Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

DLL sideloading in trusted software downloads: what teams missed


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: A trojanized HWMonitor archive distributed through a compromised download workflow used DLL sideloading, reflective in-memory loading, anti-debugging, and hidden desktop screen capture to deliver STX RAT, according to Gurucul. The case shows how trusted software distribution still creates high-value initial access and stealth opportunities when identity, endpoint, and memory controls are not aligned.

NHIMG editorial — based on content published by Gurucul: Threat research on HWMonitor trojanised to deliver STX RAT via DLL sideloading

By the numbers:

Questions worth separating out

Q: What breaks when DLL sideloading is possible in trusted software downloads?

A: DLL sideloading breaks the assumption that a trusted executable only runs trusted code.

Q: Why do trusted installers increase the risk of session theft and remote monitoring?

A: Trusted installers matter because they often run with the user’s normal access, which gives malware the same visibility into browser sessions, desktop content, and operator workflows.

Q: How do security teams know if reflective loading is happening in memory?

A: The best signals are combinations, not single events.

Practitioner guidance

  • Harden application load paths Block unexpected DLLs in the same directory as trusted executables and alert on library loads from user-writable or downloaded locations.
  • Correlate memory-only execution signals Detect RWX memory allocation, reflective loading, and unusual import resolution together, because any one signal in isolation is easy to miss.
  • Watch for hidden desktop abuse Flag non-interactive processes that request WinSta0 access, enumerate visible windows, or invoke screen capture functions such as BitBlt.

What's in the full article

Gurucul's full post covers the operational detail this post intentionally leaves for the source:

  • The exact DLL sideloading chain and the file layout that let the malicious library load before the legitimate system DLL.
  • The reflective loader stages and memory artefacts that analysts can use to reconstruct the in-memory payload chain.
  • The API hashing, anti-debugging, and XOR-obfuscation methods used to slow static analysis and endpoint inspection.
  • The IoCs, hashes, and callback details needed for practical threat hunting and containment.

👉 Read Gurucul's analysis of the HWMonitor trojanisation and STX RAT chain →

DLL sideloading in trusted software downloads: what teams missed?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

Trusted software execution is now part of identity governance. This campaign worked because a legitimate binary became the carrier for attacker-controlled execution, which means the control boundary is no longer only download provenance or endpoint reputation. Identity teams need to treat trusted application launch paths as governance surfaces because they determine what code can run under a user, admin, or service context. The practitioner conclusion is that software trust and execution trust must be reviewed together.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when a trojanized download is used to steal active sessions?

A: Accountability usually spans software distribution, endpoint engineering, and identity operations. The team that owns download integrity must validate the package path, the endpoint team must detect malicious process behaviour, and the identity team must understand which sessions and privileged workflows were exposed. The right framework is shared responsibility around trusted execution, not a single control owner.

👉 Read our full editorial: Trojanized HWMonitor shows how DLL sideloading delivers STX RAT



   
ReplyQuote
Share: