Attackers Bypass Security Using c-ares DLL Side-Loading: Commodity Malware Delivered in Active Campaign
Executive Summary
In January 2026, security researchers reported an active malware campaign leveraging DLL side-loading via the open-source c-ares library. Attackers paired a malicious 'libcares-2.dll' with the legitimate signed 'ahost.exe' to evade security controls and deploy multiple trojans and info-stealer malwares. This method exploited trust in legitimate software to bypass endpoint defenses, leading to widespread compromise across targeted organizations and enabling the theft of sensitive data and credentials. Initial access was facilitated by distributing rogue DLLs alongside trusted binaries, primarily impacting organizations with inadequate application whitelisting and file integrity controls.
This incident is particularly relevant as DLL side-loading attacks remain a favored technique for cybercriminals to circumvent detection, especially as organizations continue to migrate to cloud and hybrid environments. The campaign highlights a growing trend in software supply chain exploitation and the need for stronger endpoint and lateral movement protections.
Why This Matters Now
DLL side-loading attacks are on the rise, enabling threat actors to leverage trusted applications to evade security tools and deliver malware undetected. As organizations increase reliance on third-party and open-source components, vulnerabilities like this create urgent risks for data exfiltration, regulatory non-compliance, and business disruption.
Attack Path Analysis
Attackers exploited DLL side-loading via c-ares by introducing a malicious DLL alongside a signed ahost.exe to gain their initial foothold. After execution, they leveraged the context of the compromised process to escalate privileges and access additional resources. Through east-west traffic, they moved laterally between workloads, seeking systems for further exploitation. The malware established command & control communications to an attacker-controlled server, bypassing typical perimeter defenses. Sensitive data was exfiltrated, often through covert or policy-evading channels, before commodity malware delivered additional payloads or disrupted business operations.
Kill Chain Progression
Initial Compromise
Description
Attackers delivered a malicious DLL (libcares-2.dll) alongside a legitimate signed ahost.exe binary, exploiting the c-ares library DLL side-loading vulnerability to execute malicious code.
Related CVEs
CVE-2023-32067
CVSS 7.5A denial of service vulnerability in c-ares due to improper handling of 0-byte UDP payloads.
Affected Products:
c-ares c-ares – < 1.19.1
Exploit Status:
no public exploitCVE-2023-31147
CVSS 5.3Insufficient randomness in generation of DNS query IDs in c-ares.
Affected Products:
c-ares c-ares – < 1.19.1
Exploit Status:
no public exploitCVE-2023-31124
CVSS 3.7AutoTools does not set CARES_RANDOM_FILE during cross compilation in c-ares.
Affected Products:
c-ares c-ares – < 1.19.1
Exploit Status:
no public exploitCVE-2019-18196
CVSS 7.8A DLL side loading vulnerability in TeamViewer's Windows Service allows code execution via malicious DLL placement.
Affected Products:
TeamViewer TeamViewer – <= 14.6.4835
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
DLL Side-Loading
Phishing
Process Injection
User Execution: Malicious File
Signed Binary Proxy Execution
Obfuscated Files or Information
Command and Scripting Interpreter
Modify Registry
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Monitor and Analyze Security Events
Control ID: 10.2.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management - Threat Detection & Response
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Application Monitoring and Threat Detection
Control ID: Applications Pillar: Visibility and Analytics
NIS2 Directive – Technical and Organizational Measures — Incident Prevention and Detection
Control ID: Article 21(2)(a),(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
DLL side-loading attacks targeting c-ares library threaten software development environments, requiring enhanced code signing validation and zero trust segmentation controls.
Financial Services
Commodity trojans and stealers delivered via legitimate binary exploitation pose severe data exfiltration risks, demanding robust egress filtering and anomaly detection.
Health Care / Life Sciences
HIPAA compliance violations likely from malware campaign bypassing security controls, necessitating encrypted traffic monitoring and threat detection capabilities for patient data.
Information Technology/IT
IT infrastructure vulnerability to signed binary abuse requires immediate implementation of inline IPS systems and multicloud visibility for comprehensive threat prevention.
Sources
- Hackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malwarehttps://thehackernews.com/2026/01/hackers-exploit-c-ares-dll-side-loading.htmlVerified
- c-ares vulnerabilitieshttps://c-ares.org/vulns.htmlVerified
- Hiding in Plain Sight: Deconstructing the Multi-Actor DLL Sideloading Campaign abusing ahost.exehttps://www.trellix.com/en-au/blogs/research/hiding-in-plain-sight-multi-actor-ahost-exe-attacks/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust Segmentation, east-west controls, and strong egress enforcement would have limited the spread of malicious code, detected lateral movement, and prevented data exfiltration or malware deployment. CNSF capabilities provide real-time visibility, microsegmentation, inline threat detection, and granular policy to significantly constrain such a kill chain.
Control: Threat Detection & Anomaly Response
Mitigation: Rapid anomaly detection would alert on suspicious DLL loads and process behavior.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation restricts scope of escalation by segmenting workloads and limiting communication.
Control: East-West Traffic Security
Mitigation: East-west policy enforcement blocks unauthorized inter-workload communication.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound C2 traffic is blocked or detected at the network egress.
Control: Encrypted Traffic (HPE) and Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts are blocked or immediately flagged for response.
Distributed fabric provides real-time enforcement and containment of post-compromise impact.
Impact at a Glance
Affected Business Functions
- Software Development
- IT Operations
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive source code and internal documentation.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to strictly control workload-to-workload communications and enforce least privilege network access.
- • Deploy robust east-west traffic security to detect and block lateral movement within cloud environments.
- • Enforce strict egress filtering and URL/application controls to prevent unauthorized outbound data flows and command & control communications.
- • Enable continuous threat detection, anomaly response, and workload baselining for real-time identification of malicious behavior.
- • Ensure pervasive visibility and centralized policy management across multi-cloud and hybrid environments for rapid incident response.
