Exploiting Trusted Applications: GitKraken DLL Sideloading Campaign
By Mallikarjun Wali, Mohideen Abdul Khader and Sangram Mohapatro · August 21, 2025
Executive summary
The Trellix Advanced Research Center has identified an active malware campaign exploiting a DLL sideloading vulnerability in the legitimate and signed “ahost.exe” utility distributed with the GitKraken Desktop application, which is a widely used Git-based developer tool. Attackers leverage this vulnerability by bundling a malicious 'libcares-2.dll' with the legitimate executable, often renaming 'ahost.exe' to match the campaign theme. This technique enables the malware to evade traditional, signature-based security solutions.
The campaign primarily delivers commodity malware, including infostealers (AgentTesla, FormBook, Lumma Stealer, Vidar, CryptBot) and Remote Access Trojans, aka RATs (Remcos, QuasarRAT, DCRat, XWorm), disguised as business documents. Targets are typically employees in finance, procurement, supply chain, and administration roles within commercial and industrial sectors such as oil and gas and import/export. The attackers use localized filenames in multiple languages like Arabic, Spanish, Portuguese, Farsi, and English, indicating a global and tailored approach.
DLL sideloading enables the malware to evade legacy security solutions that rely solely on signature-based detection and static indicators of compromise. The exploitation of trusted applications poses significant risk to target organizations that lack advanced endpoint detection and response (EDR) or extended detection and response (XDR) solutions. This campaign highlights the critical need for organizations to implement advanced EDR solutions, robust application control policies, and endpoint hardening. They should also maintain up-to-date threat intelligence to detect and respond to these attacks effectively.
Exploitation of legitimate ahost.exe utility
The core of this campaign lies in the abuse of a legitimate, signed utility from GitKraken, ahost.exe. This utility, designed to retrieve DNS records, relies on libcares-2.dll, a Windows DLL built from the c-ares DNS resolver library. The weakness is that ahost.exe resolves libcares-2.dll through the standard Windows DLL search order, which consults the executable's own directory before the system directories, so it is susceptible to DLL sideloading (search order hijacking). An attacker exploits this by placing a malicious DLL named libcares-2.dll in the same directory as ahost.exe; when ahost.exe starts, the attacker's code runs inside the trusted, signed process.
This tactic is effective because it leverages the inherent trust users place in signed and legitimate applications, making detection more challenging.
What is DLL sideloading?
DLL sideloading is a technique, used by attackers and especially by advanced persistent threat (APT) groups, that exploits the way Windows applications locate and load DLLs. A malicious DLL can be loaded in place of the legitimate one, executing attacker code in the context of a trusted application and evading detection mechanisms that trust that application.
Sideloading Flow Chart:
- Attacker finds a vulnerable executable (a signed and trusted .exe that loads DLLs from its directory)
- Creates a malicious DLL with the same name as a DLL the application tries to load
- Places both the trusted executable and the malicious DLL in the same directory
- When the .exe runs, it loads the malicious DLL, executing attacker code
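The flow above produces two observable signals on the endpoint: a signed binary running under a name that differs from its embedded original filename, and that binary loading an unsigned DLL from its own directory. The following added example (not Trellix code) turns those signals into detection logic over constructed records shaped like Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad). The trusted install root and the OriginalFileName value "ahost.exe" for the renamed sample are assumptions for the demo, not verified properties of GitKraken's files.

```python
"""Added example (not Trellix code): flag a renamed signed host that loads an
unsigned DLL from its own directory. Events are constructed to resemble Sysmon
Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad) fields, not telemetry."""
import ntpath

# Assumption: roots from which a signed application's private DLLs are expected
# to load. The GitKraken install root here is a placeholder, not a verified path.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\users\alice\appdata\local\gitkraken",  # placeholder install root
)

# Constructed events. OriginalFileName is the PE version-info field Sysmon
# records on Event ID 1; "ahost.exe" for the renamed sample is assumed for the
# demo. "Signed" on Event ID 7 describes the loaded DLL, as in Sysmon.
EVENTS = [
    {"id": 1, "pid": 4312, "Image": r"C:\Users\alice\Downloads\1DOC-PDF.exe",
     "OriginalFileName": "ahost.exe"},
    {"id": 7, "pid": 4312, "Image": r"C:\Users\alice\Downloads\1DOC-PDF.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\libcares-2.dll", "Signed": "false"},
    {"id": 1, "pid": 5120, "Image": r"C:\Users\alice\AppData\Local\gitkraken\ahost.exe",
     "OriginalFileName": "ahost.exe"},
    {"id": 7, "pid": 5120, "Image": r"C:\Users\alice\AppData\Local\gitkraken\ahost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\gitkraken\libcares-2.dll", "Signed": "true"},
    {"id": 7, "pid": 5120, "Image": r"C:\Users\alice\AppData\Local\gitkraken\ahost.exe",
     "ImageLoaded": r"C:\Windows\System32\ws2_32.dll", "Signed": "true"},
]


def _dir(path):
    """Directory part of a Windows path, lower-cased (ntpath works on any host)."""
    return ntpath.dirname(path).lower()


def _in_trusted_dir(path):
    d = _dir(path)
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def detect(events):
    """Return {pid: set(rule names)} for processes that match a sideloading signal."""
    hits = {}
    for e in events:
        pid = e["pid"]
        if e["id"] == 1:
            # Rule 1: on-disk name differs from the PE's embedded OriginalFileName.
            on_disk = ntpath.basename(e["Image"]).lower()
            orig = e.get("OriginalFileName", "").lower()
            if orig and on_disk != orig:
                hits.setdefault(pid, set()).add("renamed_binary")
        elif e["id"] == 7:
            # Rule 2: DLL comes from the host's own directory, is unsigned, and
            # that directory is not a trusted install root.
            dll = e["ImageLoaded"]
            if (_dir(dll) == _dir(e["Image"])
                    and e.get("Signed", "false").lower() == "false"
                    and not _in_trusted_dir(dll)):
                hits.setdefault(pid, set()).add("unsigned_sideload")
    return hits


def triage(events):
    """Pair the signals: both rules firing on one pid is the strongest indicator."""
    ranked = {}
    for pid, rules in detect(events).items():
        ranked[pid] = "high" if {"renamed_binary", "unsigned_sideload"} <= rules else "medium"
    return ranked


if __name__ == "__main__":
    for pid, severity in triage(EVENTS).items():
        print(pid, severity, sorted(detect(EVENTS)[pid]))
```

The legitimate GitKraken process (pid 5120) loads the same DLL name but from its install root and with a valid signature, so neither rule fires; the renamed copy in a Downloads folder trips both. Either rule alone is worth a medium-severity alert because unsigned sideloads from user-writable directories are rare for mainstream signed software.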
Campaign reach and disguise tactics
Trellix has identified that ahost.exe is associated with multiple malware campaigns, including XWorm and DCRat. This file has been submitted to VirusTotal numerous times under various names, with 190 submissions from 115 unique submitters, first seen in the United States and last seen in Egypt. This suggests a widespread distribution effort.
Attackers employ various deceptive filenames to lure victims into execution, mimicking legitimate documents or orders. Examples include:
- order.exe
- protect.exe
- ESTADO DE CUENTA 24 de abril del 2025.ex_ RFQ 536120 -R43500 V5560001/RFQ 536120 -R43500 V5560001.exe
- FXCREX.exe
- 1DOC-PDF.exe
- Your file name without extension goes here.exe
- PO-069709-MQ02959-Order-S103509.exe
- Faktura od DHL.exe
These filenames indicate a likely phishing component, where users are tricked into opening seemingly innocuous files.
DCRat malware and persistence mechanism
One prominent campaign identified uses the DCRat (DarkCrystal RAT) malware. In this specific instance, threat actors renamed the ahost.exe executable to 1DOC-PDF.exe. The sample included a malicious libcares-2.dll, identified as DCRat. Executing the renamed file loads the malicious DLL.
The DCRat DLL launches AddInProcess32.exe, a Microsoft .NET Framework binary, injects itself into that process, and then terminates. Analysis of the infected AddInProcess32.exe reveals an injected MZ file whose strings reference DCRat. Even after the initial parent process has terminated, DCRat keeps running under the guise of AddInProcess32.exe.
[Figure: DCRat reference in strings of the injected file]
[Figure: DCRat mutex]
[Figure: DNS connections initiated by DCRat]
Conclusion
The GitKraken DLL sideloading campaign poses a significant threat, utilizing trusted software and advanced attack techniques to distribute malware such as DCRat. The campaign's active and adaptable nature is evident from the widespread VirusTotal submissions and the variety of deceptive filenames.
Given the pervasive nature of this threat, it is important for organizations to adopt strict measures to eliminate the risks posed by the threat actors. This malware campaign highlights the growing threat of DLL sideloading attacks that exploit trusted, signed utilities like GitKraken’s ahost.exe to bypass security defenses. By leveraging legitimate software and abusing its DLL loading process, threat actors can stealthily deploy powerful malware such as XWorm and DCRat, enabling persistent remote access and data theft.
Trellix Endpoint Security (ENS) offers a powerful, multilayered approach to defending against advanced threats like the GitKraken DLL sideloading campaign. Trellix ENS combines several security controls to create a proactive defense posture, thereby moving beyond a reliance on signature-based detection.
Key to this strategy is the ability to configure and manage Exploit Prevention settings. This includes customizing exclusions to prevent legitimate applications from being flagged, and fine-tuning Trellix-defined signatures to block known exploit techniques. Furthermore, organizations can manage Trellix-defined application protection rules, enabling them to control which applications are monitored and how they behave. For even greater control, you can create and duplicate custom rules to address specific threats or tailor protection to your environment, with any changes persisting through content updates.
By integrating strong endpoint hardening with advanced behavioral detection and automated response capabilities, Trellix ENS allows organizations to move from a reactive to a proactive security model. This comprehensive defense strategy effectively mitigates the risks posed by DLL sideloading and other evasive techniques, ensuring the security of systems against an ever-evolving landscape of cyber threats.
Remediations from Trellix:
Behavioral Detection: Advanced EDR tools employ behavioral detection to identify malicious activity. They monitor for suspicious patterns such as unusual DLL loads, abnormal process creation, and network traffic that may indicate a threat.
Application Control: Through application control, strict allowlisting policies can be enforced to allow only trusted executables and their verified DLLs to run, thereby preventing unauthorized DLL sideloading.
Threat Intelligence: Updated threat intelligence needs to be continuously integrated. This ensures timely awareness of emerging indicators linked to the GitKraken campaign and related malware.
Automated Response: When suspicious activity is detected, automated workflows can swiftly contain the threat by quarantining compromised devices and shutting down malicious processes.
Endpoint Hardening: Strengthening endpoint configurations by disabling obsolete DLL search paths, applying current software patches, and limiting user privileges reduces the overall attack surface.
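The threat-intelligence and hardening items above come together in a routine on-disk check: hash files against the IOC list published in this post, and look for the sideload shape itself, a libcares-2.dll sitting next to an executable anywhere other than the GitKraken install root. The following added example (not Trellix code) does both over a constructed directory tree; the install root is a placeholder assumption and the demo files are stubs, not real samples.

```python
"""Added example (not Trellix code): on-disk scan that applies this post's IOC
hashes and flags libcares-2.dll placed beside an .exe outside the expected
GitKraken install root (placeholder assumption)."""
import hashlib
import os
import tempfile

# SHA256 values from the IOC table in this post.
IOC_SHA256 = {
    "7c41ac7b5bf15e34d50d6abbe28254e94e6c21e0ccab9fa68aca05049a515758",
    "e7be7413c4cff8595de4cbc9c8621163565afe3e57412e59be3389aef1a18cc5",
    "0b7660173e0bfe2ff7015014d5c7cc1f27e9e80c330f5553316f5c031b387d15",
    "a7d7965baed40cfd0edbc9d7ef3052dcf20148769b2dfe32d0117dbd762b8a9d",
    "791a7d2710409cf72cf34bd4c29a3ebfe17ad3217d138215c0e03aa3513c8d0e",
    "e533da586b912241cc8c5d4762d78607b50b75cb7070ad839d72f8ee76cb5636",
    "7f88f4087be494175200273e48f18b2553adb8ed92d5f684acbe54e21b5355f5",
}
SIDELOADED_DLL = "libcares-2.dll"


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _under(path, root):
    """True when path is root or lies beneath it (None root means no exemption)."""
    if root is None:
        return False
    path, root = os.path.realpath(path), os.path.realpath(root)
    return path == root or path.startswith(root + os.sep)


def scan(root, ioc_hashes=IOC_SHA256, install_root=None):
    """Return sorted (rule, path, detail) findings for the tree under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            h = sha256_file(p)
            if h in ioc_hashes:
                findings.append(("ioc_hash_match", p, h))
        lowered = {n.lower(): n for n in files}
        # Sideload shape: the c-ares DLL beside an executable, outside the
        # directory where GitKraken legitimately ships it.
        if SIDELOADED_DLL in lowered and not _under(dirpath, install_root):
            exes = sorted(n for n in files if n.lower().endswith(".exe"))
            if exes:
                dll_path = os.path.join(dirpath, lowered[SIDELOADED_DLL])
                findings.append(("sideload_pair", dll_path, ", ".join(exes)))
    return sorted(findings)


def demo():
    """Constructed tree: a lure folder with a renamed host plus DLL, and a clean
    install root holding the same DLL name. Returns the rule names that fired."""
    with tempfile.TemporaryDirectory() as tmp:
        lure = os.path.join(tmp, "Downloads")
        install = os.path.join(tmp, "gitkraken")  # placeholder install root
        os.makedirs(lure)
        os.makedirs(install)
        with open(os.path.join(lure, "1DOC-PDF.exe"), "wb") as f:
            f.write(b"MZ constructed host stub")
        with open(os.path.join(lure, SIDELOADED_DLL), "wb") as f:
            f.write(b"MZ constructed dll stub")
        with open(os.path.join(install, "ahost.exe"), "wb") as f:
            f.write(b"MZ constructed host stub")
        with open(os.path.join(install, SIDELOADED_DLL), "wb") as f:
            f.write(b"MZ constructed legit dll")
        # For the demo only, treat the constructed DLL's hash as a known IOC.
        iocs = IOC_SHA256 | {hashlib.sha256(b"MZ constructed dll stub").hexdigest()}
        found = scan(tmp, iocs, install_root=install)
        return sorted({rule for rule, _, _ in found})


if __name__ == "__main__":
    print(demo())
```

Hash matching only catches the samples already listed, which is why the structural check matters more in practice: a fresh libcares-2.dll next to any .exe in a Downloads, Temp or mail-attachment folder is the campaign's shape regardless of which payload is inside it.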
Reference:
Configure Exploit Prevention settings to block threats
Endpoint Security (ENS) | Trellix
Indicators of Compromise (IOCs):
| SHA256 | Filename |
| --- | --- |
| 7c41ac7b5bf15e34d50d6abbe28254e94e6c21e0ccab9fa68aca05049a515758 | Cesvaine.dll |
| e7be7413c4cff8595de4cbc9c8621163565afe3e57412e59be3389aef1a18cc5 | Ջերմուկ.dll |
| 0b7660173e0bfe2ff7015014d5c7cc1f27e9e80c330f5553316f5c031b387d15 | Gdansko.dll |
| a7d7965baed40cfd0edbc9d7ef3052dcf20148769b2dfe32d0117dbd762b8a9d | F**kLuciferJesusIsTheLORD.dll |
| 791a7d2710409cf72cf34bd4c29a3ebfe17ad3217d138215c0e03aa3513c8d0e | Emifimozicozopinu |
| e533da586b912241cc8c5d4762d78607b50b75cb7070ad839d72f8ee76cb5636 | Avasirexexoyaxuzo |
| 7f88f4087be494175200273e48f18b2553adb8ed92d5f684acbe54e21b5355f5 | Gdansko.dll |
Trellix detection signatures
| Product | Detection names |
| --- | --- |
| Trellix Endpoint Security (ENS) | Generic trojan.prf, Trojan-FXMD, Trojan-FXOW |
| Trellix Endpoint Security (HX) | Gen:Variant.Tedy.765584, Gen:Variant.Lazy.655556, Trojan.GenericKD.76272268, Gen:Variant.Mikey.177808 |
| Trellix EDR | Behavioral detections listed below |
Trellix EDR behavioral detections:
- Wrote PE header into remote process (PE file DOS header) (T1106, T1055.002, T1620)
- Potential injection into dotnet process (T1055)
- Remote process section unmap, possible Process Injection (T1106, T1055.011, T1055.012)
- Process hollowed for execution (T1106, T1055.012)
- Executed Microsoft .NET InstallUtil.exe without parameters (T1218.004)
- Suspicious DNS Query (Commonly Abused Web Services) by AddInProcess32.exe (T1071.004, T1568)
- Suspicious launch of Microsoft .NET framework binary (T1059.003)
- Suspicious binary communicates via Web Protocol (potential C2 activity) (T1071.001)
Contacted Domains (C2 Communication)
hxxp[:]//dgflex[.]duckdns[.]org
The domain is categorized as “Malicious Sites”, High Risk, by Trellix TrustedSource (https://trustedsource.org).