{
	"id": "06fc1d29-a9ab-490b-a282-6b3e84e7c88a",
	"created_at": "2026-04-06T00:08:41.862264Z",
	"updated_at": "2026-04-10T03:24:24.723637Z",
	"deleted_at": null,
	"sha1_hash": "a7a39a87ef436ae05d6532287ad836c9dc65aeba",
	"title": "Cyble - Targeted Attacks Being Carried Out Via DLL SideLoading",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1093069,
	"plain_text": "Cyble - Targeted Attacks Being Carried Out Via DLL SideLoading\r\nPublished: 2022-07-27 · Archived: 2026-04-05 13:57:36 UTC\r\nCyble analyzes how Threat Actors are leveraging Microsoft applications and DLL sideloading to deliver Cobalt Strike Beacons\r\nThreat Actors Leveraging Microsoft Applications to Deliver Cobalt Strike Beacons\r\nDLL (Dynamic-Link Library) sideloading is a technique in which a Threat Actor places a malicious DLL that impersonates a legitimate library where a trusted, usually signed, application will load it in place of the real one. Recently Cyble Research Labs published a blog about Qakbot malware that leverages the Windows Calculator to perform DLL sideloading.\r\nSimilarly, we came across a Twitter post in which researchers mentioned a document file that performs DLL sideloading using Microsoft applications such as “Teams.exe” and “OneDrive.exe.” The dropped DLL contains the C\u0026C URL from which the malware retrieves a Cobalt Strike Beacon.\r\nCobalt Strike is a commercial penetration testing product that allows Threat Actors (TAs) to deploy an agent named ‘Beacon’ on the victim machine. The Beacon provides various functionalities to TAs, including command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, Mimikatz, port scanning, and lateral movement. Several TAs are actively using this tool, from ransomware operators to espionage-focused Advanced Persistent Threats (APTs).\r\nUpon analyzing the malicious document, we observed that it was targeting a company located in Italy that provides services such as Credit Servicing, Fund and Asset Management, and Real Estate services. 
The below figure shows the malicious document file content.\r\nhttps://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/\r\nPage 1 of 7\r\nFigure 1 – Document with Macro Content\r\nTechnical Analysis\r\nWhen the malicious document is opened, Word shows a security warning stating that macros have been disabled, and the document lures the user into clicking “Enable Content.” Once macros are enabled, the malicious code runs automatically in the background from the AutoOpen() function, with no further user interaction.\r\nFigure 2 – AutoOpen() function in Macro\r\nThe macro then calls the function process(), which checks whether the OneDrive and Teams applications are installed by testing their install paths. The paths are stored Base64-encoded in the macro; the below figure shows the VBA code with the decoded OneDrive and Teams paths. Both applications are typically installed per user under the profile’s local application data folder, so the macro can write into those directories without administrative privileges.\r\nFigure 3 – Path identification to Drop DLL file\r\nIf either application’s path is found, the macro drops a DLL file into that directory under the name cache-XJDNSJWPFHD.tmp and then renames it to iphlpapi.dll from the EnableContent() function, as shown below. iphlpapi.dll is a legitimate Windows system library; because an application’s own directory is searched before System32 for libraries that are not registered as KnownDLLs, the copy dropped beside Teams.exe or OneDrive.exe is the one that gets loaded.\r\nFigure 4 – Drops DLL File\r\nThe document file contains an embedded DLL file in reversed Base64 encoded format. 
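To recover that payload for static analysis without letting the macro run, reverse the text, Base64-decode it, and confirm the result is a PE image before trusting it. The following Python script is an added example written for this page, not Cyble’s tooling and not code from the document; the document paragraphs and the stand-in DLL it decodes are constructed inline, and the paragraph filter is a heuristic of our own rather than the macro’s GetParagraph() logic.

```python
import base64
import hashlib

B64_ALPHABET = set('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
                   '0123456789+/=')

# Constructed stand-in for the embedded DLL: a real sample is a complete PE
# file, but only the 'MZ' signature matters for the sanity check below.
SAMPLE_DLL = b'MZ' + bytes(range(256)) * 4


def encode_like_macro(payload, width=76):
    # Mirror what the document author did to the DLL: Base64-encode it,
    # reverse the text (StrReverse is its own inverse), and split it into
    # paragraph-sized chunks as stored in the document body.
    text = base64.b64encode(payload).decode('ascii')[::-1]
    return [text[i:i + width] for i in range(0, len(text), width)]


def looks_like_base64(paragraph):
    # Heuristic filter for payload paragraphs: no spaces and only Base64
    # characters. Lure text contains spaces and punctuation and is skipped;
    # a single long word could slip through, which the MZ check below catches.
    s = paragraph.strip()
    return len(s) >= 16 and ' ' not in s and all(c in B64_ALPHABET for c in s)


def recover_payload(paragraphs):
    # Undo GetParagraph -> StrReverse -> Base64Decode and verify the result.
    # Returns (raw_bytes, sha256_hex); raises ValueError if nothing decodes
    # to a PE image.
    body = ''.join(p.strip() for p in paragraphs if looks_like_base64(p))
    if not body:
        raise ValueError('no Base64-looking paragraphs found')
    data = base64.b64decode(body[::-1], validate=True)
    if not data.startswith(b'MZ'):
        raise ValueError('decoded blob does not start with an MZ header')
    return data, hashlib.sha256(data).hexdigest()


# Constructed document text: two lure paragraphs, then the encoded DLL.
SAMPLE_PARAGRAPHS = [
    'This document is protected. Click Enable Content to view it.',
    'Modulo Testimone Universitario',
] + encode_like_macro(SAMPLE_DLL)


if __name__ == '__main__':
    dll, digest = recover_payload(SAMPLE_PARAGRAPHS)
    print('recovered %d bytes, SHA-256 %s' % (len(dll), digest))
```

Compare the printed SHA-256 with the IOC table at the end of the post; a mismatch points to a different build of the DLL, not to a decoding error, as long as the MZ check passed. The Base64-encoded application paths from Figure 3 are not reversed, so for those a plain base64.b64decode of the string is enough.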
The macro then calls the GetParagraph() function, which reads the embedded Base64 strings from the document’s paragraphs, reverses them with StrReverse, decodes the result with Base64Decode, and writes the recovered DLL into the OneDrive and Teams installation directories. Storing the payload as reversed Base64 inside the document text is a cheap way to defeat pattern matching on the DLL’s bytes, and it means the DLL itself is never downloaded: the document is the only file fetched from the network.\r\nFigure 5 – StrReverse and Base64Decode Operations to get DLL\r\nThe below figure shows the malicious DLL file dropped in the Teams and OneDrive locations.\r\nFigure 6 – Dropped DLL Files Present in MS App Installation Folders\r\nThe next time the Teams application starts, it loads the dropped “iphlpapi.dll” from its own directory and the malicious code runs inside the signed Teams.exe process, as shown below.\r\nFigure 7 – DLL Sideloading in Microsoft Teams App\r\nPayload Analysis\r\nThe below figure shows the code of the sideloaded DLL, which creates a mutex named “MSTeams.Synchronization.Primitive.2.0” to avoid running a second instance on the same machine; the name blends in with legitimate Teams objects. The malware then communicates with the C\u0026C server using the following URL: d2xiq5m2a8wmm4.cloudfront[.]net/communications.\r\nFigure 8 – Creates Mutex and Connects to C\u0026C server\r\nWhile monitoring the malware’s traffic, we observed C\u0026C communication with the same URL.\r\nFigure 9 – Traffic Interception\r\nAfter analysing the response from d2xiq5m2a8wmm4.cloudfront[.]net/communications, we concluded that it delivers a Cobalt Strike Beacon that is executed on the victim’s machine. Hosting the C\u0026C endpoint on a CloudFront distribution gives the traffic a reputable CDN domain and a valid TLS certificate, so domain reputation alone will not catch it; the recommendations below therefore stress monitoring for Beacon behaviour on the network.\r\nThe Cobalt Strike Beacon can then be used for malicious activities such as downloading additional payloads, lateral movement, etc.\r\nConclusion\r\nTAs are adopting various sophisticated techniques to deploy malware. 
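Whatever the lure, the sideloading step leaves a durable host artifact: a DLL carrying a System32 library’s name sitting in a per-user application directory such as the Teams or OneDrive install folder. The following Python script is an added example for this page, not Cyble’s code or the macro’s, that hunts for exactly that over a constructed directory tree standing in for the Teams install folder. It generalises beyond iphlpapi.dll to any system library name; the short list of system DLL names is an assumption for the demo, and on a real host you would enumerate System32 and walk the local application data folder of every user profile.

```python
import hashlib
import os
import tempfile

# System32 libraries that are frequently sideloaded. This short list is an
# assumption for the demo; on a real Windows host enumerate
# os.path.join(os.environ['SystemRoot'], 'System32') instead.
SYSTEM_DLL_NAMES = {
    'iphlpapi.dll', 'version.dll', 'dbghelp.dll', 'cryptsp.dll',
    'userenv.dll', 'wtsapi32.dll', 'msasn1.dll', 'winhttp.dll',
}

# Members of the KnownDLLs list are always mapped from System32, so a copy in
# an application directory cannot be loaded by name. Skip them to keep the
# output limited to files that would actually run.
KNOWN_DLLS = {
    'ntdll.dll', 'kernel32.dll', 'kernelbase.dll', 'user32.dll',
    'advapi32.dll', 'gdi32.dll',
}


def sha256_of(path):
    # Stream the file so large binaries do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def find_shadowing_dlls(app_dir, system_dlls=SYSTEM_DLL_NAMES):
    # Walk an application directory and report every DLL whose file name
    # collides with a System32 library. Any executable in that directory
    # resolves such a name to the local copy before looking in System32.
    # Returns a sorted list of (file name, full path, sha256).
    hits = []
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            lower = name.lower()
            if not lower.endswith('.dll') or lower in KNOWN_DLLS:
                continue
            if lower in system_dlls:
                path = os.path.join(root, name)
                hits.append((lower, path, sha256_of(path)))
    return sorted(hits)


def build_sample_tree():
    # Constructed stand-in for the per-user Teams install directory after the
    # macro has run: the legitimate Teams.exe and its bundled ffmpeg.dll next
    # to the dropped iphlpapi.dll. File contents are placeholders, not real PEs.
    base = tempfile.mkdtemp(prefix='teams-demo-')
    current = os.path.join(base, 'Microsoft', 'Teams', 'current')
    os.makedirs(current)
    files = {
        'Teams.exe': b'MZ legitimate application',
        'ffmpeg.dll': b'MZ legitimate bundled library',
        'iphlpapi.dll': b'MZ dropped by the macro',
    }
    for name, content in files.items():
        with open(os.path.join(current, name), 'wb') as f:
            f.write(content)
    return base


if __name__ == '__main__':
    for name, path, digest in find_shadowing_dlls(build_sample_tree()):
        # Compare digest with the SHA-256 in the IOC table, then verify the
        # file's Authenticode signature: a system library in an application
        # directory that is unsigned, or not signed by Microsoft, is the tell.
        print('%s %s %s' % (name, digest, path))
```

On a live host, point find_shadowing_dlls at the Teams and OneDrive directories under each user’s local application data and follow every hit with a signature check (Get-AuthenticodeSignature in PowerShell). File-creation telemetry such as Sysmon Event ID 11 also catches the intermediate cache-XJDNSJWPFHD.tmp write and its rename to iphlpapi.dll, which happens from the Word process rather than from an installer.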
In this particular case, we observed how TAs are using Microsoft apps such as Teams and OneDrive to sideload a malicious library that can deploy the Cobalt Strike Beacon. The chain needs no exploit and no elevation: a macro, a writable per-user application directory, and a DLL name that the application resolves before System32.\r\nCyble Research Labs continuously monitors all new and existing malware to keep our readers aware and informed.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nAvoid downloading files from unknown websites.\r\nUse a reputed anti-virus and internet security software package on your connected devices, including PCs, laptops, and mobile devices.\r\nRefrain from opening untrusted links, email attachments, or unknown document files without verifying their authenticity.\r\nEducate employees about threats such as phishing and untrusted URLs.\r\nMonitor for Beacon traffic at the network level to block data exfiltration by malware or TAs. 
\r\nEnable a Data Loss Prevention (DLP) solution on the employees’ systems.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nExecution | T1204 | User Execution\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading\r\nDefense Evasion | T1564.007 | Hide Artifacts: VBA Stomping\r\nCommand and Control | T1071 | Application Layer Protocol\r\nIndicators of Compromise (IOCs)\r\nIndicator | Indicator Type | Description\r\n697ac31e2336c340e46ae8a777f51cdb | MD5 | Malicious Doc\r\n91bd5585383685b82af8e801ce8f43586a797f49 | SHA-1 | Malicious Doc\r\n92e7395073c6588e1d8172148525144189c3d92ed052a163b8f7fad231e7864c | SHA-256 | Malicious Doc\r\n6e1e6194dd00f88638d03db3f74bb48a | MD5 | Sideloaded DLL\r\nd4a3050246d30a26671d05b90ffa17de39d5e842 | SHA-1 | Sideloaded DLL\r\nee56e43ed64e90d41ea22435baf89e97e9238d8e670fc7ed3a2971b41ce9ffaf | SHA-256 | Sideloaded DLL\r\nd2xiq5m2a8wmm4.cloudfront[.]net | URL | Cobalt Strike C\u0026C URL\r\nhxxps://laureati-prelios.azureedge[.]net/forms/Modulo_Testimone_Universitario_v3.doc | URL | Download URL\r\nSource: https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/"
	],
	"report_names": [
		"targeted-attacks-being-carried-out-via-dll-sideloading"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434121,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7a39a87ef436ae05d6532287ad836c9dc65aeba.pdf",
		"text": "https://archive.orkl.eu/a7a39a87ef436ae05d6532287ad836c9dc65aeba.txt",
		"img": "https://archive.orkl.eu/a7a39a87ef436ae05d6532287ad836c9dc65aeba.jpg"
	}
}