{
	"id": "26ee1625-8e1e-4893-ab3a-6af640402a0a",
	"created_at": "2026-04-06T00:11:37.497274Z",
	"updated_at": "2026-04-10T13:12:47.86809Z",
	"deleted_at": null,
	"sha1_hash": "ec4d1236438c0c5ab211ffc599f6d72224f68a7e",
	"title": "Persistent Connection Established: Nitrogen Campaign Leverages DLL Side-Loading Technique for C2 Communication",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5438534,
	"plain_text": "Persistent Connection Established: Nitrogen Campaign Leverages\r\nDLL Side-Loading Technique for C2 Communication\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 16:10:25 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters\r\nand Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the\r\nKaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced\r\nThreat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We\r\noutline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nIn June 2023, we identified and effectively responded to security incidents involving multiple hosts associated\r\nwith Python-based post-exploitation. We named the campaign Nitrogen after the PDB path and the strings found\r\nin the malicious msi.dll employed during the initial infection.\r\nhttps://www.esentire.com/blog/persistent-connection-established-nitrogen-campaign-leverages-dll-side-loading-technique-for-c2-communication\r\nPage 1 of 11\n\nThe threat actor(s) established initial access via a drive-by download, wherein the victim downloaded an ISO\r\nimage from a compromised WordPress website.\r\nFigure 1: Compromised WordPress website hosting the malicious ISO image\r\nBelow is a description of the observed initial infection chain.\r\nThe process begins with the manual execution of the install file by the end user from within an ISO image.\r\nSubsequently, the installer proceeds to load the msi.dll file and decrypts the accompanying data file. A more\r\ncomprehensive analysis of this campaign will follow this blog.\r\nFigure 2: Contents of an ISO image\r\nFigure 3: Initial Infection Chain (SentinelOne console)\r\nThe malicious installer drops an embedded Python distribution as well as the malicious DLL that is used for\r\nsideloading (T1574.002) under the “C:\\Users\\Public\\Music\\python” path.\r\nhttps://www.esentire.com/blog/persistent-connection-established-nitrogen-campaign-leverages-dll-side-loading-technique-for-c2-communication\r\nPage 2 of 11\n\nFigure 4: Files dropped under C:\\Users\\Public\\Music\\python path.\r\nThe scheduled task,“OneDrive Security Task-S-1-5-21-5678566754-9123742832-2638705499-2003”, is created\r\nas a persistence mechanism to run the pythonw.exe binary. The task is set to trigger at system startup and expires\r\non 12/1/2029 at midnight.\r\nFigure 5: Scheduled Task creation (SentinelOne console)\r\nThe threat actor(s) have been observed employing the DLL sideloading technique to execute a malicious payload\r\nand establish a persistent connection with C2 servers. The screenshot below reveals the utilization of\r\npython310.dll as the DLL for sideloading.\r\nFigure 6: DLL sideloading\r\nWe found the code responsible for establishing a connection to a remote host, retrieving compressed and encoded\r\ndata, and executing it locally.\r\nhttps://www.esentire.com/blog/persistent-connection-established-nitrogen-campaign-leverages-dll-side-loading-technique-for-c2-communication\r\nPage 3 of 11\n\nFigure 7: Code responsible for establishing a remote connection with C2\r\nWe were able to extract the C2 from the malicious DLLs:\r\n166.0.94[.]216:8880\r\n45.61.128[.]133:1042\r\nThe threat actor(s) were able to run Bloodhound-py and LaZagne on patient zero via one of the malicious Python\r\nfiles (work2.py). During the investigation, our in-house Incident Response team retrieved a copy of the work2.py\r\nscript for further analysis.\r\nThe Python script contained the Pyramid module; Pyramid is a Python-based HTTP/HTTPS C2 server equipped\r\nwith the ability to distribute encrypted payloads. Additionally, Pyramid incorporates numerous modules to\r\nfacilitate the loading of offensive tools such as LaZagne, Bloodhound-py, secretsdumps, and more.