SquidLoader Using Sophisticated Malware With Near-Zero Detection to Swim Under Radar
Hong Kong’s financial sector is contending with a fresh surge of SquidLoader samples that glide past conventional defenses with almost no antivirus flags.
First spotted in early July 2025, the loader arrives through carefully worded spear-phishing emails written in Simplified Chinese and bearing password-protected RAR attachments masquerading as legitimate bond-registration paperwork.
Once the user extracts the archive and double-clicks what appears to be a Microsoft Word icon, execution pivots to a malicious PE file designed to resemble AMD’s AMDRSServ.exe, silently laying the groundwork for compromise.
Inside that counterfeit executable, control is secretly hijacked in the CRT epilogue long before WinMain() is reached, allowing SquidLoader to unpack itself and light up its multi-stage infection chain.
Trellix analysts noted that this first stage simply iterates through 78,469 packed bytes, applying an XOR 0xF4 operation and adding 19 to each value to reveal the loader’s true code.
```c
// Stage 1 unpacking as described: XOR each of the 78,469 packed bytes with 0xF4,
// then add 19 (arithmetic wraps modulo 256 because packed[] holds single bytes).
for (size_t i = 0; i < 78469; ++i) {
    packed[i] = (packed[i] ^ 0xF4) + 19;
}
```
With the payload decrypted, Stage 2 walks the Process Environment Block to locate ntdll.dll and kernel32.dll, dynamically resolves scores of APIs, and stores their addresses—plus thread, PEB, and TEB metadata—in a custom stack structure whose pointer is hidden inside unused PEB memory.
This tactical sleight of hand eradicates static strings and thwarts signature-based hunters.
Trellix researchers identified SquidLoader’s final objective as the in-memory launch of a Cobalt Strike Beacon that reports to shifting Kubernetes-themed endpoints such as 39.107.156.136/api/v1/namespaces/kube-system/services before handing off to a secondary beacon host at 182.92.239.24.
For victims, the result is covert remote access that blends seamlessly with normal HTTPS traffic while security teams remain blind to the breach.
Detection Evasion Tactics
The loader’s most ingenious tricks revolve around exhaustive anti-analysis routines that frustrate sandboxing and live debugging alike.
Early in Stage 3, SquidLoader invokes NtQuerySystemInformation with the undocumented SystemKernelDebuggerInformation selector; any non-zero return code signals a kernel debugger and triggers self-destruct.
It then enumerates running processes via SystemProcessInformation, blacklisting a laundry list of debuggers—from Ollydbg.exe to x64dbg.exe—along with common AV agents such as MsMpEng.exe and kav.exe; detection of any target again prompts immediate termination.
A particularly thorny thread/APC trick spins up a worker thread that sleeps for 1,000,000 ms, queues an APC to itself, and waits. Emulators that accelerate Sleep() or mishandle APC delivery return unexpected NTSTATUS values, causing the malware to exit before analysts can attach.
Finally, a Mandarin-language message box—“The file is corrupted and cannot be opened”—demands user interaction, a simple yet effective way to bypass automated sandboxes that lack GUI control.
Together, these layers ensure that by the time incident responders realize a beacon is calling home, SquidLoader has already slipped beneath the sonar and out to sea.
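One way a defender can turn these behavioural tells into detection logic, as an added example that is not from the article or from Trellix: a small Python scorer run over constructed API-trace lines. The `<pid> <api>(<args>) = <result>` trace format, the indicator names and the message-box text placeholder are assumptions; the sequence it looks for is the debugger query, process enumeration, long sleep with self-queued APC, and user prompt described above.

```python
import re
from typing import Dict

# Constructed API-trace lines in an assumed "<pid> <api>(<args>) = <result>" format.
# This is not real sandbox output, and the message-box text is a placeholder.
SAMPLE_TRACE = """\
4120 NtQuerySystemInformation(SystemKernelDebuggerInformation) = 0x0
4120 NtQuerySystemInformation(SystemProcessInformation) = 0x0
4120 CreateThread(start=0x401a20) = 0x1f4
4120 SleepEx(1000000, TRUE) = 0x0
4120 NtQueueApcThread(thread=0x1f4) = 0x0
4120 MessageBoxW(text="<FILE_CORRUPTED_MESSAGE_PLACEHOLDER>") = 0x1
4120 NtTerminateProcess(-1) = 0x0
"""

# Each indicator corresponds to one evasion step described in the article.
INDICATORS = {
    "kernel_debugger_query": re.compile(r"NtQuerySystemInformation\(SystemKernelDebuggerInformation\)"),
    "process_enumeration":   re.compile(r"NtQuerySystemInformation\(SystemProcessInformation\)"),
    "long_sleep":            re.compile(r"\bSleep(?:Ex)?\(\d{6,}"),   # >= 100,000 ms
    "self_apc":              re.compile(r"NtQueueApcThread\("),
    "user_prompt":           re.compile(r"MessageBox[AW]?\("),
    "early_exit":            re.compile(r"NtTerminateProcess\(|ExitProcess\("),
}

def match_indicators(trace: str) -> Dict[str, int]:
    """Return the 1-based line number of each indicator's first hit (0 if absent)."""
    hits = {name: 0 for name in INDICATORS}
    for lineno, line in enumerate(trace.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if not hits[name] and pattern.search(line):
                hits[name] = lineno
    return hits

def evasion_verdict(trace: str) -> str:
    """Order matters: debugger check -> process scan -> sleep/APC wait, then a prompt."""
    h = match_indicators(trace)
    core = [h["kernel_debugger_query"], h["process_enumeration"], h["long_sleep"], h["self_apc"]]
    ordered = all(core) and core == sorted(core)
    if ordered and h["user_prompt"]:
        return "squidloader-like anti-analysis chain"
    if sum(1 for v in h.values() if v) >= 3:
        return "generic anti-analysis"
    return "none"

if __name__ == "__main__":
    print(evasion_verdict(SAMPLE_TRACE))
```

Real traces will name these calls differently per tool, so the regexes are the part to adapt; the ordering check is what separates this chain from a program that merely shows a dialog or sleeps.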