Operation Silent Entry: Intelligence Malware Slips Past the Defenses

  • Javier Conejo del Cerro
  • 2 days ago
  • 3 min read

Modern cyber-espionage no longer relies on noisy exploits or zero-day vulnerabilities. Instead, it mirrors real-world intelligence operations: blend in, abuse trust, and move quietly. A newly observed malware campaign demonstrates this approach by combining DLL side-loading, living-off-the-land binaries, fake authentication flows, and trusted cloud infrastructure to deploy a wide range of trojans and steal sensitive data while remaining largely invisible to traditional security controls.

Rather than breaching the fortress head-on, the attackers walk through the front door wearing a legitimate uniform.


Phase 1 – Reconnaissance & Target Selection


The operation begins with careful victim profiling. The campaign primarily targets employees in finance, procurement, supply chain, and administrative roles across industrial and commercial sectors, including oil and gas and import/export businesses. Parallel social-engineering activity focuses on enterprise users and social media account holders.

Lures are localized and tailored, written in Arabic, Spanish, Portuguese, Farsi, and English, indicating regionally scoped targeting rather than random mass distribution. The attackers rely on familiar business themes—invoices, RFQs, overdue payments, legal notices, and account security alerts—to ensure high open and execution rates.

At this stage, the attackers are not exploiting software flaws; they are exploiting human trust and routine workflows.


Phase 2 – Initial Access via Trusted Assets


Initial access is achieved by abusing legitimate, signed software components. The centerpiece of the campaign is a DLL side-loading technique involving a benign, signed binary: ahost.exe, a component associated with GitKraken’s desktop application.

By placing a malicious libcares-2.dll in the same directory as the legitimate executable, the attackers exploit Windows’ DLL search order. When the renamed ahost.exe is launched—often disguised as a PDF, invoice, or shipping document—it loads the malicious DLL instead of the legitimate one, executing attacker code without triggering signature-based defenses.

This single technique enables the delivery of a broad arsenal of commodity malware, including Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm.


Phase 3 – Execution, Persistence & Evasion


Once execution is achieved, the operation shifts into persistence and evasion mode. The attackers heavily rely on living-off-the-land (LotL) techniques, abusing native Windows components such as:

  • Windows Script Host (WSH)

  • PowerShell

  • MSBuild.exe

  • Explorer.exe

In parallel campaigns, phishing operations employ Browser-in-the-Browser (BitB) techniques to harvest credentials by displaying fake login pop-ups inside legitimate browser windows, making visual detection nearly impossible.

Other infection chains use multi-stage loaders distributed via Dropbox ZIP archives, WebDAV servers, and TryCloudflare tunnels, where Python environments are installed on the fly and used to inject AsyncRAT shellcode into legitimate processes. Decoy PDFs are opened to distract victims and reinforce the illusion of legitimacy.

Across all variants, the common theme is clear: trusted tools, trusted services, trusted domains—all weaponized.


Phase 4 – Data Theft & Command-and-Control


With persistence established, the malware enters its intelligence-gathering phase. Depending on the payload, attackers can:

  • Steal credentials (enterprise, VPN, social media)

  • Capture keystrokes

  • Harvest browser data

  • Exfiltrate files and system information

  • Establish persistent remote access for follow-on operations

Data exfiltration and command-and-control traffic are routed through legitimate cloud services such as Netlify, Vercel, Cloudflare, and URL shorteners, further masking malicious activity within normal enterprise traffic patterns.

This infrastructure abuse allows attackers to operate quietly for extended periods, turning compromised systems into long-term intelligence assets.


Measures to Defend Against Silent Entry Operations


To counter operations of this nature, organizations must shift from exploit-centric defenses to behavior- and trust-centric security controls:

  • Restrict and monitor DLL load paths and detect anomalous side-loading behavior

  • Limit and closely monitor LOLBin usage (PowerShell, MSBuild, WSH)

  • Alert on signed binaries executing from non-standard directories

  • Block Browser-in-the-Browser phishing through modern email and web filtering

  • Enforce phishing-resistant MFA for enterprise and social platforms

  • Monitor abuse of trusted cloud hosting services for C2 and payload delivery

  • Harden script execution policies and reduce unnecessary scripting privileges
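The side-loading chain described in Phase 2 (a signed host binary loading a look-alike libcares-2.dll from its own directory) and the first three defensive measures above can be turned into a concrete detection. The following is an added example, not code from the original post or from any vendor: it scores Sysmon Event ID 7 (ImageLoad) records, which are constructed inline here in the shape of Sysmon's real fields (Image, ImageLoaded, Signed, SignatureStatus, ProcessGuid); the install path, GUIDs and the renamed "invoice" file name are made up, and the directory watchlist is an assumption to tune per environment.

```python
"""Flag DLL side-loading in Sysmon ImageLoad (Event ID 7) records.

Added example for the post above; the event records below are constructed
samples, not telemetry from the campaign.
"""
import ntpath

# DLL names worth watching; libcares-2.dll is the one named in the post.
WATCHED_DLLS = {"libcares-2.dll"}

# Directories a signed helper binary should not be launched from
# (assumption: extend with your own download/staging paths).
SUSPICIOUS_DIRS = ("\\downloads\\", "\\temp\\", "\\public\\", "\\desktop\\")


def _dirname(path: str) -> str:
    """Case-folded Windows directory of a path; works on any host OS."""
    return ntpath.dirname(path).lower()


def classify(event: dict) -> list[str]:
    """Return the reasons an ImageLoad event looks like side-loading ([] if clean)."""
    dll = ntpath.basename(event["ImageLoaded"]).lower()
    if dll not in WATCHED_DLLS:
        return []
    reasons = []
    # Side-loading drops the DLL beside the host binary so it wins the search order.
    if _dirname(event["ImageLoaded"]) == _dirname(event["Image"]):
        reasons.append("watched DLL loaded from the host binary's own directory")
    # A DLL shipped with a signed product is expected to carry a valid signature.
    if event.get("Signed", "false").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("loaded DLL is unsigned or its signature is not valid")
    # Signed binaries renamed to look like documents usually run from download paths.
    if any(d in _dirname(event["Image"]) + "\\" for d in SUSPICIOUS_DIRS):
        reasons.append("host binary executed from a non-standard directory")
    # A clean install also loads the DLL from its own directory, so require corroboration.
    return reasons if len(reasons) >= 2 else []


def find_sideloads(events: list[dict]) -> list[tuple[str, list[str]]]:
    """(ProcessGuid, reasons) for every event that classify() flags."""
    return [(e["ProcessGuid"], classify(e)) for e in events if classify(e)]


EVENTS = [  # constructed sample records; paths and GUIDs are illustrative
    {"ProcessGuid": "{A}", "Image": r"C:\Users\ana\AppData\Local\gitkraken\app-10.0.0\ahost.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\gitkraken\app-10.0.0\libcares-2.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"ProcessGuid": "{B}", "Image": r"C:\Users\ana\Downloads\Invoice_4471.pdf.exe",
     "ImageLoaded": r"C:\Users\ana\Downloads\libcares-2.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"ProcessGuid": "{C}", "Image": r"C:\Users\ana\Downloads\Invoice_4471.pdf.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]
```

Correlating the flagged ProcessGuid with the matching Event ID 1 record (which carries OriginalFileName) then confirms whether the "document" is a renamed ahost.exe.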


This campaign highlights a critical evolution in modern threat operations: attackers no longer need advanced exploits when they can blend into trusted ecosystems. By abusing signed binaries, legitimate cloud services, and familiar authentication flows, these actors bypass many traditional security controls while achieving persistent, high-value access.

The lesson is clear: trust is now the primary attack surface. Defending against these silent entry operations requires visibility into how trusted tools are used—not just whether they are trusted at all.


In today’s threat landscape, the most dangerous intrusions are the ones that look completely normal.



The Hacker News