Malware Campaign Exploits c-ares DLL Side-Loading for Evasion
Summary
A malware campaign is actively exploiting a DLL side-loading vulnerability in the c-ares library to bypass security controls and deploy various commodity trojans and stealers. The attackers pair a malicious libcares-2.dll with a signed version of the legitimate ahost.exe binary, often renaming it to evade detection. The campaign targets employees in finance, procurement, supply chain, and administration roles across commercial and industrial sectors, using lures in multiple languages. The attack leverages search order hijacking to execute the rogue DLL instead of the legitimate one, granting the threat actors code execution capabilities. The malicious artifact is distributed under various names, including invoice and request for quote (RFQ) themes to trick users into opening it.
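A defender-side hunt for the pairing described above, written here as an added example and not taken from the article: it walks a directory tree (the default $ScanRoot path is an assumption), finds executables whose version resource still names them ahost.exe even after renaming, and reports any libcares-2.dll sitting beside them together with both files' Authenticode status and the DLL's SHA-256 for triage.

```powershell
# Added example (not from the article): hunt for a renamed/signed ahost.exe
# sitting next to a libcares-2.dll, the DLL search order hijacking pattern
# described in the summary. $ScanRoot is an assumed starting directory.
param(
    [string]$ScanRoot = "$env:USERPROFILE\Downloads"
)

$findings = foreach ($exe in Get-ChildItem -Path $ScanRoot -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue) {
    # A renamed copy of the loader keeps its original name in the version resource.
    $orig = $exe.VersionInfo.OriginalFilename
    if (-not $orig -or $orig -ne 'ahost.exe') { continue }

    # The hijack only works if the rogue DLL is found before the real one,
    # so look for it in the same directory as the executable.
    $dll = Join-Path $exe.DirectoryName 'libcares-2.dll'
    if (-not (Test-Path -LiteralPath $dll)) { continue }

    $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
    $dllSig = Get-AuthenticodeSignature -FilePath $dll
    $exeSigner = if ($exeSig.SignerCertificate) { $exeSig.SignerCertificate.Subject } else { '<unsigned>' }
    $dllSigner = if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { '<unsigned>' }

    [pscustomobject]@{
        Executable    = $exe.FullName
        Renamed       = ($exe.Name -ne $orig)
        ExeSignature  = $exeSig.Status
        ExeSigner     = $exeSigner
        SideloadedDll = $dll
        DllSignature  = $dllSig.Status
        DllSigner     = $dllSigner
        DllSha256     = (Get-FileHash -Algorithm SHA256 -LiteralPath $dll).Hash
        # A validly signed loader beside an unsigned or differently signed DLL
        # is the combination worth pulling for analysis.
        ReviewNeeded  = ($exeSig.Status -eq 'Valid' -and
                         ($dllSig.Status -ne 'Valid' -or $dllSigner -ne $exeSigner))
    }
}

$findings | Format-Table -AutoSize
```

The DLL hash can be compared against a known-good build of c-ares before any file is treated as malicious; the script only surfaces candidates, it does not quarantine anything.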
Timeline
- 14.01.2026 16:18 (1 article): Malware Campaign Exploits c-ares DLL Side-Loading for Evasion
- Hackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malware — thehackernews.com — 14.01.2026 16:18
Information Snippets
- Attackers use a malicious libcares-2.dll paired with a signed ahost.exe binary to execute their code.
  First reported: 14.01.2026 16:18 (1 source, 1 article)
- The campaign distributes malware such as Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm.
  First reported: 14.01.2026 16:18 (1 source, 1 article)
- Targets include employees in finance, procurement, supply chain, and administration roles within commercial and industrial sectors.
  First reported: 14.01.2026 16:18 (1 source, 1 article)
- The malicious artifact is distributed under various names, including invoice and RFQ themes.
  First reported: 14.01.2026 16:18 (1 source, 1 article)
- The attack leverages search order hijacking to execute the rogue DLL instead of the legitimate one.
  First reported: 14.01.2026 16:18 (1 source, 1 article)