Threat Analysis: SquidLoader - Still Swimming Under the Radar

    Date: 07/16/2025

    Severity: High

    Summary

    A new wave of SquidLoader malware is actively targeting financial institutions in Hong Kong. This advanced malware demonstrates strong evasion techniques, showing near-zero detection on VirusTotal at the time of analysis. SquidLoader’s attack chain leads to the deployment of a Cobalt Strike Beacon, enabling remote access and control. This blog provides a detailed technical breakdown of the sample, emphasizing its anti-analysis methods and key indicators of compromise.

    Indicators of Compromise (IOC) List 


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs :

    domainname like "https://39.107.156.136/api/v1/namespaces/kube-system/services"
      or url like "https://39.107.156.136/api/v1/namespaces/kube-system/services"
      or siteurl like "https://39.107.156.136/api/v1/namespaces/kube-system/services"
      or domainname like "https://8.140.62.166/api/v1/namespaces/kube-system/services"
      or url like "https://8.140.62.166/api/v1/namespaces/kube-system/services"
      or siteurl like "https://8.140.62.166/api/v1/namespaces/kube-system/services"
      or domainname like "https://38.55.194.34/api/v1/namespaces/kube-system/services"
      or url like "https://38.55.194.34/api/v1/namespaces/kube-system/services"
      or siteurl like "https://38.55.194.34/api/v1/namespaces/kube-system/services"
      or domainname like "https://47.116.178.227/api/v1/namespaces/kube-system/services"
      or url like "https://47.116.178.227/api/v1/namespaces/kube-system/services"
      or siteurl like "https://47.116.178.227/api/v1/namespaces/kube-system/services"
      or domainname like "https://121.41.14.96/api/v1/namespaces/kube-system/services"
      or url like "https://121.41.14.96/api/v1/namespaces/kube-system/services"
      or siteurl like "https://121.41.14.96/api/v1/namespaces/kube-system/services"
      or domainname like "https://47.116.178.227:443/api/v1/namespaces/kube-system/services"
      or url like "https://47.116.178.227:443/api/v1/namespaces/kube-system/services"
      or siteurl like "https://47.116.178.227:443/api/v1/namespaces/kube-system/services"

    Hash : 

    sha256hash IN (
      "bb0f370e11302ca2d7f01d64f0f45fbce4bac6fd5613d8d48df29a83d382d232",
      "6960c76b624b2ed9fc21546af98e1fa2169cd350f37f6ca85684127e9e74d89c",
      "a244bfcd82d4bc2de30fc1d58750875b638d8632adb11fe491de6289ff30d8e5",
      "b2811b3074eff16ec74afbeb675c85a9ec1f0befdbef8d541ac45640cacc0900",
      "9dae4e219880f0e4de5bcba649fd0741e409c8a56b4f5bef059cdf3903b78ac2",
      "34d602d9674f26fa2a141c688f305da0eea2979969f42379265ee18589751493",
      "2d371709a613ff8ec43f26270a29f14a0cb7191c84f67d49c81d0e044344cf6c"
    )
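    As an added example that is not part of the original advisory or the Gurucul product, the following Python script applies the same indicators to constructed proxy and endpoint log events. It normalizes hash case before comparing (the advisory lists two hashes with an uppercase first character, and an exact IN match is case-sensitive in most SIEMs) and matches the C2 URLs by host and path, so that the bare and the :443 variants of the same server are caught by one rule.

```python
import json
from urllib.parse import urlsplit

# Indicators taken from the advisory; hash case is normalized to lowercase.
SQUIDLOADER_HASHES = {h.lower() for h in (
    "Bb0f370e11302ca2d7f01d64f0f45fbce4bac6fd5613d8d48df29a83d382d232",
    "B2811b3074eff16ec74afbeb675c85a9ec1f0befdbef8d541ac45640cacc0900",
    "6960c76b624b2ed9fc21546af98e1fa2169cd350f37f6ca85684127e9e74d89c",
    "9dae4e219880f0e4de5bcba649fd0741e409c8a56b4f5bef059cdf3903b78ac2",
    "34d602d9674f26fa2a141c688f305da0eea2979969f42379265ee18589751493",
    "a244bfcd82d4bc2de30fc1d58750875b638d8632adb11fe491de6289ff30d8e5",
    "2d371709a613ff8ec43f26270a29f14a0cb7191c84f67d49c81d0e044344cf6c",
)}
C2_HOSTS = {"39.107.156.136", "8.140.62.166", "38.55.194.34",
            "47.116.178.227", "121.41.14.96"}
C2_PATH = "/api/v1/namespaces/kube-system/services"

def url_matches(url: str) -> bool:
    """Match on host and path so 'https://h/...' and 'https://h:443/...' both hit."""
    parts = urlsplit(url)
    return parts.hostname in C2_HOSTS and parts.path == C2_PATH

def hash_matches(sha256: str) -> bool:
    """Case-insensitive SHA-256 comparison against the advisory's hash set."""
    return sha256.strip().lower() in SQUIDLOADER_HASHES

def scan(events):
    """events: iterable of dicts with optional 'url' / 'sha256' keys; returns hits."""
    hits = []
    for ev in events:
        reasons = []
        if ev.get("url") and url_matches(ev["url"]):
            reasons.append("squidloader_c2_url")
        if ev.get("sha256") and hash_matches(ev["sha256"]):
            reasons.append("squidloader_hash")
        if reasons:
            hits.append({"id": ev.get("id"), "reasons": reasons})
    return hits

# Constructed sample events (not taken from the advisory or any real log).
SAMPLE_EVENTS = [
    {"id": 1, "url": "https://47.116.178.227:443/api/v1/namespaces/kube-system/services"},
    {"id": 2, "url": "https://121.41.14.96/api/v1/namespaces/kube-system/services?x=1"},
    {"id": 3, "sha256": "BB0F370E11302CA2D7F01D64F0F45FBCE4BAC6FD5613D8D48DF29A83D382D232"},
    {"id": 4, "url": "https://kubernetes.default.svc/api/v1/namespaces/kube-system/services"},
    {"id": 5, "sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

Event 4 shows why matching on host rather than on the path alone matters: the path is a legitimate Kubernetes API endpoint, so a path-only rule would fire on normal cluster traffic.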

    Reference:    

    https://www.trellix.com/blogs/research/threat-analysis-squidLoader-still-swimming-under-the-radar/ 


    Tags

    Malware, SquidLoader, Hong Kong, Cobalt Strike, Financial Services
