Threat Analysis: SquidLoader - Still Swimming Under the Radar

By Charles Crofford · July 15, 2025

Executive summary

A new wave of SquidLoader malware samples are actively targeting financial services institutions in Hong Kong. This sophisticated malware exhibits significant evasion capabilities, achieving near-zero detection rates on VirusTotal at the time of analysis. SquidLoader employs an attack chain culminating in the deployment of a Cobalt Strike Beacon for remote access and control. Its intricate anti-analysis, anti-sandbox, and anti-debugging techniques, coupled with its sparse detection rates, pose a significant threat to targeted organizations. This blog post provides a detailed technical analysis of the observed SquidLoader sample, highlighting its key features and indicators of compromise, including advanced anti-debugging tricks.

Attack chain

The observed SquidLoader attack follows a five-stage infection chain:

1. Spear-phishing email: The attack commences with a targeted spear-phishing email directed at employees of Hong Kong financial services institutions.
2. Password-Protected RAR archive: The email contains an attachment disguised as an invoice within a password-protected RAR archive. The provided password in the email body facilitates the initial interaction.
3. Malicious PE binary: Upon extraction, the RAR archive reveals a PE binary. This binary is crafted with an icon and name mimicking a Microsoft Word document to deceive the user. However, the underlying file properties resemble a legitimate "AMDRSServ.exe" (Radeon settings host service), further aiding in social engineering.
   • Upon execution SquidLoader copies itself to c:\users\public\setup_xitgutx.exe and relaunches
   
   
   
4. SquidLoader execution: Execution of the disguised PE binary initiates the SquidLoader infection sequence.
   • Contacts C2
   • Downloads Cobalt Strike beacon
   • Loads and executes shellcode
5. Cobalt Strike beacon deployment: The final stage involves the download and in-memory execution of a Cobalt Strike Beacon, granting the attackers persistent remote access to the compromised system.
   • Contacts Cobalt Strike C2

PE binary analysis

Initial analysis of the PE binary reveals that the code at the WinMain entry point is designed to resemble the legitimate AMDRSServ.exe, likely a decoy to mislead initial inspection. However, malicious activity begins much earlier in the execution flow. The malware hijacks the __scrt_common_main_seh function during its epilogue, diverting control to the malicious code before WinMain is ever reached. This is a common technique for malware to gain early execution and establish its foothold.

Stage 1: Initial unpacking:
The first stage of SquidLoader involves unpacking the main malicious payload from within its own binary. The provided de-obfuscated code snippet illustrates this process:

This simple loop iterates through a block of packed bytes within the malware's memory. Each byte is XORed with the value 0xF4 and then has 19 added to it. This de-obfuscation routine reveals the subsequent stages of the malware.

Stage 2: API resolution and custom structure initialization
The second stage focuses on preparing the environment for further malicious activities. SquidLoader employs sophisticated techniques to dynamically resolve necessary Windows APIs, hindering static analysis.

• PEB walking: The malware begins by traversing the Process Environment Block (PEB) to locate the base addresses of ntdll.dll and kernel32.dll. This is a common method to find fundamental system libraries.
• Dynamic API resolution: Once these base addresses are found, SquidLoader proceeds to locate the addresses of other required APIs. The names of these APIs are individually XORed and then immediately overwritten in memory, effectively erasing any static traces of the API names.
• Custom stack structure: (Shown at end) SquidLoader initializes a custom data structure on the stack. This structure serves as a central repository for storing resolved API pointers, various flags, PEB and Thread Environment Block (TEB) addresses, and other critical information needed throughout its execution.
• PEB storage: Interestingly, the address of this custom stack structure is saved to an unused portion of the PEB. This allows the malware to easily access this crucial data from different parts of its code.
• Control flow obfuscation: The analyzed sample exhibits significant control flow obfuscation, as demonstrated in the provided function example. This technique makes static analysis and reverse engineering significantly more challenging by introducing numerous conditional jumps and loops that obscure the actual program flow. The de-obfuscated version clearly shows the intended sequence.

