SLOW#TEMPEST Cobalt Strike Loader
Essential information
- Published
- 07/08/2025 10:34
- Modified
- 07/08/2025 11:08
- Tags
- 2025-08-07 anti-analysis beacon chinese-targets cobalt strike dll sideloading entry-point-patching iso-image
- Related entities
- 9 observables, 1 intrusion set (APT), 1 technique (MITRE), 1 malware, 3 others
Description
An ISO image containing a malicious Cobalt Strike loader was discovered, targeting Chinese-speaking users. The infection chain involves a deceptive LNK file, which executes a legitimate Alibaba executable to sideload a malicious DLL. The loader implements anti-analysis techniques, decrypts an embedded payload, and injects a Cobalt Strike beacon. The beacon is configured to mimic Bilibili traffic and communicates with a specific C2 server. The loader also patches the entry point of the loading executable with an infinite loop. This activity shares similarities with previously reported SLOW#TEMPEST campaigns, including targeting, folder structures, and the use of DLL sideloading for Cobalt Strike beacons.
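A defender-side triage check for the entry-point patch described above, added here as an example (not code from the report or this page): it parses a PE image, resolves AddressOfEntryPoint through the section table, and flags a jump-to-self at that address. The jump opcodes are an assumption (the description says only "infinite loop"), and build_pe constructs a minimal synthetic PE as test input.

```python
import struct

# Opcode patterns for a jump-to-self at the entry point. Assumption: the report
# says only "infinite loop"; these are the two usual x86/x64 encodings of JMP $.
SELF_JUMP_PATTERNS = (b"\xEB\xFE", b"\xE9\xFB\xFF\xFF\xFF")


def entry_point_bytes(image, n=5, mapped=False):
    """Return (entry RVA, first n bytes at the entry point) of a PE32/PE32+ image."""
    # mapped=False: on-disk file, RVA mapped through the section table.
    # mapped=True: memory dump laid out at its virtual addresses (post-infection check).
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                        # optional header start
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint
    if mapped:
        return entry_rva, bytes(image[entry_rva:entry_rva + n])
    for i in range(num_sections):                              # walk the section table
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", image, hdr + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            off = rptr + (entry_rva - vaddr)                   # RVA -> file offset
            return entry_rva, bytes(image[off:off + n])
    raise ValueError("entry point RVA 0x%x lies outside every section" % entry_rva)


def entry_point_is_self_jump(image, mapped=False):
    """True if the entry point has been overwritten with a jump-to-self."""
    _, code = entry_point_bytes(image, mapped=mapped)
    return any(code.startswith(p) for p in SELF_JUMP_PATTERNS)


def build_pe(entry_code):
    """Constructed test input: minimal PE32+ with one .text section at RVA 0x1000."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                      # AddressOfEntryPoint
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + entry_code.ljust(0x200, b"\0")


if __name__ == "__main__":
    for code in (b"\xEB\xFE", b"\x48\x83\xEC\x28"):
        print(code.hex(), "->", entry_point_is_self_jump(build_pe(code)))
```

Running the same check against a memory dump of the sideloading host process (mapped=True) is what catches the in-memory patch the description reports.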