New SquidLoader Variant Unleashed: Stealthy Malware Hits Hong Kong Financial Sector Undetected
A newly discovered version of the SquidLoader malware has surfaced during a targeted attack on institutions in Hong Kong, sparking significant concern within the financial sector. Of particular alarm is its near-complete evasion of detection by antivirus solutions, rendering it virtually invisible to conventional security systems.
The malicious campaign begins with phishing emails written in Chinese, crafted to resemble legitimate financial correspondence. These messages contain password-protected RAR archives that conceal executable files disguised as Word documents or as seemingly harmless system components, such as AMDRSServ.exe. Upon execution, SquidLoader copies itself to the C:\Users\Public directory under the name setup_xitgutx.exe and alters the __scrt_common_main_seh function in the CRT prologue, allowing its malicious logic to execute before the program's main code begins.
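The drop location and filename above are the kind of host indicators a defender can hunt for in endpoint telemetry. The following is an added example written for this article, not code from the report or from the malware: it scans Sysmon-style FileCreate records (the "Image: ... | TargetFilename: ..." layout, the setup_*.exe naming pattern and the list of user-writable directories are assumptions made for the example) and flags executables written into C:\Users\Public either under the reported name or by a process that is itself running from a user-writable location.

```python
"""Hunt for the SquidLoader self-copy pattern in FileCreate telemetry.

Added example (not from the article or the malware). The record layout,
the generic setup_*.exe pattern and the user-writable directory list are
assumptions; only setup_xitgutx.exe and C:\\Users\\Public come from the report.
"""
import re
from dataclasses import dataclass

PUBLIC_DIR = "c:\\users\\public"
KNOWN_DROP_NAMES = {"setup_xitgutx.exe"}            # reported indicator
DROP_NAME_PATTERN = re.compile(r"^setup_[a-z0-9]{4,}\.exe$")   # assumed generalisation
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")  # assumption


@dataclass
class FileCreateEvent:
    image: str            # process that created the file
    target_filename: str  # file that was written


def parse_event(line: str) -> FileCreateEvent:
    """Parse one constructed 'Image: ... | TargetFilename: ...' record."""
    fields = dict(part.split(": ", 1) for part in line.split(" | "))
    return FileCreateEvent(fields["Image"], fields["TargetFilename"])


def is_suspicious_drop(ev: FileCreateEvent) -> bool:
    """True when an .exe lands directly in C:\\Users\\Public and either carries a
    known/generic loader name or was written by a process from a user-writable path."""
    target = ev.target_filename.lower()
    image = ev.image.lower()
    directory, _, name = target.rpartition("\\")
    if directory != PUBLIC_DIR or not name.endswith(".exe"):
        return False
    if name in KNOWN_DROP_NAMES or DROP_NAME_PATTERN.match(name):
        return True
    return image.startswith(USER_WRITABLE_DIRS)


def scan(lines):
    """Return the target filenames of every flagged record, in input order."""
    return [ev.target_filename for ev in map(parse_event, lines) if is_suspicious_drop(ev)]


# Constructed sample telemetry (hostnames, users and paths are invented).
SAMPLE_EVENTS = [
    "Image: C:\\Users\\alice\\Downloads\\AMDRSServ.exe | TargetFilename: C:\\Users\\Public\\setup_xitgutx.exe",
    "Image: C:\\Windows\\System32\\svchost.exe | TargetFilename: C:\\Users\\Public\\Desktop\\Report.lnk",
    "Image: C:\\Program Files\\Vendor\\Installer.exe | TargetFilename: C:\\Users\\Public\\helper.exe",
    "Image: C:\\Users\\bob\\AppData\\Local\\Temp\\Rar$EXa0.123\\report.exe | TargetFilename: C:\\Users\\Public\\update_agent.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("suspicious drop:", hit)
```

The second and third records are deliberately benign (a shortcut in a subfolder, and a vendor installer from Program Files) to show that the rule keys on the exact directory and on the writing process, not on any file appearing under Public.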
Analysis reveals a multi-stage infection architecture. Initially, encoded bytes are decrypted using a simple algorithm, a byte-wise XOR with the key 0xF4 followed by an addition of 19, which reveals the next payload layer.
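For an analyst, the value of knowing the exact transform is being able to peel the first layer off a sample without running it. The code below is an added example, not the malware's own routine: it applies the XOR-then-add step described above and, going slightly beyond the article, includes a small brute-force helper that recovers the (key, addend) pair from a sample when a later variant changes the constants, by requiring the decoded prefix to be a PE header. The sample bytes are constructed for the example so that they decode to such a prefix.

```python
"""Stage-one decoder for the XOR-0xF4 / add-19 scheme.

Added analyst example, not code from the report or the loader. Note the
order: the loader XORs first and adds second, so the decode is
((b ^ key) + add) mod 256; reversing the two steps yields garbage.
"""

XOR_KEY = 0xF4
ADD_CONST = 19
PE_PREFIX = b"MZ\x90\x00"   # DOS stub magic typical of a Windows PE


def decode_stage(data: bytes, key: int = XOR_KEY, add: int = ADD_CONST) -> bytes:
    """Undo the loader's encoding byte by byte."""
    return bytes(((b ^ key) + add) & 0xFF for b in data)


def recover_parameters(data: bytes, expected_prefix: bytes = PE_PREFIX):
    """Return every (key, add) pair under which `data` decodes to `expected_prefix`.

    For a fixed key the addend is determined by the first byte, so only 256
    candidates need checking; the remaining prefix bytes filter false hits.
    """
    hits = []
    for key in range(256):
        add = (expected_prefix[0] - (data[0] ^ key)) & 0xFF
        if all((((data[i] ^ key) + add) & 0xFF) == expected_prefix[i]
               for i in range(len(expected_prefix))):
            hits.append((key, add))
    return hits


# Constructed sample: encodes b"MZ\x90\x00\x03\x00\x00\x00" with the reported constants.
SAMPLE_STAGE = bytes([0xCE, 0xB3, 0x89, 0x19, 0x04, 0x19, 0x19, 0x19])

if __name__ == "__main__":
    print(decode_stage(SAMPLE_STAGE))            # b'MZ\x90\x00\x03\x00\x00\x00'
    print(recover_parameters(SAMPLE_STAGE))      # includes (244, 19)
```

Because the brute force keys on only four bytes, treat any extra pairs it returns as candidates to confirm against the rest of the decoded buffer (for example by checking that e_lfanew points at a "PE\0\0" signature).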
In its second stage, SquidLoader evades conventional analysis by walking the PEB to dynamically resolve API calls from ntdll.dll and kernel32.dll, overwriting the function-name strings after resolution so that the calls it makes leave no obvious trace. Pointers and metadata are stored in unused regions of the PEB for rapid access, while a complex web of conditional jumps thwarts decompilation and static analysis.
The malware also employs a suite of sandbox and debugger evasion techniques. It checks the current username, looks for known debugging tools (such as OllyDbg, IDA Pro, and x64dbg), and checks for antivirus activity, notably Windows Defender. It also leverages rarely used system calls: NtQueryInformationProcess with information class 0x1e to detect debuggers, and NtQuerySystemInformation with information class 0x23 to identify kernel-level debugging. Upon detecting any anomaly, the process terminates immediately.
A particularly novel evasion method involves an emulation bypass. The malware spawns a thread that sleeps for 16 minutes, then uses the APC queue and NtWaitForSingleObject to verify that the expected code was executed. Emulators and sandboxes typically fail to replicate this scenario accurately, prompting the malware to self-destruct.
Further obfuscation includes dynamic string masking, detection of the Microsoft Emulator via NtIsProcessInJob, and the display of a fake error message in Chinese claiming file corruption and requesting user action, which stalls analysis in GUI-less environments.
Once all evasion layers are cleared, SquidLoader establishes a connection with its command-and-control server, disguising its traffic as Kubernetes API requests. It exfiltrates system information, including IP address, username, operating system version, PID, and administrator status. Subsequently, a Cobalt Strike Beacon payload is injected and executed in memory, enabling remote access and lateral movement to additional control nodes.
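Traffic that imitates the Kubernetes API stands out once you ask who on the network should be talking to a Kubernetes API server at all. The following is an added example for this article, not from the report or any vendor product: it reads constructed proxy log lines and flags requests whose URL path looks like the Kubernetes REST API (the "/api/" and "/apis/" prefixes) whenever the destination is not one of the organisation's known API servers or the source is not a known cluster client. The log layout, the allow-lists and the hostnames are all assumptions made for the example.

```python
"""Proxy-log hunt for Kubernetes-lookalike command-and-control traffic.

Added example (not from the article). Log format 'ts src method url status',
the allow-lists and the path prefixes are assumptions; 203.0.113.0/24 is a
documentation range used here as a constructed external address.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

KNOWN_K8S_API_HOSTS = {"k8s-api.corp.example"}   # assumed: the real cluster endpoints
K8S_CLIENT_HOSTS = {"ci-runner-01"}              # assumed: hosts expected to use them
K8S_PATH_PREFIXES = ("/api/", "/apis/")          # core and named API groups


@dataclass
class Alert:
    src: str
    host: str
    path: str
    reason: str


def parse_proxy_line(line: str):
    ts, src, method, url, status = line.split(maxsplit=4)
    parts = urlsplit(url)
    return src, parts.hostname or "", parts.path


def is_k8s_lookalike(path: str) -> bool:
    return path.startswith(K8S_PATH_PREFIXES)


def hunt(lines):
    """Return an Alert for each Kubernetes-shaped request that has no business reason."""
    alerts = []
    for line in lines:
        src, host, path = parse_proxy_line(line)
        if not is_k8s_lookalike(path):
            continue
        if host not in KNOWN_K8S_API_HOSTS:
            alerts.append(Alert(src, host, path, "k8s-style path to unknown API server"))
        elif src not in K8S_CLIENT_HOSTS:
            alerts.append(Alert(src, host, path, "k8s API access from non-cluster client"))
    return alerts


# Constructed sample log (hosts, addresses and timestamps are invented).
SAMPLE_PROXY_LOG = [
    "2025-03-31T10:02:11Z WS-FIN-042 GET https://203.0.113.10:443/api/v1/namespaces/default/pods 200",
    "2025-03-31T10:02:15Z ci-runner-01 GET https://k8s-api.corp.example/apis/apps/v1/deployments 200",
    "2025-03-31T10:02:20Z WS-FIN-042 GET https://www.example.com/index.html 200",
    "2025-03-31T10:02:31Z WS-FIN-042 GET https://k8s-api.corp.example/api/v1/nodes 403",
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_PROXY_LOG):
        print(f"{a.src} -> {a.host}{a.path}: {a.reason}")
```

The two alerts this produces are a finance workstation reaching an external address with a cluster-style URL, and the same workstation touching the real API server; the legitimate CI runner and ordinary web browsing pass silently. In practice the allow-lists come from the CMDB or the cluster's own audit log rather than being hard-coded.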
Similar malware samples have been identified targeting entities in Singapore, China, and Australia. All exhibit comparable Kubernetes-themed obfuscation, pointing to a coordinated, global campaign. The phishing emails, dated March 31, 2025, included password-protected archives using the password “20250331” and referenced bond registration topics—an effective social engineering lure.
The convergence of near-undetectability, technical sophistication, and regional customization marks SquidLoader as one of the most formidable threats to financial institutions. Enhancing behavioral monitoring and proactively hunting for indicators of compromise has become a mission-critical imperative.