DLL Sideloading - SparTech Software

DLL sideloading is a technique used in Windows environments where attackers exploit the way the operating system searches for and loads Dynamic Link Libraries (DLLs), which are files containing code and data used by multiple applications.

When an application needs to load a DLL, Windows follows a specific search order to locate the required file. This order typically starts with the directory from which the application was loaded, then checks system directories, the Windows directory, and finally directories listed in the PATH environment variable. If the application does not specify the full path to the DLL it needs, or if the manifest file (which describes dependencies and configuration) is not explicit enough, Windows may load a malicious DLL placed in a directory that is checked before the legitimate one.

Attackers take advantage of this behavior by placing a malicious DLL with the same name as a legitimate one in a location where it will be found and loaded first, such as the application’s own directory. When the application is launched, it inadvertently loads the malicious DLL instead of the intended one, allowing the attacker to execute arbitrary code—often with the privileges of the trusted application. This technique is commonly used for persistence, privilege escalation, and evading detection by security solutions, as malicious activity appears to originate from a legitimate, signed process.

DLL sideloading is closely related to DLL hijacking, but in sideloading, the attacker typically distributes both a legitimate application and the malicious DLL together, whereas in hijacking, the attacker may target libraries already present on the victim’s system. Both techniques are widely used by advanced threat actors and malware operators to bypass security controls and maintain access to compromised systems.

Glossary: ValleyRAT
ValleyRAT is a sophisticated remote access trojan (RAT) first identified in early 2023, attributed to China-based threat actors, notably the Silver Fox APT group. It is designed to infiltrate, monitor, and control compromised systems, enabling attackers to execute a wide range of malicious activities, including deploying additional plugins, exfiltrating data, and maintaining persistent access.
Mustang Panda is targeting the Tibetan community with PUBLOAD and Pubshell malware campaigns and may be migrating to US targets.
Mustang Panda (also tracked as Hive0154, Earth Preta, or Camaro Dragon), a China-aligned advanced persistent threat (APT) group, has deployed PUBLOAD and Pubshell malware in a targeted cyber espionage campaign against the Tibetan community. This operation leverages Tibet-themed lures to deliver multi-stage malware for persistent access and data exfiltration.
Glossary: Mustang Panda
Mustang Panda is a China-based cyber espionage group, active since at least 2012, though some sources suggest operations may date back even earlier. The group is also known by aliases such as Bronze President, RedDelta, Earth Preta, and Camaro Dragon. Mustang Panda targets a wide range of organizations, including governments, non-governmental organizations (NGOs), think tanks, and religious groups, primarily in the U.S., Europe, and across Asia—with particular focus on regions of strategic interest to China, such as Taiwan, Hong Kong, Mongolia, Myanmar, and Tibet.
Storm-2603 Exploits SharePoint Flaws to Deliver Dual Ransomware via DNS-Controlled Backdoor
A sophisticated and likely China-based threat actor, tracked as Storm-2603, has emerged at the forefront of recent cyberattacks exploiting critical Microsoft SharePoint Server vulnerabilities. Leveraging flaws identified as CVE-2025-49706 and CVE-2025-49704 (collectively known as the ToolShell exploits), Storm-2603 has orchestrated a wave of attacks deploying both Warlock (a.k.a. X2anylock) and LockBit Black ransomware.
Charon Ransomware: APT-Level Sophistication Meets Enterprise Targeting
Charon is a newly discovered ransomware family that represents a concerning evolution in cyber threats, combining advanced persistent threat (APT) techniques with destructive ransomware operations. This sophisticated ransomware has been observed in targeted attacks against enterprises, particularly in the Middle East's public sector and aviation industry.

United States	~59% of ransomware attacks globally Thousands per year
Poland	1,000+ per week
Russia	Highest cybercrime threat level
China	Thousands per year
India	115% surge in attacks Q2 2024
Ukraine	Significant surge since 2022
Brazil	Among top countries for blocked attacks
Mexico	65% of businesses hit in 2024
Germany	High targeted rate (EU)
France	High targeted rate (EU)

AS Name	ASN
Bharat Sanchar Nigam Ltd	9829
No.31,Jin-rong Street	4134
CHINA UNICOM China169 Backbone	4837
DigitalOcean, LLC	14061
HUAWEI INTERNATIONAL PTE. LTD.	136907
Amazon.com, Inc.	14618
Alibaba (US) Technology Co., Ltd.	45102
Google LLC	396982
Amazon.com, Inc.	16509
3xK Tech GmbH	200373

IP Address	Notable Exploits/Context
104.238.159.149	SharePoint zero-day, broad exploitation
107.191.58.76	SharePoint zero-day, government targets
96.9.125.147	SharePoint, previously Ivanti exploits
139.162.47.194	Exploits on CitrixBleed 2
38.180.148.215	CitrixBleed 2 campaigns
185.224.128.17	High activity, Netherlands
89.248.163.200	High activity, Netherlands
15.235.218.150	Associated with APT, active C2
45.9.148.114	Associated with C2, malicious netflow
91.107.150.184	C2 infrastructure, recent IoC

Related