The Hacker News reports that numerous government entities in the finance, defense and aerospace sectors across Asia, as well as state-owned telecommunications, media and IT companies, have been targeted since early last year in a cyberespionage campaign that relies on dynamic-link library (DLL) side-loading.
The attackers abuse outdated, legitimate executables that lack DLL side-loading mitigations: because such a program resolves a DLL by name from its own directory, a malicious DLL dropped alongside it is loaded and run under the signed program's identity. The side-loaded DLLs execute arbitrary shellcode and deliver other payloads used for credential theft and lateral movement across the network, according to a report from the Symantec Threat Hunter Team.
In one case, researchers observed a renamed copy of Mimikatz launched in an attack on an education organization by way of an 11-year-old version of the Bitdefender Crash Handler executable. The group behind the activity has not been identified, but researchers found evidence that the ShadowPad malware may have been used in its earlier attacks.
"The use of legitimate applications to facilitate DLL side-loading appears to be a growing trend among espionage actors operating in the region. Although a well-known technique, it must be yielding some success for attackers given its current popularity," said researchers.
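The side-loading pattern described above has a simple observable: a DLL that sits in the same directory as the host executable but is unsigned, or signed by a different publisher than the executable itself. The following PowerShell function is an added example written for this page, not code from Symantec or the report; it walks the loaded modules of running processes and flags such DLLs. It assumes an elevated session (module enumeration for other users' processes needs administrator rights) and that the function name and output fields are illustrative choices, not a vendor tool.

```powershell
# Added example (not from the report): flag DLLs loaded from the same
# directory as their host executable that are either not validly signed
# or signed by a different subject than the executable. Run elevated;
# some protected/system processes will still refuse module enumeration
# and are skipped.
function Find-SideLoadCandidate {
    [CmdletBinding()]
    param(
        # Restrict to one process name (wildcards allowed) or scan everything.
        [string]$ProcessName = '*'
    )
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try {
            $exePath = $proc.Path
            if (-not $exePath) { continue }
            $exeDir = Split-Path -Parent $exePath
            $exeSig = Get-AuthenticodeSignature -FilePath $exePath
            $exeSigner = if ($exeSig.SignerCertificate) { $exeSig.SignerCertificate.Subject } else { $null }

            foreach ($mod in $proc.Modules) {
                $modPath = $mod.FileName
                # Side-loaded DLLs are resolved from the EXE's own directory,
                # not from System32 or other trusted locations.
                if ($modPath -eq $exePath) { continue }
                if ((Split-Path -Parent $modPath) -ne $exeDir) { continue }
                if ([IO.Path]::GetExtension($modPath) -ne '.dll') { continue }

                $modSig = Get-AuthenticodeSignature -FilePath $modPath
                $modSigner = if ($modSig.SignerCertificate) { $modSig.SignerCertificate.Subject } else { $null }

                # Unsigned/invalid signature, or signer mismatch with the host EXE.
                if (($modSig.Status -ne 'Valid') -or ($modSigner -ne $exeSigner)) {
                    [PSCustomObject]@{
                        ProcessName = $proc.ProcessName
                        PID         = $proc.Id
                        Executable  = $exePath
                        ExeSigner   = $exeSigner
                        Module      = $modPath
                        ModSigner   = $modSigner
                        SigStatus   = $modSig.Status
                    }
                }
            }
        } catch {
            # Access denied on protected processes, 32/64-bit mismatch, etc.
            Write-Verbose "Skipping PID $($proc.Id): $($_.Exception.Message)"
        }
    }
}

# Usage: scan all processes and print the candidates.
Find-SideLoadCandidate | Format-Table -AutoSize
```

Expect false positives: plenty of legitimate software ships unsigned helper DLLs next to its executable, so baseline the output on a known-good host and investigate new entries, especially an old, validly signed security or vendor executable running from an unusual path such as a user-writable directory.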
Threat actors have published 45 malicious NPM and PyPI packages to support large-scale data theft as part of a campaign that began on Sept. 12, according to BleepingComputer.
Chinese threat actors exfiltrated 60,000 emails from U.S. State Department accounts during the widespread compromise of Microsoft email accounts that began in May, a staffer working for Sen. Eric Schmitt, R-Mo., said, according to Reuters.