
Hackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malware

Published:

14 January 2026 at 14:18:00

Alert date:

14 January 2026 at 15:01:03

Source:

thehackernews.com


Supply Chain & Dependencies, Ransomware & Malware

Security researchers have identified an active malware campaign that abuses DLL side-loading against ahost.exe, the c-ares address-lookup utility shipped with GitKraken Desktop. Attackers bundle a malicious libcares-2.dll with the legitimately signed ahost.exe so that a trusted, signed process loads the attacker's code. The campaign is being used to deploy commodity trojans and stealers, and it evades detection because initial execution is attributed to a legitimate, signed binary rather than to an unknown executable.

Technical details

The attackers pair a malicious libcares-2.dll with the legitimate, signed ahost.exe binary taken from GitKraken Desktop. ahost.exe loads libcares-2.dll by name, and the Windows loader consults the application's own directory before the system directories, so when both files are dropped into the same folder the rogue DLL is resolved and executed in place of the legitimate one. No code defect in c-ares is required; the weakness is the binary's reliance on the default DLL search order, which is why the technique is classed as search-order hijacking. The campaign is delivered through social engineering with invoice- and RFQ-themed lures in several languages, packaged as executables named to pass for PDF documents. Separately, a second campaign uses the Browser-in-the-Browser technique, rendering a fake Facebook login screen inside an iframe element, to harvest credentials.

Mitigation steps:

Monitor image-load telemetry for ahost.exe loading libcares-2.dll, in particular from user-writable locations such as Downloads or Temp rather than from the GitKraken installation directory.
Implement controls that flag unsigned or otherwise unexpected DLL files in application directories, and compare any libcares-2.dll found beside ahost.exe with the copy shipped by GitKraken.
Treat email attachments with invoice or RFQ themes with caution, especially executables whose names end in "pdf.exe" so that they display as PDF documents when known extensions are hidden.
Verify Facebook login prompts by checking the browser's real address bar rather than a window drawn inside the page, and check URLs carefully.
Implement application allow-listing and endpoint detection rules for DLL side-loading techniques.
Train users to recognise social engineering built on fake legal notices and copyright violation claims.
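The following is an added example written for this page; it is not code from the article, the c-ares project or GitKraken. It models the two points above in runnable form: a simulation of the Windows DLL search order that shows why a libcares-2.dll dropped beside ahost.exe wins over a system copy, and a detection pass over constructed Sysmon Event ID 7 (ImageLoaded) records that flags ahost.exe loading an unsigned libcares-2.dll, a DLL whose hash matches the advisory's SHA-256, or a DLL loaded from a user drop directory. The Sysmon field names (Image, ImageLoaded, Signed, Hashes) are real; the paths, the GitKraken install location, the "drop directory" list and the assignment of the IOC hash to the sample DLL are assumptions made for the example.

```python
"""Detection helpers for the ahost.exe / libcares-2.dll side-loading pattern.

Added example, not code from the article, c-ares or GitKraken.  The event
records are constructed to resemble Sysmon Event ID 7 (ImageLoaded); the
field names follow Sysmon's schema, all paths and flags are invented.
"""
import ntpath
import re
from dataclasses import dataclass

HOST_BINARY = "ahost.exe"
SIDELOADED_DLL = "libcares-2.dll"

# SHA-256 from the advisory's IOC list.  The advisory does not say which
# file it belongs to, so it is checked against any loaded image's hash.
IOC_SHA256 = {"a52e245dd7937094711b10c479274a2cccea2dfb89f7d4c9f22879214718f92b"}

# Assumption: a user-launched lure unpacks the pair into a location like
# these, not into the GitKraken install directory.
USER_DROP_DIRS = ("\\downloads\\", "\\desktop\\", "\\temp\\")


def resolve_dll(exe_path, dll_name, present_files, windows=r"C:\Windows"):
    """Simulate the first entries of the Windows default DLL search order.

    The application directory is searched before System32, so a DLL of the
    right name dropped beside the executable shadows any system copy.
    `present_files` stands in for the file system.
    """
    app_dir = ntpath.dirname(exe_path)
    candidates = [
        ntpath.join(app_dir, dll_name),
        ntpath.join(windows, "System32", dll_name),
        ntpath.join(windows, "System", dll_name),
        ntpath.join(windows, dll_name),
    ]
    present = {p.lower() for p in present_files}
    for path in candidates:
        if path.lower() in present:
            return path
    return None


@dataclass
class ImageLoadEvent:
    image: str          # Sysmon "Image": the process executable
    image_loaded: str   # Sysmon "ImageLoaded": the DLL that was mapped
    signed: bool        # Sysmon "Signed"
    sha256: str = ""    # SHA256 component of Sysmon "Hashes"


def classify(event):
    """Return the reasons an ImageLoaded event matches the campaign ([] if none)."""
    if ntpath.basename(event.image).lower() != HOST_BINARY:
        return []
    if ntpath.basename(event.image_loaded).lower() != SIDELOADED_DLL:
        return []
    reasons = []
    if not event.signed:
        reasons.append("unsigned libcares-2.dll loaded by ahost.exe")
    if event.sha256.lower() in IOC_SHA256:
        reasons.append("loaded image hash matches advisory IOC")
    dll_dir = ntpath.dirname(event.image_loaded).lower() + "\\"
    if any(marker in dll_dir for marker in USER_DROP_DIRS):
        reasons.append("DLL loaded from a user drop directory")
    return reasons


def scan(events):
    """Return [(process path, reasons)] for every flagged event."""
    return [(ev.image, classify(ev)) for ev in events if classify(ev)]


# Lure names in the advisory end in "<separator>pdf.exe": a double extension
# that displays as "... pdf" when Explorer hides known extensions.
_DISGUISED_PDF = re.compile(r"[ ._-]pdf\.exe$", re.IGNORECASE)


def looks_like_disguised_pdf(filename):
    return bool(_DISGUISED_PDF.search(filename))


# Constructed sample events: a legitimate load from an assumed GitKraken
# install path, the side-loaded pair unpacked into %TEMP% by a lure (given
# the IOC hash only to exercise the hash check), and an unrelated process.
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Users\alice\AppData\Local\gitkraken\app-11.0.0\ahost.exe",
                   r"C:\Users\alice\AppData\Local\gitkraken\app-11.0.0\libcares-2.dll",
                   signed=True, sha256="0" * 64),
    ImageLoadEvent(r"C:\Users\alice\AppData\Local\Temp\7zO1\ahost.exe",
                   r"C:\Users\alice\AppData\Local\Temp\7zO1\libcares-2.dll",
                   signed=False,
                   sha256="a52e245dd7937094711b10c479274a2cccea2dfb89f7d4c9f22879214718f92b"),
    ImageLoadEvent(r"C:\Program Files\Other\tool.exe",
                   r"C:\Program Files\Other\libcares-2.dll", signed=False),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

In production the events would come from a SIEM query on Sysmon Event ID 7 rather than a list, and the drop-directory heuristic should be tuned to the installation paths actually used in the estate; the unsigned-DLL and IOC-hash checks are the ones that carry over unchanged.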

Affected products:

c-ares library
GitKraken Desktop (ahost.exe binary)
libcares-2.dll

IOCs:

SHA-256: a52e245dd7937094711b10c479274a2cccea2dfb89f7d4c9f22879214718f92b
Lure file names: RFQ_NO_04958_LG2049 pdf.exe, PO-069709-MQ02959-Order-S103509.exe, 23RDJANUARY OVERDUE.INV.PDF.exe, sales contract po-00423-025_pdf.exe, Fatura da DHL.exe
Side-loading pair: ahost.exe, libcares-2.dll

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
