EXECUTIVE SUMMARY:
This report describes a supply chain campaign that leveraged DLL sideloading to distribute the STX Remote Access Trojan (RAT) through trojanized versions of widely used software applications. The operation abused the trust associated with legitimate software brands by packaging malicious DLL files alongside authentic, signed executables, so that the malware ran inside a trusted process without arousing user suspicion. Several popular applications, including system monitoring tools, VPN clients, cryptocurrency wallets, trading platforms, and file transfer utilities, were observed being weaponized in this campaign. Victims who downloaded and executed these modified installers unknowingly started the infection chain, giving the attackers unauthorized access to the compromised systems. The campaign demonstrates a supply chain compromise strategy in which the legitimate software keeps working normally while the malicious component executes in the background. By targeting applications commonly used by individuals, enterprises, and cryptocurrency users, the threat actors significantly increased their potential victim pool. The operation highlights the continued effectiveness of DLL sideloading as an attack technique, as it exploits the order in which Windows applications search for and load dynamic link libraries.
The attack chain begins when a victim executes a trojanized software package that bundles a legitimately signed application with a malicious DLL placed in the same directory. The package relies on DLL search order hijacking: when the executable imports a library by name, Windows checks the application's own directory before the system directories (unless the name is on the KnownDLLs list), so the attacker's copy is loaded in place of the genuine one. This malicious DLL acts as the initial loader and subsequently decrypts, injects, or executes the STX RAT payload, while leaving the application's legitimate functionality intact (commonly by proxying its exports to the genuine library). Once active, STX RAT establishes persistence and contacts command-and-control infrastructure to receive tasking from the threat actor. The malware can collect extensive system information, monitor user activity, capture credentials, and execute remote commands on infected hosts. It can also download and execute secondary payloads, allowing the attackers to expand their capabilities as operational requirements change. The malware further incorporates obfuscation and anti-analysis techniques intended to hinder detection by security tools and researchers. Because the malicious code runs inside a signed, legitimate process, controls that allow-list processes by publisher or path do not stop it, and its file and network activity is attributed to the trusted application, which makes detection and incident response significantly harder.
This campaign illustrates the growing threat posed by supply chain compromises and DLL sideloading attacks, particularly when combined with a versatile malware family such as STX RAT. The attackers exploited user trust in legitimate software products to achieve initial access, showing that even reputable applications become effective delivery mechanisms when their distribution channels are compromised or imitated. The campaign's broad targeting and use of widely recognized software increase the likelihood of successful infections across multiple sectors and geographic regions. Once deployed, STX RAT gives the attackers extensive control over victim systems, enabling surveillance, credential theft, data collection, and the delivery of additional malicious payloads. The abuse of legitimate executables and trusted software brands further complicates detection, since the malicious activity looks like normal application behavior. Organizations should verify installer integrity before execution (hash and Authenticode signature checks against the vendor's published values, and downloads only from the vendor's own channel), monitor for abnormal DLL loading behavior (for example, a signed process loading an unsigned DLL, or a DLL whose name matches a System32 library, from its own directory, as recorded by Sysmon Event ID 7), and enforce application control policies that cover DLLs as well as executables (WDAC or AppLocker DLL rules) so that an unsigned library cannot load even inside a trusted process. The campaign serves as a reminder that supply chain attacks remain a highly effective tactic for cybercriminals seeking scalable and stealthy methods of malware distribution and long-term system compromise.
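As an added illustration (not code from the report or from either referenced vendor), the following Python applies the detection rule above to Sysmon Event ID 7 (Image loaded) records: it flags a DLL loaded from the loading process's own directory when the DLL is unsigned or its name shadows a System32 library. The field names are Sysmon's own; the list of system DLL names, the paths and the sample records are constructed assumptions, and in practice the records would be fed from Get-WinEvent or a SIEM rather than hard-coded.

```python
"""Flag DLL sideloading candidates in Sysmon Event ID 7 (Image loaded) records.

Added illustration; not code from the report or either referenced vendor.
The sample events at the bottom are constructed, with made-up paths.
"""
import ntpath  # Windows path handling that also works on a non-Windows host

# Illustrative subset (assumption) of DLL names that live in System32 and are
# frequently shadowed by a malicious copy dropped in the application directory.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wininet.dll", "cryptsp.dll", "profapi.dll",
    "userenv.dll", "msimg32.dll", "dwmapi.dll", "winmm.dll", "uxtheme.dll",
}

# Loads from these directories are the OS's own copies, never sideloads.
OS_DIR_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                   "c:\\windows\\winsxs\\")


def sideload_reasons(event):
    """Return why an EID 7 record looks like sideloading ([] if benign).

    `event` uses Sysmon's field names: Image (the loading process),
    ImageLoaded (the DLL), Signed, Signature and SignatureStatus.
    """
    exe = event["Image"]
    dll = event["ImageLoaded"]
    if dll.lower().startswith(OS_DIR_PREFIXES):
        return []
    # Search order hijacking only works when the DLL sits in the application's
    # own directory, which Windows searches before System32 (for non-KnownDLLs).
    if ntpath.dirname(exe).lower() != ntpath.dirname(dll).lower():
        return []
    reasons = []
    if ntpath.basename(dll).lower() in SYSTEM_DLL_NAMES:
        reasons.append("shadows a System32 DLL name")
    signed = str(event.get("Signed", "false")).lower() == "true"
    if not signed or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    return reasons


def detect(events):
    """Return [(dll_path, reasons)] for every flagged record, in input order."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev["ImageLoaded"], reasons))
    return hits


# Constructed sample records (not from the report).
SAMPLE_EVENTS = [
    {  # normal: the OS copy of version.dll is loaded
        "Image": r"C:\Program Files\Vendor\monitor.exe",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true", "Signature": "Microsoft Windows",
        "SignatureStatus": "Valid",
    },
    {  # sideload: unsigned version.dll beside the (signed) vendor EXE
        "Image": r"C:\Users\victim\Downloads\Setup\monitor.exe",
        "ImageLoaded": r"C:\Users\victim\Downloads\Setup\version.dll",
        "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable",
    },
    {  # benign app-local library, validly signed
        "Image": r"C:\Users\victim\Downloads\Setup\monitor.exe",
        "ImageLoaded": r"C:\Users\victim\Downloads\Setup\libui.dll",
        "Signed": "true", "Signature": "Example Vendor Ltd",
        "SignatureStatus": "Valid",
    },
    {  # lower confidence: unsigned app-local DLL with a non-system name
        "Image": r"C:\Users\victim\Downloads\Setup\monitor.exe",
        "ImageLoaded": r"C:\Users\victim\Downloads\Setup\helper.dll",
        "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for dll_path, why in detect(SAMPLE_EVENTS):
        print(f"{dll_path}: {'; '.join(why)}")
```

The two reasons carry different weight: a name collision with a System32 library in an application directory is a strong indicator on its own, whereas an unsigned app-local DLL is common in legitimate software and is best treated as a triage lead, ideally combined with the process being newly downloaded (Zone.Identifier present) and making outbound connections.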
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
| --- | --- | --- | --- |
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Defense Evasion | T1574.002 | Hijack Execution Flow | DLL Side-Loading |
| Defense Evasion | T1036 | Masquerading | - |
| Credential Access | T1555 | Credentials from Password Stores | - |
| Collection | T1056.001 | Input Capture | Keylogging |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/x-vpn-dll-sideloading-stx-rat-campaign/
https://www.cyderes.com/howler-cell/cpuid-hwmonitor-xvpn-dll-sideloading-stx-rat