Sliver implant used in DLL sideloading effort to target German orgs

January 24, 2025

An ongoing cybercriminal campaign targeting Germany-based organisations is using DLL sideloading and DLL proxying to deliver a Sliver implant.

Researchers report that the attackers may have modified the implant, which is generated by Sliver, an open-source red-teaming framework, for their own purposes. The operation starts with a spear-phishing email carrying a compressed archive named Homeoffice-Vereinbarung-2025.7z ("home office agreement 2025").

Once the target extracts the archive, it presents a visible shortcut (LNK) file alongside hidden components. The confirmed hidden files are a malicious DLL, a legitimate DLL, a .dat file holding encrypted shellcode, and a decoy PDF that resembles a genuine remote-work agreement.

The malicious Sliver implant campaign takes advantage of the German-language Home Office Agreement.

According to the investigation, the lure is a German-language Home Office Agreement presented as a supplement to the recipient's existing employment contract, a document that fits the German enterprises being targeted.

The LNK file, disguised as a PDF, instructs cmd.exe to copy the bundled files into a newly created directory, %localappdata%\InteI (spelled with a capital I in place of the lowercase l, so that it passes for an Intel folder at a glance). It then relies on wksprt.exe, a legitimate Windows executable, to sideload the malicious IPHLPAPI.dll: because the loader resolves an application's DLL dependencies from the application's own directory before the system directories, wksprt.exe running from that folder picks up the attacker's copy of IPHLPAPI.dll rather than the real one.

The malicious DLL forwards legitimate function calls to a renamed copy of the authentic DLL (DLL proxying), so the host program keeps behaving normally while the payload runs. The DLL decrypts the shellcode stored in the .dat file using Windows cryptographic APIs such as CryptAcquireContextW and CryptDecrypt, and then executes the Sliver implant.
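As an added example (not from the report and not the campaign's own tooling), the following Python script shows one way a defender could hunt for this chain in Sysmon-style telemetry. It flags wksprt.exe executing from outside the Windows system directories, IPHLPAPI.dll being loaded from a non-system path, and directory names that imitate "Intel" using a capital I or similar confusables. The event lines are constructed for the example; the field names follow Sysmon's process-creation (Event ID 1) and image-load (Event ID 7) events, and the user name, paths and command line are assumptions rather than indicators quoted from the campaign.

```python
"""Hunt for the wksprt.exe / IPHLPAPI.dll sideloading chain in Sysmon-style events.

Added example: the log lines below are constructed for illustration (user name,
paths and command line are assumptions), not telemetry from the reported campaign.
"""
import json
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
LOLBIN = "wksprt.exe"          # legitimate Windows binary abused as the loader
HIJACKED_DLL = "iphlpapi.dll"  # dependency the loader resolves from its own directory first
LEGIT_DIR = "Intel"            # the folder name that %localappdata%\InteI imitates

# Constructed Sysmon-like events, one JSON object per line (Event ID 1 = process
# creation, Event ID 7 = image load). The last two lines are benign, for contrast.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c mkdir %localappdata%\\InteI && copy *.* %localappdata%\\InteI && start %localappdata%\\InteI\\wksprt.exe"}
{"EventID": 1, "Image": "C:\\Users\\hr\\AppData\\Local\\InteI\\wksprt.exe", "CommandLine": "wksprt.exe"}
{"EventID": 7, "Image": "C:\\Users\\hr\\AppData\\Local\\InteI\\wksprt.exe", "ImageLoaded": "C:\\Users\\hr\\AppData\\Local\\InteI\\IPHLPAPI.dll"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wksprt.exe", "CommandLine": "wksprt.exe"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\wksprt.exe", "ImageLoaded": "C:\\Windows\\System32\\IPHLPAPI.DLL"}
"""


def _win(path: str) -> str:
    """Normalise a Windows path for comparison (backslashes, lower case)."""
    return path.replace("/", "\\").lower()


def basename(path: str) -> str:
    return _win(path).rsplit("\\", 1)[-1]


def in_system_dir(path: str) -> bool:
    return _win(path).startswith(SYSTEM_DIRS)


def _fold(s: str) -> str:
    # Map the characters commonly confused with lowercase l onto one symbol.
    return s.translate(str.maketrans("lI1|", "1111")).lower()


def is_lookalike_dir(token: str) -> bool:
    """True for 'InteI', 'lntel' etc.: same shape as 'Intel' after folding, but not 'Intel'."""
    return token.lower() != LEGIT_DIR.lower() and _fold(token) == _fold(LEGIT_DIR)


def lookalike_components(text: str) -> set:
    """Path components in a path or command line that imitate the Intel directory."""
    return {t for t in re.split(r'[\\/\s"]+', text) if t and is_lookalike_dir(t)}


def hunt(events_jsonl: str) -> list:
    """Return (line_no, rule, detail) tuples for every rule that fires on the events."""
    alerts = []
    for n, line in enumerate(events_jsonl.strip().splitlines(), 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        eid, image = ev.get("EventID"), ev.get("Image", "")
        # Rule 1: the abused Windows binary executing from a non-system location.
        if eid == 1 and basename(image) == LOLBIN and not in_system_dir(image):
            alerts.append((n, "lolbin-relocated", image))
        # Rule 2: the hijacked DLL name resolved from outside the system directories
        # (classic sideloading: the loader searched the application directory first).
        if eid == 7:
            loaded = ev.get("ImageLoaded", "")
            if basename(loaded) == HIJACKED_DLL and not in_system_dir(loaded):
                alerts.append((n, "sideload-candidate", f"{basename(image)} <- {loaded}"))
        # Rule 3: a directory name spoofing 'Intel' anywhere in the paths or command line.
        for field in ("Image", "ImageLoaded", "CommandLine"):
            for tok in sorted(lookalike_components(ev.get(field, ""))):
                alerts.append((n, "lookalike-dir", f"{field}: {tok}"))
    return alerts


if __name__ == "__main__":
    for line_no, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"line {line_no}: {rule:<18} {detail}")
```

Run stand-alone, the script reports six findings on the first three constructed events and nothing on the two benign ones. Rule 2 is the one worth keeping in production: a DLL named after a system library being loaded from a user-writable directory is suspicious regardless of which host binary was chosen, whereas Rules 1 and 3 are tied to this campaign's specific choices of wksprt.exe and the InteI folder name.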

The implant then connects to remote command-and-control servers on domains such as technikzwerg[.]de, giving the operators a foothold from which to run further malicious operations.

Further analysis shows that the campaign's techniques match those of APT29, which has used DLL sideloading in earlier operations; the addition of DLL proxying, however, is a new development.

The multi-stage chain, combined with its emphasis on evasion, is difficult for conventional detection mechanisms to catch.

The Sliver implant campaign aimed at German organisations shows how much more sophisticated threat actors have become. By chaining DLL sideloading, DLL proxying, shellcode injection and the Sliver framework, the attackers get past standard security controls that would catch any one of these techniques in isolation less easily than the combination.
