
In a sophisticated campaign that spanned multiple regions and techniques, Sophos researchers uncovered a cluster of targeted attacks late in 2023 and into early 2024 that showcased the persistent ingenuity of modern threat actors. At the center of these attacks was Cobalt Strike, delivered via DLL sideloading, expired digital certificates, and stealthy abuse of native Windows components — all part of what Sophos calls a “remixing of components from other attack attempts.”
The initial detections emerged in China and Taiwan, but later telemetry surprisingly pointed to Sweden — suggesting either an expansion in targeting or a shift in regional priorities. In all cases, the attackers employed DLL sideloading, a technique in which a legitimate, trusted executable is made to load a malicious DLL placed alongside it, so the malicious code runs under the guise of the clean application.
“Initial Far East targeting shifted to Sweden,” the report confirms, underlining the campaign’s evolving scope.
A recurring element across multiple infection chains was the use of Minhook, a minimalistic API hooking library for Windows. The attackers used it to hook key Windows API functions such as GetProcAddress, FreeLibrary, VirtualAlloc, and Sleep, redirecting normal execution to their malicious payloads.
In one detailed example, the component SystemSettings.dll was sideloaded by SystemSettings.exe, eventually loading and unpacking two payloads — DscCoreR.mui and SyncRes.dat — and leveraging Minhook to stealthily hijack process behavior.
“The memory dump contains two compressed images; when unpacked, one is a Minhook DLL, the other is a Cobalt Strike beacon,” Sophos noted.
The sophistication of the attackers was further highlighted by their selective abuse of legitimate applications, such as Microsoft’s MiracastView.exe, and LetstalkApplication.exe from a Taiwan-based chat tool provider. These clean binaries acted as loaders for malicious DLLs that bore the names the executables expected to load, each carrying an encrypted payload.

In an unusual twist, one installer was even digitally signed using a certificate from Gala Lab Corp., a Korean game developer. Although expired, the certificate would appear valid on systems where the clock was manually backdated — a possible attempt to evade modern security checks.
“It appears that the threat actors somehow obtained a compromised digital signature for this company.”
Cobalt Strike payloads in this campaign communicated with a series of C2 servers, cleverly disguised under domains resembling legitimate services:
- note.googlestaic[.]com
- note.dnsrd[.]com
- prdelb.dubya[.]net
- bostik.cmsnet.se
These C2 beacons used deceptive URIs like /claim/data/jquery-3.3.1.min.aspx to camouflage outbound communication, mimicking benign JavaScript library paths.
Beyond the expected sideloading and encryption routines, attackers used resource embedding and zlib compression to tuck payloads into executable sections, bypassing superficial scans. Even more curiously, they sometimes harvested clean loader executables directly from the system, such as the legitimate SystemSettings.exe from %WINDOWS%\ImmersiveControlPanel, rather than packaging it with the malware.
“It is a rather unusual approach… usually threat actors like to make sure they deliver all components.”
While Sophos has not observed a continuation of this activity since early 2024, the multi-vector approach — combining sideloading, signature abuse, geographic targeting, and in-memory execution — reflects a threat actor in active experimentation.
“Taking a sustained look at an eye-catching cluster of events such as this… is always useful to see what might be learned from them.”
Organizations are urged to remain vigilant against sideloading attacks and to monitor behaviors that deviate from expected baselines, especially those involving unexpected DLL loads, hooked APIs, or network connections to suspicious endpoints.
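As an added example (not code from the Sophos report or its authors), the following Python triages Sysmon-style image-load records for the pattern described above: a loader such as SystemSettings.exe running outside %WINDOWS%\ImmersiveControlPanel, a same-named DLL loaded from the executable's own directory, and a signature that is not currently valid, plus a check for beacon URIs that imitate a JavaScript library path. The Sysmon field names, the system-directory list and the sample records are assumptions constructed for the demonstration.

```python
import ntpath
import re

# Added example, not code from the Sophos report. Fields follow Sysmon Event ID 7
# (Image, ImageLoaded, Signed, SignatureStatus). Only SystemSettings.exe's
# legitimate directory (%WINDOWS%\ImmersiveControlPanel) is given in the article.
EXPECTED_HOST_DIRS = {"systemsettings.exe": r"c:\windows\immersivecontrolpanel"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
               r"c:\windows\immersivecontrolpanel")
# Beacon URIs mimicked a JavaScript library path but ended in a server-side extension.
LIBRARY_MIMIC = re.compile(r"/jquery-\d+(?:\.\d+)*\.min\.(?!js\b)[a-z]+$", re.I)

def triage_image_load(event: dict) -> list[str]:
    """Return the reasons an image-load event looks like sideloading (empty if clean)."""
    host_dir, host_name = ntpath.split(event["Image"].lower())
    dll_dir, dll_name = ntpath.split(event["ImageLoaded"].lower())
    reasons = []
    expected = EXPECTED_HOST_DIRS.get(host_name)
    if expected and host_dir != expected:
        reasons.append(f"{host_name} running from {host_dir}, expected {expected}")
    # Sideloading: the DLL sits beside the executable instead of in a system
    # directory, typically under the name the executable expects (SystemSettings.dll).
    if dll_dir == host_dir and not dll_dir.startswith(SYSTEM_DIRS):
        same = ntpath.splitext(dll_name)[0] == ntpath.splitext(host_name)[0]
        reasons.append(f"{'same-named ' if same else ''}DLL {dll_name} "
                       "loaded from the executable's own directory")
    # An expired certificate chains cleanly on a backdated clock, so anything
    # short of a currently valid signature on the DLL deserves a look.
    if event.get("Signed") != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append(f"signature status: {event.get('SignatureStatus', 'missing')}")
    return reasons

def suspicious_uri(path: str) -> bool:
    """True for library-lookalike beacon paths such as /claim/data/jquery-3.3.1.min.aspx."""
    return bool(LIBRARY_MIMIC.search(path))

SAMPLE_EVENTS = [  # constructed records modelled on the SystemSettings.exe chain
    {"Image": r"C:\Users\Public\Update\SystemSettings.exe",
     "ImageLoaded": r"C:\Users\Public\Update\SystemSettings.dll",
     "Signed": "true", "SignatureStatus": "Expired"},
    {"Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

def triage_all(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map each host executable to its findings; the clean record yields []."""
    return {e["Image"]: triage_image_load(e) for e in events}
```

Fed real Sysmon Event ID 7 data, the same three checks surface the harvested-loader trick the report describes, where the clean executable is copied out of its system directory and paired with a lookalike DLL.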