Last updated: July 5, 2026 at 9:01 AM UTC
Tag: dll-side-loading (2 articles)

Stealthy Mistic backdoor gives ransomware access broker KongTuke lasting footholds

Symantec and Zscaler detailed Mistic, a stealthy new Windows backdoor used in intrusions since April and tied to KongTuke, an initial access broker that sells footholds to ransomware crews including Qilin, Akira, and Rhysida. Mistic is side-loaded by a legitimate Microsoft executable (MpExtMs.exe) through a malicious DLL whose name mimics endpoint-security software; once loaded it runs its payloads only in memory, writing nothing further to disk, and carries a self-delete kill switch, all aimed at long-term, low-visibility access. It is delivered through social-engineering lures such as fake CAPTCHAs and Microsoft Teams help-desk pretexts that trick users into pasting and running PowerShell commands. Defenders should watch for the unusual pairing of this signed Microsoft binary with an unsigned, oddly placed DLL.

Check
Hunt for the legitimate MpExtMs.exe process loading DLLs from outside its expected install directory or DLLs that are not signed by Microsoft, for long-lived processes whose executable memory is not backed by a file on disk (the in-memory-only payload), and for paste-and-run PowerShell launched from a browser or Teams session after a fake CAPTCHA or help-desk message.
Affected
Enterprises across insurance, education, IT, and professional services targeted by KongTuke; a quiet, in-memory backdoor establishes durable access that is later sold to ransomware affiliates for deployment.
Fix
Train users against paste-and-run and fake IT-support lures, restrict PowerShell and script execution with application control (AppLocker or WDAC) and constrained language mode, deploy behavioral detection for DLL side-loading and in-memory backdoors, and apply the published indicators of compromise.

Chinese APT Mustang Panda's new LOTUSLITE variant hits Indian banks and South Korean policy circles via CHM lures

Acronis researchers have spotted a new variant of LOTUSLITE, a backdoor associated with the Chinese nation-state group Mustang Panda, now distributed via lures tied to India's banking sector and, in a parallel campaign, impersonating figures from South Korea's Korean-peninsula-policy community. The shift is notable: prior LOTUSLITE activity targeted U.S. government and policy entities with U.S.-Venezuela geopolitical decoys, but this wave pivots the targeting while keeping the delivery playbook intact. The infection chain starts with a Compiled HTML (CHM) file, a legacy Microsoft help-file format that Windows opens with hh.exe and that can embed executables and scripts. The file contains a legitimate signed binary, a rogue DLL, and an HTML pop-up that asks the user to click 'Yes.' Clicking it silently fetches JavaScript malware from cosmosmusic[.]com, which extracts and launches the DLL side-loading pair: the trusted EXE loads the attacker-supplied dnx.onecore.dll in place of the library it expects. The backdoor talks HTTPS to editor.gleeze[.]com, a dynamic-DNS hostname, and offers remote shell access, file operations, and session management, a classic espionage toolkit. The Indian campaign uses HDFC Bank-themed pop-ups masquerading as legitimate banking software; the South Korean campaign uses spoofed Gmail accounts and Google Drive staging to impersonate a prominent Korean peninsula policy figure. This is active, tailored, human-operated espionage, not a commodity campaign.

Check
Block CHM file delivery through email and web download gateways, hunt for any instance of dnx.onecore.dll on disk or in image-load telemetry, and alert on DNS resolutions (and, since the C2 is HTTPS, on TLS SNI or proxy logs) for cosmosmusic[.]com or editor.gleeze[.]com across your network.
Affected
Indian banking, financial services, and corporate employees handling HDFC Bank relationships (target set includes anyone social-engineered with banking-software lures). South Korean policy, diplomatic, think-tank, and government staff working on Korean-peninsula affairs, North Korea policy, or Indo-Pacific security dialogues. Any organisation where users can still open CHM files by default - Windows does not block them.
Fix
Add a mail-flow (transport) rule blocking .chm attachments outright. Block CHM handling on endpoints by restricting hh.exe through AppLocker or WDAC application-control policies; application control governs the viewer, not the .chm document itself, so the rule must target hh.exe or the signed host binary rather than the file. Enforce DNS filtering with sinkholes for cosmosmusic[.]com and editor.gleeze[.]com and monitor for similar dynamic-DNS patterns resolving from workstations that never used them before. Run EDR hunts for hh.exe (the CHM viewer) spawning script interpreters or unusual DLL loads, and specifically for dnx.onecore.dll. Provide targeted phishing-awareness training to India-based banking staff and any employees on Korean-peninsula policy briefs, including the specific lure patterns (HDFC Bank pop-ups, spoofed Gmail from named policy figures).
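The hunts called for in both articles above (MpExtMs.exe side-loading an unexpected DLL, hh.exe spawning a script host, any load of dnx.onecore.dll, and resolutions of the published C2 domains) share one shape: filter Sysmon-style process-create, image-load and DNS-query events against a small set of rules. The following is an added example for this page, not code from Symantec, Zscaler or Acronis. The event records are constructed to look like Sysmon event IDs 1, 7 and 22; the file paths, the trusted-directory allowlist, and the treatment of gleeze.com as a dynamic-DNS zone worth watching are assumptions, not facts from the write-ups.

```python
"""Hunt Sysmon-style telemetry for DLL side-loading and CHM-lure activity.

Added example for this page; not vendor code. Event shapes mimic Sysmon
EID 1 (ProcessCreate), 7 (ImageLoad) and 22 (DnsQuery). Feed exported
EDR/Sysmon records with the same field names through run_hunts().
"""
import ntpath

# Indicators published in the two write-ups above.
SIDELOAD_HOSTS = {"mpextms.exe"}                      # Mistic: legitimate host EXE
IOC_DLLS = {"dnx.onecore.dll"}                        # LOTUSLITE: rogue DLL
IOC_DOMAINS = {"cosmosmusic.com", "editor.gleeze.com"}
# Assumption: the parent zone of the LOTUSLITE C2 is a dynamic-DNS zone,
# so any new name under it from a workstation is worth a lower-severity alert.
DDNS_ZONES = {"gleeze.com"}
# Assumption: directories a Microsoft-signed host EXE legitimately loads from.
TRUSTED_DLL_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64",
                     r"c:\program files", r"c:\program files (x86)")
CHM_VIEWER = "hh.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def _under_trusted_root(path):
    p = path.lower()
    return any(p.startswith(root + "\\") for root in TRUSTED_DLL_ROOTS)


def hunt_side_loading(events):
    """EID 7: a known host EXE loads a DLL from an untrusted directory or with a
    signature that is not Valid, or any process loads a known-bad DLL name."""
    hits = []
    for e in events:
        if e.get("EventID") != 7:
            continue
        host, dll = _base(e["Image"]), _base(e["ImageLoaded"])
        if dll in IOC_DLLS:
            hits.append(("ioc_dll", e["Image"], e["ImageLoaded"]))
        elif host in SIDELOAD_HOSTS and (
                not _under_trusted_root(e["ImageLoaded"])
                or e.get("SignatureStatus") != "Valid"):
            hits.append(("sideload", e["Image"], e["ImageLoaded"]))
    return hits


def hunt_chm_children(events):
    """EID 1: the CHM viewer spawning a script interpreter or LOLBin."""
    return [("chm_child", e["ParentImage"], e["CommandLine"])
            for e in events
            if e.get("EventID") == 1
            and _base(e["ParentImage"]) == CHM_VIEWER
            and _base(e["Image"]) in SCRIPT_HOSTS]


def hunt_dns(events):
    """EID 22: a published C2 name, or any new name under its DDNS zone."""
    hits = []
    for e in events:
        if e.get("EventID") != 22:
            continue
        q = e["QueryName"].lower().rstrip(".")
        if q in IOC_DOMAINS:
            hits.append(("ioc_domain", e["Image"], q))
        elif any(q.endswith("." + zone) for zone in DDNS_ZONES):
            hits.append(("ddns_zone", e["Image"], q))
    return hits


def run_hunts(events):
    return hunt_side_loading(events) + hunt_chm_children(events) + hunt_dns(events)


# Constructed sample telemetry (paths and file names are made up for the example).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\MpExtMs.exe",          # benign load
     "ImageLoaded": r"C:\Windows\System32\bcrypt.dll", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\MpExtMs.exe",        # Mistic pattern
     "ImageLoaded": r"C:\Users\Public\Libraries\EdrAgent.dll", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Users\j.doe\AppData\Local\Temp\hostapp.exe",  # LOTUSLITE DLL
     "ImageLoaded": r"C:\Users\j.doe\AppData\Local\Temp\dnx.onecore.dll", "SignatureStatus": "Unavailable"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",              # CHM spawns script host
     "ParentImage": r"C:\Windows\hh.exe", "CommandLine": r"wscript.exe //B C:\Users\j.doe\AppData\Local\Temp\stage.js"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",              # benign child
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 22, "Image": r"C:\Users\j.doe\AppData\Local\Temp\hostapp.exe", "QueryName": "editor.gleeze.com"},
    {"EventID": 22, "Image": r"C:\Users\j.doe\AppData\Local\Temp\hostapp.exe", "QueryName": "update.gleeze.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "www.microsoft.com"},
]

if __name__ == "__main__":
    for kind, subject, detail in run_hunts(SAMPLE_EVENTS):
        print(f"{kind:11} {subject} -> {detail}")
```

On the sample data the side-loading rule fires twice (MpExtMs.exe loading an unsigned DLL from a user-writable directory, and the dnx.onecore.dll load), the CHM rule once, and the DNS rule twice, with the benign load, child process and lookup all passing. The trusted-root allowlist is deliberately narrow; widen it per environment rather than loosening the signature check, since an unsigned DLL beside a signed Microsoft binary is the core of both campaigns.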