

Ethical Hacking News

Hackers Exploit Vulnerability in c-ares Library to Bypass Security Measures and Deploy Malware



Hackers have successfully exploited a vulnerability in the open-source c-ares library to bypass security controls and deliver a wide range of malware. The attack aims at persistent remote access and data theft. Separately, Facebook phishing scams employing the Browser-in-the-Browser (BitB) technique are being used to deceive unsuspecting users into entering their credentials.

  • Hackers have exploited a vulnerability in the open-source c-ares library to bypass security controls and deliver malware.
  • The attack uses DLL side-loading technique to evade traditional signature-based security defenses.
  • The campaign targets employees in finance, procurement, supply chain, and administration roles within commercial and industrial sectors.
  • The attackers use phishing emails disguised as legal notices or social engineering campaigns to trick victims into entering their credentials.
  • Other variants of the campaign leverage phishing emails claiming copyright violations, unusual login alerts, or potential security exploits to capture victims' credentials.


    Hackers have successfully exploited a vulnerability in the open-source c-ares library, abusing the legitimate, signed "ahost.exe" executable associated with it, to bypass security controls and deliver a wide range of malware. The attack, which has been observed distributing various commodity trojans and stealers, including Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm, aims at persistent remote access and data theft.

    According to security experts, the attackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate "ahost.exe" (which they often rename) to execute their code. This DLL side-loading technique allows the malware to bypass traditional signature-based security defenses. The campaign has been observed targeting employees in finance, procurement, supply chain, and administration roles within commercial and industrial sectors such as oil and gas and import and export.

    The attack hinges on placing a malicious version of the DLL in the same directory as the vulnerable binary, taking advantage of the fact that it's susceptible to search order hijacking to execute the contents of the rogue DLL instead of its legitimate counterpart, granting the threat actor code execution capabilities. The "ahost.exe" executable used in the campaign is signed by GitKraken and is typically distributed as part of GitKraken's Desktop application.
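
As an added defender-side example (not code from the article, GitKraken or c-ares), the Python below flags the side-loading pattern described above in constructed image-load telemetry: libcares-2.dll loaded by ahost.exe, matched by on-disk name or by PE OriginalFileName so renamed copies are caught, from outside an assumed trusted install directory or without a valid signature. The event field names, the sample records and the trusted path are assumptions for this example.

```python
import ntpath

# Directory where a legitimately installed GitKraken copy of ahost.exe would
# live; assumed path for this example, adjust to the real install location.
TRUSTED_DIRS = (r"c:\program files\gitkraken",)

# Constructed sample events, loosely modelled on Sysmon ImageLoad (ID 7)
# records joined with the loading process's OriginalFileName from its
# ProcessCreate (ID 1) record. Not real telemetry.
SAMPLE_EVENTS = [
    {   # legitimate: ahost.exe in its install dir loading a signed DLL
        "Image": r"C:\Program Files\GitKraken\ahost.exe",
        "OriginalFileName": "ahost.exe",
        "ImageLoaded": r"C:\Program Files\GitKraken\libcares-2.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # renamed copy in a user-writable dir next to an unsigned DLL
        "Image": r"C:\Users\alice\Downloads\invoice\notice.exe",
        "OriginalFileName": "ahost.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\invoice\libcares-2.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # unrelated process loading an unrelated DLL
        "Image": r"C:\Windows\System32\svchost.exe",
        "OriginalFileName": "svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
]

def is_ahost(ev):
    """Match ahost.exe by file name or PE OriginalFileName (catches renames)."""
    names = {ntpath.basename(ev["Image"]).lower(),
             ev.get("OriginalFileName", "").lower()}
    return "ahost.exe" in names

def assess(ev):
    """Return the reasons an event looks like libcares-2.dll side-loading."""
    if not is_ahost(ev) or ntpath.basename(ev["ImageLoaded"]).lower() != "libcares-2.dll":
        return []
    reasons = []
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    if not any(dll_dir.startswith(d) for d in TRUSTED_DIRS):
        reasons.append("libcares-2.dll loaded from outside the trusted install dir")
    if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("libcares-2.dll is unsigned or has an invalid signature")
    if ntpath.basename(ev["Image"]).lower() != "ahost.exe":
        reasons.append("ahost.exe running under a different file name")
    return reasons

def scan(events):
    """Return (Image, reasons) for every event with at least one reason."""
    return [(ev["Image"], r) for ev in events if (r := assess(ev))]
```

Hashing the DLL against the known-good copy shipped with the installer would tighten the check further, but the location and signature tests alone already separate the two ahost.exe loads in the sample data.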

    Security experts warn that using legitimate software and abusing its DLL loading process allows threat actors to stealthily deploy powerful malware such as XWorm and DCRat, enabling persistent remote access and data theft. The disclosure comes as security experts also reported a surge in Facebook phishing scams employing the Browser-in-the-Browser (BitB) technique to simulate a Facebook authentication screen and deceive unsuspecting users into entering their credentials.

    The attack often starts with a phishing email, which may be disguised as a communication from a law firm, typically containing a fake legal notice regarding an infringing video and including a hyperlink disguised as a Facebook login link. As soon as the victim clicks on the link, a shortened URL, they are redirected to a phony Meta CAPTCHA prompt that instructs them to sign in to their Facebook account. This, in turn, triggers a pop-up window that employs the BitB method to display a fake login screen designed to harvest their credentials.

    Other variants of the social engineering campaign leverage phishing emails claiming copyright violations, unusual login alerts, impending account shutdowns due to suspicious activity, or potential security exploits. These messages are designed to induce a false sense of urgency and lead victims to pages hosted on Netlify or Vercel to capture their credentials. There is evidence to suggest that the phishing attacks may have been ongoing since July 2025.

    The findings coincide with the discovery of a multi-stage phishing campaign that exploits Python payloads and TryCloudflare tunnels to distribute AsyncRAT via Dropbox links pointing to ZIP archives containing an internet shortcut (URL) file. Details of the campaign were first documented by Forcepoint X-Labs in February 2025.

    "The initial payload, a Windows Script Host (WSH) file, was designed to download and execute additional malicious scripts hosted on a WebDAV server," Trend Micro said. "These scripts facilitated the download of batch files and further payloads, ensuring a seamless and persistent infection routine." A standout aspect of the attack is the abuse of living-off-the-land (LotL) techniques that employ Windows Script Host, PowerShell, and native utilities, as well as Cloudflare's free-tier infrastructure to host the WebDAV server and evade detection.

    The disclosure highlights the growing threat of DLL sideloading attacks that exploit trusted, signed utilities like GitKraken's "ahost.exe" to bypass security defenses. By leveraging legitimate software and abusing its DLL loading process, threat actors can stealthily deploy powerful malware such as XWorm and DCRat, enabling persistent remote access and data theft.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Hackers-Exploit-Vulnerability-in-c-ares-Library-to-Bypass-Security-Measures-and-Deploy-Malware-ehn.shtml

  • Published: Wed Jan 14 08:41:46 2026 by llama3.2 3B Q4_K_M
