Multi-stage loaders use DLL sideloading and signed binaries to hide final payloads
Researchers detailed two separate malware chains that rely on deeply layered staging, DLL sideloading, and trusted signed software to conceal execution. One campaign, dubbed Eimeria, starts from a RAR5 archive containing the signed dsclock.exe, a malicious zlibwapi.dll, and an encrypted payload that decrypts into an IExpress package and then an AutoIt-based RunPE loader. The chain restores ntdll.dll to evade EDR hooks, decrypts later stages with AES-128-CBC, RC4, and LZNT1, hollows explorer.exe, svchost.exe, or taskhostw.exe, and injects a small .NET RAT that beacons over WebSocket to 94.26.90.139:3006. It also sets persistence through a Run key and scheduled task and uses delays, sleep checks, and CPU and memory stress tests to frustrate analysis.
A second intrusion set tied to UAC-0184 / MB-0007 used Ukraine-themed lures and messenger delivery to target Ukrainian Defense Forces personnel, beginning with LNK files that called bitsadmin to fetch HTA content from 169.40.135.35 for execution via mshta. The downloaded archive abused legitimate Plane9 components for sideloading through Cluster-Overlay64.exe, Plane9Engine.dll, and openvr_api.dll, then decoded kernel-diag.lib into evr.dll and unpacked filter.bin by rebuilding IDAT chunks, XOR-decoding with key 0x227E9BDE, and decompressing with LZNT1. The final bundle included signed utilities such as Microsoft-signed VSLauncher.exe and a renamed PassMark Endpoint DLL, indicating the actor likely repurposed a signed network stack and dump-capable tooling for covert internal communications, with controller details possibly discovered dynamically over multicast 224.0.0.255:31339 and TCP 31339 rather than a fixed external C2.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Synaptic Security publishes technical analysis of UAC-0184 loader chain
Synaptic Security published a technical breakdown of a UAC-0184 / MB-0007 malware chain that used HTA delivery, a ZIP archive, Plane9 DLL sideloading, pseudo-PNG payload reconstruction, and LZNT1 decompression. The report highlighted use of signed utilities including Microsoft-signed VSLauncher.exe and a PassMark Endpoint DLL, and assessed that controller information may be obtained dynamically rather than from a hardcoded external C2.
CERT-UA reports UAC-0184 campaign targeting Ukrainian defense personnel
CERT-UA reporting described campaigns attributed to UAC-0184 / MB-0007 that targeted Ukrainian Defense Forces personnel using Ukraine-themed social engineering and messenger-based delivery. The campaign used LNK lures that invoked bitsadmin to fetch HTA files and continue the infection chain.
Researchers analyze Eimeria multi-stage malware loader
Researchers documented a newly labeled malware loader called Eimeria that uses a five-layer chain beginning with a RAR5 archive and DLL side-loading to ultimately deploy a .NET RAT. The analysis detailed persistence via a Run key and scheduled task, anti-analysis checks, process hollowing, and WebSocket C2 communications to 94.26.90.139:3006.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
UAC-0184 Expands HTA Loader With Bitdefender and Plane9 Sideload Chains
Researchers reported that **UAC-0184**—also tracked as **UNC5435** and **MB-0007**—is using spearphishing **LNK** files with Ukraine- and Cyrillic-themed lures to launch a multi-stage malware chain against Ukrainian targets. The lures invoke **`bitsadmin`** and **`mshta`** to retrieve HTA payloads from disposable infrastructure hosted on **Cloudflare Pages**, **Netlify**, and novelty TLDs, then fetch **`dctrprraclus.zip`**. The HTA stager hides malicious logic behind decoy HTML padding and embedded VBScript, which starts PowerShell to decrypt an **AES-256-CBC** base64 blob using a co-located 32-byte ASCII key and a null IV, decompress the result with gzip, and reflectively load a .NET assembly; researchers said the actor's per-sample key rotation offers little protection because the key is shipped with the ciphertext. The intrusion set now includes two signed third-party sideloading paths for the same payload family. One chain abuses legitimate **Plane9** components, progressing through **`Cluster-Overlay64.exe`**, **`Plane9Engine.dll`**, **`openvr_api.dll`**, **`kernel-diag.lib`**, and a decoded **`evr.dll`** stage that extracts **`filter.bin`**, whose pseudo-PNG **IDAT** data is XOR-decoded and **LZNT1**-decompressed into a final bundle. A parallel path uses the signed **Bitdefender Endpoint Security** deployer **`bddeploy.exe`** to sideload a malicious **`deploy.dll`** via DLL search order hijacking. The final stages include signed utilities such as Microsoft-signed **`VSLauncher.exe`** and a PassMark-derived **`input.dll`** believed to provide covert networking and possible process-dump capability, while telemetry tied to **trojan.leopard/bitsuh** and multicast or TCP traffic on **port 31339** has emerged as a consistent hunting lead.