Obfuscated flow:

Cleaned up:

Stage 3: Anti-analysis, anti-sandbox, and anti-debug techniques
SquidLoader incorporates a comprehensive suite of anti-analysis measures to evade detection and hinder investigation:

• Anti-sandbox:
  • Username check: It uses a syscall to GetEnvironmentVariableA to retrieve the username and checks if it matches "Abby" or "WALKER," common usernames in some sandbox environments.
  • Image name check: A syscall to NtQueryInformationProcess retrieves the process image name and compares it against c:\users\public\setup_xitgutx.exe. If it doesn't match, the malware copies itself to this location, starts the new process, and terminates the original, likely to evade file-based analysis in default locations.
• Anti-analysis and anti-debug:
  • Process enumeration: SquidLoader uses a syscall to NtQuerySystemInformation with the SystemProcessInformation parameter to obtain a list of running processes.
  • Blacklisting analysis tools: It iterates through this list, checking for the presence of various analysis and debugging tools. Notably, it checks for "rundll32.exe" and "regsvr32.exe" (potentially remnants from DLL-based versions), "aupdate.exe" (Symantec LiveUpdate), and the following:
    • Olldbg.exe (Note the misspelling of OllyDbg)
    • x64dbg.exe
    • x32dbg.exe
    • windbg.exe
    • DbgX.Shell.exe
    • ida.exe
    • ida64.exe
    • HRSword.exe
    • fakenet.exe (A network traffic simulation tool)
  • Conditional blacklisting: If the username check or the "aupdate.exe" process is detected, SquidLoader performs additional process checks for common antivirus solutions:
    • kav.exe
    • avgw.exe
    • blackice.exe
    • avpcc.exe
    • egui.exe
    • norton.exe
    • fsav.exe
    • rfwmain.exe
    • Inort.exe
  • Final antivirus checks: Regardless of the previous checks, SquidLoader performs a final set of process checks for:
    • ZhuDongFangYu.exe (360 Antivirus)
    • MsMpEng.exe (Windows Defender)
    • sysmon.exe
    • sysmon64.exe
  • If any of the blacklisted processes are found, SquidLoader terminates itself using a syscall to NtTerminateProcess.
  • NtQuerySystemInformation (0x23): SquidLoader makes another syscall to the NtQuerySystemInformation function, this time with the undocumented parameter 0x23 (SystemKernelDebuggerInformation). If this call returns a non-zero value, the malware again assumes the presence of a kernel debugger and terminates.
  • NtQueryInformationProcess (0x1e): SquidLoader performs a syscall to the NtQueryInformationProcess function with the undocumented parameter 0x1e (ProcessDebugObjectHandle). If the returned NTSTATUS code is not 0xC0000353 (STATUS_PORT_NOT_SET), the malware interprets this as a sign of being debugged and exits.
    
  • Anti-emulation/anti-sandbox threading trick: SquidLoader employs a sophisticated anti-emulation technique involving thread creation and manipulation:
    
    1. It creates a new thread using NtCreateThreadEx and puts it to sleep for a long duration (approximately 16 minutes).
       
       
    2. The main thread then executes a short sleep function.
    3. It queues an Asynchronous Procedure Call (APC) to the long-sleeping thread using NtQueueApcThread.
       
       
       • The queued APC is a short instruction which adds a flag to SquidLoader’s datastructure
    4. It calls NtWaitForSingleObject.
       
    5. SquidLoader closes the thread handle using NtClose.
       
    6. Finally SquidLoader checks its DataStructure for the presence of the flag, if the flag is not set, or if it receives an unexpected NTStatus at any step, it terminates.
       
    7. Emulators often struggle with accurately simulating threads or handling APCs correctly within short timeframes. Any sandbox hooking the sleep function to bypass delays would likely cause an unexpected NTSTATUS return, triggering the malware to exit.
  • Microsoft emulator detection: SquidLoader calls NtIsProcessInJob, a known technique to detect the Microsoft Emulator, as documented in the UACME project.
  • String obfuscation: Similar to API resolution, all strings used by SquidLoader are resolved dynamically on the stack and overwritten immediately after use. This makes static string analysis virtually impossible without debugging the malware during runtime.
  • User interaction bypass: Finally, after completing its environment checks, SquidLoader displays a message box with the Mandarin text: "The file is corrupted and cannot be opened." This requires user interaction to dismiss, effectively bypassing automated sandboxes that cannot interact with GUI elements.

Stage 4: C2 communication

Once the user dismisses the deceptive error message box, SquidLoader proceeds to establish communication with its Command and Control (C2) server.