\r\nThe snippet of the Pyramid module below makes an encrypted HTTP request to a server, providing authorization\r\ncredentials and executing the received response payload as code.\r\nFigure 8: Snippet of the Pyramid module\r\nhttps://www.esentire.com/blog/persistent-connection-established-nitrogen-campaign-leverages-dll-side-loading-technique-for-c2-communication\r\nPage 4 of 11\n\nAnother file that the attacker(s) utilized to drop a Cobalt Strike DLL was work7.py, which contained Python code\r\nwith a marshal module to execute a payload that has been marshaled or serialized.\r\nFigure 9: work7.py contents\r\nUpon disassembling the bytecode, we were able to retrieve the Cobalt Strike DLL that the attacker(s) ran on one\r\nof the hosts. You can find the Cobalt Strike beacon configuration at the end of this article.\r\nIt is important to note that within a span of 2 hours, the threat actor(s) engaged in lateral movement,\r\ndeploying several malicious Python files onto compromised hosts.\r\nOur Threat Response Unit (TRU) conducted further research and identified other samples involved in the\r\nNitrogen campaign, including the malicious DLLs used for sideloading. We were also able to extract additional\r\nC2s for the campaign that you can find in the Indicators of Compromise section.\r\nHow did we find it?\r\neSentire MDR for Endpoint identified Python-based post-exploitation activities.\r\nWhat did we do?\r\nOur Incident Handling Team responded to the threat and took containment actions, such as quarantining the\r\ninfected hosts.\r\nFurther infection was prevented by eSentire MDR for Endpoint.\r\nWhat can you learn from this TRU positive?\r\nThe threat actor(s) used DLL sideloading to execute the malicious payload. DLL side-loading attacks can\r\nhelp bypass security mechanisms and evade detection.\r\nBy abusing legitimate processes or loading DLLs from trusted locations, attackers can blend their\r\nmalicious activities with legitimate operations, making it harder for security solutions to identify the\r\nmalicious behavior.\r\nPyramid, a covert and stealthy tool, played a crucial role in facilitating post-exploitation activities\r\nconducted by the threat actor(s).\r\nThe Cobalt Strike payload was loaded and executed stealthily in memory within one of the Python\r\nprocesses, demonstrating an effective technique to evade EDR detections.\r\nhttps://www.esentire.com/blog/persistent-connection-established-nitrogen-campaign-leverages-dll-side-loading-technique-for-c2-communication\r\nPage 5 of 11\n\nRecommendations from our Threat Response Unit (TRU) Team:\r\nEncouraging good cybersecurity hygiene among your users by using Phishing and Security Awareness\r\nTraining (PSAT) when downloading software from the Internet.\r\nProtect endpoints against malware by:\r\nEnsuring antivirus signatures are up-to-date.\r\nUsing a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) tool to detect and\r\ncontain threats.\r\neSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections\r\nenriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data\r\nand automate rapid response to advanced threats.\r\nIf you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and\r\nput your business ahead of disruption.\r\nLearn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an\r\neSentire Security Specialist.\r\nIndicators of Compromise\r\nIndicator Note\r\nISO image e825667790caf1024ea2a6f907387f860ea431bca6d799f0e69d031483c42568\r\nISO image 5f3488fc958b98867ef661c6697b5c2cd920199f7209086591a5e87e691891f4\r\nISO image 9c57a2a27b6fcea5bcf1eda791ccdaa0eb3fdbf93781b37283d956332f4d2ceb\r\nISO image 2eb2ef7a562145a0faf3c82f439221908adfcc784022a64e5bb17a432f4a8a91\r\nISO image 9ae74c4247a7e8acdebfd87781c9ebb594e68a26b64ac84dbb1fbaebf4fc8058\r\npython310.dll 71ef00dd6c5e0446bab2ee2d030547a1841e5fdf5063902c206b6f4bf9ca9a11\r\npython310.dll ff32997b85098d2bb0f1adccc5dc4e608a869dd54fc8539482788855d53d43b7\r\nhttps://www.esentire.com/blog/persistent-connection-established-nitrogen-campaign-leverages-dll-side-loading-technique-for-c2-communication\r\nPage 