The campaign deserves mention because it employs a novel double DLL-side-loading technique for enhanced evasion capabilities

Numerous attacks against online gamblers across South-east Asia have been detected and investigated since August 2022.

An advanced persistent threat group known as APT-Q-27 (Dragon Breath or Golden Eye Dog) has been tricking gamblers into downloading malicious installers for certain Chinese-language versions of popular chat or VPN software that leave a backdoor for hackers to steal cryptocurrency from the targets’ crypto wallets.

The initial installer side-loads a benign application that, in turn, preloads yet another benign application. This second benign application then side-loads the malicious loader DLL that finally installs the backdoor. This extra level of DLL side-loading makes the malicious activity even harder to spot than usual.  

Once the backdoor is installed, hackers will be able to collect sensitive information that enable them to steal the victims’ crypto wallets.

So far, victims have been spotted in the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China. According to Gabor Szappanos, Threat Research Director, Sophos, which announced its findings: “While attacks against this community are not unusual, this particular technique of adding an additional clean application to further obfuscate the malicious DLL side-loading is not something we’ve seen before. DLL side-loading has long been a preferred method for some of the most advanced adversaries in this region. (Hackers are) not only continuing to use the method, but improving upon it in the wild. It’s also important to note that these attacker groups — whether purposely or not — share attack methods. Attack methods against groups like online gamblers typically stay under the radar, but, due to peer awareness, other groups could adopt and modify this method with entirely different aims and victim targets.”