CLR DLL Side-Loading, a secret technique used by APT41
Date: September 26, 2025 (GMT +8)
Time: 10:40
TRACK 1
OFFICIAL TALK
APT41 is a sophisticated Chinese-speaking threat actor that has been targeting high-profile organizations around the world for more than a decade. Campaigns of this APT have always been regarded as astonishing, as they commonly involve the use of complex implants and unique infection techniques.
While researching the activities of APT41, we identified a peculiar series of attacks conducted by this actor. It turned out that these attacks had one unique detail in common: they involved the use of a highly interesting defense evasion technique. It has not been previously observed in the wild, and we dubbed it CLR DLL Side-Loading.
As the name of this technique suggests, it allows an attacker to side-load malicious DLLs into legitimate processes managed by the CLR environment, which is used for running code in languages such as C#, PowerShell or Visual Basic. As we found out, CLR DLL Side-Loading differs from the traditional and well-known DLL Side-Loading technique in that it has fewer limitations. Unlike the traditional technique, CLR DLL Side-Loading can be leveraged to abuse trusted system libraries, such as ntdll.dll. Furthermore, with this technique, the malicious DLL does not need to be stored in the same folder as the legitimate executable, thus making it more difficult for security solutions to detect side-loading.
In our talk, we first provide information on the discovered attacks: we discuss how the observed targets were infected, describe the detected malicious implants, and explain their attribution to APT41. Then we dive into the internals of CLR DLL Side-Loading and detail how it is able to break the above-mentioned limitations of the traditional DLL Side-Loading technique. Afterwards, we demonstrate the wider implications of the discovered technique: as we found out, it can be used not just to load DLLs into processes, but also to establish persistence in interesting, undocumented ways, and even to interfere with the operation of security solutions. Finally, we conclude the discussion of this technique by stating how developers can prevent their software from being abused with it.
Speaker
Georgy Kucherin
Georgy Kucherin is a Security Researcher at Kaspersky’s renowned Global Research and Analysis Team. Georgy demonstrates an unwavering passion for unraveling the intricacies of complex malware and employing reverse engineering techniques to analyze and understand its inner workings. With a strong background in cybersecurity research, Georgy has contributed significantly to the field through his comprehensive investigations into advanced persistent threats (APTs) such as Operation Triangulation, FinFisher, APT41, and Lazarus. Georgy actively shares his research findings at prominent conferences, where his presentations captivate audiences and contribute to the collective knowledge of the cybersecurity community.