Researchers reveal a multi-step, in-memory attack leveraging DLL sideloading and encrypted payloads to maintain covert access.

Threat researchers have uncovered a sophisticated and stealthy cyber-espionage framework used by an advanced persistent threat (APT) group targeting a Philippine military firm.

This multi-stage, fileless malware campaign leverages a combination of living-off-the-land techniques and in-memory execution to maintain persistent access, avoid detection, and perform extensive system reconnaissance and data theft.

The initial intrusion was linked to the execution of a logon batch script from a remote SMB share, deploying a legitimate Windows binary alongside a malicious dynamic link library (DLL). This DLL hijacking (or sideloading) tactic had allowed the malware to execute payloads under the guise of trusted processes, bypassing traditional file-based security mechanisms. The first-stage loader had then established a reverse shell and enabled remote command execution on compromised systems.

Technical overview and attack methodology

To maintain persistence, the attackers abused pre-existing but typically disabled Windows services, either by modifying service registry keys to point to malicious DLLs, or by replacing legitimate service binaries. These services were then configured to run with elevated privileges, granting the attackers extensive access to the system memory and processes. Also:

  • The core payload was delivered and executed entirely in memory through a novel reflective loader. This loader decrypted and injected the main backdoor into trusted processes such as the Windows Defender service or explorer.exe, facilitating stealthy control and communication with the command-and-control (C2) servers.
  • Communication with the attacker’s C2 infrastructure had employed modern secure protocols and mutual TLS authentication, utilizing attacker-owned certificates for encrypted and authenticated remote procedure calls.
  • The backdoor supports a wide array of capabilities: comprehensive system fingerprinting; file and process manipulation; privilege escalation; network resource enumeration; lateral movement; and data exfiltration. It operates with a full command set designed for long-term surveillance and control without leaving decrypted malware files on disk.
  • Secondary lightweight backdoor had been observed, which was deployed to ensure redundancy in case the primary implant had been intercepted. This auxiliary component used a legitimate binary relocated to a user-writable directory for DLL sideloading and supported encrypted communication, remote command execution, and flexible command updates.
  • To gather sensitive user input, the threat actors had injected an encrypted keylogger directly into the memory of active explorer.exe processes. This keylogger intercepted keystrokes, clipboard content, and network adapter changes, encrypting logged data in real time for covert collection.

Finally, the attackers had leveraged a proxy tool to establish internal network footholds and route commands across the compromised environment, effectively bypassing segmentation and network-level defenses. Many methods bear telltale signs of a China-linked APT, but no specific threat group has been identified.

According to Martin Zugec, Technical Solutions Director, Bitdefender, the firm disclosing its investigations, this attack suggests in general that APTs aligned with Chinese interests could be “increasing their focus on espionage campaigns against military adversaries.”