Hackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malware

News Room, World of Software. Published 14 January 2026; last updated 2026/01/14 at 9:26 AM.
Security experts have disclosed details of an active malware campaign that’s exploiting a DLL side-loading vulnerability in a legitimate binary associated with the open-source c-ares library to bypass security controls and deliver a wide range of commodity trojans and stealers.

“Attackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate ahost.exe (which they often rename) to execute their code,” Trellix said in a report shared with The Hacker News. “This DLL side-loading technique allows the malware to bypass traditional signature-based security defenses.”

The campaign has been observed distributing a wide assortment of malware, such as Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm.

Targets of the malicious activity include employees in finance, procurement, supply chain, and administration roles within commercial and industrial sectors like oil and gas and import and export, with lures written in Arabic, Spanish, Portuguese, Farsi, and English, suggesting the attacks are restricted to a specific region.


The attack hinges on placing a malicious version of the DLL in the same directory as the vulnerable binary, taking advantage of the fact that it’s susceptible to search order hijacking to execute the contents of the rogue DLL instead of its legitimate counterpart, granting the threat actor code execution capabilities. The “ahost.exe” executable used in the campaign is signed by GitKraken and is typically distributed as part of GitKraken’s Desktop application.

An analysis of the artifact on VirusTotal reveals that it’s distributed under dozens of names, including, but not limited to, “RFQ_NO_04958_LG2049 pdf.exe,” “PO-069709-MQ02959-Order-S103509.exe,” “23RDJANUARY OVERDUE.INV.PDF.exe,” “sales contract po-00423-025_pdf.exe,” and “Fatura da DHL.exe,” indicating the use of invoice and request for quote (RFQ) themes to trick users into opening it.
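The two paragraphs above describe the detection problem from the defender's side: the loader is a legitimately signed binary that is frequently renamed, and the only stable artifacts are the PE OriginalFileName (“ahost.exe”), the DLL name it resolves from its own directory first (“libcares-2.dll”), and the fact that the adjacent DLL is not signed by the same publisher. The following Python is an added example written for this article, not code from Trellix or from the c-ares or GitKraken projects. It runs that logic over a few constructed events in a simplified record format that joins process-create and image-load data; the field layout and the signer strings are assumptions for illustration, not Sysmon's exact schema.

```python
"""Flag side-loading of the signed c-ares 'ahost.exe' test binary from image-load events.

Detection logic (added example, not taken from the Trellix report):
  * the loading process has PE OriginalFileName 'ahost.exe' (survives renaming),
  * it maps a DLL named 'libcares-2.dll' from the same directory it lives in,
  * that DLL is unsigned, or signed by a different publisher than the EXE.
All sample events and signer strings below are constructed for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# EXE OriginalFileName -> DLL names it loads from its own directory first.
# Only the pairing named in the article is listed; extend as needed.
SIDELOAD_PAIRS = {"ahost.exe": {"libcares-2.dll"}}


@dataclass(frozen=True)
class ImageLoad:
    """Simplified, constructed record joining process-create and image-load fields."""
    image: str               # path of the running executable (may be renamed)
    original_file_name: str  # PE OriginalFileName of that executable
    process_signer: str      # publisher of the EXE's signature, "" if unsigned
    image_loaded: str        # path of the DLL mapped into the process
    dll_signer: str          # publisher of the DLL's signature, "" if unsigned


def sideload_reason(ev: ImageLoad) -> Optional[str]:
    """Return why the event looks like DLL side-loading, or None if it looks benign."""
    exe = PureWindowsPath(ev.image)
    dll = PureWindowsPath(ev.image_loaded)
    orig = ev.original_file_name.lower()
    if orig not in SIDELOAD_PAIRS or dll.name.lower() not in SIDELOAD_PAIRS[orig]:
        return None  # not a tracked EXE/DLL pairing
    if dll.parent != exe.parent:  # PureWindowsPath compares case-insensitively
        return None  # DLL is not adjacent to the EXE, so not the search-order hijack pattern
    reasons = []
    if exe.name.lower() != orig:
        reasons.append(f"binary renamed from {orig} to {exe.name}")
    if not ev.dll_signer:
        reasons.append("adjacent DLL is unsigned")
    elif ev.dll_signer != ev.process_signer:
        reasons.append(f"DLL signer {ev.dll_signer!r} differs from EXE signer {ev.process_signer!r}")
    return "; ".join(reasons) if reasons else None


def scan(events: List[ImageLoad]) -> List[Tuple[str, str, str]]:
    """Return (process path, DLL path, reason) for every suspicious event."""
    hits = []
    for ev in events:
        reason = sideload_reason(ev)
        if reason:
            hits.append((ev.image, ev.image_loaded, reason))
    return hits


# Constructed sample events: one legitimate install, one campaign-style load, one unrelated.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\GitKraken\ahost.exe", "ahost.exe", "Vendor (constructed)",
              r"C:\Program Files\GitKraken\libcares-2.dll", "Vendor (constructed)"),
    ImageLoad(r"C:\Users\user\Downloads\RFQ_NO_04958_LG2049 pdf.exe", "ahost.exe",
              "Vendor (constructed)", r"C:\Users\user\Downloads\libcares-2.dll", ""),
    ImageLoad(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE", "OS vendor (constructed)",
              r"C:\Windows\System32\kernel32.dll", "OS vendor (constructed)"),
]

if __name__ == "__main__":
    for image, loaded, reason in scan(SAMPLE_EVENTS):
        print(f"SUSPICIOUS: {image} loaded {loaded}: {reason}")
```

The rule deliberately keys on OriginalFileName rather than the on-disk name, because the article notes the binary ships under dozens of invoice- and RFQ-themed names; a rule matching “ahost.exe” by filename would miss every one of them. The legitimate GitKraken install is not flagged because the adjacent DLL carries the same publisher as the EXE.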

“This malware campaign highlights the growing threat of DLL sideloading attacks that exploit trusted, signed utilities like GitKraken’s ahost.exe to bypass security defenses,” Trellix said. “By leveraging legitimate software and abusing its DLL loading process, threat actors can stealthily deploy powerful malware such as XWorm and DCRat, enabling persistent remote access and data theft.”

The disclosure comes as Trellix also reported a surge in Facebook phishing scams employing the Browser-in-the-Browser (BitB) technique to simulate a Facebook authentication screen and deceive unsuspecting users into entering their credentials. This works by creating a fake pop-up within the victim’s legitimate browser window using an iframe element, making it virtually impossible to differentiate between a genuine and bogus login page.

“The attack often starts with a phishing email, which may be disguised as a communication from a law firm,” researcher Mark Joseph Marti said. “This email typically contains a fake legal notice regarding an infringing video and includes a hyperlink disguised as a Facebook login link.”

As soon as the victim clicks on the shortened URL, they are redirected to a phony Meta CAPTCHA prompt that instructs them to sign in to their Facebook account. This, in turn, triggers a pop-up window that employs the BitB method to display a fake login screen designed to harvest their credentials.

Other variants of the social engineering campaign leverage phishing emails claiming copyright violations, unusual login alerts, impending account shutdowns due to suspicious activity, or potential security exploits. These messages are designed to induce a false sense of urgency and lead victims to pages hosted on Netlify or Vercel to capture their credentials. There is evidence to suggest that the phishing attacks may have been ongoing since July 2025.

“By creating a custom-built, fake login pop-up window within the victim’s browser, this method capitalizes on user familiarity with authentication flows, making credential theft nearly impossible to detect visually,” Trellix said. “The key shift lies in the abuse of trusted infrastructure, utilizing legitimate cloud hosting services like Netlify and Vercel, and URL shorteners to bypass traditional security filters and lend a false sense of security to phishing pages.”

The findings coincide with the discovery of a multi-stage phishing campaign that exploits Python payloads and TryCloudflare tunnels to distribute AsyncRAT via Dropbox links pointing to ZIP archives containing an internet shortcut (URL) file. Details of the campaign were first documented by Forcepoint X-Labs in February 2025.


“The initial payload, a Windows Script Host (WSH) file, was designed to download and execute additional malicious scripts hosted on a WebDAV server,” Trend Micro said. “These scripts facilitated the download of batch files and further payloads, ensuring a seamless and persistent infection routine.”

A standout aspect of the attack is the abuse of living-off-the-land (LotL) techniques that employ Windows Script Host, PowerShell, and native utilities, as well as Cloudflare’s free-tier infrastructure to host the WebDAV server and evade detection.

The scripts staged on TryCloudflare domains are engineered to install a Python environment, establish persistence via Windows startup folder scripts, and inject the AsyncRAT shellcode into an “explorer.exe” process. In tandem, a decoy PDF is displayed to the victim as a distraction mechanism and misleads them into thinking that a legitimate document was accessed.

“The AsyncRAT campaign analyzed in this report demonstrates the increasing sophistication of threat actors in abusing legitimate services and open-source tools to evade detection and establish persistent remote access,” Trend Micro said. “By utilizing Python-based scripts and abusing Cloudflare’s free-tier infrastructure for hosting malicious payloads, the attackers successfully masked their activities under trusted domains, bypassing traditional security controls.”
