Global malware campaign abusing legitimate Git utility

The Trellix Advanced Research Center has spotted an active malware campaign that exploits a DLL sideloading issue in a legitimate Windows utility called ‘ahost.exe,’ which is a component of the open-source c-ares library used for asynchronous DNS lookups.

The utility is commonly bundled with Git for Windows and with developer tools such as GitKraken and GitHub Desktop. By pairing a malicious libcares-2.dll with a signed (often renamed) copy of ahost.exe, attackers execute their malware while evading traditional signature-based security controls at the same time.

According to Trellix, the campaign mainly delivers commodity malware, including info-stealers such as AgentTesla, FormBook, Lumma Stealer, Vidar, and CryptBot, as well as remote access trojans (RATs) like Remcos, QuasarRAT, DCRat, and XWorm.

The malicious files are typically disguised as business documents and target employees in finance, procurement, supply chain, and administrative roles, particularly within commercial and industrial sectors such as oil and gas and import/export. The campaign uses localized filenames in Arabic, Spanish, Portuguese, Farsi, and English, suggesting a widespread operation.

The attack relies on DLL search order hijacking, where ahost.exe loads a malicious libcares-2.dll placed in the same directory. Trellix notes that threat actors leverage a version of ahost.exe signed by GitKraken and distributed with the GitKraken Desktop application.

In one incident, attackers renamed ahost.exe to 1DOC-PDF.exe and bundled it with a malicious libcares-2.dll containing DCRat malware.

Telemetry shows this executable (MD5: fd3c8166e7fbbb64d12c1170b8f4bacf) has been linked to multiple malware campaigns, including XWorm and DCRat, and has been submitted to VirusTotal nearly two hundred times under various names.

“This file has been submitted to VirusTotal numerous times under various names, with 190 submissions from 115 unique submitters, first seen in the United States and last seen in Egypt. This suggests a widespread distribution effort,” Trellix notes.