DLL sideloading
-
MuddyWater hackers targeted South Korean electronics maker in broad espionage campaign
MuddyWater targeted at least nine organizations in a cyberespionage campaign that included a major South Korean electronics maker, government agencies and an airport, according to Symantec. The group used DLL sideloading, PowerShell and other legitimate tools.
-
Google rolls out Android developer verification to all developers
Google is rolling out Android developer verification to all developers, with new identity checks for apps distributed outside Google Play. The move starts in four countries in September and expands globally next year.
-
LeakNet adopts ClickFix via compromised websites and runs Deno in memory
ReliaQuest’s technical report says LeakNet now uses ClickFix fake CAPTCHA pages on compromised sites to trick users and a Deno-based in-memory loader. Post-compromise steps include DLL side-loading, PsExec lateral movement and S3 exfiltration.
-
BlackSanta EDR killer used in year long campaign targeting HR departments
A Russian speaking actor ran a year long campaign against HR departments deploying BlackSanta, an EDR killer that disables endpoint protections, uses DLL sideloading and vulnerable drivers to gain kernel level access.
-
Microsoft warns OAuth redirect abuse used to deliver malware to government targets
Microsoft warned that phishing campaigns are abusing OAuth redirect features to deliver malware to government and public sector targets, using malicious OAuth apps, ZIP payloads, PowerShell and DLL sideloading. Organizations are advised to limit consent and review app permissions.
-
Microsoft warns of OAuth redirect abuse used to deliver malware to public sector
Microsoft warned that attackers are abusing OAuth redirect features to bypass phishing defenses and direct government and public sector users to attacker controlled domains that deliver malware or intercept credentials.
-
Mustang Panda deploys updated COOLCLIENT backdoor to steal endpoint data
An updated COOLCLIENT backdoor linked to Mustang Panda was used in 2025 to steal keystrokes, browser credentials and files from government endpoints across Myanmar, Mongolia, Malaysia and Russia, according to a technical analysis by Kaspersky.
-
Ransomware gangs use ‘Shanya’ packer-as-a-service to hide EDR-killing payloads
Security researchers say multiple ransomware groups are using the Shanya packer-as-a-service to deliver in-memory, EDR-disabling payloads that side-load DLLs and deploy kernel drivers to stop security software; Sophos published technical analysis and indicators of compromise.
-
SideWinder adopts ClickOnce-based infection chain in South Asia espionage campaign
Researchers say the SideWinder group used a new ClickOnce‑based infection chain alongside Word exploits in spear‑phishing waves from March to September 2025 to deliver ModuleInstaller and the StealerBot implant against diplomatic and government targets in South Asia.
-
Iranian-linked hackers expand European operations with fake job portals and new malware, researchers say
Security researchers say Iranian government-backed attackers are targeting Western Europe with fake job portals and new Minibike malware, including MiniJunk and MiniBrowse, delivered through a multi-stage DLL sideloading chain. The operation focuses on Denmark, Portugal, and Sweden and appears linked to broader Iran-aligned threat activity.
