Security researchers at Lab52 have uncovered a new campaign by the Lazarus Group, in which threat actors masquerade as recruiters to deliver a new malware family dubbed DreamLoader. The operation, analyzed in the report, continues the North Korean APT’s long-standing social-engineering tradition of targeting professionals with fake job offers.
According to the researchers, “one of the most notable aspects of this campaign is the use of various types of loaders — components capable of deploying different payloads depending on the actors’ needs.”
These components, internally referred to as DreamLoaders, represent an evolution of Lazarus’s earlier DreamJob techniques. While previous campaigns focused on delivering a single backdoor or implant, DreamLoaders act as modular deployment frameworks, providing the attackers with flexibility and persistence across systems.
The report describes multiple loader variants used in the campaign, including Tnsviewer.exe, Webservices.dll, radcui.dll, and TSVIPSrv.dll, each contributing to a layered infection process.
Lab52 highlights that “two deployment methods were observed, one of them involving the use of legitimate system executables to load the various loaders through DLL sideloading.” This abuse of Windows binaries allows the attackers to blend their malicious activity within normal system operations, drastically reducing detection likelihood.

Among the artifacts analyzed, Tnsviewer.exe — a trojanized version of the legitimate TightVNC client — stands out. Distributed via password-protected ZIP archives, it arrives alongside a README.txt containing deceptive connection instructions for administrators. Once executed, the binary “creates registry keys used by TightVNC and triggers the malware’s operation,” ultimately deploying secondary payloads mimicking the behavior of the HideFirstLetter.dll loader.
Two other components, Webservices.dll and radcui.dll, were found on compromised user systems and executed through DLL sideloading using legitimate wkspbroker.exe and wksprt.exe binaries. Each DLL contains Base64-encoded, encrypted payloads that decrypt into HideFirstLetter.dll, which performs credential theft and reconnaissance.
Lab52 notes that “HideFirstLetter.dll attempts to authenticate to the tenant using the legitimate Microsoft URL https://login.microsoftonline.com/common/oauth2/v2.0/token, leveraging an access token embedded in the binary.” The malware then “sends a request to the Microsoft Graph API to retrieve the URL of the compromised SharePoint server,” effectively using Microsoft’s legitimate infrastructure for command-and-control communications.
Perhaps the most technically intriguing component is TSVIPSrv.dll, a loader executed as a malicious service named sessionenv. It relies on additional files — wordpad.dll.mui and msinfo32.dll.mui — which store encrypted payloads.
The analysis reveals that “TSVIPSrv.dll decrypts the file wordpad.dll.mui, which in turn is another DLL very similar to TSVIPSrv.dll.” This recursive architecture allows the malware to chain multiple decryption and loading steps, complicating both static and dynamic analysis.
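As an added defensive illustration (not code from the Lab52 report or this article), the check below flags the sideloading pairs described above over constructed Sysmon-style image-load records: wkspbroker.exe or wksprt.exe loading Webservices.dll or radcui.dll, and the service-hosted TSVIPSrv.dll, from anywhere other than System32. The svchost.exe mapping for the sessionenv service and the System32-only trust rule are assumptions of the example, not findings from the report.

```python
"""Detect the DLL-sideloading pairs named in the Lab52 write-up over
constructed Sysmon-style image-load records (Event ID 7 fields)."""
from pathlib import PureWindowsPath

# Host binary -> DLL names the report says were loaded through it.
# svchost.exe -> TSVIPSrv.dll is an assumption of this example: the report
# only says the loader ran as a service named "sessionenv".
SIDELOAD_PAIRS = {
    "wkspbroker.exe": {"webservices.dll", "radcui.dll"},
    "wksprt.exe": {"webservices.dll", "radcui.dll"},
    "svchost.exe": {"tsvipsrv.dll"},
}
# The genuine copies of all four DLLs ship in System32; anything else is
# the sideloading tell. Add SysWOW64 here if 32-bit hosts are in scope.
TRUSTED_DIRS = {PureWindowsPath(r"C:\Windows\System32")}


def is_suspicious_load(image: str, image_loaded: str) -> bool:
    """True when a watched host binary loads a watched DLL name from a
    directory other than the trusted system directory."""
    host, dll = PureWindowsPath(image), PureWindowsPath(image_loaded)
    watched = SIDELOAD_PAIRS.get(host.name.lower(), set())
    if dll.name.lower() not in watched:
        return False
    # PureWindowsPath compares case-insensitively, as Windows does.
    return dll.parent not in TRUSTED_DIRS


def scan(events):
    """Return (Image, ImageLoaded) pairs that match the heuristic."""
    return [(e["Image"], e["ImageLoaded"]) for e in events
            if is_suspicious_load(e["Image"], e["ImageLoaded"])]


# Constructed sample records, not telemetry from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wkspbroker.exe", "ImageLoaded": r"C:\Windows\System32\radcui.dll"},
    {"Image": r"C:\Users\Public\Libraries\wkspbroker.exe", "ImageLoaded": r"C:\Users\Public\Libraries\radcui.dll"},
    {"Image": r"C:\Windows\System32\wksprt.exe", "ImageLoaded": r"C:\ProgramData\Webservices.dll"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\TSVIPSrv.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Temp\radcui.dll"},
]

if __name__ == "__main__":
    for image, dll in scan(SAMPLE_EVENTS):
        print(f"possible sideload: {image} loaded {dll}")
```

Only the second and third sample records trip the heuristic: the genuine System32 loads pass, and an unwatched host binary loading a same-named DLL is ignored.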
Lab52 emphasizes the modular flexibility of this system: “TSVIPSrv.dll can be used to load different modular payloads, since the content is independent and stored in other files (.mui files).” The presence of identical payloads on separate machines, the researchers add, “implies that the same payload was deployed on both machines.”
The evidence aligns closely with Lazarus Group’s previous tradecraft, including DLL sideloading, legitimate software trojanization, and the use of Microsoft infrastructure for stealthy communications.
Lab52 connects these findings to previously documented Lazarus tools such as HideFirstLetter.dll and radcui.dll, recently highlighted by ESET in its report “Gotta fly: Lazarus targets the UAV sector.”
As the researchers summarize, “the investigation into Lazarus group’s DreamJobs campaign reveals a sophisticated and modular malware deployment strategy, leveraging legitimate system binaries and encrypted payloads to evade detection.”