In late 2023 and early 2024, a threat actor ran a Cobalt Strike campaign against targets in East Asia and Sweden, combining DLL sideloading, the MinHook API-hooking library, and installers signed with a compromised code-signing certificate. The attacks relied on legitimate Windows components for stealth. (Affected: East Asia, Sweden, Windows endpoints)
Key points:
- The campaign began in China and Taiwan before shifting focus to Sweden.
- The attackers used DLL sideloading: clean, signed Windows executables acting as loaders for malicious DLLs.
- MinHook, an open-source hooking library, was used to detour Windows API functions for stealth and control over payload execution.
- A Cobalt Strike beacon was the final payload in every attack.
- A compromised, already-expired Gala Lab Corp certificate was used to sign the installers.
- The attackers did not ship the clean loaders with their malware; they copied them from the infected systems themselves.
- Multiple sideloading scenarios involved the MiracastView, PrintDialog, and SystemSettings components.
- Command-and-control traffic went to multiple domains tied to Cobalt Strike servers.
- The campaign used multi-stage unpacking and hooking to execute its payloads.
- The unusual geographic shift suggests a single threat actor experimenting with targeting and techniques.
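The "clean loader copied from the victim, malicious DLL dropped beside it" pattern above is easy to hunt for on an endpoint inventory: a known sideloading host executable sitting outside its Windows install location, a DLL next to it, and a hash identical to the trusted copy on the same machine. The script below is an added example written for this summary, not code from Sophos or the article; the trusted root directories and the sample inventory (every hash except the mirracastview.dll IOC) are constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Windows binaries the campaign abused as sideloading hosts (named in the summary).
SIDELOAD_HOSTS = {"miracastview.exe", "printdialog.exe", "systemsettings.exe"}

# Where those binaries legitimately live. Assumption for this example: anything
# under these roots is a trusted copy; tune to your build's exact package paths.
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\systemapps\\",
    "c:\\windows\\immersivecontrolpanel\\",
)


def _norm(path):
    """Lower-case, backslash-only form so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def find_sideload_candidates(inventory):
    """inventory: iterable of (path, sha256) pairs from a host file listing.

    Returns one finding per known loader found outside a trusted root, listing
    the DLLs beside it (the likely sideloaded payload) and whether the binary is
    a byte-identical copy of one under a trusted root, i.e. the 'copied from the
    infected system, not packaged' pattern described in the summary."""
    by_dir = defaultdict(list)
    trusted_hashes = defaultdict(set)
    for path, sha in inventory:
        p = _norm(path)
        directory, name = ntpath.split(p)
        by_dir[directory].append((name, sha.lower()))
        if p.startswith(TRUSTED_ROOTS) and name in SIDELOAD_HOSTS:
            trusted_hashes[name].add(sha.lower())

    findings = []
    for directory, entries in by_dir.items():
        if (directory + "\\").startswith(TRUSTED_ROOTS):
            continue  # trusted location, nothing to flag
        for name, sha in entries:
            if name not in SIDELOAD_HOSTS:
                continue
            findings.append({
                "loader": ntpath.join(directory, name),
                "sibling_dlls": sorted(n for n, _ in entries if n.endswith(".dll")),
                "copied_from_system": sha in trusted_hashes[name],
            })
    return findings


# Constructed sample inventory (not real telemetry; install paths are illustrative).
# The DLL hash is the one IOC the summary lists; the other hashes are placeholders.
SYSTEM_MIRACAST_SHA = "1" * 64
SAMPLE_INVENTORY = [
    ("C:\\Windows\\SystemApps\\MiracastView\\MiracastView.exe", SYSTEM_MIRACAST_SHA),
    ("C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe", "2" * 64),
    ("C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\MiracastView.exe", SYSTEM_MIRACAST_SHA),
    ("C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\mirracastview.dll",
     "402be231f1c9258bb1510962b15c3ea5410e54f97e3269cd6cd4c355822798d1"),
    ("C:\\Users\\alice\\AppData\\Roaming\\xwreg\\SystemSettings.exe", "3" * 64),
    ("C:\\Users\\alice\\AppData\\Roaming\\xwreg\\SystemSettings.dll", "4" * 64),
    ("C:\\Program Files\\SomeVendor\\app.exe", "5" * 64),
]

if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_INVENTORY):
        print(finding)
```

A `copied_from_system` value of True is the strongest signal here: a bit-for-bit copy of a Microsoft-signed binary in a user-writable profile directory has no legitimate reason to exist, and the DLLs listed beside it are what to pull for analysis. Feed the function a real inventory (for example, Sysmon FileCreate events or an EDR file listing with SHA-256 values) rather than the constructed one.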
MITRE ATT&CK techniques:
- DLL Side-Loading (T1574.002) – malicious DLLs loaded by clean, signed Windows executables (MiracastView.exe, PrintDialog.exe, SystemSettings.exe) that the attackers copied from the victim host rather than shipping themselves.
- System Binary Proxy Execution (T1218) – the same legitimate Windows binaries host the malicious code, so process-level allow-listing sees a trusted, signed image.
- Subvert Trust Controls: Code Signing (T1553.002) – installers signed with a compromised, already-expired Gala Lab Corp certificate so that they appear legitimate.
- Supply Chain Compromise (T1195) – a legitimate Taiwan-based Letstalk Technology installer used to distribute the payload.
- Obfuscated Files or Information (T1027) – payload stages stored as zlib-compressed resources and inflated in memory at run time to hide the malicious components.
- API Hooking via MinHook (no dedicated ATT&CK ID; the closest fit is Hijack Execution Flow, T1574) – detours on Windows API functions such as GetProcAddress and VirtualAlloc in the host process, giving the loader control over import resolution and memory allocation while the payload is unpacked and executed.
- Application Layer Protocol: Web Protocols (T1071.001) – Cobalt Strike beacons communicating with remote C2 servers over HTTP(S) POST requests.
Indicators of compromise:
- Hashes of multiple malicious loader and payload files (e.g., mirracastview.dll, SHA-256 402be231f1c9258bb1510962b15c3ea5410e54f97e3269cd6cd4c355822798d1).
- C2 domains such as note.googlestaic[.]com, prdelb.dubya[.]net and bostik.cmsnet[.]se.
- File paths indicating sideloading activity under %AppData%\Local\Microsoft\Windows and %AppData%\Roaming\xwreg.
- An expired Gala Lab Corp code-signing certificate used to sign the malicious installer files.
- HTTP POST requests carrying Cobalt Strike beacon data to uncommon URIs (e.g., /claim/data/jquery-3.3.1.min.aspx).
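The network indicators above can be turned into a retrospective sweep of proxy logs: exact matches on the listed domains and URI, plus a weaker structural check for the beacon's shape (a POST to a path that imitates a jQuery script but ends in .aspx). This is an added example written for this summary, not code from Sophos or the article; the log line format and the sample log lines are constructed, and the .aspx heuristic is an assumption on my part rather than an indicator from the article.

```python
import re
from urllib.parse import urlsplit

# Network IOCs from the summary, kept defanged here and refanged only for matching.
C2_DOMAINS_DEFANGED = ["note.googlestaic[.]com", "prdelb.dubya[.]net", "bostik.cmsnet[.]se"]
C2_URIS = {"/claim/data/jquery-3.3.1.min.aspx"}


def refang(indicator):
    """Turn a defanged indicator ('a[.]b') back into a matchable one ('a.b')."""
    return indicator.replace("[.]", ".")


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

# Assumed log format for this example: "<ts> <client_ip> <method> <url> <status> <bytes>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def classify(line):
    """Return a hit dict for one proxy log line, or None if nothing matched."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    path = url.path.lower()
    reasons = []
    if host in C2_DOMAINS:
        reasons.append("known C2 domain")
    if url.path in C2_URIS:
        reasons.append("known C2 URI")
    # Heuristic (assumption, not an IOC from the summary): a POST to a path that
    # pretends to be a jQuery script but ends in .aspx matches the shape of this
    # beacon's check-in and is rare in genuine web traffic.
    if m["method"] == "POST" and "jquery" in path and path.endswith(".aspx"):
        reasons.append("POST to script-like .aspx path")
    if not reasons:
        return None
    severity = "high" if any(r.startswith("known") for r in reasons) else "medium"
    return {"ts": m["ts"], "client": m["client"], "host": host,
            "method": m["method"], "severity": severity, "reasons": reasons}


def sweep(log_text):
    """Run classify() over every line and return the hits in log order."""
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]


# Constructed proxy log lines (not from the article) mixing benign traffic,
# exact IOC matches and one request that only trips the structural heuristic.
SAMPLE_PROXY_LOG = """\
2024-01-15T10:02:11Z 10.0.0.12 GET https://www.microsoft.com/en-us/ 200 5120
2024-01-15T10:02:30Z 10.0.0.12 POST https://note.googlestaic.com/claim/data/jquery-3.3.1.min.aspx 200 1337
2024-01-15T10:03:05Z 10.0.0.44 POST https://cdn.example.net/claim/data/jquery-3.3.1.min.aspx 200 900
2024-01-15T10:04:40Z 10.0.0.12 GET http://bostik.cmsnet.se/claim/data/jquery-3.3.1.min.aspx 404 210
2024-01-15T10:05:00Z 10.0.0.7 GET https://code.jquery.com/jquery-3.3.1.min.js 200 86000
2024-01-15T10:06:12Z 10.0.0.44 POST https://example.org/static/jquery-ui.min.aspx 200 512
"""

if __name__ == "__main__":
    for hit in sweep(SAMPLE_PROXY_LOG):
        print(hit["severity"], hit["client"], hit["method"], hit["host"], hit["reasons"])
```

Exact IOC matches are rated high; the heuristic alone is rated medium because .aspx endpoints with script-like names do occur legitimately, so those hits are a pivot for analysts, not an alert on their own. Note that the third sample line fires on the URI alone: Cobalt Strike malleable profiles keep the URI fixed across redirectors, so a domain list by itself would have missed that host.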
Read more: https://news.sophos.com/en-us/2025/04/29/finding-minhook-in-a-sideloading-attack-and-sweden-too/