SquidLoader – A Stealthy Malware That Evades Detection with Advanced Techniques

A sophisticated new malware strain called SquidLoader is actively targeting financial services institutions across Hong Kong, Singapore, and Australia, achieving near-zero detection rates through advanced evasion techniques.

Security researchers have identified this threat as particularly dangerous due to its ability to bypass traditional security measures and deploy Cobalt Strike beacons for persistent remote access.

Multi-Stage Attack Chain Targets Financial Sector

The SquidLoader campaign begins with carefully crafted spear-phishing emails written in simplified Chinese, impersonating representatives from financial institutions.

The SquidLoader attack chain.

These emails contain password-protected RAR archives disguised as bond registration forms, with the password “20250331” provided in the email body to encourage user interaction.

Once extracted, the payload appears to be a legitimate Microsoft Word document but is in fact a PE binary masquerading as AMD’s Radeon Settings Service (AMDRSServ.exe).

Upon execution, SquidLoader copies itself to c:\users\public\setup_xitgutx.exe and establishes communication with command and control servers using Kubernetes-related URL paths to blend with legitimate network traffic.

The malware communicates with multiple C2 servers, including 39.107.156.136 and 182.92.239.24, transmitting extensive system information, such as IP addresses, usernames, Windows versions, and privilege levels, before downloading and executing Cobalt Strike beacons.

Advanced Evasion Techniques Challenge Detection Systems

SquidLoader employs a comprehensive array of anti-analysis mechanisms, making it exceptionally difficult to detect.

The malware performs extensive environment checks, scanning for sandbox usernames such as “Abby” and “WALKER,” and monitoring for analysis tools, including OllyDbg, x64dbg, IDA Pro, and various antivirus solutions.

One particularly sophisticated technique involves creating a sleeping thread for approximately 16 minutes while queuing an Asynchronous Procedure Call (APC) to bypass emulation systems.

The malware also uses undocumented Windows API calls such as NtQuerySystemInformation with information class 0x23 to detect kernel debuggers and NtQueryInformationProcess with information class 0x1e to identify debugging environments.

All API names and strings are dynamically resolved and immediately overwritten in memory, making static analysis virtually impossible.

The malware further complicates analysis through control flow obfuscation. It displays a deceptive error message in Mandarin stating “The file is corrupted and cannot be opened” to bypass automated sandbox systems.

Global Implications and Detection Challenges

Security researchers have identified multiple SquidLoader variants targeting different regions, with samples showing detection rates as low as 0/70 on VirusTotal.

The malware’s ability to hijack early execution stages and its sophisticated anti-analysis capabilities represent a significant evolution in malware design, posing substantial challenges for traditional security solutions protecting financial institutions across the Asia-Pacific region.

Priya