May 20, 2026
LNK-Based Malware Campaigns Deliver PlugX and Custom .NET RAT
Researchers documented two separate but related **LNK-driven intrusion chains** that used shortcut files as the initial lure to fetch additional malware from attacker-controlled infrastructure. In one campaign targeting organizations in the **Arabian Gulf region**, a China-nexus threat actor used a Middle East conflict-themed ZIP archive containing an LNK file that downloaded a malicious CHM file and ultimately deployed a **PlugX** backdoor. The infection chain progressed through a second LNK, a TAR archive, DLL sideloading, and a shellcode loader before installing PlugX with persistence under a fake Microsoft Display Broker path and service name. The malware used RC4-encrypted components, API hooking, reflective DLL loading, corrupted PE headers, and support for **TCP, HTTPS, UDP, and DoH** communications, with a decrypted command-and-control endpoint at `91.193.17[.]117:443` and plugins for keylogging, shell access, screen capture, registry, service, and network operations. A second investigation exposed a live **LNK-to-DLL-to-.NET RAT** operation staged from an open Apache directory on `wildishadventure[.]com/secure9/` and `171.22.182[.]231/secure9/`, where researchers recovered weaponized LNK files, custom DLL downloaders, backup files, and a final payload named `RemoteMgmt.Agent.exe`. That chain abused the legacy `ActiveXObject('htmlfile')` technique to force Windows to retrieve DLLs over UNC paths, then delivered a custom .NET 4.8 remote access trojan that supported command execution, token-based authentication, JSON-over-raw-TCP C2 over port 443, reconnect-based persistence, and logging to `%TEMP%\rmgmt_agent.log`. Operational security failures including exposed directory indexing, `.old` backups, test builds, and unstripped internal names allowed investigators to reconstruct the malware’s development workflow and identify infrastructure spanning **BlueVPS**, **Namecheap**, and **Cloudflare**.
Apr 25, 2026
Signed Malware Installers and Live C2 Infrastructure Fuel Multiple Loader Campaigns
Breakglass Intelligence identified several active malware delivery operations using signed installers, compromised websites, and live command-and-control infrastructure to distribute loaders, stealers, and remote access tools. One campaign used the newly registered domain `maybedontbanplease[.]com` as CastleLoader C2 on 3NT Solutions LLP infrastructure, with a large NSIS installer embedding Python 3.14, AES-encrypted payloads, and in-memory shellcode execution via `pythonw.exe`; the installer was signed with an EV certificate issued to the likely fictitious entity **SERPENTINE SOLAR LIMITED**. The activity was attributed with medium-high confidence to **GrayBravo** and linked to delivery of **LummaC2, StealC, RedLine, Rhadamanthys, DeerStealer, NetSupport RAT,** and **SectopRAT**, with targeting that included U.S. government, critical infrastructure, IT, and logistics organizations. A separate operation distributed a trojanized `MSTeamsSetup.exe` that installed a weaponized **RustDesk** client and communicated with `mon.systemautoupdater[.]com` on EvoXT infrastructure, while presenting a TLS certificate for `calipology[.]com`, tying the activity to the **GeorgeGinx/Striker** operator. In another live campaign, attackers used the compromised Syrian web development site `allsydevs[.]com` to host an obfuscated .NET loader masquerading as a WordPress image and connected victims to `172[.]93[.]167[.]12:4263` over HTTPS using a self-signed certificate with the fake common name **Mesh Data**; at least six related samples were linked to the same C2, with lure names suggesting targeting of Middle Eastern construction and export firms. Together, the investigations show financially motivated actors expanding malware distribution through fraudulent code-signing, trojanized business software, and hijacked web infrastructure.
Apr 25, 2026