Hong Kong’s financial sector is contending with a recent surge of SquidLoader samples that slip past conventional defenses with virtually no antivirus detections.
First observed in early July 2025, the loader arrives via carefully worded spear-phishing emails written in Simplified Chinese, carrying password-protected RAR attachments that pose as legitimate bond-registration documents.
Once the user extracts the archive and double-clicks what appears to be a Microsoft Word icon, execution pivots to a malicious PE file crafted to resemble AMD’s AMDRSServ.exe, silently laying the groundwork for compromise.
Inside that counterfeit executable, control is covertly hijacked in the CRT epilogue, long before WinMain() is reached, allowing SquidLoader to unpack itself and kick off its multi-stage infection chain.
Trellix analysts noted that this first stage simply iterates over 78,469 packed bytes, XORing each with 0xF4 and adding 19 to the result to reveal the loader’s true code.
for (size_t i = 0; i < 78469; i++) { /* loop body reconstructed from the description above; the buffer name is assumed */
    packed[i] = (packed[i] ^ 0xF4) + 19;
}
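An analyst-side decoder for the Stage 1 transform just described, as an added example that is not code from the Trellix report or from the malware. The encoder, the sample buffer and the PE-header sanity check are constructed here for demonstration; the only facts taken from the article are the XOR 0xF4 and add-19 steps.

```python
# Added example (not Trellix's or SquidLoader's code): decode the first-stage
# obfuscation described above and sanity-check the result as an analyst would.

def decode_stage1(packed: bytes) -> bytes:
    """Reverse the Stage 1 transform byte-wise: (b ^ 0xF4) + 19, truncated to 8 bits."""
    return bytes(((b ^ 0xF4) + 19) & 0xFF for b in packed)


def encode_stage1(plain: bytes) -> bytes:
    """Inverse transform, constructed only to build test input: (b - 19) & 0xFF, then XOR 0xF4."""
    return bytes(((b - 19) & 0xFF) ^ 0xF4 for b in plain)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap post-decode check: MZ stub with an e_lfanew that points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_and_check(packed: bytes):
    """Decode a packed buffer and report whether the output is plausibly a PE image."""
    plain = decode_stage1(packed)
    return plain, looks_like_pe(plain)


# Constructed sample: a minimal MZ/PE skeleton (not a real executable), then packed
# with the inverse transform so the decoder can be exercised offline.
SAMPLE_PLAIN = (
    b"MZ" + b"\x00" * (0x3C - 2)          # DOS header up to e_lfanew
    + (0x40).to_bytes(4, "little")        # e_lfanew -> offset 0x40
    + b"PE\x00\x00" + b"\x00" * 16        # NT signature plus padding
)
SAMPLE_PACKED = encode_stage1(SAMPLE_PLAIN)

if __name__ == "__main__":
    decoded, is_pe = decode_and_check(SAMPLE_PACKED)
    print("packed looks like PE:", looks_like_pe(SAMPLE_PACKED))
    print("decoded looks like PE:", is_pe, "round-trip ok:", decoded == SAMPLE_PLAIN)
```

On a real sample the input would be the 78,469-byte region the article mentions, read from the binary at the offset the analyst locates; the PE check is what tells you the offset and transform were right before handing the blob to the next stage of analysis.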
With the payload decrypted, Stage 2 walks the Process Environment Block to locate ntdll.dll and kernel32.dll, dynamically resolves scores of APIs, and stores their addresses, along with thread, PEB, and TEB metadata, in a custom stack structure whose pointer is hidden inside unused PEB memory.
This sleight of hand eliminates static strings and thwarts signature-based hunting.
Trellix researchers identified SquidLoader’s final objective as the in-memory launch of a Cobalt Strike Beacon that reports to shifting Kubernetes-themed endpoints such as 39.107.156.136/api/v1/namespaces/kube-system/services before handing off to a secondary beacon host at 182.92.239.24.
For victims, the result is covert remote access that blends seamlessly with normal HTTPS traffic while security teams remain blind to the breach.
Detection Evasion Tactics
The loader’s most ingenious tricks revolve around exhaustive anti-analysis routines that frustrate sandboxing and live debugging alike.
Early in Stage 3, SquidLoader invokes NtQuerySystemInformation with the undocumented SystemKernelDebuggerInformation class; any non-zero return value signals a kernel debugger and triggers self-destruct.
It then enumerates running processes via SystemProcessInformation, checking them against a long blacklist of debuggers, from Olldbg.exe to x64dbg.exe, as well as common AV agents such as MsMpEng.exe and kav.exe; a match again prompts immediate termination.
A particularly thorny thread/APC trick spins up a worker thread that sleeps for 1,000,000 ms, queues an APC to itself, and waits; emulators that accelerate Sleep() or mishandle APC delivery return unexpected NTSTATUS values, causing the malware to exit before analysts can attach.
Finally, a Mandarin-language message box, “The file is corrupted and cannot be opened”, demands user interaction, a simple but effective way to bypass automated sandboxes that lack GUI control.
Together, these layers ensure that by the time incident responders realize a beacon is calling home, SquidLoader has already slipped beneath the sonar and out to sea.
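A small triage script covering both the anti-analysis behaviours in this section and the Kubernetes-themed beaconing described earlier, as an added example that is not part of the Trellix report. It runs over constructed sandbox API-trace lines and constructed proxy-log lines; the line formats, the long-sleep threshold and the list of known cluster API servers are assumptions, while the information-class values (SystemProcessInformation = 5, SystemKernelDebuggerInformation = 35) are the real SYSTEM_INFORMATION_CLASS constants and the two beacon hosts and URL path come from the article.

```python
# Added example (not from Trellix or the malware): score a sandbox API trace for the
# anti-analysis pattern described above, and flag Kubernetes-API-style paths sent to
# hosts that are not the organisation's own API servers.
import re
from typing import Dict, List, Set, Tuple

SYSTEM_PROCESS_INFORMATION = 5            # real SYSTEM_INFORMATION_CLASS values
SYSTEM_KERNEL_DEBUGGER_INFORMATION = 35
LONG_SLEEP_MS = 600_000                   # threshold is an assumption (10 minutes)

# Constructed sample trace in an assumed "<api>|<key>=<value>|..." format.
SANDBOX_TRACE = """NtQuerySystemInformation|class=35
NtQuerySystemInformation|class=5
NtCreateThreadEx|start=0x401000
NtDelayExecution|ms=1000000
NtQueueApcThread|thread=self
MessageBoxW|text=<placeholder for the corrupted-file message>""".splitlines()

# Constructed proxy log in an assumed "<ts> <src> <dst> <method> <path>" format.
PROXY_LOG = """2025-07-03T09:12:44Z 10.0.5.21 39.107.156.136:443 GET /api/v1/namespaces/kube-system/services
2025-07-03T09:12:50Z 10.0.5.21 182.92.239.24:443 GET /api/v1/namespaces/kube-system/services
2025-07-03T09:13:01Z 10.0.5.33 10.0.0.5:6443 GET /api/v1/namespaces/kube-system/services""".splitlines()

KNOWN_API_SERVERS = {"10.0.0.5:6443"}     # assumption: the org's real cluster endpoint


def parse_trace_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Split 'api|k=v|k=v' into the API name and an argument dict."""
    api, *kv = line.strip().split("|")
    args = dict(item.split("=", 1) for item in kv if "=" in item)
    return api, args


def score_trace(lines: List[str]) -> Set[str]:
    """Return the set of anti-analysis tags observed in an API trace."""
    tags: Set[str] = set()
    long_sleep_seen = False
    for line in lines:
        if not line.strip():
            continue
        api, args = parse_trace_line(line)
        if api == "NtQuerySystemInformation":
            cls = int(args.get("class", -1))
            if cls == SYSTEM_KERNEL_DEBUGGER_INFORMATION:
                tags.add("kernel-debugger-check")
            elif cls == SYSTEM_PROCESS_INFORMATION:
                tags.add("process-enumeration")
        elif api == "NtDelayExecution" and int(args.get("ms", 0)) >= LONG_SLEEP_MS:
            long_sleep_seen = True
        elif api == "NtQueueApcThread" and long_sleep_seen:
            tags.add("long-sleep-then-apc")   # sleep followed by self-queued APC
        elif api.startswith("MessageBox"):
            tags.add("user-interaction-gate")  # modal prompt stalls headless sandboxes
    return tags


PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<path>\S+)$")
K8S_PATH = re.compile(r"^/api/v1/namespaces/kube-system/")


def suspicious_k8s_beacons(lines: List[str], known_api_servers: Set[str]) -> List[str]:
    """Destinations receiving kube-system API paths that are not known cluster API servers."""
    hits: List[str] = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if m and K8S_PATH.match(m["path"]) and m["dst"] not in known_api_servers:
            hits.append(m["dst"])
    return hits


if __name__ == "__main__":
    print("host tags:", sorted(score_trace(SANDBOX_TRACE)))
    print("beacon hosts:", suspicious_k8s_beacons(PROXY_LOG, KNOWN_API_SERVERS))
```

The host-side tags are deliberately coarse; their value is in co-occurrence, since a debugger check, a process sweep, a ten-minute-plus sleep followed by a self-queued APC and a modal message box together in one short trace is the sequence this section describes. The network check works because a workstation has no business talking Kubernetes API to an external address, so the path pattern alone separates the beacon from legitimate cluster traffic once the real API servers are allow-listed.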