{"id":229057,"date":"2026-01-15T01:20:02","date_gmt":"2026-01-15T07:20:02","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2026\/01\/hackers-exploit-c-ares-dll-side-loading-to-bypass-security-and-deploy-malware"},"modified":"2026-01-15T01:20:02","modified_gmt":"2026-01-15T07:20:02","slug":"hackers-exploit-c-ares-dll-side-loading-to-bypass-security-and-deploy-malware","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2026\/01\/hackers-exploit-c-ares-dll-side-loading-to-bypass-security-and-deploy-malware","title":{"rendered":"Hackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malware"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/hackers-exploit-c-ares-dll-side-loading-to-bypass-security-and-deploy-malware2.jpg\"><\/a><\/p>\n<p>Security experts have disclosed details of an active malware campaign that\u2019s exploiting a <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/abusing-dll-misconfigurations\" rel=\"noopener\" target=\"_blank\">DLL side-loading vulnerability<\/a> in a legitimate binary <a href=\"https:\/\/github.com\/c-ares\/c-ares\/blob\/main\/INSTALL.md\" rel=\"noopener\" target=\"_blank\">associated<\/a> with the open-source <a href=\"https:\/\/c-ares.org\" rel=\"noopener\" target=\"_blank\">c-ares library<\/a> to bypass security controls and deliver a wide range of commodity trojans and stealers.<\/p>\n<p>\u201cAttackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate ahost.exe (which they often rename) to execute their code,\u201d Trellix <a href=\"https:\/\/www.trellix.com\/en-au\/blogs\/research\/hiding-in-plain-sight-multi-actor-ahost-exe-attacks\/\" target=\"_blank\">said<\/a> in a report shared with The Hacker News. \u201cThis DLL side-loading technique allows the malware to bypass traditional signature-based security defenses.\u201d<\/p>\n<p>The campaign has been observed distributing a wide assortment of malware, such as <a href=\"https:\/\/thehackernews.com\/2025\/08\/hackers-using-new-quirkyloader-malware.html\" rel=\"noopener\" target=\"_blank\">Agent Tesla<\/a>, <a href=\"https:\/\/thehackernews.com\/2023\/04\/google-gets-court-order-to-take-down.html\" rel=\"noopener\" target=\"_blank\">CryptBot<\/a>, <a href=\"https:\/\/thehackernews.com\/2025\/12\/experts-confirm-jssmuggler-uses.html\" rel=\"noopener\" target=\"_blank\">Formbook<\/a>, <a href=\"https:\/\/www.domaintools.com\/resources\/blog\/part-2-tracking-lummac2-infrastructure\/\" rel=\"noopener\" target=\"_blank\">Lumma Stealer<\/a>, <a href=\"https:\/\/thehackernews.com\/2025\/05\/hackers-use-tiktok-videos-to-distribute.html\" rel=\"noopener\" target=\"_blank\">Vidar Stealer<\/a>, <a href=\"https:\/\/thehackernews.com\/2026\/01\/new-malware-campaign-delivers-remcos.html\" rel=\"noopener\" target=\"_blank\">Remcos RAT<\/a>, <a href=\"https:\/\/blog.sekoia.io\/advent-of-configuration-extraction-part-2-unwrapping-quasarrats-configuration\/\" rel=\"noopener\" target=\"_blank\">Quasar RAT<\/a>, <a href=\"https:\/\/thehackernews.com\/2026\/01\/fake-booking-emails-redirect-hotel.html\" rel=\"noopener\" target=\"_blank\">DCRat<\/a>, and <a href=\"https:\/\/thehackernews.com\/2025\/10\/xworm-60-returns-with-35-plugins-and.html\" rel=\"noopener\" target=\"_blank\">XWorm<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security experts have disclosed details of an active malware campaign that\u2019s exploiting a DLL side-loading vulnerability in a legitimate binary associated with the open-source c-ares library to bypass security controls and deliver a wide range of commodity trojans and stealers. \u201cAttackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,8],"tags":[],"class_list":["post-229057","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode","category-space"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/229057","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=229057"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/229057\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=229057"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=229057"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=229057"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}