Targeting Taiwan & Japan with DLL Implants
Essential information
- Published: 12/05/2025 18:34
- Modified: 13/05/2025 08:28
- Tags: 2025-05-12, apt, cobalt strike, dll implants, dll sideloading, google drive, isurus, japan, multi-stage attack, pterois, taiwan
- Related entities: 16 observables, 1 intrusion set (apt), 7 techniques (mitre), 3 malware, 4 others
Description
A newly discovered APT campaign, dubbed Swan Vector, is targeting educational institutions and the mechanical engineering industry in Taiwan and Japan. The attack uses a sophisticated multi-stage infection chain built from malicious LNK files, DLL implants (Pterois and Isurus), and Cobalt Strike payloads. The threat actor employs several evasion techniques, including API hashing, direct syscalls, DLL sideloading, and self-deletion. Google Drive is abused as the command-and-control server. Attribution remains uncertain, but overlaps with techniques used by Winnti, Lazarus, and APT10 have been observed. The campaign has been active since December 2024 and is expected to continue with new implants targeting additional applications.