Operation SalmonSlalom
Essential information
- Published: 26/02/2025 09:26
- Modified: 26/02/2025 10:02
- Tags: 2025-02-26 dll sideloading fatalrat gh0st rat moudoor mydoor simayrat zegost
- Related entities: 160 observables, 23 techniques (mitre), 6 malware, 15 others
Description
A sophisticated cyberattack targeting industrial organizations in the Asia-Pacific region has been uncovered. The attackers used legitimate Chinese cloud services and a multi-stage payload delivery framework to evade detection. The campaign, named SalmonSlalom, employed techniques such as hosting payloads on a native file-hosting CDN, using public packers for encryption, dynamically changing C2 addresses, and DLL sideloading. The attack shares similarities with previous campaigns that used open-source RATs such as Gh0st RAT and FatalRAT, but shows a shift in tactics tailored to Chinese-speaking targets. The malware installation process is complex, involving multiple stages and the use of legitimate applications to disguise malicious activity.