Researchers have uncovered an active malware campaign that abuses DLL side-loading against ahost.exe, a signed c-ares command-line utility shipped with GitKraken. Windows resolves a DLL by name and searches the executable's own directory before the system directories, so placing a malicious libcares-2.dll next to the legitimately signed ahost.exe gets attacker code loaded into a trusted, signed process; defenses that trust the host binary's signature, or that only match known-bad file signatures, never see an obviously malicious executable. The technique has been used to distribute a wide array of commodity malware, including Lumma Stealer, Agent Tesla, and Remote Access Trojans (RATs) such as Remcos and Quasar.
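The side-loading pattern above is detectable from image-load telemetry: a signed host executable loading, from its own directory, a DLL that is unsigned or signed by a different publisher. The script below is an added example, not code from the report or from c-ares or GitKraken. It runs that heuristic over constructed Sysmon Event ID 7 (ImageLoaded) style records; the paths, signer names and the host-signer lookup table are made up for illustration, since Event 7 records the loaded DLL's signature but not the host's, so in practice the host signer would come from a separate step such as Get-AuthenticodeSignature.

```python
"""Flag candidate DLL side-loading in Sysmon Event ID 7 (ImageLoaded) records.

Added example, not part of the original report. Heuristic: a signed host
executable loads a DLL from its own directory, and that DLL is unsigned,
has a non-valid signature, or is signed by a different publisher.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Constructed sample records ("key=value" fields separated by " | ").
# Not real Sysmon output; paths and signer names are illustrative only.
SAMPLE_EVENTS = r"""
Image=C:\Users\alice\AppData\Local\gitkraken\ahost.exe | ImageLoaded=C:\Users\alice\AppData\Local\gitkraken\libcares-2.dll | Signed=false | Signature= | SignatureStatus=Unavailable
Image=C:\Users\alice\AppData\Local\gitkraken\ahost.exe | ImageLoaded=C:\Windows\System32\ws2_32.dll | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
Image=C:\Program Files\Vendor\tool.exe | ImageLoaded=C:\Program Files\Vendor\helper.dll | Signed=true | Signature=Example Vendor | SignatureStatus=Valid
Image=C:\Program Files\Vendor\tool.exe | ImageLoaded=C:\Program Files\Vendor\plugin.dll | Signed=true | Signature=Other Publisher | SignatureStatus=Valid
Image=C:\Users\bob\Downloads\unsigned.exe | ImageLoaded=C:\Users\bob\Downloads\stuff.dll | Signed=false | Signature= | SignatureStatus=Unavailable
"""

# Host-executable signer table (constructed). Event 7 does not carry the
# host's signature, so an analyst populates this from a separate lookup.
# A host missing from the table is treated as unsigned.
HOST_SIGNERS = {
    r"c:\users\alice\appdata\local\gitkraken\ahost.exe": "Example Vendor",
    r"c:\program files\vendor\tool.exe": "Example Vendor",
}

# Loads from these directories are noise for this heuristic.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


@dataclass
class Finding:
    image: str
    loaded: str
    reason: str


def parse_events(text: str) -> list[dict[str, str]]:
    """Parse the constructed ' | '-separated key=value records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        events.append(dict(kv.split("=", 1) for kv in line.split(" | ")))
    return events


def _norm(path: str) -> str:
    # Case-insensitive, backslash-normalized Windows path (works off-Windows via ntpath).
    return ntpath.normcase(ntpath.normpath(path))


def find_sideloads(events: list[dict[str, str]], host_signers: dict[str, str]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        image, loaded = _norm(ev["Image"]), _norm(ev["ImageLoaded"])
        host_signer = host_signers.get(image)
        if host_signer is None:
            continue  # unsigned host: not the signed-host side-loading pattern
        if ntpath.dirname(loaded) != ntpath.dirname(image):
            continue  # DLL came from elsewhere (e.g. System32), not beside the host
        if loaded.startswith(SYSTEM_DIRS):
            continue  # host itself lives in a system directory; skip to cut noise
        dll_signed = ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus") == "Valid"
        if not dll_signed:
            findings.append(Finding(ev["Image"], ev["ImageLoaded"],
                                    "unsigned or invalidly signed DLL loaded beside signed host"))
        elif ev.get("Signature") != host_signer:
            findings.append(Finding(ev["Image"], ev["ImageLoaded"],
                                    f"DLL signer {ev['Signature']!r} differs from host signer {host_signer!r}"))
    return findings


if __name__ == "__main__":
    for f in find_sideloads(parse_events(SAMPLE_EVENTS), HOST_SIGNERS):
        print(f"{f.image} -> {f.loaded}: {f.reason}")
```

On the constructed input this flags two loads: the unsigned libcares-2.dll beside the signed ahost.exe, and a DLL signed by a different publisher beside tool.exe. A DLL whose Signed field is true but whose SignatureStatus is anything other than Valid is treated as unsigned, so a tampered or revoked signature is still flagged. The publisher-mismatch branch will produce benign hits for legitimately bundled third-party DLLs, so in production pair it with an allowlist keyed on file hash rather than on name.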
Beyond side-loading, the report details phishing that uses Browser-in-the-Browser (BitB) attacks, in which a fake browser pop-up window drawn inside the page imitates a legitimate login prompt, to harvest Facebook credentials; the lures are hosted on legitimate cloud platforms such as Netlify and Vercel, whose reputable domains and valid TLS certificates make the pages look trustworthy and hard to block. The report also identifies a multi-stage campaign that abuses Cloudflare infrastructure and Python-based payloads to deliver AsyncRAT. Together these findings show attackers increasingly leaning on trusted software and infrastructure to maintain persistence and evade detection.