• C2 server: The analyzed sample communicates with hxxps://39.107.156.136/api/v1/namespaces/kube-system/services. The use of a Kubernetes-related path in the URL is an attempt to blend in with legitimate network traffic.
  
• Data transmission: The malware transmits a significant amount of information about the compromised host to the C2 server, including:
  • IP address
  • Username
  • Computer name
  • Windows version
  • Process ID
  • Thread ID
  • Filename
  • Administrator privileges status
  • Active Code Page
  • OEM Code Page

Stage 5: Cobalt Strike beacon execution

The final stage involves the execution of the downloaded Cobalt Strike Beacon.

• Secondary C2 Server: In the analyzed sample, the Cobalt Strike Beacon establishes a connection to a different host: 182.92.239.24.

Geographic Targeting and Similar Samples

The analyzed sample specifically targets Hong Kong financial services institutions, as evidenced by the spear-phishing email content in Mandarin. Further investigation using the provided VirusTotal search query reveals other recent SquidLoader samples with very low detection rates. These samples communicate with different C2 hosts but share the characteristic Kubernetes-related URL path. Notably, some of these samples indicate targeting in Singapore and Australia, suggesting a broader campaign with regional variations.

Spear-phishing email analysis

The provided example of the spear-phishing email is written in simplified Chinese and claims to be from a representative of a financial institution.

Translation and sanitization

Subject: [Sanitized Company Name] - Registration Form for Bond Connect Investors Handling Foreign Exchange Business through Overseas Banks
Body:
Dear [Sanitized Recipient Name],
I am [Sanitized Sender Name] from [Sanitized Company Name]. I am submitting the scanned copy of the Bond Connect investor foreign exchange business registration form. The relevant documents have been prepared as required.
The attachment is encrypted and compressed. The decryption password is: 20250331. Please check and confirm.
Please confirm if you need any further materials. If you have any questions or additional requirements, please let me know at any time.
Thank you for your support and assistance!
Sincerely,
[Sanitized Company Name]
[Sanitized Sender Name]
Contact Number: [Redacted Phone Number]
Email Address: [Redacted Email Address]
March 31, 2025

Indicators of compromise (IOCs)

Hashes

Trellix ENS Detection - SquidLoader!

• SHA256
  • HONG KONG
    • Bb0f370e11302ca2d7f01d64f0f45fbce4bac6fd5613d8d48df29a83d382d232
    • B2811b3074eff16ec74afbeb675c85a9ec1f0befdbef8d541ac45640cacc0900
    • 6960c76b624b2ed9fc21546af98e1fa2169cd350f37f6ca85684127e9e74d89c
    • 9dae4e219880f0e4de5bcba649fd0741e409c8a56b4f5bef059cdf3903b78ac2
  • SINGAPORE
    • 34d602d9674f26fa2a141c688f305da0eea2979969f42379265ee18589751493
  • CHINA
    • a244bfcd82d4bc2de30fc1d58750875b638d8632adb11fe491de6289ff30d8e5
  • AUSTRALIA
    • 2d371709a613ff8ec43f26270a29f14a0cb7191c84f67d49c81d0e044344cf6c

SquidLoader Servers and Communication:

• C2 Servers:
  • hxxps://39.107.156.136/api/v1/namespaces/kube-system/services
  • hxxps://8.140.62.166/api/v1/namespaces/kube-system/services
  • hxxps://38.55.194.34/api/v1/namespaces/kube-system/services
  • hxxps://47.116.178.227/api/v1/namespaces/kube-system/services
  • hxxps://121.41.14.96/api/v1/namespaces/kube-system/services
  • hxxps://47.116.178.227:443/api/v1/namespaces/kube-system/services
• Network Traffic Signature: HTTPS requests to the identified C2 servers with the URI /api/v1/namespaces/kube-system/services.
  • User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

VirusTotal Query for hunting:

• vt-query:"https://www.virustotal.com/gui/search/type%253Apeexe%2520and%2520%2522%252Fapi%252Fv1%252Fnamespaces%252Fkube-system%252Fservices%2522?type=files"

Stack Structure

Discover the latest cybersecurity research from the Trellix Advanced Research Center: https://www.trellix.com/advanced-research-center/