Tag

Dll Sideloading

All articles tagged with #dll sideloading

Cybersecurity, 2 years ago

Double DLL sideloading and browser extension abuse: New tactics for evading detection

A Chinese-speaking APT group tracked as "Dragon Breath" (also "Golden Eye Dog") is using elaborate variations of classic DLL sideloading, in which a legitimate, signed executable loads a malicious DLL planted in its own directory, to evade detection. The group targets Chinese-speaking Windows users in China, Japan, Taiwan, Singapore, Hong Kong, and the Philippines with trojanized Telegram, LetsVPN, and WhatsApp installers. The variations rely on double DLL sideloading: the trojanized application loads a first DLL, which in turn side-loads the second, malicious DLL. The extra stage adds evasion, obfuscation, and persistence, and the shifting combination of host application and loader makes it harder for defenders to tune detections to one fixed pattern. The final payload is a backdoor supporting several commands, including stealing digital assets from victims' MetaMask cryptocurrency wallet browser extension.
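The summary names the technique but not how a defender would hunt for it. The script below is an added example, not code from the article or from Sophos, and it generalizes beyond the Dragon Breath case to any DLL-sideloading candidate: given a directory (assumed to be a suspect install folder such as a trojanized Telegram or LetsVPN installation), it finds Authenticode-signed executables and flags co-located DLLs that are unsigned, signed by a different publisher than the host EXE, or named after a DLL that ships in System32 (a search-order hijack target). The `$Path` parameter and the output field names are this example's own choices.

```powershell
# Added example (not from the article): triage a directory for DLL-sideloading candidates.
# A sideloaded DLL typically sits beside a trusted, signed host EXE, is itself unsigned or
# signed by someone else, and often reuses the name of a DLL the host expects to find in System32.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # assumed: directory to inspect, e.g. a suspicious Telegram/LetsVPN install folder
)

# Build a lookup of DLL names that legitimately live in System32; a same-named DLL in an app
# directory is a classic search-order hijack / sideloading placement.
$system32Names = Get-ChildItem -Path "$env:SystemRoot\System32" -Filter *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Name.ToLowerInvariant() }
$system32Set = [System.Collections.Generic.HashSet[string]]::new([string[]]$system32Names)

$hostExes = Get-ChildItem -Path $Path -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue
foreach ($exe in $hostExes) {
    $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
    # Sideloading relies on a trusted host binary; unsigned EXEs are a different problem.
    if ($exeSig.Status -ne 'Valid') { continue }
    $exeSigner = $exeSig.SignerCertificate.Subject

    Get-ChildItem -Path $exe.DirectoryName -Filter *.dll -File -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = $_
        $dllSig = Get-AuthenticodeSignature -FilePath $dll.FullName
        $dllSigner = if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { '<none>' }
        $reasons = @()

        if ($dllSig.Status -ne 'Valid') {
            $reasons += "DLL unsigned or signature invalid ($($dllSig.Status))"
        } elseif ($dllSigner -ne $exeSigner) {
            # Catches the 'clean loader from another vendor' first stage of a double sideload.
            $reasons += 'DLL signer differs from host EXE signer'
        }
        if ($system32Set.Contains($dll.Name.ToLowerInvariant())) {
            $reasons += 'DLL name shadows a System32 DLL (search-order hijack candidate)'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                HostExe    = $exe.FullName
                HostSigner = $exeSigner
                Dll        = $dll.FullName
                DllSigner  = $dllSigner
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}
```

Run it as `.\Find-SideloadCandidates.ps1 -Path 'C:\Users\victim\AppData\Local\Telegram Desktop'` (file name and path are illustrative) and pipe the output to `Format-Table` or `Export-Csv`. Treat the results as triage leads rather than verdicts: legitimate software commonly ships third-party DLLs signed by other vendors, so the signer-mismatch check produces benign hits, while the System32-shadowing check is the stronger signal. In a double-sideload chain the first-stage DLL may itself carry a valid signature; the check still surfaces it because its signer will not match the host application's.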