Trellix’s threat intelligence team has uncovered a stealthy malware campaign aimed squarely at financial services institutions in Hong Kong. At the center of this offensive is SquidLoader — a heavily obfuscated loader designed to evade detection and deploy Cobalt Strike Beacons for persistent control.
“This sophisticated malware exhibits significant evasion capabilities, achieving near-zero detection rates on VirusTotal at the time of analysis,” Trellix stated in their executive summary.
The infection chain begins with a targeted spear-phishing email written in Mandarin, claiming to be a registration form for a foreign exchange business. Attached is a password-protected RAR archive disguised as an invoice. Upon extraction, the user is presented with a file that impersonates AMDRSServ.exe, a legitimate Radeon settings host service.

Once executed, SquidLoader springs into action:
- It copies itself to c:\users\public\setup_xitgutx.exe.
- Establishes a connection to a command and control (C2) server.
- Downloads and executes a Cobalt Strike beacon directly into memory.
This five-stage chain culminates in full remote access for the attacker — a nightmare for any enterprise security team.
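The host-side indicators above (the copy destination under C:\Users\Public and the impersonated AMDRSServ.exe name) can be turned into a simple triage check over process-creation telemetry. The following is an added example, not code from the article or from Trellix; the events are constructed in Sysmon style, and the assumption that the genuine AMD service only runs from under Program Files is mine, not a claim the report makes.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicators taken from the article: the loader's copy destination and the
# legitimate service name it impersonates.
SQUIDLOADER_COPY_PATH = r"c:\users\public\setup_xitgutx.exe"
MASQUERADED_NAME = "amdrsserv.exe"

# Assumption (not from the report): the genuine AMD service lives under
# Program Files; the same file name anywhere else is treated as suspicious.
TRUSTED_VENDOR_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Finding:
    image: str
    reasons: list


def assess_process_event(image: str) -> list:
    """Return the reasons (possibly empty) why a process image path resembles SquidLoader activity."""
    norm = image.lower()
    name = PureWindowsPath(norm).name
    reasons = []
    if norm == SQUIDLOADER_COPY_PATH:
        reasons.append("exact SquidLoader copy path from the Trellix report")
    if norm.startswith("c:\\users\\public\\") and name.endswith(".exe"):
        reasons.append("executable launched from C:\\Users\\Public")
    if name == MASQUERADED_NAME and not norm.startswith(TRUSTED_VENDOR_ROOTS):
        reasons.append("AMDRSServ.exe running outside the vendor install directory")
    return reasons


def triage(events) -> list:
    """Run the checks over a list of {'image': path} events and keep only the hits."""
    findings = []
    for event in events:
        reasons = assess_process_event(event["image"])
        if reasons:
            findings.append(Finding(event["image"], reasons))
    return findings


# Constructed Sysmon-style process-creation events (not real telemetry); the
# Program Files location for AMDRSServ.exe is an assumed benign baseline.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\Public\setup_xitgutx.exe"},
    {"image": r"C:\Users\alice\Downloads\AMDRSServ.exe"},
    {"image": r"C:\Program Files\AMD\CNext\CNext\AMDRSServ.exe"},
    {"image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding.image, "->", "; ".join(finding.reasons))
```

Only the first two constructed events are flagged: the copy path hits two rules at once, the downloaded AMDRSServ.exe hits the masquerade rule, and the Program Files copy and notepad pass clean. In production the same logic would sit in a SIEM rule over Sysmon Event ID 1 or EDR process telemetry rather than a script.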
“The malware hijacks the __scrt_common_main_seh function during its epilogue, diverting control to the malicious code before WinMain is ever reached,” the report notes.
From the moment of launch, SquidLoader exhibits early execution hijacking, immediately unpacking its encrypted payload using a custom XOR-based routine. Then, it resolves necessary APIs dynamically through PEB walking and initializes a custom stack structure to obscure its internal workings.
What sets SquidLoader apart is its advanced suite of anti-analysis, anti-sandbox, and anti-debugging techniques:
- Checks for sandbox usernames like “Abby” or “WALKER”
- Detects analysis tools like ida64.exe, x64dbg.exe, and fakenet.exe
- Terminates on discovery of antivirus processes like MsMpEng.exe or ZhuDongFangYu.exe
- Uses undocumented syscalls like NtQuerySystemInformation and NtIsProcessInJob to detect emulation
- Dynamically resolves and immediately overwrites strings and API names in memory
“If any of the blacklisted processes are found, SquidLoader terminates itself using a syscall to NtTerminateProcess,” the report warns.
Communication with C2 servers is deceptively masked using Kubernetes-themed URL paths, such as: https://39.107.156.136/api/v1/namespaces/kube-system/services.
The Cobalt Strike beacon then connects to a secondary IP — 182.92.239.24 — for ongoing control. While Hong Kong remains the primary target, indicators suggest broader regional activity, including Singapore and Australia.
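The Kubernetes-themed C2 path is only convincing if nobody asks why a workstation is talking to a raw public IP on a Kubernetes API route. The script below, an added example that is not from the article or from Trellix, runs that question over constructed proxy log lines: it flags the two addresses the article quotes and, more generally, any request whose path looks like a Kubernetes API call but goes to an IP literal that is not an allow-listed cluster endpoint. The allow-list value and the log format are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators quoted in the article from the Trellix report.
KNOWN_C2 = {"39.107.156.136", "182.92.239.24"}

# Assumption: the organisation's genuine Kubernetes API endpoints are known and
# allow-listed here (constructed value, replace with your cluster addresses).
ALLOWED_K8S_API_HOSTS = {"10.0.0.1"}

# Path prefixes used by the Kubernetes REST API.
K8S_PATH_PREFIXES = ("/api/", "/apis/")


def is_ip_literal(host: str) -> bool:
    """True when the URL host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_request(url: str) -> list:
    """Return the reasons (possibly empty) why a proxied request resembles SquidLoader C2 traffic."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if host in KNOWN_C2:
        reasons.append("destination is a known SquidLoader/Cobalt Strike C2 address")
    if (parts.path.startswith(K8S_PATH_PREFIXES)
            and is_ip_literal(host)
            and host not in ALLOWED_K8S_API_HOSTS):
        reasons.append("Kubernetes API path sent to a raw IP that is not a known cluster endpoint")
    return reasons


def scan_proxy_log(text: str) -> list:
    """Parse 'timestamp src method url' lines and return an alert dict per suspicious request."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, src, method, url = line.split()
        reasons = classify_request(url)
        if reasons:
            alerts.append({"time": timestamp, "src": src, "method": method,
                           "host": urlsplit(url).hostname, "reasons": reasons})
    return alerts


# Constructed proxy log lines (assumed format); only the two C2 addresses and
# the kube-system services path come from the article.
SAMPLE_PROXY_LOG = """\
2025-06-01T10:00:01Z 10.1.2.3 GET https://39.107.156.136/api/v1/namespaces/kube-system/services
2025-06-01T10:00:05Z 10.1.2.3 GET https://10.0.0.1/api/v1/namespaces/default/pods
2025-06-01T10:00:09Z 10.1.2.4 GET https://www.example.com/api/v1/users
2025-06-01T10:00:12Z 10.1.2.3 POST https://182.92.239.24/submit.php
2025-06-01T10:00:15Z 10.1.2.5 GET https://203.0.113.7/apis/apps/v1/deployments
"""

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(alert["time"], alert["src"], "->", alert["host"], "|", "; ".join(alert["reasons"]))
```

The allow-listed cluster request and the DNS-named web API pass; the first C2 request matches both rules, the beacon address matches on the indicator alone, and the last line shows the generic rule catching a Kubernetes-looking path to an unknown IP even when the address is not yet on any indicator list. That generic rule is the part worth keeping once the quoted IPs rotate.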
After completing its checks, SquidLoader adds one more sandbox-evasion step by popping up a fake error message:
“The file is corrupted and cannot be opened.”
This forces user interaction, stalling automated malware analysis platforms that cannot dismiss GUI prompts.
From anti-debugging tricks to tailored phishing lures and Cobalt Strike payloads, the campaign demonstrates a polished and professional offensive operation.
“Its intricate anti-analysis, anti-sandbox, and anti-debugging techniques, coupled with its sparse detection rates, pose a significant threat to targeted organizations,” the Trellix report concludes.