DLL Side-Loading in c-ares Library Used to Deploy Commodity Malware
#Vulnerabilities


Security Reporter

A new malware campaign is exploiting a DLL side-loading vulnerability in the legitimate ahost.exe binary from the c-ares library to bypass security controls and deliver various trojans and stealers. Attackers pair malicious libcares-2.dll files with signed GitKraken executables, using invoice and RFQ lures to target finance and supply chain sectors.

Security researchers have identified an active malware campaign that exploits a DLL side-loading vulnerability in a legitimate binary associated with the open-source c-ares library. This technique allows attackers to bypass security controls and deploy a wide range of commodity malware, including stealers and remote access trojans.

The Attack Mechanism

The campaign centers on the ahost.exe executable, which is legitimately signed by GitKraken and distributed as part of the GitKraken Desktop application. Attackers are pairing this signed binary with a malicious version of libcares-2.dll in the same directory. Because ahost.exe is susceptible to search order hijacking, it loads the malicious DLL instead of the legitimate one, granting attackers code execution capabilities.

Trellix, who disclosed the findings, explains: "Attackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate ahost.exe (which they often rename) to execute their code. This DLL side-loading technique allows the malware to bypass traditional signature-based security defenses."


The malicious DLL executes code that then deploys various malware families. The campaign has been observed distributing:

  • Information stealers: Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer
  • Remote Access Trojans: Remcos RAT, Quasar RAT, DCRat, XWorm

Targeting and Distribution

The attackers are targeting employees in finance, procurement, supply chain, and administration roles within commercial and industrial sectors, including oil and gas and import/export businesses. The lures are written in multiple languages—Arabic, Spanish, Portuguese, Farsi, and English—suggesting the attacks are regionally focused.

The campaign uses invoice and request for quote (RFQ) themes to trick users into opening malicious executables. Analysis of artifacts on VirusTotal reveals the malware is distributed under dozens of names, including:

  • RFQ_NO_04958_LG2049 pdf.exe
  • PO-069709-MQ02959-Order-S103509.exe
  • 23RDJANUARY OVERDUE.INV.PDF.exe
  • sales contract po-00423-025_pdf.exe
  • Fatura da DHL.exe

Why This Matters

This campaign highlights a growing trend of attackers abusing trusted, signed software to evade detection. By leveraging legitimate binaries like GitKraken's ahost.exe, threat actors can bypass signature-based defenses that would otherwise flag unsigned or suspicious executables.

The technique is particularly effective because:

  1. Trust exploitation: The binary is legitimately signed and trusted by security software
  2. Search order hijacking: Windows searches the application's own directory (the folder containing the executable) before the system directories, so a DLL placed next to ahost.exe is loaded first
  3. Evasion: Traditional security tools may not inspect the behavior of signed, trusted applications

Defensive Recommendations

Organizations should implement several controls to mitigate this threat:

  • Monitor DLL loading behavior: Use endpoint detection tools to flag unusual DLL loading patterns, especially from signed executables
  • Verify file integrity: Check that ahost.exe and libcares-2.dll are in their expected locations and haven't been modified
  • User training: Educate finance and procurement staff about invoice/RFQ phishing attempts
  • Application whitelisting: Restrict execution of binaries from user-writable directories
  • Network monitoring: Watch for outbound connections from ahost.exe processes
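The "monitor DLL loading behavior" and "verify file integrity" recommendations above can be turned into a concrete triage check. The following Python script is an added example for this article, not Trellix's or GitKraken's code: it runs over Sysmon-style ImageLoad (Event ID 7) records, keys on the DLL name rather than the host process name (because, as the article notes, attackers often rename ahost.exe), and flags a libcares-2.dll load when the DLL is unsigned, comes from a user-writable directory, is not on a known-good hash list, or sits beside its host executable outside the expected install root. The sample events, hashes, signer strings and install path are constructed or placeholders and must be replaced with values from your own environment.

```python
import json
from pathlib import PureWindowsPath

# DLL names abused in the campaign described in the article.
WATCHED_DLLS = {"libcares-2.dll"}

# Known-good SHA256 values per watched DLL. PLACEHOLDER: take these from a
# trusted GitKraken Desktop install; the value below is not a real hash.
KNOWN_GOOD_SHA256 = {
    "libcares-2.dll": {"PLACEHOLDER_SHA256_OF_GENUINE_LIBCARES_2_DLL"},
}

# Directory roots from which the vendor DLL may legitimately load (assumption:
# adjust to where GitKraken Desktop is installed in your environment).
EXPECTED_INSTALL_ROOTS = (r"C:\Program Files\GitKraken",)

# Path components that mark user-writable locations where lure executables land.
USER_WRITABLE_MARKERS = {"downloads", "desktop", "temp", "public"}

# Constructed Sysmon Event ID 7 (ImageLoad) records in JSON lines form. The
# Hashes values are made up and the Signature strings are illustrative only.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Program Files\\GitKraken\\ahost.exe", "ImageLoaded": "C:\\Program Files\\GitKraken\\libcares-2.dll", "Signed": "true", "SignatureStatus": "Valid", "Signature": "GitKraken", "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_GENUINE_LIBCARES_2_DLL"}
{"Image": "C:\\Users\\alice\\Downloads\\RFQ_NO_04958_LG2049 pdf.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\libcares-2.dll", "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "", "Hashes": "SHA256=CONSTRUCTED0000000000000000000000000000000000000000000000000000001"}
{"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Fatura da DHL.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\libcares-2.dll", "Signed": "true", "SignatureStatus": "Valid", "Signature": "CONSTRUCTED Self-Signed Publisher", "Hashes": "SHA256=CONSTRUCTED0000000000000000000000000000000000000000000000000000002"}
{"Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows", "Hashes": "SHA256=CONSTRUCTED0000000000000000000000000000000000000000000000000000003"}
"""


def load_events(jsonl: str) -> list:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def parse_hashes(field: str) -> dict:
    """Turn Sysmon's 'SHA256=...,MD5=...' string into an {algo: value} dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out


def is_under(path: PureWindowsPath, root: str) -> bool:
    """Case-insensitive check that `path` lies below the directory `root`."""
    root_parts = [p.lower() for p in PureWindowsPath(root).parts]
    return [p.lower() for p in path.parts[: len(root_parts)]] == root_parts


def assess_image_load(event: dict) -> list:
    """Return the reasons an ImageLoad event looks like DLL side-loading.

    An empty list means the event is not interesting. Only the loaded DLL's
    name is matched, so a renamed ahost.exe is still caught.
    """
    loaded = PureWindowsPath(event["ImageLoaded"])
    process = PureWindowsPath(event["Image"])
    name = loaded.name.lower()
    if name not in WATCHED_DLLS:
        return []
    reasons = []
    signed = event.get("Signed", "false").lower() == "true"
    if not signed or event.get("SignatureStatus") != "Valid":
        reasons.append("watched DLL is unsigned or has an invalid signature")
    if USER_WRITABLE_MARKERS & {p.lower() for p in loaded.parts}:
        reasons.append("watched DLL loaded from a user-writable directory")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 not in KNOWN_GOOD_SHA256.get(name, set()):
        reasons.append("SHA256 of watched DLL is not on the known-good list")
    if loaded.parent == process.parent and not any(
        is_under(loaded, root) for root in EXPECTED_INSTALL_ROOTS
    ):
        reasons.append("DLL sits beside its host executable outside the expected install root")
    return reasons


def scan(jsonl: str) -> list:
    """Run every event through assess_image_load and collect the findings."""
    findings = []
    for event in load_events(jsonl):
        reasons = assess_image_load(event)
        if reasons:
            findings.append(
                {"process": event["Image"], "dll": event["ImageLoaded"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"ALERT {finding['process']} -> {finding['dll']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run as-is and the two loads from Downloads and Temp are flagged while the install-root load and the unrelated ntdll.dll load are not; in practice, feed the script your EDR's or Winlogbeat's JSON export of ImageLoad events and populate KNOWN_GOOD_SHA256 from a trusted install. Note that the signature check alone is not enough: the third sample event carries a valid signature from an unexpected publisher and is still flagged on location and hash, which is why the location and integrity rules are layered on top of it.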

Trellix also reported a surge in Facebook phishing scams using the Browser-in-the-Browser (BitB) technique. This method creates a fake pop-up within the victim's browser window using an iframe, making it nearly impossible to distinguish from a legitimate login page.

The attack starts with phishing emails disguised as legal notices about copyright infringement, which direct victims to fake Meta CAPTCHA prompts. These then display BitB pop-ups that harvest credentials. The campaign has been ongoing since July 2025 and uses legitimate cloud hosting services like Netlify and Vercel to bypass security filters.

Additional Campaign: AsyncRAT via TryCloudflare

A separate multi-stage phishing campaign exploits Python payloads and TryCloudflare tunnels to distribute AsyncRAT via Dropbox links. The attack uses living-off-the-land techniques, employing Windows Script Host, PowerShell, and Cloudflare's free-tier infrastructure to host WebDAV servers.

The payload chain includes:

  1. A Windows Script Host file downloads additional scripts from the WebDAV server
  2. Batch files install a Python environment and establish persistence
  3. AsyncRAT shellcode is injected into the explorer.exe process
  4. A decoy PDF is displayed to distract the victim

This campaign demonstrates how attackers increasingly abuse legitimate services and open-source tools to evade detection while establishing persistent remote access.

Key Takeaways

  1. Trust is a vulnerability: Signed, legitimate software can be weaponized through DLL side-loading
  2. Multi-stage attacks: Attackers combine multiple evasion techniques (DLL side-loading, legitimate cloud services, living-off-the-land)
  3. Regional targeting: Language-specific lures indicate focused geographic campaigns
  4. Invoice phishing remains effective: Finance and procurement staff are prime targets for social engineering

Organizations should review their endpoint security configurations to ensure they can detect DLL side-loading attempts and monitor for unusual behavior from trusted applications.