6 of 11\n\npython310.dll e74c4cf311f2b3365605b6648d96baf5674990c3f181f01f462e1ba665bf1f7f\r\npython310.dll 8dfac6521ef877efede0a82bf46d94f590127e2607b78d08321953796fddbba9\r\npython310.dll 8859a09fdc94d7048289d2481ede4c98dc342c0a0629cbcef2b91af32d52acb5\r\npython310.dll fa911a3639ae77f8f890fb76ba1ab78c2ab17ab80bdfec381ab6a9ba8fef32fe\r\npython310.dll bacbe893b668a63490d2ad045a69b66c96dcacb500803c68a9de6cca944affef\r\npython310.dll 3ce4ed3c7bd97b84045bdcfc84d3772b4c3a29392a9a2eee9cc17d8a5e5403ce\r\npython310.dll 535aefaba2eb8d7898b176b0dcdd23fcef984994e609db222c33ece2d1c081b3\r\nC2 141.98.6[.]95:4418\r\nC2 104.234.147[.]74\r\nC2 141.98.6[.]95:8880\r\nC2 141.98.6[.]96:4419\r\nC2 141.98.6[.]96:8880\r\nC2 45.61.128[.]133:888\r\nC2 85.217.144[.]233:8443\r\nC2 166.0.94[.]216:8880\r\nhttps://www.esentire.com/blog/persistent-connection-established-nitrogen-campaign-leverages-dll-side-loading-technique-for-c2-communication\r\nPage 7 of 11\n\nC2 45.61.128[.]133:1042\r\nYara rule\r\n{\r\n \"BeaconType\": [\r\n \"HTTPS\"\r\n ],\r\n \"Port\": 8443,\r\n \"SleepTime\": 10000,\r\n \"MaxGetSize\": 2801745,\r\n \"Jitter\": 37,\r\n \"C2Server\": \"85.217.144[.]234,/jquery-3.3.1.min.js\",\r\n \"HttpPostUri\": \"/jquery-3.3.2.min.js\",\r\n \"Malleable_C2_Instructions\": [\r\n \"Remove 1522 bytes from the end\",\r\n \"Remove 84 bytes from the beginning\",\r\n \"Remove 3931 bytes from the beginning\",\r\n \"Base64 URL-safe decode\",\r\n \"XOR mask w/ random key\"\r\n ],\r\n \"HttpGet_Verb\": \"GET\",\r\n \"HttpPost_Verb\": \"POST\",\r\n \"HttpPostChunk\": 0,\r\n \"Spawnto_x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n \"Spawnto_x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\",\r\n \"CryptoScheme\": 0,\r\n \"Proxy_Behavior\": \"Use IE settings\",\r\n \"Watermark\": 587247372,\r\n \"bStageCleanup\": \"True\",\r\n \"bCFGCaution\": \"False\",\r\n \"KillDate\": 0,\r\n \"bProcInject_StartRWX\": \"False\",\r\n \"bProcInject_UseRWX\": \"False\",\r\n \"bProcInject_MinAllocSize\": 17500,\r\n \"ProcInject_PrependAppend_x86\": [\r\n \"kJA=\",\r\n \"Empty\"\r\n ],\r\n \"ProcInject_PrependAppend_x64\": [\r\n \"kJA=\",\r\n \"Empty\"\r\n ],\r\n \"ProcInject_Execute\": [\r\nhttps://www.esentire.com/blog/persistent-connection-established-nitrogen-campaign-leverages-dll-side-loading-technique-for-c2-communication\r\nPage 8 of 11\n\n\"ntdll:RtlUserThreadStart\",\r\n \"CreateThread\",\r\n \"NtQueueApcThread-s\",\r\n \"CreateRemoteThread\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"ProcInject_AllocationMethod\": \"NtMapViewOfSection\",\r\n \"bUsesCookies\": \"True\",\r\n \"HostHeader\": \"\"\r\n}\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nhttps://www.esentire.com/blog/persistent-connection-established-nitrogen-campaign-leverages-dll-side-loading-technique-for-c2-communication\r\nPage 9 of 11\n\nGET STARTED\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nhttps://www.esentire.com/blog/persistent-connection-established-nitrogen-campaign-leverages-dll-side-loading-technique-for-c2-communication\r\nPage 10 of 11\n\nSource: https://www.esentire.com/blog/persistent-connection-established-nitrogen-campaign-leverages-dll-side-loading-technique-for-c2-com\r\nmunication\r\nhttps://www.esentire.com/blog/persistent-connection-established-nitrogen-campaign-leverages-dll-side-loading-technique-for-c2-communication\r\nPage 11 of 11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.esentire.com/blog/persistent-connection-established-nitrogen-campaign-leverages-dll-side-loading-technique-for-c2-communication"
	],
	"report_names": [
		"persistent-connection-established-nitrogen-campaign-leverages-dll-side-loading-technique-for-c2-communication"
	],
	"threat_actors": [],
	"ts_created_at": 1775434297,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec4d1236438c0c5ab211ffc599f6d72224f68a7e.pdf",
		"text": "https://archive.orkl.eu/ec4d1236438c0c5ab211ffc599f6d72224f68a7e.txt",
		"img": "https://archive.orkl.eu/ec4d1236438c0c5ab211ffc599f6d72224f68a7e.jpg"
	}
}