Here Is A Potential Sophisticated Malware Campaign Exploits C-ares Library Vulnerability To Deploy…
A sophisticated malware campaign has been uncovered that exploits a vulnerability in a legitimate binary linked to the open-source c-ares library. The campaign uses a technique known as DLL side-loading to bypass security controls and deploy a wide range of malware. According to threat intelligence reports, attackers pair a malicious libcares-2.dll file with a signed version of ahost.exe, a component typically distributed with GitKraken's Desktop application. Because the signed executable is trusted, the malware evades signature-based detection and executes its payloads under the guise of trusted software. The campaign has been observed distributing various commodity malware: information stealers such as CryptBot, Lumma Stealer, and Vidar Stealer; remote access trojans such as Remcos and Quasar; and other malicious tools including Agent Tesla and DCRat. Researchers have found that the attacks use lure files with names mimicking invoices, purchase orders, and other business-oriented PDFs, a social engineering tactic designed to entice recipients to open the malicious executables.
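The side-loading pattern described above leaves a telemetry footprint: the signed host process loads a companion DLL that is unsigned, or signed by someone other than the expected publisher, often from a user-writable folder where a lure download landed. The following detection helper is an added example, not code from the article or from any vendor report; it evaluates Sysmon Event ID 7 (Image Loaded) records for the ahost.exe / libcares-2.dll pairing. The expected signer name, the user-writable path hints, and every sample record are constructed assumptions for illustration.

```python
"""Detection helper: flag libcares-2.dll loads by ahost.exe that do not look like
the legitimate pairing. Consumes Sysmon Event ID 7 (Image Loaded) records as dicts.
Added example, not code from the article; sample paths, signer names and events
below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

HOST_EXE = "ahost.exe"             # signed binary named in the report
SIDELOADED_DLL = "libcares-2.dll"  # companion DLL the campaign replaces

# Assumption for this example: the publisher string Sysmon reports for the
# legitimate libcares-2.dll. Placeholder, not a real signer name.
EXPECTED_SIGNER = "EXAMPLE PUBLISHER"

# Heuristic (assumption, not from the report): a trusted tool binary launched
# from a user-writable drop location, where a lure download would land, is
# worth flagging on its own.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\downloads\\", "\\programdata\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    p = path.replace("/", "\\")
    return p.rsplit("\\", 1)[0].lower() if "\\" in p else ""


@dataclass
class Finding:
    image: str
    image_loaded: str
    reasons: List[str] = field(default_factory=list)


def check_image_load(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if this Event ID 7 record is ahost.exe loading a
    libcares-2.dll that fails the expected-signature or location checks."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if _basename(image) != HOST_EXE or _basename(loaded) != SIDELOADED_DLL:
        return None  # not the pairing this rule is about

    reasons: List[str] = []
    # Sysmon's Signed/SignatureStatus/Signature fields describe the *loaded*
    # image, so they tell us about the DLL, not about the host process.
    if event.get("Signed", "false").lower() != "true":
        reasons.append("companion DLL is unsigned")
    elif event.get("SignatureStatus", "") != "Valid":
        reasons.append(f"companion DLL signature status is {event.get('SignatureStatus')!r}")
    elif event.get("Signature", "") != EXPECTED_SIGNER:
        reasons.append(f"companion DLL signer {event.get('Signature')!r} is not {EXPECTED_SIGNER!r}")

    if any(hint in _dirname(image) for hint in USER_WRITABLE_HINTS):
        reasons.append("host EXE is running from a user-writable path")

    return Finding(image, loaded, reasons) if reasons else None


def scan(events: Iterable[Dict[str, str]]) -> List[Finding]:
    """Run the rule over a stream of Event ID 7 records and keep the hits."""
    return [f for f in map(check_image_load, events) if f is not None]


# Constructed sample records; the keys follow Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {   # legitimate: DLL signed by the expected publisher, beside the tool
        "Image": "C:\\Program Files\\ExampleTool\\ahost.exe",
        "ImageLoaded": "C:\\Program Files\\ExampleTool\\libcares-2.dll",
        "Signed": "true", "SignatureStatus": "Valid", "Signature": "EXAMPLE PUBLISHER",
    },
    {   # side-loading pattern: lure folder under Downloads, unsigned DLL
        "Image": "C:\\Users\\alice\\Downloads\\Invoice_0423\\ahost.exe",
        "ImageLoaded": "C:\\Users\\alice\\Downloads\\Invoice_0423\\libcares-2.dll",
        "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "",
    },
    {   # signed, but by someone other than the expected publisher
        "Image": "C:\\Program Files\\ExampleTool\\ahost.exe",
        "ImageLoaded": "C:\\Program Files\\ExampleTool\\libcares-2.dll",
        "Signed": "true", "SignatureStatus": "Valid", "Signature": "Some Other Signer",
    },
    {   # unrelated load; the rule ignores it
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.image} -> {hit.image_loaded}: {'; '.join(hit.reasons)}")
```

The rule keys on the DLL's signature rather than on file hashes, because the campaign's whole point is that the host binary is legitimately signed and the replaced DLL is what varies; a hash-based indicator would have to be refreshed for every new payload, while "signed ahost.exe loads an unsigned or foreign-signed libcares-2.dll" stays stable across them. In production the publisher string would come from the vendor's actual certificate, and the path heuristic should be tuned to your environment to keep false positives down.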
Targets of this campaign are predominantly in commercial and industrial sectors, including employees in finance, procurement, supply chain, and administration roles. The phishing lures have been observed in multiple languages, including Arabic, Spanish, Portuguese, Farsi, and English, suggesting a

