A routine utility often bundled with developer tools has been weaponized by cybercriminals to slip past security scanners and deliver commodity malware. The Trellix Advanced Research Center has uncovered an active campaign abusing ahost.exe, a legitimate command-line utility from the open-source c-ares DNS resolver library, as a DLL sideloading host. The executable itself is not modified; the weakness being abused is the way Windows resolves the DLL it imports, not a flaw in ahost.exe.
The attack targets commercial and industrial sectors worldwide, tricking finance and supply chain employees into running what appears to be a trusted, digitally signed application.
The core of the attack is a technique known as DLL sideloading. Attackers take a legitimate, signed copy of ahost.exe, often the one distributed with the popular GitKraken developer tool, and place it in a folder alongside a malicious file named libcares-2.dll, the c-ares library the utility imports.
Because the default Windows DLL search order checks the application's own directory first, ahost.exe resolves that import to the attacker's DLL and unwittingly executes the malware. The executable's signature remains valid because only the DLL next to it has been replaced. “This tactic is effective because it leverages the inherent trust users place in signed and legitimate applications, making detection more challenging,” the report explains.
To the operating system, it looks like a safe, signed application is running. To the victim, it looks like a business document. Renaming the executable does not invalidate its Authenticode signature, which covers the file's contents rather than its name, so attackers frequently rename it to lure-style filenames such as order.exe, Faktura od DHL.exe, or 1DOC-PDF.exe to entice victims into clicking.
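The two traits described above, a renamed executable whose embedded version resource still says ahost.exe, and a libcares-2.dll sitting beside it that carries no valid signature, are what a hunter would look for in endpoint telemetry. The following is an added example, not code from the Trellix report or the c-ares project. It assumes Sysmon Event ID 7 (ImageLoaded) records flattened into Python dicts using Sysmon's field names (Image, ImageLoaded, OriginalFileName, Signed, SignatureStatus); the sample events, paths and lure-word list are constructed for illustration, and the benign case assumes the vendor's own libcares-2.dll is signed.

```python
"""Hunt for ahost.exe / libcares-2.dll DLL sideloading in Sysmon image-load events.

Added example, not code from the Trellix report or the c-ares project. It
assumes Sysmon Event ID 7 (ImageLoaded) records flattened into dicts that use
Sysmon's own field names (Image, ImageLoaded, OriginalFileName, Signed,
SignatureStatus). Every path and event below is constructed for illustration.
"""
from pathlib import PureWindowsPath

# Heuristic assumptions, not facts from the report: common user-writable drop
# folders, and lure words taken from the filenames the report lists
# (order.exe, Faktura od DHL.exe, 1DOC-PDF.exe).
USER_WRITABLE_DIRS = {"downloads", "temp", "desktop", "public"}
LURE_WORDS = ("order", "faktura", "invoice", "doc", "pdf")


def analyze_event(event: dict) -> list[str]:
    """Return the names of the rules the event trips; an empty list means clean.

    The utility is identified by the OriginalFileName embedded in its PE version
    resource, which survives renaming, rather than by the on-disk filename the
    attacker controls.
    """
    reasons: list[str] = []
    if event.get("OriginalFileName", "").lower() != "ahost.exe":
        return reasons

    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])

    # Renaming the signed EXE does not break its Authenticode signature, so a
    # mismatch between the version-resource name and the filename is a strong signal.
    if image.name.lower() != "ahost.exe":
        reasons.append("renamed_ahost")
        if any(word in image.stem.lower() for word in LURE_WORDS):
            reasons.append("lure_filename")

    # libcares-2.dll is resolved through the normal Windows search order, which
    # looks in the application's own directory first. A copy next to the EXE
    # without a valid signature, or living in a user-writable drop folder, is
    # the sideload layout the report describes.
    if loaded.name.lower() == "libcares-2.dll" and loaded.parent == image.parent:
        signed_ok = (event.get("Signed", "").lower() == "true"
                     and event.get("SignatureStatus", "") == "Valid")
        if not signed_ok:
            reasons.append("unsigned_libcares")
        if any(part.lower() in USER_WRITABLE_DIRS for part in loaded.parts):
            reasons.append("libcares_from_user_dir")
    return reasons


def hunt(events: list[dict]) -> list[dict]:
    """Run analyze_event over a batch and return only the suspicious loads."""
    hits = []
    for event in events:
        reasons = analyze_event(event)
        if reasons:
            hits.append({"image": event["Image"],
                         "dll": event["ImageLoaded"],
                         "reasons": reasons})
    return hits


# Constructed sample events (not real telemetry). In a real hunt these come from
# the Sysmon operational log or a SIEM export.
SAMPLE_EVENTS = [
    # Benign: the vendor install loading its own (assumed signed) libcares-2.dll.
    {"Image": r"C:\Users\alice\AppData\Local\gitkraken\app-9.0.0\ahost.exe",
     "OriginalFileName": "ahost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\gitkraken\app-9.0.0\libcares-2.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Lure: renamed to look like an invoice, version resource still says ahost.exe.
    {"Image": r"C:\Users\bob\Downloads\Faktura od DHL.exe",
     "OriginalFileName": "ahost.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\libcares-2.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Unrelated process loading an unsigned DLL; not this campaign.
    {"Image": r"C:\Tools\foo.exe", "OriginalFileName": "foo.exe",
     "ImageLoaded": r"C:\Tools\bar.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Not renamed, but dropped into a temp folder with an unsigned libcares-2.dll.
    {"Image": r"C:\Users\bob\AppData\Local\Temp\ahost.exe",
     "OriginalFileName": "ahost.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\libcares-2.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['image']}  <-  {hit['dll']}: {', '.join(hit['reasons'])}")
```

The same logic translates directly into a SIEM query: key on OriginalFileName rather than the process name, join the image-load event to the loading process, and treat an unsigned libcares-2.dll in the loader's own directory as the high-confidence indicator; the filename heuristics only add context.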
Once executed, the malware doesn’t just sit there. The campaign delivers a laundry list of commodity threats, including:
- Infostealers: AgentTesla, FormBook, Lumma Stealer, Vidar, and CryptBot.
- Remote Access Trojans (RATs): Remcos, QuasarRAT, DCRat, and XWorm.
In one analyzed instance involving DCRat, the malware launched AddInProcess32.exe, a legitimate .NET Framework binary, and injected itself into that process, so the payload kept running stealthily under a trusted process name even after the lure executable had exited.
The campaign is not limited by geography. Trellix identified localized filenames in Arabic, Spanish, Portuguese, Farsi, and English, indicating a “global and tailored approach”. Telemetry data shows the malicious file has been submitted to VirusTotal 190 times from 115 unique submitters, appearing everywhere from the United States to Egypt.
The use of trusted applications to hide malware poses a significant challenge for traditional antivirus solutions. “The exploitation of trusted applications poses significant risk to target organizations that lack advanced endpoint detection and response (EDR) or extended detection and response (XDR) solutions,” the researchers warn.