified RC4, Base64, and SM4-CBC algorithms. The final payload supports 36 post-exploitation commands including Beacon Object File execution in memory, file system manipulation, process control, network pivoting, and data exfiltration. Lure documents impersonate official communications from Taiwanese research institutions and Czech Social Security Administration, demonstrating targeted social engineering tailored to each region.

MediumMalwareCzechiaTaiwan#china-linked#taiwan#dll sideloading

Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.