Hong Kong’s financial sector is contending with a fresh surge of SquidLoader samples that glide past conventional defenses with almost no antivirus flags. First spotted in early July 2025, the loader arrives through carefully worded spear-phishing emails written in Simplified Chinese and bearing password-protected RAR attachments masquerading as legitimate bond-registration paperwork. Once the user extracts the archive and double-clicks what appears to be a Microsoft Word icon, execution pivots to a malicious PE file designed to resemble AMD’s AMDRSServ.exe, silently laying the groundwork for compromise. For victims, the result is covert remote access that blends seamlessly with normal HTTPS traffic while security teams remain blind to the breach.

Inside that counterfeit executable, control is secretly hijacked in the CRT epilogue long before WinMain() is reached, allowing SquidLoader to unpack itself and light up its multi-stage infection chain. Trellix analysts noted that this first stage simply iterates through 78,469 packed bytes, applying an XOR 0xF4 operation and adding 19 to each value to reveal the loader’s true code.

With the payload decrypted, Stage 2 walks the Process Environment Block to locate ntdll.dll and kernel32.dll, dynamically resolves scores of APIs, and stores their addresses—plus thread, PEB, and TEB metadata—in a custom stack structure whose pointer is hidden inside unused PEB memory. A particularly thorny thread/APC trick spins up a worker thread that sleeps for 1,000,000 ms, queues an APC to itself, and waits; emulators that accelerate Sleep() or mishandle APC delivery return unexpected NTSTATUS values, causing the malware to exit before analysts can attach.

Early in Stage 3, SquidLoader invokes NtQuerySystemInformation with the undocumented SystemKernelDebuggerInformation selector; any non-zero return code signals a kernel debugger and triggers self-destruct. It then enumerates running processes via SystemProcessInformation, blacklisting a laundry list of debuggers—from Olldbg.exe to x64dbg.exe—along with common AV agents such as MsMpEng.exe and kav.exe; detection of any target again prompts immediate termination. Finally, a Mandarin-language message box—“The file is corrupted and cannot be opened”—demands user interaction, a simple yet effective way to bypass automated sandboxes that lack GUI control. Together, these layers ensure that by the time incident responders realize a beacon is calling home, SquidLoader has already slipped beneath the sonar and out to sea.
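The stage-1 transform quoted from Trellix above (XOR each packed byte with 0xF4, then add 19) is simple enough for an analyst to reverse statically instead of letting the sample run. The script below is an added example written for this page, not code from Trellix or from the article; it assumes the article's phrasing means XOR first and add second, and because that order is not stated unambiguously it also tries the opposite order and keeps whichever candidate yields a blob with a valid MZ/PE header. The 78,469-byte size comes from the article; the offset at which the packed blob sits in the dropper, and the fixture built by build_fake_pe(), are constructed here and are not values taken from a real sample.

```python
"""Static unpacker for the stage-1 byte transform described above.

Added example for this page (not the article's or Trellix's code). The
XOR key, additive constant and blob size come from the text; the order
of the two operations is an assumption, so both orders are tried and
validated against a PE-header sanity check.
"""
from typing import Callable, Dict, Optional

XOR_KEY = 0xF4        # per the Trellix description quoted in the article
ADD_CONST = 19        # per the same description
PACKED_SIZE = 78_469  # stage-1 blob size reported in the article


def xor_then_add(b: int) -> int:
    """Assumed reading of the article: XOR first, then add, modulo 256."""
    return ((b ^ XOR_KEY) + ADD_CONST) & 0xFF


def add_then_xor(b: int) -> int:
    """Alternative reading, tried in case the operations are the other way round."""
    return ((b + ADD_CONST) & 0xFF) ^ XOR_KEY


CANDIDATE_ORDERS: Dict[str, Callable[[int], int]] = {
    "xor_then_add": xor_then_add,
    "add_then_xor": add_then_xor,
}


def decode(packed: bytes, order: str = "xor_then_add") -> bytes:
    """Apply the chosen per-byte transform to the whole packed blob."""
    step = CANDIDATE_ORDERS[order]
    return bytes(step(b) for b in packed)


def encode(plain: bytes) -> bytes:
    """Exact inverse of xor_then_add; used only to build a constructed fixture."""
    return bytes(((b - ADD_CONST) & 0xFF) ^ XOR_KEY for b in plain)


def has_pe_header(blob: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' magic and e_lfanew pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detect_order(packed: bytes) -> Optional[str]:
    """Return the first operation order whose output looks like a PE, else None."""
    for name in CANDIDATE_ORDERS:
        if has_pe_header(decode(packed, name)):
            return name
    return None


def unpack_from_file(path: str, offset: int, size: int = PACKED_SIZE) -> Optional[bytes]:
    """Carve `size` bytes at `offset` (a hypothetical, analyst-supplied value),
    decode them, and return the result only if it passes the PE check."""
    with open(path, "rb") as fh:
        fh.seek(offset)
        packed = fh.read(size)
    order = detect_order(packed)
    return decode(packed, order) if order else None


def build_fake_pe() -> bytes:
    """Constructed fixture: a 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' tag."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"\x90" * 16


if __name__ == "__main__":
    plain = build_fake_pe()
    packed = encode(plain)               # constructed stand-in for the 78,469-byte blob
    print("packed starts with MZ:", has_pe_header(packed))
    print("detected order:", detect_order(packed))
    print("round trip ok:", decode(packed, "xor_then_add") == plain)
```

On a real dropper the analyst would locate the packed region (for instance by looking for a 78,469-byte high-entropy span referenced from the CRT-epilogue hijack) and pass its offset to unpack_from_file(); the PE-header check keeps a wrong offset or a wrong operation order from silently producing garbage.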
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 16 Jul 2025 15:05:17 +0000