Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector

SentinelLabs uncovered China-linked activity targeting the Southeast Asian gambling sector. The operators use .NET loaders to fetch password-protected zip archives from Alibaba OSS; each archive contains a legitimate executable vulnerable to DLL search-order hijacking, a malicious sideloaded DLL (a HUI Loader variant), and an encrypted agent.data file that implements a Cobalt Strike beacon. The campaign also used a likely stolen PMG PTE LTD (Ivacy VPN) code-signing certificate and Cobalt Strike C2 infrastructure (e.g., www.100helpchat[.]com, live100heip[.]com) tied to tactics previously associated with BRONZE STARLIGHT. #BRONZE_STARLIGHT #CobaltStrike

Keypoints

  • Attackers used .NET loaders (agentupdate_plugins.exe, AdventureQuest.exe) built on SharpUnhooker to fetch second-stage archives from Alibaba OSS buckets.
  • Downloaded password-protected zip archives contained a legitimate executable vulnerable to DLL search-order hijacking, a malicious DLL (HUI Loader variant), and an encrypted agent.data payload implementing Cobalt Strike.
  • Malicious DLLs masqueraded as legitimate libraries by exporting matching function names; invoked functions decrypted and executed code from agent.data to stage Cobalt Strike beacons.
  • One loader binary was signed with a likely stolen PMG PTE LTD (Ivacy VPN) certificate (thumbprint 62E990CC0A26D58E…), indicating abuse of code signing for malware delivery.
  • Loaders implemented IP-based geofencing via ifconfig.co to avoid certain countries, but geofencing was imperfect due to implementation errors.
  • Cobalt Strike C2 used custom URIs (e.g., /rest/2/meetings, /owa/*), port 8443, and shared watermark 391144938; domains were hidden behind Cloudflare but initial SSL deployment revealed Alibaba-hosted IPs.
  • HUI Loader variants observed match artifacts previously linked to China-nexus groups (BRONZE STARLIGHT, APT10, TA410), highlighting shared tooling and overlapping infrastructure.

MITRE Techniques

  • [T1574.001] DLL Search Order Hijacking – Legitimate executables vulnerable to DLL hijacking were included in archives to sideload malicious libraries (‘The zip archives … consist of a legitimate executable vulnerable to DLL search order hijacking, a malicious DLL … and an encrypted data file named agent.data’).
  • [T1036.005] Masquerading – Malicious DLLs impersonated legitimate components by exporting functions with the same names so the host executable would invoke them (‘The malicious DLLs masquerade as their legitimate counterparts: They export functions with the same names, such that specific functions … decrypt and execute code embedded in the data files’).
  • [T1105] Ingress Tool Transfer – Loaders downloaded second-stage data (password-protected zip archives) from Alibaba OSS buckets for payload staging (‘…download second-stage data from Alibaba buckets hosted at agenfile.oss-ap-southeast-1.aliyuncs[.]com and codewavehub.oss-ap-southeast-1.aliyuncs[.]com’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Cobalt Strike beacons communicated over HTTP(S) using custom GET/POST URIs and port 8443 for C2 (‘Cobalt Strike C2 GET and POST URIs … contain /functionalStatus and /rest/2/meetings’ and URIs using ‘/owa’ strings on observed domains).
  • [T1027] Obfuscated Files or Information – Payloads were stored encrypted in agent.data files and decrypted at runtime by the sideloaded DLLs (‘an encrypted data file named agent.data … The data files we could retrieve implement Cobalt Strike beacons’).
  • [T1562.001] Impair Defenses: Disable or Modify Security Tools – Loaders are based on SharpUnhooker and HUI Loader variants, tools used to evade or bypass defensive mechanisms and that may disable security features (‘.NET executables based on the SharpUnhooker tool’ and ‘HUI Loader variants … may differ … such as establishing persistence and disabling security features’).
  • [T1553] Subvert Trust Controls – Use of a stolen/abused code-signing certificate to sign malware, undermining trust controls (‘AdventureQuest.exe is signed using a certificate issued to the Ivacy VPN vendor PMG PTE LTD … It is likely that … the PMG PTE LTD signing key has been stolen’).

Indicators of Compromise

  • [File Hash – SHA1] loader and DLL examples – 09f82b963129bbcc6d784308f0d39d8c6b09b293 (agentupdate_plugins.exe), 6e9592920cdce90a7c03155ef8b113911c20bb3a (AdventureQuest.exe), and 8 more hashes.
  • [File Hash – SHA1] DLL and helper EXE examples – 88c353e12bd23437681c79f31310177fd476a846 (libcef.dll), 57bbc5fcfd97d25edb9cce7e3dc9180ee0df7111 (agentdata.dat).
  • [Second-Stage URLs] Alibaba OSS hosting – https://agenfile.oss-ap-southeast-1.aliyuncs.com/agent_source/temp1/cefhelper.zip, https://agenfile.oss-ap-southeast-1.aliyuncs.com/agent_source/temp3/adobe_helper.zip (and other OSS URLs like codewavehub…/CodeVerse.zip).
  • [C2 Domains] Cobalt Strike infrastructure – www.100helpchat[.]com, live100heip[.]com.
  • [C2 IPs] Hosting IPs revealed on Alibaba Cloud – 8.218.31[.]103, 47.242.72[.]118 (and 47.242.159[.]242 referenced in the report).
  • [Certificate] Code-signing certificate used to sign malware – PMG PTE LTD certificate thumbprint 62E990CC0A26D58E1A150617357010EE53186707 (serial 0E3E037C57A5447295669A3DB1A28B8A).

The technical chain begins with .NET loaders (agentupdate_plugins.exe, AdventureQuest.exe) built on SharpUnhooker that fetch password-protected zip archives from Alibaba OSS buckets. Each archive contains a legitimate, vulnerable executable (Adobe CEF Helper.exe, identity_helper.exe, mfeann.exe), a malicious DLL (libcef.dll, msedge_elf.dll, LockDown.dll) and an encrypted agent.data file; the legitimate executable is launched to trigger DLL sideloading.

The malicious DLLs are HUI Loader variants that impersonate legitimate libraries by exporting identical function names; the invoked functions decrypt and execute the encrypted agent.data payload, which contains a Cobalt Strike beacon. The loaders perform IP-based geofencing via ifconfig.co to avoid specified countries (though the geofencing implementation is flawed) and may include features to evade detection or disable security tools.
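The sideloading chain above leaves a recognisable shape in endpoint telemetry: a signed, legitimate executable run from a user-writable directory (an extracted zip in Temp or Downloads) loads a DLL from that same directory, and the DLL is either unsigned or signed by someone other than the host executable's vendor. The following script is an added example written for this page, not SentinelLabs code; it applies that heuristic to records modelled on Sysmon Event ID 7 (Image Loaded). The sample events, the signer strings and the list of user-writable path markers are constructed assumptions; the DLL names in the watch list are the ones the report names.

```python
"""Flag DLL search-order-hijack style sideloads in image-load telemetry.

Added example (not SentinelLabs code). ImageLoad records model the fields of
Sysmon Event ID 7 (Image Loaded); the sample events, signer values and the
user-writable-directory markers are constructed assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLL names the report says were sideloaded by the legitimate executables.
KNOWN_SIDELOADED_DLLS = {"libcef.dll", "msedge_elf.dll", "lockdown.dll"}

# Assumption: these path fragments mark directories an ordinary user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\desktop\\", "\\public\\")


@dataclass(frozen=True)
class ImageLoad:
    process: str            # path of the loading process (Sysmon: Image)
    dll: str                # path of the loaded module (Sysmon: ImageLoaded)
    process_signed: bool    # Authenticode status of the process image
    dll_signed: bool        # Authenticode status of the loaded module
    process_signer: str = ""
    dll_signer: str = ""


def is_user_writable(path: str) -> bool:
    """Heuristic: profile, temp and public folders count as user-writable."""
    lowered = path.lower() + "\\"
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def sideload_reasons(event: ImageLoad) -> list[str]:
    """Return why an image load looks like a sideload; an empty list means benign."""
    proc = PureWindowsPath(event.process)
    dll = PureWindowsPath(event.dll)
    reasons: list[str] = []
    # A search-order hijack resolves the DLL from the EXE's own directory first.
    if dll.parent != proc.parent:
        return reasons
    # A vendor install directory is expected to hold its own libraries.
    if not is_user_writable(str(proc.parent)):
        return reasons
    if event.process_signed and not event.dll_signed:
        reasons.append("signed host EXE loaded an unsigned sibling DLL")
    elif event.process_signed and event.process_signer != event.dll_signer:
        reasons.append(f"host signer {event.process_signer!r} differs from DLL signer {event.dll_signer!r}")
    if dll.name.lower() in KNOWN_SIDELOADED_DLLS:
        reasons.append(f"{dll.name} is a DLL name reported in this campaign")
    return reasons


def find_sideloads(events) -> list[tuple[str, list[str]]]:
    """Return (loaded DLL path, reasons) for every event tripping a heuristic."""
    hits = []
    for event in events:
        reasons = sideload_reasons(event)
        if reasons:
            hits.append((event.dll, reasons))
    return hits


# Constructed sample events; the first mirrors the chain described in the report.
SAMPLE_EVENTS = [
    ImageLoad(process=r"C:\Users\alice\AppData\Local\Temp\cefhelper\Adobe CEF Helper.exe",
              dll=r"C:\Users\alice\AppData\Local\Temp\cefhelper\libcef.dll",
              process_signed=True, dll_signed=False, process_signer="Vendor A (assumed)"),
    ImageLoad(process=r"C:\Program Files\VendorA\Adobe CEF Helper.exe",
              dll=r"C:\Program Files\VendorA\libcef.dll",
              process_signed=True, dll_signed=True,
              process_signer="Vendor A (assumed)", dll_signer="Vendor A (assumed)"),
    ImageLoad(process=r"C:\Users\alice\Downloads\identity_helper.exe",
              dll=r"C:\Windows\System32\kernel32.dll",
              process_signed=True, dll_signed=True,
              process_signer="Vendor B (assumed)", dll_signer="Microsoft (assumed)"),
]

if __name__ == "__main__":
    for dll_path, reasons in find_sideloads(SAMPLE_EVENTS):
        print(dll_path)
        for reason in reasons:
            print("  -", reason)
```

The signer comparison matters for this campaign specifically: because one loader was signed with a certificate issued to a VPN vendor, an "unsigned DLL" rule alone would miss a sibling DLL that carries a valid but foreign signature, so the check also fires when the host and module signers differ. The DLL-name list is a secondary signal only; the same names loaded from a vendor's install directory are left alone.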

Cobalt Strike C2 uses web-based URIs (e.g., /rest/2/meetings, /owa/*) over port 8443 with a shared watermark (391144938); domains observed include www.100helpchat[.]com and live100heip[.]com, hidden behind Cloudflare but initially deployed on Alibaba-hosted IPs. One loader binary was code-signed with a likely-stolen PMG PTE LTD (Ivacy VPN) certificate, demonstrating abuse of code signing to increase malware credibility.
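The network and certificate indicators above can be turned into a retrospective hunt over proxy logs and a code-signing inventory. The script below is an added example for this page, not SentinelLabs tooling: the C2 domains, IPs, URI strings, port, OSS bucket hosts and certificate thumbprint are the values the report gives (with the [.] defanging removed), while the proxy-log layout, the log lines and the inventory rows are constructed for the example.

```python
"""Hunt proxy logs and a code-signing inventory for the network and
certificate indicators in the report.

Added example (not SentinelLabs code). Indicator values come from the report
with [.] defanging removed; the log layout, log lines and inventory rows are
constructed for the example.
"""
import re
from urllib.parse import urlsplit

C2_DOMAINS = {"www.100helpchat.com", "live100heip.com"}
C2_IPS = {"8.218.31.103", "47.242.72.118", "47.242.159.242"}
SECOND_STAGE_HOSTS = {
    "agenfile.oss-ap-southeast-1.aliyuncs.com",
    "codewavehub.oss-ap-southeast-1.aliyuncs.com",
}
C2_PORT = 8443
C2_URI_PATTERNS = [re.compile(p) for p in (r"^/rest/2/meetings$", r"^/functionalStatus$", r"^/owa/")]
ABUSED_CERT_THUMBPRINT = "62E990CC0A26D58E1A150617357010EE53186707"

# Assumed proxy-log layout: "<timestamp> <client-ip> <method> <url> <status>"
PROXY_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def request_reasons(url: str) -> list[str]:
    """Reasons a single request matches the report's C2 or staging indicators."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    reasons = []
    known_host = host in C2_DOMAINS or host in C2_IPS
    if known_host:
        reasons.append(f"known C2 host {host}")
    if host in SECOND_STAGE_HOSTS:
        reasons.append(f"second-stage OSS bucket {host}")
    # The URI strings alone are weak (/owa/ is ordinary Exchange traffic), so a
    # URI match only counts together with the C2 port or a known host.
    uri_hit = any(p.search(parts.path) for p in C2_URI_PATTERNS)
    if uri_hit and (port == C2_PORT or known_host):
        reasons.append(f"C2-style URI {parts.path} on port {port}")
    return reasons


def hunt_proxy(lines) -> list[dict]:
    """Parse proxy-log lines and return the requests that match any indicator."""
    hits = []
    for line in lines:
        match = PROXY_LINE.match(line.strip())
        if not match:
            continue                      # skip lines that do not fit the assumed layout
        timestamp, client, _method, url, _status = match.groups()
        reasons = request_reasons(url)
        if reasons:
            hits.append({"timestamp": timestamp, "client": client, "url": url, "reasons": reasons})
    return hits


def hunt_certs(inventory) -> list[str]:
    """Return paths whose signing-certificate thumbprint is the abused PMG PTE LTD one.

    Inventory rows are (path, thumbprint); thumbprints may be colon- or space-separated.
    """
    return [path for path, thumb in inventory
            if thumb.replace(":", "").replace(" ", "").upper() == ABUSED_CERT_THUMBPRINT]


# Constructed sample data.
SAMPLE_PROXY_LINES = [
    "2023-08-10T09:15:02Z 10.20.30.40 GET https://agenfile.oss-ap-southeast-1.aliyuncs.com/agent_source/temp1/cefhelper.zip 200",
    "2023-08-10T09:16:11Z 10.20.30.40 GET https://www.100helpchat.com:8443/rest/2/meetings 200",
    "2023-08-10T09:16:12Z 10.20.30.40 POST https://www.100helpchat.com:8443/owa/mail 200",
    "2023-08-10T09:20:00Z 10.20.30.41 GET https://mail.example.com/owa/ 200",
    "2023-08-10T09:21:00Z 10.20.30.42 GET https://www.example.com/ 200",
]
SAMPLE_CERT_INVENTORY = [
    (r"C:\Users\alice\Downloads\AdventureQuest.exe",
     "62:E9:90:CC:0A:26:D5:8E:1A:15:06:17:35:70:10:EE:53:18:67:07"),
    (r"C:\Program Files\SomeVendor\tool.exe", "PLACEHOLDER_OTHER_THUMBPRINT"),
]

if __name__ == "__main__":
    for hit in hunt_proxy(SAMPLE_PROXY_LINES):
        print(hit["timestamp"], hit["client"], hit["url"], "; ".join(hit["reasons"]))
    for path in hunt_certs(SAMPLE_CERT_INVENTORY):
        print("signed with abused certificate:", path)
```

Two caveats follow from the report itself. The /owa/ and /rest/2/meetings strings imitate ordinary web traffic, so the script only treats them as a signal on port 8443 or to a host already on the list; and because the certificate was issued to a real vendor, a thumbprint match identifies a pivot point rather than a verdict, since the vendor's own binaries would carry the same thumbprint and need to be separated by hash or path.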

Read more: https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/