Recent LockBit attack chain | Image: Symantec
LockBit isn’t just another ransomware group—it’s an evolving threat that continues to adapt its tactics to evade detection, infiltrate organizations, and maximize damage. According to a detailed report by Vishal Kamble from Symantec’s Security Technology and Response team, LockBit attackers are embracing stealth techniques like DLL sideloading and process masquerading to blend seamlessly into victim environments.
“Attackers deploying the LockBit ransomware have continually evolved their tactics, techniques, and procedures (TTPs) to evade detection and maximize its impact,” the report states.
DLL sideloading has emerged as one of LockBit’s favorite weapons. This method exploits the way legitimate applications load DLLs (Dynamic Link Libraries), allowing attackers to piggyback malicious payloads through trusted software.
“LockBit often bundles its malicious DLL with a legitimate, digitally signed application,” Kamble notes. When the application is launched, it unwittingly loads the malicious DLL, triggering the ransomware payload.
Some recent examples:
- Jarsigner.exe + jli.dll (Java Platform)
- MpCmdRun.exe + mpclient.dll (Windows Defender)
- Clink_x86.exe + clink_dll_x86.dll (Clink terminal tool)
In each case, a trusted, digitally signed executable is paired with a malicious DLL that it loads on launch, so encryption can begin without raising obvious red flags for users or endpoint security solutions.
LockBit also uses masquerading techniques to hide in plain sight. These tactics make malicious files indistinguishable from legitimate system components:
- Renaming executables to mimic common Windows processes (e.g., svchost.exe, explorer.exe)
- Spoofing process names via API manipulation or injection
- Copying official icons from trusted applications
- Deploying to system directories like C:\Windows\System32 or C:\ProgramData
“This makes it difficult for users or even some security tools to distinguish them from legitimate system processes,” the report highlights.
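The two behaviours described above, sideloading through the named executable/DLL pairs and masquerading as a system binary, can be turned into simple detection rules over endpoint image-load telemetry. The following Python is an added example, not code from the Symantec report; the record format, the trusted directory roots and the sample events are all constructed assumptions.

```python
import ntpath
from typing import Optional

# Trusted host executables and the DLL each one sideloads, as listed in the
# Symantec write-up (keys lower-cased for matching).
SIDELOAD_PAIRS = {
    "jarsigner.exe": "jli.dll",
    "mpcmdrun.exe": "mpclient.dll",
    "clink_x86.exe": "clink_dll_x86.dll",
}
# System binaries whose names LockBit reuses; genuine copies live under C:\Windows.
MASQUERADED = {"svchost.exe", "explorer.exe"}
# Assumption: modules loaded from these roots are treated as trusted locations.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _under_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def parse_event(line: str) -> dict:
    """Parse a constructed 'key=value|key=value' image-load record into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def classify(event: dict) -> Optional[str]:
    """Return a detection label for one image-load event, or None if benign."""
    host = ntpath.basename(event["image"]).lower()
    dll_path = event.get("loaded", "")
    dll = ntpath.basename(dll_path).lower()
    signed = event.get("signed", "true").lower() == "true"
    # Rule 1: masquerading - a system binary name running outside a trusted root.
    if host in MASQUERADED and not _under_trusted_root(event["image"]):
        return f"masquerade:{host}"
    # Rule 2: sideloading - a known host loads its paired DLL unsigned or from an untrusted path.
    if SIDELOAD_PAIRS.get(host) == dll and (not signed or not _under_trusted_root(dll_path)):
        return f"sideload:{host}->{dll}"
    return None


def scan(lines) -> list:
    """Return (image path, label) for every record that trips a rule."""
    events = [parse_event(line) for line in lines]
    return [(e["image"], hit) for e in events if (hit := classify(e))]


# Constructed sample events, not real telemetry: records 2, 4 and 5 should fire.
SAMPLE = [
    r"image=C:\Program Files\Java\bin\jarsigner.exe|loaded=C:\Program Files\Java\bin\jli.dll|signed=true",
    r"image=C:\ProgramData\upd\jarsigner.exe|loaded=C:\ProgramData\upd\jli.dll|signed=false",
    r"image=C:\Windows\System32\svchost.exe|loaded=C:\Windows\System32\ntdll.dll|signed=true",
    r"image=C:\ProgramData\svchost.exe|loaded=C:\Windows\System32\ntdll.dll|signed=true",
    r"image=C:\Program Files\Windows Defender\MpCmdRun.exe|loaded=C:\Users\Public\mpclient.dll|signed=false",
]

if __name__ == "__main__":
    for image, hit in scan(SAMPLE):
        print(hit, image)
```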
Kamble outlines a typical LockBit attack chain in several coordinated stages:
- Initial Access: Attackers gain access using remote desktop tools like MeshAgent or TeamViewer. From there, they upload and execute malware directly on the system.
- Privilege Escalation: Tools like NSSM (to run a RAT as a Windows service) and PsExec (to launch commands with SYSTEM privileges) are used for elevation. “NSSM created a service for the RAT, which it named edge.exe.exe,” the report notes, showing how attackers disguise their backdoors.
- Discovery: Commands like net user, nltest, and query user are used to map domain groups and user roles.
- Credential Theft:
  - TokenUtils is used to steal user tokens, including SYSTEM tokens.
  - Sd1 steals Kerberos tickets for deeper domain persistence.
- Lateral Movement: Group Policy Objects (GPOs) are used to drop and execute payloads across multiple machines, including EXE/DLL ransomware, scripts, and more.
- Impact: The final phase involves file encryption using a PowerShell-based AES+RSA encryption chain. One obfuscated PowerShell function, named EFI(), encrypts all target files and appends a custom extension, .xlockxlock.
The FBI attributes LockBit to the Syrphid cybercrime group, which has extorted up to $500 million since 2019. In 2024, a series of global operations led to the indictment of LockBit’s alleged leader, Dmitry Khoroshev (aka LockBitSupp).
Yet, the story didn’t end there.
“The builder for LockBit 3.0 was also subsequently leaked. This means the ransomware could now be deployed by any threat actor,” Kamble warns.
This leak has democratized LockBit’s capabilities, putting industrial-grade ransomware into the hands of script kiddies and nation-state hackers alike.