SquidLoader Reemerges with Stealth Upgrades in APAC Financial Attacks

Threat Group: Unknown (APT-level sophistication suspected)
Threat Type: Loader / Malware-as-a-Service (MaaS)
Exploited Vulnerabilities: No specific CVE; exploits social engineering and security evasion
Malware Used: SquidLoader, Cobalt Strike Beacon
Threat Score: 🔴 High (8.4/10) – Highly evasive loader, zero-detection rate at launch, APT-style tradecraft, and persistent access via Cobalt Strike
Last Threat Observation: 23 July 2025


Overview

SquidLoader's new wave represents a resurgence of sophisticated loader malware targeting financial institutions, especially in the Asia-Pacific region. Initially detected in late April 2024, the loader achieves near-zero detection upon first analysis, bypassing standard email and endpoint security mechanisms. The campaign uses Mandarin-language spear-phishing emails, anti-analysis engineering, and mimics enterprise tools to infiltrate and persist within networks. The final payload is a Cobalt Strike Beacon, granting full attacker control. The malware disguises itself using misleading file icons, filenames, and metadata that emulate known business and hardware processes, and then deploys a battery of anti-sandbox and anti-debugging checks to ensure execution only within genuine environments.

This campaign’s defining traits include mimicry of Kubernetes API paths for Command-and-Control (C2) communication, dynamic API resolution to avoid static detection, and a requirement for GUI-based user interaction, rendering most automated analysis ineffective. With a multistage infection chain and clear strategic targeting of financial services across Hong Kong, Australia, Singapore, and China, SquidLoader is believed to be operated by a highly resourced and technically proficient threat actor. Given its modular architecture, defenders should assume the payload can shift between espionage, financial theft, and ransomware depending on actor goals. Immediate response actions, layered defences, and behaviour-based detection are critical to mitigating this threat.


Key Details

  • Targeted Sector and Regions: The latest SquidLoader campaign is highly targeted, focusing primarily on financial services institutions in Hong Kong, with observed expansion into Singapore, Australia, and China. The use of spear-phishing emails written in Mandarin indicates a tailored and regionally aware threat approach.
  • Initial Delivery Mechanism: Attacks begin with well-crafted spear-phishing emails containing password-protected RAR archives disguised as invoices. These archives deliver a malicious PE binary designed to mimic a Microsoft Word document and masquerade as a legitimate system process (AMDRSServ.exe).
  • Persistence and Execution: Upon launch, the malware copies itself to C:\Users\Public\setup_xitgutx.exe and relaunches from this location to evade initial analysis. It hijacks the execution flow early via __scrt_common_main_seh, bypassing conventional entry point monitoring.
  • Sophisticated Evasion Capabilities: SquidLoader employs early execution hijacking, dynamic API resolution, string obfuscation, custom data structures in the PEB, and complex anti-sandbox threading tricks. It checks for analysis tools, virtual environments, and user interaction capabilities to determine if it is running in a monitored environment.
  • Network Communication and Mimicry: It connects to C2 infrastructure using HTTPS traffic that mimics Kubernetes API service paths. This tactic is designed to blend with legitimate enterprise cloud traffic and avoid triggering anomaly detection systems.
  • Final Objective – Cobalt Strike Deployment: SquidLoader’s purpose is to deploy a memory-resident Cobalt Strike Beacon. This enables full remote access, credential theft, lateral movement, and data exfiltration, representing a high-impact post-exploitation phase.
  • Attribution and Threat Profile: While no specific APT group has been publicly named, the techniques used suggest involvement by either a state-sponsored actor or a highly organised cybercriminal group with significant technical capability.

Attack Vectors

Vector                    Mechanism
Social Engineering        Spear-phishing emails with Mandarin content and password-protected invoice lures
Initial Execution         Malicious PE disguised as a Word document and named as a legitimate AMD process
Persistence               Copies to C:\Users\Public\setup_xitgutx.exe and relaunches from that location
Early Execution Hijack    Hijacks __scrt_common_main_seh to execute before WinMain, bypassing detection
Dynamic Obfuscation       API resolution via PEB walking, string obfuscation, and stack-based data structures
Anti-Sandboxing           Checks for usernames, debugger tools, process names, and uses threading tricks
User Interaction Bypass   Displays a fake Mandarin error requiring dismissal, defeating headless sandboxes
Network Evasion           Uses HTTPS with fake Kubernetes API paths to evade network anomaly detection tools
Post-Exploitation         Deploys a memory-resident Cobalt Strike Beacon for full remote control and movement

Known Indicators of Compromise (IoCs)

IPv4 Addresses


URLs


SHA256 File Hashes


User-Agent String: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

Persistence:

  • File copied to c:\users\public\setup_xitgutx.exe
  • Runtime data stored in unused PEB sections
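As an added defender-side example (not code from the advisory or its sources), the following Python scans proxy access-log lines for the Network Evasion pattern described above: the kube-system services path that the loader's C2 requests use, sent to a host that is not a known Kubernetes API server, together with the Trident/IE11 User-Agent string from the IoC list. The log layout, the API-server inventory and the sample lines are assumptions constructed for this example.

```python
import re

# Request path from the advisory's URL IoCs: the loader's C2 traffic mimics a Kubernetes API call.
KUBE_PATH_RE = re.compile(r"^/api/v\d+/namespaces/kube-system/services")
# User-Agent from the IoC section; an IE11/Trident string is not what a Kubernetes client sends.
LOADER_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
# Assumed inventory of legitimate API servers as host:port; fill this from your own environment.
KNOWN_KUBE_API = {"10.0.0.5:6443"}

# Assumed proxy log layout: timestamp src dst method "url" status "user-agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) '
    r'"(?P<url>[^"]*)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def analyse(entry):
    """Return the reasons an entry looks like SquidLoader C2; an empty list means benign."""
    path = re.sub(r"^https?://[^/]+", "", entry["url"]).split("?", 1)[0]
    if not KUBE_PATH_RE.match(path):
        return []
    reasons = []
    if entry["dst"] not in KNOWN_KUBE_API:
        reasons.append("kube-system services path sent to a host outside the API-server inventory")
    if entry["ua"] == LOADER_UA:
        reasons.append("Trident/IE11 user agent on a Kubernetes API path")
    return reasons

def scan(lines):
    """Return (src, dst, reasons) for every line that raises at least one reason."""
    hits = []
    for entry in filter(None, map(parse_line, lines)):
        reasons = analyse(entry)
        if reasons:
            hits.append((entry["src"], entry["dst"], reasons))
    return hits

# Constructed sample lines: a genuine kubectl call, a beacon to a listed C2 address, an unrelated API.
SAMPLE_LOG = [
    '2025-07-23T09:14:02Z 10.20.1.17 10.0.0.5:6443 GET "https://10.0.0.5:6443/api/v1/namespaces/kube-system/services" 200 "kubectl/v1.30.0 (linux/amd64)"',
    '2025-07-23T09:15:11Z 10.20.1.44 47.116.178.227:443 GET "https://47.116.178.227:443/api/v1/namespaces/kube-system/services" 200 "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '2025-07-23T09:16:40Z 10.20.1.17 intranet.example GET "https://intranet.example/api/v1/reports" 200 "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"',
]

if __name__ == "__main__":
    for src, dst, reasons in scan(SAMPLE_LOG):
        print(f"{src} -> {dst}: {'; '.join(reasons)}")
```

Only the request whose path, destination and user agent all line up is reported; a kubectl call to an inventoried API server and a browser request to an unrelated /api/v1 path are left alone.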

Mitigation and Prevention

User Awareness: Train staff to distrust password-protected invoice emails and unknown RAR files. Highlight Mandarin-language phishing attempts.

Email Filtering: Block executable attachments in RARs. Enable advanced sandbox inspection of encrypted attachments.

Antivirus Protection: Deploy advanced EDR solutions. Monitor for runtime injection, dynamic API resolution, and GUI-triggered error dialogs.

Two-Factor Authentication (2FA): Enforce 2FA across all remote and privileged access points.

Monitor Logs: Inspect for long-sleep threads, early function hijacks, and unknown PEB entries. Detect reflective DLL injection or process hollowing.

Regular Updates: Patch endpoints rigorously. Disable unused scripting engines and review PowerShell policies.


Risk Assessment

This wave of SquidLoader combines elite tradecraft with strong social engineering. The mimicry of enterprise tools and low detection rate creates an ideal vector for long-term intrusions. Its reliance on in-memory payloads bypasses legacy AV and firewalls, requiring layered detection based on behaviour and memory analysis.


Conclusion

SquidLoader’s design deliberately outpaces traditional defences by requiring real user interaction, camouflaging as trusted processes, and mimicking enterprise applications. It offers flexible payload delivery, currently focusing on Cobalt Strike. Given the sophistication of this campaign and its targeting of financial services across multiple nations, all organisations in the APAC region should elevate monitoring and defence mechanisms to counter this loader.


Sources:

Broadcom - SquidLoader malware targets financial institutions

Trellix - Threat Analysis: SquidLoader - Still Swimming Under the Radar

SC Media - Attacks with SquidLoader malware hit Hong Kong finance

OTX AlienVault - Indicators Of Compromise