"Hackers Start Using Double DLL Sideloading To Evade Detection"

An Advanced Persistent Threat (APT) group known as Dragon Breath, Golden Eye Dog, or APT-Q-27 demonstrates a new trend of evading detection by using multiple complex variations of the classic DLL sideloading technique. These attacks begin with an initial vector that uses a clean application, such as Telegram, to sideload a second-stage payload, which is sometimes also clean, and which in turn sideloads a malicious loader DLL. Trojanized versions of the Telegram, LetsVPN, and WhatsApp apps for Android, iOS, and Windows, supposedly localized for Chinese users, are used to lure victims. It is believed that BlackSEO or malvertising was used to promote the malicious apps. According to Sophos analysts who have observed the threat actor's recent attacks, Chinese-speaking Windows users in China, Japan, Taiwan, Singapore, Hong Kong, and the Philippines are the primary targets of this campaign. This article continues to discuss the use of double DLL sideloading by the Dragon Breath APT hacking group.
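A defender-side triage heuristic for the chain described above, added here as an example and not taken from the article or from Sophos: it scans Sysmon-style image-load events for a process that loads two or more DLLs from its own application folder rather than a Windows system directory, at least one of them unsigned. The events, process IDs and DLL file names are constructed for the example.

```python
"""Flag double DLL sideloading candidates in Sysmon-style image-load events.

Constructed example. Each event carries the loading process (Image), the DLL
that was mapped (ImageLoaded) and whether that DLL had a valid signature
(Signed), mirroring Sysmon Event ID 7 field names. A DLL loaded from the
application's own folder instead of a system directory is a sideload
candidate; two such loads in one process, one of them unsigned, matches the
clean-app -> clean-DLL -> malicious-loader pattern summarised above.
"""
from collections import defaultdict

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_sideload_candidate(image: str, loaded: str) -> bool:
    """True when the DLL lives in the process's own directory, not a system dir."""
    loaded_l = loaded.lower()
    app_dir = image.lower().rsplit("\\", 1)[0] + "\\"
    return loaded_l.startswith(app_dir) and not loaded_l.startswith(SYSTEM_DIRS)


def find_double_sideloads(events):
    """Return {pid: [dll, ...]} for processes with >= 2 app-dir DLLs, >= 1 unsigned."""
    chains = defaultdict(list)
    has_unsigned = set()
    for ev in events:
        if not is_sideload_candidate(ev["Image"], ev["ImageLoaded"]):
            continue  # system DLLs and unrelated paths are normal
        chains[ev["ProcessId"]].append(ev["ImageLoaded"])
        if ev["Signed"] != "true":
            has_unsigned.add(ev["ProcessId"])
    return {pid: dlls for pid, dlls in chains.items()
            if len(dlls) >= 2 and pid in has_unsigned}


# Constructed sample: a Telegram binary in a user-writable folder loading a
# signed second-stage DLL and then an unsigned loader; a second process that
# loads one signed helper from its own folder is ordinary and stays unflagged.
TG_DIR = "C:\\Users\\victim\\AppData\\Local\\Telegram Desktop\\"
SAMPLE_EVENTS = [
    {"ProcessId": 1234, "Image": TG_DIR + "Telegram.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    {"ProcessId": 1234, "Image": TG_DIR + "Telegram.exe",
     "ImageLoaded": TG_DIR + "stage2.dll", "Signed": "true"},
    {"ProcessId": 1234, "Image": TG_DIR + "Telegram.exe",
     "ImageLoaded": TG_DIR + "loader.dll", "Signed": "false"},
    {"ProcessId": 5678, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for pid, dlls in find_double_sideloads(SAMPLE_EVENTS).items():
        print(f"pid {pid}: possible double sideload chain -> {dlls}")
```

Treat a hit as a triage lead, not a verdict: many legitimate applications ship unsigned DLLs beside their executable, so a production rule would additionally compare the loaded modules against a known-good inventory for that application.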

Bleeping Computer reports "Hackers Start Using Double DLL Sideloading To Evade Detection"
